Maybe we should just give up trying to maintain secure
enterprise networks; it’s just too hard. Fully 71% of respondents admitted that
their
networks are exposed to external threats due to misconfiguration issues
present in their security device infrastructure. Verizon reports that 79%
of organizations fail to maintain their PCI compliance from their prior
year’s assessment to the next year’s Initial Report on Compliance. More than 50
percent had no idea how
many of their organizations’ internal hosts were actually exposed to the
Internet.
We know that even in this era of constrained budgets,
enterprises are spending more and more on network security—and yet 75% of
network and security pros agree that the advantage
is still on the side of the attacker. Verizon reposts that security
“erosion” over the course of the year between PCI audits is the case with the
vast majority of enterprises, despite the fact that we know there’s a correlation
between data breaches and lack of PCI compliance.
Maybe it’s time to re-evaluate our priorities. As Dr.
Mike points out, there’s a general consensus that much can be gained by
focusing on the basics—the core controls. If you’re covering 90% of the core
controls, security pros agree it’s better to put effort into getting to 100%
rather than expanding the number of controls.
But if you’re focused on the core controls, how do you know
what percentage level you’re at, and where the areas of exposure are? That’s
where security metrics comes in.
In this case, we’re referring to actionable security
metrics—metrics that provide proactive
security intelligence. Many metrics are available to security pros: number
of patches; number of vulnerabilities; and the number of firewall and router
config changes are good examples of typical metrics. But most of these data
points are without context, or simply serve as busyness measures. They don’t
characterize risk in a meaningful way, nor do they point towards a specific
area that needs attention.
Andrew Jaquith,
in his book Security
Metrics: Replacing Fear, Uncertainty and Doubt, describes the value of security
metrics by contrasting to other business disciplines. For example, freight
companies know their freight cost per mile and loading factors-as well as those
of their competitors. Management can therefore set meaningful objectives and
measure themselves against comparable companies. Choosing to be above, on, or
below an industry average is a question of strategy as well as operational
efficiency. For example, a freight company may be willing to have a lower load
factor than its peers if that's the tradeoff required to offer faster delivery
times (for which it presumably charges a premium).
Similarly, warehousing firms measure and compare their
cost/square foot and inventory turns, and e-commerce companies measure their
website conversion rates. And of course financial metrics have been
standardized and reported on for years. Companies can therefore compare
relevant metrics to those of their peers in order to better evaluate their
internal performance.
Could such a use of metrics apply to security? Yes, but only
if consistently generated within the context of a security framework.
The three pillars of security are visualize, comply and
protect. If we build a framework on those pillars we’ll be able to generate
meaningful security metrics.
Visualize: There is wisdom in Requirement 1 of the
PCI DSS, in the section entitled “Build and Maintain a Secure Network”: the
requirement is to create a network diagram, and keep it current. Why? You can’t
secure what you can’t see. And yet, according to Verizon Requirement
1 has the second-highest erosion factor out of the nine requirements not
specific to planning and checking. When security pros can visualize the network
topology—including groups that clearly identify zones (such as DMZ) and
untrusted sources—they become much more effective in creating effective
segmentation strategies and policies, and maintaining their compliance.
Comply: Compliance refers to PCI, FINRA, FFIEC, SOX
and other regulatory frameworks, of course, but also internal policies, and
best practices from sources such as SANS’ 20 Critical Security Controls, Version 3.0. However, complying
with regulatory and internal policies in most cases is open loop; we perform
security measures in an effort to comply, but other than regulatory audits
we’re mostly in the dark as to how effective our security controls are. What we
need to do is get from open loop security frameworks to closed loop with
feedback controls that allow us to make continuous adjustments in the presence
of security erosion, as shown in the diagram below:
Protect: The fundamental security question is whether
the network is protected. How can we know what’s working, and where additional
focus is required? By developing a security framework that provides security metrics—feedback
controls, from which effective remediation strategies to security erosion can
be devised. Security metrics enable enterprise to answer questions such as:
- What is my overall level of risk, and how does it compare to yesterday, last week, last month and last year?
- How easily can attackers get in?
- How big is my attack surface?
- How much of my infrastructure is undocumented?
- Are investments and actions paying off?
- Where do we need to improve?
- Are we ready for our next audit?
Note that the questions above relate to actual network
security, unlike, say, how many hosts were patched in the last month (busyness
measure) or how many vulnerabilities are being scanned for (no context).
Are these good security metrics? Let's look at Andrew Jacquith's
definition
of a good metric:
- consistently measured, without subjective criteria;
- cheap to gather, preferably in an automated way;
- expressed as a cardinal number or percentage, not with qualitative labels such as high, medium and low;
- expressed using at least one unit of measure, such as "number of hosts directly exposed"; and
- contextually specific—relevant enough to decision-makers so that they can take action.
The security metrics provided in RedSeal 5 satisfy all of
Jacquith’s criteria for good metrics, enabling RedSeal’s customers to
continuously monitor their network through a closed loop process and therefore
address problem areas—and in doing so protect their organization’s hosts and other sensitive assets.
