Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

Creating an IT Metrics programme to Safeguard the Network

Cisco : 14 October, 2014  (Special Report)
Sujata Ramamoorthy and Hessel Heerebout of Cisco Systems explain the importance of setting up a unified IT security metrics programme
Creating an IT Metrics programme to Safeguard the Network

The Golden State Warriors basketball team has pioneered the use of metrics to improve its players’ performance. Using statistical analysis, the team discovered an area where they were underperforming. It turns out that players from opposing teams were scoring against star center David Lee 53 percent of the time when he was guarding them within five feet of the basket. This is information so specific that even the most dedicated sports statistician could not have discovered it – instead, it was discovered by examining a group of key metrics together.

Armed with this detailed information, coaches created a training plan to strengthen this area of weakness. As a result, overall team performance improved as well as Lee’s. This example provides insights for network security professionals on the usefulness of metrics.

Good metrics have three primary attributes: consistency, cost-effectiveness and significance. The Cisco Information Security (InfoSec) team applies similar fundamentals to protect Cisco IT infrastructure against attacks. One of its key governance programmes – Unified Security Metrics (USM) – is part of a broader CIO initiative called the Pervasive Security Accelerator (PSA).

The prime directive of USM is promoting continuous improvement, measuring the security posture of an IT service over time and providing a quarterly two-way reporting feedback mechanism to IT service owners and leaders. Increased visibility of these security indicators provides critical system vulnerability intelligence, which can be used for preventative or prescriptive remediation; risk management and security posture assessment; improved security hygiene and operational decision-making activities. More importantly, the introduction of USM represents a paradigm shift at Cisco. Security issues are now handled much more strategically than reactively, and they give organizations like IT expanded operational control and flexibility in managing their security investments, actions and processes.

Appropriate metrics can transform an organization by solving real problems. In addition, metrics do not need to be sophisticated to be meaningful. But they do need to be measured properly. The policies Cisco uses for ensuring hygiene—patching systems, building security in and managing vulnerabilities—have existed for many years. However, when we first started measuring these existing activities, very few teams were doing it well.
Today, with enhanced measurement and reporting activities through USM, we’ve improved our vulnerability on-time closure rate by 70 percent, which shows that expanded visibility motivates people to do their part.

By combining multiple sources of individual data, USM creates higher-value actionable metrics and decision-making capabilities. These outcomes protect Cisco’s organizational processes, data, operational integrity and brand from attacks. For Cisco, that’s a win-win.
Five Key Measurements

Combining multiple sources of individual data is much easier to say than to do. Where do you start? How do you mine data through the use of metrics in order to provide greater insight into your agency’s security posture, while simultaneously using it as a vehicle to protect your most critical assets?

InfoSec’s USM team can mine information from a huge number of data sources, including IT system logs and dashboards. In fact, early research conducted by the team identified 30 different types of meaningful data to track. Comprehensive, yes, but not feasible or sustainable to implement long-term across Cisco. The USM team’s solution centered on the primary outcomes they were trying to achieve, i.e. driving security process improvement behaviors and actions within IT. Subsequently, the list was narrowed down to five key measurements:

1 Deep vulnerability assessment of applications: computes whether penetration testing has been performed on our most critical applications in accordance with Cisco policy and, if post-testing, any open security weaknesses remain
2 Compliance of anti-malware software: quantifies whether malware protection software has been properly installed and is up to date
3 Stack compliance: measures vulnerabilities found on the TCP/IP stack (i.e., network devices, operating systems, application servers or middleware)
4 Baseline application vulnerability assessment: computes whether automatic vulnerability system scans have been performed in accordance with Cisco policy and, if post-scan, any open security weaknesses remain
5 Detecting Deviations: measures the total number of open security exceptions, based on deviations from established security standards and best practices

All of these measurements were readily available, provided good quality data and could be easily collected and correlated to existing IT service delivery success factors. A great starting point, yet how would one translate these measurements into meaningful security metrics? For USM, the data output from these baseline measurements were used to calculate two critical security metrics: First, vulnerability, which reveals how many vulnerabilities exist in the service, and how many are infrastructure versus application related; and second, on-time closure, which answers the question, “Are vulnerabilities closed and compliant with the team’s given Service Level Agreement?”

During the early rollout phase of this programme, IT service owners were not fully convinced that these security metrics would yield quantifiable information. However, when USM discovered that only 15 percent of vulnerabilities were actually closed on time – leaving Cisco exposed – IT service owners stepped up and managed to raise the rate to 85 percent within a year.

As with any programme in its early stages, USM encountered a few bumps in the road but ended up demonstrating value to IT service owners. A year after its launch, these owners have incorporated the metrics we identified into their executive review process. Prior to the programme, InfoSec did not have clarity into its security posture; leaders took it for granted that their IT systems were safe… and that was not entirely the case. Now, however, leaders have much greater clarity and confidence into the security of their systems. That translates to speedy detection and remediation of current threats and an embedded process for anticipating future threats. Such is the power of a well-conceived metrics programme.

(This is part one of a two-part series on the benefits of creating a unified security metrics programme. Part two focuses on measuring the success of the programme.)

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo