Measuring the Effectiveness of Your Security Controls
By: Carolyn Crandall, CMO
Performing regular assessments to determine the efficacy of security programs is foundational to understanding the reliability of programs, security gaps, compliance issues, and whether security technology is ending up as “shelfware”. To gain continued program support and funding, information security teams are expected to evaluate and report, on a regular basis, the performance of their existing security systems and on the impact of their security controls.
Organizations making investments in new security technology are also under scrutiny to demonstrate that these purchases are performing according to expectations and are delivering the expected value. Unfortunately, providing metrics on security measures and ROI is not always that easy to calculate.
There are, however, several measures that can be implemented to help gauge the effectiveness of security controls and protect against putting organizations and their critical assets at risk. Some of these include:
False Positive Reporting
One way to measure the effectiveness of security controls is by tracking False Positive Reporting Rate (FPRR). Analysts are tasked with sifting out false positives from indicators of compromise before they escalate to others in the response team. “Despite the implementation of automated filtering, the SOC team must make the final determination as to whether the events they are alerted to are real threats,” Greg Boison, director of Homeland Security at Lockheed Martin says. “The reporting of false positives to incident handlers and higher-level management increases their already heavy workload and, if excessive, can de-motivate and cause decreased vigilance.” A high FPRR will generally indicate the need for more accurate detection technology and better tuning of analytics tools. With Attivo technology, alerts are engagement-based and are substantiated with the event information required to block an attack and quarantine an infected system. These high-fidelity alerts can reduce the workload of analysts and mitigate the risk that a real alert not be missed amongst a mass of noise. Efficacy measurements can include alert volume, alert accuracy, and trending of time to respond and remediate.
Incident Response Volume
Tracking the total number of incident response cases opened against those closed and pending is another method of measuring the success of security controls. By monitoring the organization’s incident response volume, CISOs can better identify how well incidents are being found and addressed. To accelerate investigation and improve incident response operations, Attivo Networks recently added ThreatOps™ to its ThreatMatrix™ Deception and Response Platform. The new ThreatOps solution is designed to accelerate incident response by automatically taking disparate attack information to correlate and display it within one dashboard where attacks can be scored and playbooks created. The playbooks can then be used to create repeatable processes, simplifying incident response. Through 3rd party integration with prevention systems (Firewall, NAC, End-point, SIEM), attacks will automatically be blocked and quarantined, expediting response actions and preventing the attack from continuing to spread through the network. Additionally, the solution empowers customers to threat hunt for forensic artifacts in other parts of the network and confirm that they have eradicated the attack.
Ongoing vulnerability assessment and penetration (pen) testing are both critical components to protecting an organization’s critical assets and information. In addition to identifying network level vulnerabilities with tools like Nessus or Microsoft Baseline Security analyzer, understanding the attack paths that an attacker can take to penetrate an organization based on misconfigurations or exposed credentials can play a key role in attack prediction and avoidance. Attivo recently announced two offerings, ThreatPath and attack time-lapsed replay, which provide valuable insight into attack predictability. The ThreatPath solution provides a topographical map of misconfigured end-points and shows where exposed credentials are vulnerable. This information, along with a time-lapsed replay of the lateral movement of attackers, can be used to prevent attacks by closing vulnerabilities seen with specific end-points and in-the-network infrastructure.
Conducting periodic pen testing provides insight into security infrastructure effectiveness and is a valuable resource to answering the question of whether your network is secure and how you know. According to an article in SearchSecurity by Kevin Beaver, “How Often Should Businesses Conduct Pen Tests?”, there is no one-size-fits-all when it comes to how often one should conduct penetration testing, but instead, the frequency depends on how often is necessary to keep security risks low. Many organizations have found deception technology to be a valuable resource for the Pen Testing Blue Teams. Deception has proven to be instrumental in detecting attacks such as stolen credentials, man-in-the-middle, and advanced threats that are known to evade prevention devices and often result in a security audit failure. Attivo Networks ThreatMatrix solution and its forensic reporting can not only detect the activities of a Red Team, but also dramatically slow down their efforts, and help the Blue Team create the reports required to substantiate the findings of Red Team activity and to demonstrate the security resilience of the network.
Executive and Board Satisfaction
This decade marked the first time executives very publically lost their jobs based on security breaches. Not surprisingly, this got the attention of every CEO and Board member in the country. According to Bay Dynamics® report, How Boards of Directors Really Feel about Cyber Security Reports, 26 percent of board members surveyed cited cyber risks as the highest priority. Creating executive summaries that track the performance of security programs and productivity can improve communications and often help secure budgets for ongoing programs and enhancements. While more than three in five board members say they are both significantly or very “satisfied” and “inspired” after the typical presentation from IT and security executives about the company’s cyber risk, the majority (85 percent) believe that IT and security executives need to improve the way they report to the Board, according to the same report. Basic security programs will include metrics on the number of incidents and demonstrate that these incidents were addressed and that further risk has been mitigated.
Continually measuring the effectiveness of security controls is essential for an organization’s security teams. Establishing metrics to baseline threat activity, hosting regular assessment of security controls, and reviewing incident response programs are not only good practice but can also yield metrics that are instrumental in building senior executive confidence in an organization’s security infrastructure and in securing the required budgets to maintain a solid defense.
Mike Chapple of University of Notre Dame put it in Computer Weekly that, “measures may be ignored, bypassed or incorrectly implemented, and organizations may not realize how ineffectively any given IT security control may be managed or implemented, resulting in higher levels of risk exposure.” We have entered an era where we know that threats can and will enter the network. It is now more a matter of gaining visibility into these threats before harm can occur. Having the right security controls in place and having ways to measure their effectiveness can be considered basic hygiene and in other cases, a Board-driven requirement. Regardless of the driving motivation, having the right processes and reporting in place to track efficacy will build confidence in security programs and when needed, can be used to help secure the funding needed for additional investment. I welcome you to also read 7 Tips for Getting Your Security Budget Approved by Kelly Sheridan at darkreading.com