Network security metrics might not be the most tantalizing topic in the IT world, but it’s one that is increasingly important as networks become more complex and threats more pernicious. Metrics can help security managers identify risks and vulnerabilities, evaluate a network’s overall security posture and make necessary changes. In short, without them you don’t know what you don’t know, which can leave you not only at risk but unable to make improvements.
Cyber threats have outpaced some traditional security controls as networks have grown from onsite server rooms to cloud computing environments with many mobile users. This complex, multi-tiered environment has led many organizations to adopt continuous monitoring, the practice of automatically and regularly scanning a network’s assets, configurations and vulnerabilities, while looking for signs of suspicious activity. That monitoring generates a lot of data that, when turned into useful metrics, can identify many ways to improve security.
For federal agencies, security metrics are required as part of the Federal Information Security Management Act (FISMA) with reports due every year. The 2014 metrics document covers priority areas such as continuous monitoring, identity management and boundary protection.
DHS’s metrics are intended to evaluate how well agencies are automating monitoring and security controls, and to identify best practices. That can be helpful in getting a government-wide view of security and giving individual agencies a model to follow so they can be more like DHS’s Office of Inspector General, the only agency to get a score of 99 two years in a row on the FISMA report to Congress.
Some organizations with unique circumstances might want to establish additional metrics. Before starting down that path, it’s a good idea to know what a metric is.
One definition of a metric is a combination of data points that provide analytical insights into an enterprise. But a simpler definition is that metrics are data that, combined with an algorithm, can tell a story.
With both definitions, it’s important to distinguish between measurements and metrics. Identifying a number of vulnerabilities in an enterprise is a measurement, not much of a story. Showing that the number represents a spike from previous years and that the vulnerabilities are spread across other organizations is a metric. It tells a story and is more likely to get a response.
And, not incidentally, a good story can help when making the case to C-level executives for the funding or manpower to make improvements.
A key to getting good metrics is knowing what to measure in the first place. That can vary somewhat, particularly with regard to internal metrics that may be unique. But some metrics are nearly universal in their ability to identify potential soft spots in the network.
A few examples of effective metrics:
- What is the time taken to patch critical, automatically exploitable vulnerabilities (per business unit)?
- What is the percentage of systems with up-to-date malware defenses (per business unit)?
- What is the percentage of systems scanned in-depth (credentialed) by a vulnerability scanner?
- What is the time taken to identify unknown assets on the network?
- What percentage of staff has completed security awareness training?
Metrics such as these grow out of an understanding of what is to be measured and what the potential implications are in each category. They also could be used to establish comparative benchmarks.
DHS’s annual roundup also illustrates another important factor regarding metrics—the importance of sharing your results. Whether through a formal process such as a government-wide report or via other methods, sharing results can help you put them in context. Results from another organization might clue you in to a best practice, or warn you of a potential weakness. They could even help identify a poorly designed metric that doesn’t really tell you what you think it does.
The current state of networking and the cyber threat landscape makes continuous monitoring essential to keeping networks secure. But monitoring is only effective if you have the metrics to turn that data into useful information—into a story, so to speak, that inspires real improvements.
COMMENTS