As organizations have developed their information security strategies in recent years, it has become increasingly common for companies to use metrics to gauge security-related key performance indicators (KPIs) and so determine overall security efficiency.
From measuring the time to detect and respond to threats and the frequency of third-party access to corporate systems, to calculating the volume of data transferred within a corporate network and the number of systems with known vulnerabilities, effective management of such information security performance indicators can significantly help an organization highlight its security strengths and weaknesses.
In fact, effective metrics have the potential to make the difference between a practical and efficient project and one that is doomed to fail from the get-go.
However, there is a vast number of different security metrics to consider, so how does an organization ensure it gets value from them, and are there some metrics that simply prove ineffective and should be avoided?
Infosecurity spoke to Kumar Saurabh, CEO of LogicHub, to further decipher the security metric landscape.
How important is it to have effective security metrics and why?
Every day, cyber-criminal activity grows more sophisticated and metrics are the only indicator of whether or not security operations are keeping pace.
Running security operations without metrics is like driving a car without a speedometer. CISOs and security decision makers don’t know if they’re running too fast, too slow, if they’ve stalled or if they’re making progress. The difficulty then lies in knowing which metrics are effective and which are not. By using effective metrics, security analysts are better equipped to do their jobs and organizations can set and track toward realistic security goals, make better organizational decisions and compare performance against industry standards.
What is the current standard of security metric effectiveness?
The larger the security operations team and the more organizational emphasis placed on security, the more robust and differentiated measuring, reporting and tracking processes you will find.
Understanding the audience is the most important aspect of implementing effective metrics. Metrics that work for a SOC analyst are different from those that work for a CISO, and even further separated from those that work for the C-suite. The majority of metrics are highly contextual and different teams should be tracking different things.
Incident response teams should be measuring the type of cases, how long investigations take and what’s causing the alert in the first place. Threat detection teams should be using different KPIs, such as what penetration tests detect. Operations teams, meanwhile, will be measuring how many systems hold vulnerabilities, what is currently patched and what still needs to be.
What are the most effective cybersecurity metrics to use today?
Skilled SOC analysts are still the very best defense in combating threats. In understanding this, the most effective metrics are those which allow analysts to take action by cutting through the noise and triaging the alerts presenting the greatest organizational danger. Today’s analysts are drowning in alerts and false positives and metrics that answer the simple question of ‘do I or don’t I need to take action?’ are highly beneficial. These types of metrics quieten the noise analysts face and enable them to concentrate only on what’s important, and ignore the rest.
In addition, it’s important to gauge the efficiency of SOC teams with threat metrics such as mean time to detect, mean time to respond and mean time to resolve. This way security operations can benchmark performance and identify areas for improvement.
Why are some information security metrics not effective?
Metrics which prove ineffective are those which don’t enable analysts to take action. Any metric that is non-actionable is non-functional. Some of the least-actionable metrics currently used by enterprise security teams include:
- Top 10 IP addresses in use: as far as turning this metric into action, there is little benefit. Simply knowing which IP addresses are most commonly used does not enhance threat visibility or educate SOC teams as to which are dangerous and require further investigation/action, and which do not.
- Any metric without a threshold: if a metric cannot be painted green, yellow or red, it’s less actionable. Without a threshold, consumers of a particular dashboard are caught wondering ‘do I need to take action, is everything OK?’ Metrics must be associated with a scale of importance/danger in order to be effective.
- A funnel: this is the definition of a vanity metric. It does little good to know you have a billion events, 100 alerts, 10 cases, etc. What SOC teams need to understand is why the alert is being produced and what the potential consequence of not taking action is. Analysts require context around why they should care about these numbers and what they should do with them, and not what the numbers are themselves.
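As an added example that is not from the article or from LogicHub, the following script ties together the mean time to detect/respond/resolve metrics from the earlier answer and the green/yellow/red threshold point from the list above: it computes each mean from case records and rates it against a threshold so the dashboard answers ‘do I need to act?’. The case records, field names and threshold values are constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample cases (not real incident data). Each record holds ISO-8601
# timestamps for when the activity began, when it was detected, when an analyst
# first acted on it, and when it was resolved.
CASES = [
    {"id": "case-1", "start": "2024-03-01T08:00:00", "detected": "2024-03-01T09:30:00",
     "responded": "2024-03-01T10:00:00", "resolved": "2024-03-01T14:00:00"},
    {"id": "case-2", "start": "2024-03-02T22:00:00", "detected": "2024-03-03T06:00:00",
     "responded": "2024-03-03T07:00:00", "resolved": "2024-03-03T19:00:00"},
    {"id": "case-3", "start": "2024-03-05T12:00:00", "detected": "2024-03-05T12:15:00",
     "responded": "2024-03-05T12:45:00", "resolved": "2024-03-05T15:45:00"},
]

# Assumed thresholds in hours: at or below the first value is green, at or
# below the second is yellow, above the second is red.
THRESHOLDS = {"mttd": (1.0, 4.0), "mttr": (1.0, 2.0), "mttres": (4.0, 8.0)}

# Which interval each metric measures (start/end field names per case).
INTERVALS = {"mttd": ("start", "detected"),      # mean time to detect
             "mttr": ("detected", "responded"),  # mean time to respond
             "mttres": ("start", "resolved")}    # mean time to resolve

def hours_between(case, metric):
    a, b = INTERVALS[metric]
    return (datetime.fromisoformat(case[b]) - datetime.fromisoformat(case[a])).total_seconds() / 3600

def rate(value, metric, thresholds=THRESHOLDS):
    green, yellow = thresholds[metric]
    return "green" if value <= green else "yellow" if value <= yellow else "red"

def dashboard(cases, thresholds=THRESHOLDS):
    """Mean of each interval in hours, paired with its colour so it is actionable."""
    out = {}
    for metric in INTERVALS:
        value = mean(hours_between(c, metric) for c in cases)
        out[metric] = (round(value, 2), rate(value, metric, thresholds))
    return out

def red_cases(cases, metric, thresholds=THRESHOLDS):
    """Case ids whose own interval is red: the ones an analyst should look at first."""
    return [c["id"] for c in cases if rate(hours_between(c, metric), metric, thresholds) == "red"]

if __name__ == "__main__":
    for metric, (value, colour) in dashboard(CASES).items():
        print(f"{metric}: {value:.2f} h -> {colour}")
    print("detection outliers:", red_cases(CASES, "mttd"))
```

With the constructed data the mean time to detect lands in yellow, mean time to respond in green and mean time to resolve in red, and red_cases singles out the one case whose detection delay drove the mean up.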