Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

03:40 PM

Five Tactical Security Metrics To Watch

Wondering how secure the corporate network is? Here's five operational security metrics that can help. First of a two-part series

Ask security professionals for a list of important metrics, and expect to get a long list with much debate. Yet information security managers need a way to keep track of their progress on securing the network while watching out for potential threatening situations.

Good metrics can help define the fight. While many professionals might argue that it's better to have as much information on the security of their networks as possible, too much information can blind practitioners to what is going on, says Mike Lloyd, chief technology officer for network monitoring and discovery firm RedSeal Networks.

"You don't have to have, nor want, a dashboard like an airplane," he says. "You want a dashboard that's more like a car."

In its own dashboard for clients, RedSeal goes to one extreme: a single overall score for network risk. Drilling down on the score is what reveals the specific metrics that make up the score. A network map and two top 10 lists round out the dashboard.

Verizon and its managed security practice focuses more on incident metrics. Tracking what goes wrong can help an IT manager figure out where to allocate resources, says Christopher Porter, a principal of Verizon's RISK team.

"The types of incidents that you have in your organization are kind of indicative of the people, process, and technology that you have in place," he says.

Here are five recommended metrics:

1. Your ignorance
From Sun Tzu to Donald Rumsfeld, military generals interested in security are always worried about what they don't know. Security practitioners should take a page from their playbooks, RedSeal's Lloyd says.

While measuring what is unknown may seem at best an oxymoron and at worst an exercise in futility, it's both doable and important. Comparing the picture that different groups have of the network can lead to finding parts that one team knows about and another team does not.

"You have to be able to survey they terrain," Lloyd says. "If you can't tell, as a CISO, how big the gaps are in your knowledge, then you are in trouble."

By counting the anomalies between sets of asset data and tracking that number, an IT security manager has a good idea of remains to be discovered.

2. Attack surface area
Once a network has been mapped, companies can then attempt to find the paths into the network that an attacker might use.

The overall black-box measure of a system or network can be expressed as a rating of the attack surface area -- a measure to be minimized. If the network is a chess board, then the systems in the network are chess pieces, Lloyd says. If any are left open to attackers, they can be compromised.

"You can take any given asset and figure out how easy it to get in," Lloyd says. "A vulnerability scanner is a great way to assess the network chess board. It knows about an awful lot of pieces."

3. Incidents over time
When incidents happen, whether router misconfigurations or actual attacks, those should be tracked as well, Verizon's Porter says.

Tracking incidents can help security manager to get an idea of how aware the team is of potential issues before they become problems.

"If I start collecting my incidents and I can see the types of incidents that are affecting similar organizations, I can see my weaknesses," he says. "I can see if my resources are making those incidents go down."

4. Vulnerability of critical assets
Prioritizing issues that need action is a necessary part of any security manager's job.

One way to triage security issues is to rank them by the level of vulnerability of an asset and the value of the asset. A critical vulnerability in an exposed server holding the company's sensitive customer list is far more important than a low-severity issue in an internal file server.

"The question that needs answering is which actions have the highest payoff," RedSeal's Lloyd says.

5. Impact of mitigating vulnerabilities
Finally, companies need to be able to look for solutions to problems that may be beneficial to multiple servers and workstations. A good metric to track that positive benefit is to focus on the impact of fixing a particular vulnerability, Lloyd says.

"The highest impact I might have is not just by patching the most critical servers over and over again," he says. "I want to find a way to maximize the downstream impact of fixing some assets."

Patching a dozen critical servers or updating firewall or intrusion-detection rules? Knowing the impact of each action is key.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/13/2012 | 7:02:31 AM
re: Five Tactical Security Metrics To Watch
Good to know about the-Five Tactical Security Metrics
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-16
A Local Privilege Escalation vulnerability exists in the GlobalProtect Agent for Windows 5.0.3 and earlier, and GlobalProtect Agent for Windows 4.1.12 and earlier, in which the auto-update feature can allow for modification of a GlobalProtect Agent MSI installer package on disk before installation.
PUBLISHED: 2019-10-16
A Local Privilege Escalation vulnerability exists in GlobalProtect Agent for Linux and Mac OS X version 5.0.4 and earlier and version 4.1.12 and earlier, that can allow non-root users to overwrite root files on the file system.
PUBLISHED: 2019-10-16
There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces.
PUBLISHED: 2019-10-16
A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to execute code with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating as the re...
PUBLISHED: 2019-10-16
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient...