Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

03:40 PM

Five Tactical Security Metrics To Watch

Wondering how secure the corporate network is? Here's five operational security metrics that can help. First of a two-part series

Ask security professionals for a list of important metrics, and expect to get a long list with much debate. Yet information security managers need a way to keep track of their progress on securing the network while watching out for potential threatening situations.

Good metrics can help define the fight. While many professionals might argue that it's better to have as much information on the security of their networks as possible, too much information can blind practitioners to what is going on, says Mike Lloyd, chief technology officer for network monitoring and discovery firm RedSeal Networks.

"You don't have to have, nor want, a dashboard like an airplane," he says. "You want a dashboard that's more like a car."

In its own dashboard for clients, RedSeal goes to one extreme: a single overall score for network risk. Drilling down on the score is what reveals the specific metrics that make up the score. A network map and two top 10 lists round out the dashboard.

Verizon and its managed security practice focuses more on incident metrics. Tracking what goes wrong can help an IT manager figure out where to allocate resources, says Christopher Porter, a principal of Verizon's RISK team.

"The types of incidents that you have in your organization are kind of indicative of the people, process, and technology that you have in place," he says.

Here are five recommended metrics:

1. Your ignorance
From Sun Tzu to Donald Rumsfeld, military generals interested in security are always worried about what they don't know. Security practitioners should take a page from their playbooks, RedSeal's Lloyd says.

While measuring what is unknown may seem at best an oxymoron and at worst an exercise in futility, it's both doable and important. Comparing the picture that different groups have of the network can lead to finding parts that one team knows about and another team does not.

"You have to be able to survey they terrain," Lloyd says. "If you can't tell, as a CISO, how big the gaps are in your knowledge, then you are in trouble."

By counting the anomalies between sets of asset data and tracking that number, an IT security manager has a good idea of remains to be discovered.

2. Attack surface area
Once a network has been mapped, companies can then attempt to find the paths into the network that an attacker might use.

The overall black-box measure of a system or network can be expressed as a rating of the attack surface area -- a measure to be minimized. If the network is a chess board, then the systems in the network are chess pieces, Lloyd says. If any are left open to attackers, they can be compromised.

"You can take any given asset and figure out how easy it to get in," Lloyd says. "A vulnerability scanner is a great way to assess the network chess board. It knows about an awful lot of pieces."

3. Incidents over time
When incidents happen, whether router misconfigurations or actual attacks, those should be tracked as well, Verizon's Porter says.

Tracking incidents can help security manager to get an idea of how aware the team is of potential issues before they become problems.

"If I start collecting my incidents and I can see the types of incidents that are affecting similar organizations, I can see my weaknesses," he says. "I can see if my resources are making those incidents go down."

4. Vulnerability of critical assets
Prioritizing issues that need action is a necessary part of any security manager's job.

One way to triage security issues is to rank them by the level of vulnerability of an asset and the value of the asset. A critical vulnerability in an exposed server holding the company's sensitive customer list is far more important than a low-severity issue in an internal file server.

"The question that needs answering is which actions have the highest payoff," RedSeal's Lloyd says.

5. Impact of mitigating vulnerabilities
Finally, companies need to be able to look for solutions to problems that may be beneficial to multiple servers and workstations. A good metric to track that positive benefit is to focus on the impact of fixing a particular vulnerability, Lloyd says.

"The highest impact I might have is not just by patching the most critical servers over and over again," he says. "I want to find a way to maximize the downstream impact of fixing some assets."

Patching a dozen critical servers or updating firewall or intrusion-detection rules? Knowing the impact of each action is key.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/13/2012 | 7:02:31 AM
re: Five Tactical Security Metrics To Watch
Good to know about the-Five Tactical Security Metrics
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-04
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attac...
PUBLISHED: 2020-06-04
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
PUBLISHED: 2020-06-04
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
PUBLISHED: 2020-06-04
An unquoted service path vulnerability in the FortiSIEM Windows Agent component may allow an attacker to gain elevated privileges via the AoWinAgt executable service path.
PUBLISHED: 2020-06-04
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-coded ...