Five Tactical Security Metrics To Watch

Ask security professionals for a list of important metrics, and expect to get a long list with much debate. Yet information security managers need a way to keep track of their progress on securing the network while watching out for potential threatening situations.

Good metrics can help define the fight. While many professionals might argue that it's better to have as much information on the security of their networks as possible, too much information can blind practitioners to what is going on, says Mike Lloyd, chief technology officer for network monitoring and discovery firm RedSeal Networks.

"You don't have to have, nor want, a dashboard like an airplane," he says. "You want a dashboard that's more like a car."

In its own dashboard for clients, RedSeal goes to one extreme: a single overall score for network risk. Drilling down on the score is what reveals the specific metrics that make up the score. A network map and two top 10 lists round out the dashboard.

Verizon and its managed security practice focuses more on incident metrics. Tracking what goes wrong can help an IT manager figure out where to allocate resources, says Christopher Porter, a principal of Verizon's RISK team.

"The types of incidents that you have in your organization are kind of indicative of the people, process, and technology that you have in place," he says.

Here are five recommended metrics:

1. Your ignorance
From Sun Tzu to Donald Rumsfeld, military generals interested in security are always worried about what they don't know. Security practitioners should take a page from their playbooks, RedSeal's Lloyd says.

While measuring what is unknown may seem at best an oxymoron and at worst an exercise in futility, it's both doable and important. Comparing the picture that different groups have of the network can lead to finding parts that one team knows about and another team does not.

"You have to be able to survey they terrain," Lloyd says. "If you can't tell, as a CISO, how big the gaps are in your knowledge, then you are in trouble."

By counting the anomalies between sets of asset data and tracking that number, an IT security manager has a good idea of remains to be discovered.

2. Attack surface area
Once a network has been mapped, companies can then attempt to find the paths into the network that an attacker might use.

The overall black-box measure of a system or network can be expressed as a rating of the attack surface area -- a measure to be minimized. If the network is a chess board, then the systems in the network are chess pieces, Lloyd says. If any are left open to attackers, they can be compromised.

"You can take any given asset and figure out how easy it to get in," Lloyd says. "A vulnerability scanner is a great way to assess the network chess board. It knows about an awful lot of pieces."

3. Incidents over time
When incidents happen, whether router misconfigurations or actual attacks, those should be tracked as well, Verizon's Porter says.

Tracking incidents can help security manager to get an idea of how aware the team is of potential issues before they become problems.

"If I start collecting my incidents and I can see the types of incidents that are affecting similar organizations, I can see my weaknesses," he says. "I can see if my resources are making those incidents go down."

4. Vulnerability of critical assets
Prioritizing issues that need action is a necessary part of any security manager's job.

One way to triage security issues is to rank them by the level of vulnerability of an asset and the value of the asset. A critical vulnerability in an exposed server holding the company's sensitive customer list is far more important than a low-severity issue in an internal file server.

"The question that needs answering is which actions have the highest payoff," RedSeal's Lloyd says.

5. Impact of mitigating vulnerabilities
Finally, companies need to be able to look for solutions to problems that may be beneficial to multiple servers and workstations. A good metric to track that positive benefit is to focus on the impact of fixing a particular vulnerability, Lloyd says.

"The highest impact I might have is not just by patching the most critical servers over and over again," he says. "I want to find a way to maximize the downstream impact of fixing some assets."

Patching a dozen critical servers or updating firewall or intrusion-detection rules? Knowing the impact of each action is key.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.