We trust measurements to let us know where we stand on so many crucial subjects. Security should fall under that same umbrella. In an article for VentureBeat, Ashok Sankar discusses the challenges of selecting the proper metrics to measure security effectiveness.
On paper, it might make sense to go with the number of breaches in a year as a starting metric. But if there are 30 breaches in one year, followed by 25 breaches the next year, the second year is not a better year if one of those 25 breaches nabbed valuable intellectual property. As Sankar says, “It’s like adding up the number of broken windows in a bank with a wide-open vault.” Three metrics that come recommended instead are average time to respond, time to repair, and dwell time.
Those first two sound pretty intuitive, but dwell time is especially insidious. Sankar likens it to walking around a retail store. If you visit the store, you may retain a few details about where things are located, but if you spend a week or months there, you will know the layout much better. Likewise, the greater the dwell time, the greater the danger the intruder now represents. Sankar continues:
“According to the 2015 threat report from Mandiant, attackers spent a median of 205 days inside a company’s network before being discovered. That’s nearly 30 weeks combing through your information for vulnerabilities, identifying critical information, mapping your network, and determining any anomalies or adverse actions. Imagine the damage an attacker could inflict given that amount of undetected time.”
When incorporating dwell time into a larger security plan, IT should be given an appropriate budget to find the right tools for detecting intrusions, analyzing intruder actions, and kicking out those criminal jerks. Once this is accomplished, you will have real, useful numbers to inform your security efforts. You can read the original article here: http://venturebeat.com/2015/05/25/finding-the-right-metrics-to-rate-your-security/