05:34 PM
Connect Directly

Center For Internet Security Issues Free Security Metrics

Global coalition of enterprises, government, and vendors looks to its vendor members to automate collection of new metrics in their products

The Center for Internet Security on Wednesday issued a set of free metrics for organizations to use in measuring their security postures.

CIS, a coalition of enterprises, government agencies, universities, and vendors from around the world, in September provided an overview of the user-driven metrics project. The organization now has published a series of metrics for organizations to measure their key security operations -- incident management, vulnerability management, patch management, application security, configuration management, and financial metrics.

Metrics have begun gaining traction as a way for organizations to gauge their security risks, as well as how their existing tools and strategies are -- or are not -- working. A yardstick to measure just how secure an organization really is can help when it comes at budget time, experts say. Security consultancy Securosis, with initial financial backing from Microsoft, is in the process of creating a set of open-source metrics specifically for patch management. Securoris is gathering input in an open submission process for the so-called Project Quant metrics model, Version 1 of which is planned for release by the end of June.

Both CIS and Securosis were aware of one another's metrics projects, which could overlap on the patch management side.

"The purpose of this project is to define what a security incident is and how it can be counted and reported," says Bert Miuccio, CEO of CIS. "The challenge for information security professionals is to measure some aspect of security, like incident management, in an unambiguous way, and in a way that the measurement is repeatable over time so that different parts of the enterprise aren't measuring the same aspect of its security status in two different ways."

Among the around 20 different definitions/metrics by CIS is "Mean Time to Incident Recovery (MTIR)," or the ability of the organization to regain normal operations after a breach. MTIR is measured by the average amount of time elapsed between when an incident occurred and recovery.

Miuccio says CIS's vendor members -- which include Symantec, BMC Software, Belarc, CA, Configuresoft, nCircle, NetIQ, Opsware Network, Quest Software, Solidcore Systems, Tenable Network Security, and Tripwire -- are "in the process of examining" the metrics to determine, for instance, how to integrate them with their products' reporting features. "The most important aspect for the future adoption of the metrics is for the IT security software vendors to integrate these definitions into their tools and software solutions so they can automate the collection and reporting of these measures," he says.

But with budget pressures in a tight economy, it's unclear whether organizations will see adopting metrics as a potential cost-saving and efficiency strategy, or whether they just don't have the resources to adopt them. CIS's Miuccio says the coalition's metrics project is well-timed, "not only because of the condition of the economy, but also the state of security as a profession. There's an increasing emphasis on understanding the value that is derived from increasing security investments in the enterprise -- that was the rationale for staring this project in the first place."

Caroline Wong, chief of staff and manager of metrics for eBay, said in a statement that the metrics project "lays the groundwork for benchmarking, which has been impossible to date."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/15/2018
Voice-Operated Devices, Enterprise Security & the 'Big Truck' Attack
Menny Barzilay, Co-founder & CEO, FortyTwo Global,  3/15/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.