C7 To Design Securely, You Have to be Able to Measure Your Security
Date & Time
Tuesday, June 23, 2020, 10:40 AM - 11:30 AM
Winn Schwartau

To design security environments and to defend our networks, we must be able to measure their performance; we should be able to measure the efficacy, risk and trust of the various defensive appliances we use.


I’m going to show you the exact techniques to measure the security of portions of your internal networks, such as anti-virus, malware, phishing, access control devices and anomalous event detection. Then we will apply the same techniques to compare the security of classes of protective security products even though vendors don’t supply such specifications.    


You will see how to measure security and compare the effectiveness of protective devices as a function of time. We will call BB any vendor’s Black Box that performs any abstract security service. The internal process mechanism is immaterial to system measurement; signature-based A/V, rule-based binary decision making, heuristics, deep learning or any possible hybrid.

It’s still a Black Box. With Time Based Security as the premise, we first show how to measure D(t), detection efficacy as a function of time. Then we will show how the injection of ‘hostile’ test code can create a time-based metric for product comparison. By varying the sensitivity of detection criteria, especially with ‘smart’ systems, we can see how which kinds of hostile code will trigger the BB’s detection mechanism. (This is a non-vendor presentation!) The time difference between those two numbers is your current, accurately measured Detection Time, or T(1) – T(0) = D(t) The second step in measuring security in the time domain is to continue to Reaction. The Detection Trigger stops the primary clock and begins the reaction measurement process, up to and including remediation, all in the time-domain.

R(t). The measurement of D(t) + R(t) gives us the maximum exposure to the system (process, etc.) equaling E(t), Exposure Time. How do your products and services really perform? Measuring security in the time domain for cyber is a critical tool for understanding and improving security postures. Attendees will receive the math, the tools, charts and schematics on how to measure their own security. COMMENTS: Handouts: Charts, Diagrams of Measurement Techniques. Objective #1 Learn why vendor/product’s Detection Time and Reaction Times are critical to security. Understand their effect on an organization’s risk and exposure. Learn how to measure the security of your defensive security products in the time domain.

Schematics and formulas will be made available to all!

Technical Level: High

Session Type
Main Conference Session