CIS Consensus Information Security Metrics - Converting Uncertainty into Risk
Full disclosure
In my day job I am Solutions Architect for the McAfee Risk and Compliance Business Unit. Our products cover compliance management, risk management, IT security risk analysis, and a range of application and change control technologies.
[3/2/2010 note: when I wrote this article I worked for McAfee. I do, however, no longer. :)]
In a former life I evaluated complex, multidimensional data sets using models and metrics - I was a scientist performing quantitative analysis of noisy data. The result is that I've spent many years and a lot of energy thinking about and using models, metrics, and measurement. That background gives me certain views, opinions, and expectations.
Now that you know where I'm coming from let's talk about risk, measurements, metrics, and uncertainty. ;)
What We Need
IT security is a relatively young field. Our ability to create and leverage models that consume data (measurements, metrics) and predict when a Bad Thing™ might happen is not where we really want it to be.
I have written on this topic before. In that article I propose that our best path to mitigating IT security risk is to be able to estimate with some confidence that a Bad Thing™
- has occurred in the past
- is happening right now
- may or will happen in the future
Measurement - collection of events from our environment - can help us with the first task. If we are nimble and quick on our feet then measurements and metrics can even help us with the second task by triggering alarms in an efficient manner.
Sadly, data alone cannot help us with the third. Before we can get there we need enough of the right kinds of data so that we can analyze, correlate, and model.
Something We Do Have
The Center for Internet Security has organized a boatload of knowledgeable people to agree on and promote a collection of measurements and metrics that we can use. They call them the CIS Consensus Information Security Metrics.
There are twenty measurements and metrics listed in the white paper, grouped into six categories. I have included the list below, but I encourage you to download the white paper and read through the details. If you do, you'll find that they are all things you should be tracking in your security environment today and that they are all "good common sense".
Several of the metrics in the collection are for coverage of key metrics across your organization - that is, they are measures of possible holes in your risk management program. As I've argued before, RISK is better than UNCERTAINTY and uncertainty arises from a lack of data. If you improve your security posture by closing holes revealed by these metrics then you will find yourself moving your organization from the realm of managing UNCERTAINTY and into the realm of managing RISK.
Now, if I could get my hands on a large, anonymized data set that includes these metrics I think we can make some progress toward predictive metrics and models.
-Eric
p.s. Here is that list of categories and metrics. Enjoy!
Incident Management
- Mean time to incident discovery
- Incident rate
- Mean time between incidents
- Mean time to incident recovery
Vulnerability Management
- Vulnerability scan coverage
- Percent of systems without known severe vulnerabilities
- Mean time to mitigate vulnerabilities
- Number of known vulnerable instances
Patch Management
- Patch policy compliance
- Patch management coverage
- Mean time to patch
Configuration Change Management
- Mean time to complete changes
- Percent of changes with security review
- Percent of changes with security exceptions
Application Security
- Number of applications
- Percentage of critical applications
- Risk assessment coverage
- Security testing coverage
Financial
- Information security budget as a percentage of IT budget
- Information security budget allocation
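As an added illustration (not from the CIS white paper or this post), here is how a handful of the Incident Management and Vulnerability Management metrics above can be computed from constructed incident and asset records. The exact CIS formulas live in the white paper; the simple definitions below (hours from occurrence to discovery, hours from discovery to recovery, days between incident starts, scanned share of the inventory) are assumptions chosen to show the uncertainty-versus-risk point: the unscanned remainder is a hole in measurement, not a measured risk.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Incident:
    occurred: datetime    # when the Bad Thing actually began
    discovered: datetime  # when we first noticed it
    recovered: datetime   # when normal operation was restored

def hours(delta):
    return delta.total_seconds() / 3600

def mean_time_to_discovery(incidents):
    # Mean time to incident discovery, in hours: how long Bad Things go unnoticed.
    return mean(hours(i.discovered - i.occurred) for i in incidents)

def mean_time_to_recovery(incidents):
    # Mean time to incident recovery, in hours, counted from discovery.
    return mean(hours(i.recovered - i.discovered) for i in incidents)

def mean_time_between_incidents(incidents):
    # Mean gap between consecutive incident start times, in days.
    # Needs at least two incidents; otherwise there is no gap to measure.
    starts = sorted(i.occurred for i in incidents)
    if len(starts) < 2:
        return None
    return mean((b - a).total_seconds() / 86400 for a, b in zip(starts, starts[1:]))

def incident_rate(incidents, period_days):
    # Incidents per day over the reporting period.
    return len(incidents) / period_days

def scan_coverage(inventory, scanned):
    # Vulnerability scan coverage: share of the asset inventory that was scanned.
    # The unscanned set is where we have UNCERTAINTY rather than measured RISK.
    unscanned = inventory - scanned
    return len(inventory & scanned) / len(inventory), unscanned

# Constructed sample data (hypothetical, not real incident records or hosts).
SAMPLE_INCIDENTS = [
    Incident(datetime(2010, 1, 1, 8), datetime(2010, 1, 1, 20), datetime(2010, 1, 2, 8)),
    Incident(datetime(2010, 1, 11, 8), datetime(2010, 1, 12, 8), datetime(2010, 1, 12, 14)),
    Incident(datetime(2010, 1, 31, 8), datetime(2010, 1, 31, 14), datetime(2010, 1, 31, 20)),
]
INVENTORY = {"web-01", "web-02", "db-01", "db-02", "jump-01"}
SCANNED = {"web-01", "web-02", "db-01"}

if __name__ == "__main__":
    print("MTTD (h):", mean_time_to_discovery(SAMPLE_INCIDENTS))
    print("MTTR (h):", mean_time_to_recovery(SAMPLE_INCIDENTS))
    print("MTBI (days):", mean_time_between_incidents(SAMPLE_INCIDENTS))
    print("Incidents/day over 90 days:", incident_rate(SAMPLE_INCIDENTS, 90))
    print("Scan coverage, unscanned hosts:", scan_coverage(INVENTORY, SCANNED))
```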