Effective management of varying performance indices in information security can mean the difference between a practical and efficient project and a complete waste of money.
Although managers have been following KPIs for quite some time now, tracking cyber security metrics in information security is still an uncommon and developing practice.
So, here are some suggestions for cybersecurity metrics that can and should be tracked to ensure the efficiency of your security projects.
Mean-Time-to-Detect and Mean-Time-to-Respond
Mean Time To Identify (MTTI) and Mean Time To Contain (MTTC) figures for US companies indicate that the Detect and Respond phases are suffering. In fact, the MTTC in 2017 was 208 days and the MTTI was 52 days. At the same time, the likelihood of incurring a mean breach cost of $2.25M over the next 24 months is almost 28% for U.S. companies.
Poor performance in MTTI and MTTC is a huge contributor to breach costs. These should be your two most important KPIs when measuring information security. They are also good KPIs for CISOs to measure and show their Board to demonstrate long-term improvement. Everyone on the security team should prioritize improving these two KPIs.
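The two KPIs above are only useful if they are computed the same way every quarter. The following script is an added example (not code from the article or from CIPHER) that derives MTTI and MTTC from a constructed incident register. It assumes three timestamps per incident: first evidence of compromise, detection, and containment, and defines MTTI as compromise-to-detection and MTTC as detection-to-containment; incidents still open are excluded from MTTC but reported separately so the board sees them.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    incident_id: str
    compromised_at: datetime          # earliest evidence of attacker activity (from forensics)
    identified_at: datetime           # when the security team detected the incident
    contained_at: Optional[datetime]  # when the incident was contained; None while still open


# Constructed sample records for illustration; not real incidents.
INCIDENTS: List[Incident] = [
    Incident("INC-001", datetime(2017, 1, 1), datetime(2017, 2, 10), datetime(2017, 3, 2)),
    Incident("INC-002", datetime(2017, 3, 5), datetime(2017, 5, 4), datetime(2017, 5, 24)),
    Incident("INC-003", datetime(2017, 6, 1), datetime(2017, 6, 21), None),
]


def _days(start: datetime, end: datetime) -> float:
    """Elapsed time in days, fractional."""
    return (end - start).total_seconds() / 86400


def time_to_identify(inc: Incident) -> float:
    """Days from first compromise to detection (the 'Detect' phase)."""
    return _days(inc.compromised_at, inc.identified_at)


def time_to_contain(inc: Incident) -> Optional[float]:
    """Days from detection to containment (the 'Respond' phase); None if still open."""
    if inc.contained_at is None:
        return None
    return _days(inc.identified_at, inc.contained_at)


def mean_time_to_identify(incidents: List[Incident]) -> float:
    return mean(time_to_identify(i) for i in incidents)


def mean_time_to_contain(incidents: List[Incident]) -> Optional[float]:
    # Open incidents have no containment time yet, so they are left out of the mean.
    closed = [time_to_contain(i) for i in incidents if i.contained_at is not None]
    return mean(closed) if closed else None


def open_incidents(incidents: List[Incident]) -> List[str]:
    """Incidents that have been detected but not yet contained."""
    return [i.incident_id for i in incidents if i.contained_at is None]


def kpi_report(incidents: List[Incident]) -> Dict[str, object]:
    """The numbers a CISO would put on a board slide."""
    return {
        "mtti_days": mean_time_to_identify(incidents),
        "mttc_days": mean_time_to_contain(incidents),
        "open_incidents": open_incidents(incidents),
        "incident_count": len(incidents),
    }


if __name__ == "__main__":
    for key, value in kpi_report(INCIDENTS).items():
        print(f"{key}: {value}")
```

Track the report quarter over quarter; a falling MTTI shows detection investments paying off, while a falling MTTC shows the response process maturing.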
Number of systems with known vulnerabilities
Knowing the number of vulnerable assets in your environment is a key cybersecurity metric for determining the risk that your business incurs. Managing updates and patches is a complex process, but it is very important for closing holes that can be exploited in your environment. A vulnerability scan that covers all the assets will indicate what needs to be done to improve the security posture of your company. A vulnerability management program is not a nicety, but a necessity.
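A raw finding count from a scanner is not the metric; the number of distinct systems affected, their worst severity, and how many findings have blown their remediation deadline are. The script below is an added example (not from the article or CIPHER) that computes those figures from constructed scan findings. The asset inventory, the vulnerability labels (placeholders, not real CVE ids) and the SLA days per severity are all assumed values.

```python
from datetime import date
from typing import Dict, List, Set

# Assumed remediation SLA in days per severity; tune to your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed asset inventory (the list the scan is supposed to cover).
ASSETS = ["web-01", "web-02", "db-01", "app-01", "app-02"]

# Constructed scan findings; "vuln" values are placeholders, not real identifiers.
FINDINGS = [
    {"host": "web-01", "vuln": "VULN-0001", "severity": "critical", "first_seen": date(2017, 3, 1)},
    {"host": "web-01", "vuln": "VULN-0002", "severity": "medium", "first_seen": date(2017, 4, 1)},
    {"host": "db-01", "vuln": "VULN-0003", "severity": "high", "first_seen": date(2017, 4, 20)},
    {"host": "app-02", "vuln": "VULN-0004", "severity": "low", "first_seen": date(2017, 1, 15)},
    {"host": "legacy-09", "vuln": "VULN-0005", "severity": "high", "first_seen": date(2017, 2, 1)},
]
AS_OF = date(2017, 5, 1)


def vulnerable_systems(findings: List[dict]) -> Set[str]:
    """Distinct hosts with at least one open finding."""
    return {f["host"] for f in findings}


def vulnerable_percentage(findings: List[dict], assets: List[str]) -> float:
    """Share of the known inventory that carries a finding."""
    return 100.0 * len(vulnerable_systems(findings) & set(assets)) / len(assets)


def shadow_hosts(findings: List[dict], assets: List[str]) -> List[str]:
    """Hosts the scanner found but the inventory does not know about: an inventory gap."""
    return sorted(vulnerable_systems(findings) - set(assets))


def worst_severity_per_host(findings: List[dict]) -> Dict[str, str]:
    """Highest severity seen on each host, for prioritising patch work."""
    worst: Dict[str, str] = {}
    for f in findings:
        current = worst.get(f["host"])
        if current is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[current]:
            worst[f["host"]] = f["severity"]
    return worst


def overdue_findings(findings: List[dict], as_of: date) -> List[str]:
    """Findings that have been open longer than the SLA for their severity."""
    return [
        f["vuln"] for f in findings
        if (as_of - f["first_seen"]).days > SLA_DAYS[f["severity"]]
    ]


if __name__ == "__main__":
    print("vulnerable systems:", sorted(vulnerable_systems(FINDINGS)))
    print("percentage of inventory:", vulnerable_percentage(FINDINGS, ASSETS))
    print("hosts missing from inventory:", shadow_hosts(FINDINGS, ASSETS))
    print("worst severity:", worst_severity_per_host(FINDINGS))
    print("overdue:", overdue_findings(FINDINGS, AS_OF))
```

The `shadow_hosts` check is the one most teams forget: a host that appears in scan output but not in the inventory means the percentage figure is understating exposure.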
Number of SSL certificates configured incorrectly
An SSL certificate is a small file that binds a cryptographic key to the website or company with which data is being exchanged, guaranteeing the authenticity of the transaction. Monitoring the security requirements for each certificate, and ensuring that certificates are properly configured on servers, prevents them from falling into the wrong hands and ensures that your company's digital identity is not used to steal user information.
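To make "number of SSL certificates configured incorrectly" a countable metric you need a fixed list of checks applied to a certificate inventory. The script below is an added example (not from the article or CIPHER) that runs four common checks over a constructed inventory: the certificate's names must cover the host it is deployed on (wildcards matching a single leftmost label only), it must not be expired or close to expiry, its RSA key must be at least 2048 bits, and it must not be signed with MD5 or SHA-1. The inventory, host names and the 30-day expiry warning threshold are assumed values.

```python
from datetime import date
from typing import List

WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048
EXPIRY_WARNING_DAYS = 30  # assumed threshold for "expiring soon"

# Constructed certificate inventory, e.g. exported from a scanner or the servers themselves.
INVENTORY = [
    {"host": "www.example.com", "names": ["www.example.com", "example.com"],
     "not_after": date(2018, 1, 1), "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
    {"host": "mail.example.com", "names": ["*.example.com"],
     "not_after": date(2017, 3, 1), "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
    {"host": "api.example.com", "names": ["api-old.example.com"],
     "not_after": date(2018, 1, 1), "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption"},
    {"host": "vpn.example.com", "names": ["*.example.com"],
     "not_after": date(2017, 6, 15), "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
]
AS_OF = date(2017, 6, 1)


def hostname_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host. A wildcard is allowed only as the
    entire leftmost label and matches exactly one label (so *.example.com does not
    cover a.b.example.com or example.com itself)."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if p == h or (i == 0 and p == "*"):
            continue
        return False
    return True


def certificate_issues(cert: dict, as_of: date) -> List[str]:
    """Every check that the certificate fails; an empty list means it is configured correctly."""
    issues = []
    if not any(hostname_matches(name, cert["host"]) for name in cert["names"]):
        issues.append("name mismatch")
    days_left = (cert["not_after"] - as_of).days
    if days_left < 0:
        issues.append("expired")
    elif days_left <= EXPIRY_WARNING_DAYS:
        issues.append(f"expires in {days_left} days")
    if cert["key_bits"] < MIN_RSA_BITS:
        issues.append("weak key")
    if cert["sig_alg"] in WEAK_SIG_ALGS:
        issues.append("weak signature algorithm")
    return issues


def misconfigured_count(inventory: List[dict], as_of: date) -> int:
    """The metric itself: how many certificates fail at least one check."""
    return sum(1 for cert in inventory if certificate_issues(cert, as_of))


if __name__ == "__main__":
    for cert in INVENTORY:
        print(cert["host"], certificate_issues(cert, AS_OF) or "ok")
    print("misconfigured:", misconfigured_count(INVENTORY, AS_OF), "of", len(INVENTORY))
```

Run it on a schedule against your real inventory and chart the count; the "expires in N days" case is what stops a certificate from silently becoming an outage or a reason for users to click through browser warnings.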
Volume of data transferred using the corporate network
If your employees have unrestricted access to the internet through the corporate network, monitoring the volume of traffic allows you to identify misuse of company resources. When downloading software, videos, movies and applications, a user can leave the door open for botnets and malware to invade their environment, even more so if the downloads are from websites known to be dangerous.
Number of users with "super user" access level
Best practices in information security management include full control over users' level of access to company resources: an employee should only access the data, systems, and assets that are necessary for their work. Identifying the access levels of all network users allows you to adjust them as needed, removing any super user or administrator privilege that does not make sense.
Number of days to deactivate former employee credentials
By monitoring this cybersecurity metric, you can determine whether the Human Resources and IT teams are working in tune. In an ideal scenario, the access of users terminated from the company should be canceled immediately. Keeping it active is a tremendous risk, as it can leak sensitive information and lead to compromised devices.
Number of communication ports open during a period of time
As a general rule, avoid allowing inbound traffic for NetBIOS (UDP 137 and 138, TCP 135-139 and 445). Be observant of outbound SSL (TCP 443): a session that stays active for a long time could be an SSL VPN tunnel that allows bi-directional traffic. Any common ports for protocols that allow remote sessions, like TCP 22 (SSH), TCP 23 (telnet), TCP 3389 (RDP), and TCP 20 and 21 (FTP), should be monitored over time.
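The rules in the paragraph above translate directly into a classifier you can run over firewall or flow logs. The script below is an added example (not from the article or CIPHER) that applies exactly those three rules to constructed flow records: inbound NetBIOS/SMB ports are flagged as something that should be blocked, outbound TCP 443 sessions longer than a threshold are flagged as possible VPN tunnels, and the remote-session ports are flagged for review. It also produces the "open inbound ports over the period" count. The record layout and the eight-hour session threshold are assumptions.

```python
from typing import Dict, List, Set, Tuple

PortKey = Tuple[str, int]

# Ports from the article's guidance.
NETBIOS_INBOUND: Set[PortKey] = {("udp", 137), ("udp", 138), ("tcp", 445)} | {("tcp", p) for p in range(135, 140)}
REMOTE_SESSION_PORTS: Dict[PortKey, str] = {
    ("tcp", 22): "SSH", ("tcp", 23): "telnet", ("tcp", 3389): "RDP",
    ("tcp", 20): "FTP-data", ("tcp", 21): "FTP",
}
LONG_SSL_SESSION_SECONDS = 8 * 3600  # assumed threshold for "stays active for a long time"

# Constructed flow records for one reporting period (not real traffic).
FLOWS = [
    {"ts": "2017-06-01T08:00:00", "proto": "tcp", "port": 445, "direction": "inbound", "duration_s": 30},
    {"ts": "2017-06-01T09:15:00", "proto": "tcp", "port": 443, "direction": "outbound", "duration_s": 36000},
    {"ts": "2017-06-01T09:20:00", "proto": "tcp", "port": 443, "direction": "outbound", "duration_s": 120},
    {"ts": "2017-06-01T10:05:00", "proto": "tcp", "port": 3389, "direction": "inbound", "duration_s": 600},
    {"ts": "2017-06-01T10:06:00", "proto": "udp", "port": 53, "direction": "outbound", "duration_s": 1},
    {"ts": "2017-06-01T11:30:00", "proto": "tcp", "port": 22, "direction": "outbound", "duration_s": 300},
]


def classify_flow(flow: dict) -> List[str]:
    """Apply the three rules to one flow; an empty list means nothing to report."""
    key: PortKey = (flow["proto"], flow["port"])
    notes = []
    if flow["direction"] == "inbound" and key in NETBIOS_INBOUND:
        notes.append("inbound NetBIOS/SMB: should be blocked at the perimeter")
    if (flow["direction"] == "outbound" and key == ("tcp", 443)
            and flow["duration_s"] >= LONG_SSL_SESSION_SECONDS):
        notes.append("long-lived outbound SSL session: possible VPN tunnel")
    if key in REMOTE_SESSION_PORTS:
        notes.append(f"remote-session protocol {REMOTE_SESSION_PORTS[key]}: review")
    return notes


def open_inbound_ports(flows: List[dict]) -> List[PortKey]:
    """Distinct ports that accepted inbound traffic during the period (the metric)."""
    return sorted({(f["proto"], f["port"]) for f in flows if f["direction"] == "inbound"})


def flagged_flows(flows: List[dict]) -> List[Tuple[str, List[str]]]:
    """Timestamp and findings for every flow that triggered at least one rule."""
    result = []
    for f in flows:
        notes = classify_flow(f)
        if notes:
            result.append((f["ts"], notes))
    return result


if __name__ == "__main__":
    print("open inbound ports:", open_inbound_ports(FLOWS))
    for ts, notes in flagged_flows(FLOWS):
        print(ts, "; ".join(notes))
```

Counting `open_inbound_ports` per week and keeping the list short is the metric; the flagged flows are the detail a SOC analyst works through.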
Frequency of review of third party accesses
Often, IT managers grant third parties access to their networks to complete a project or activity. It is important to monitor whether the access is canceled at the end of service provisioning. Failure to do so endangers your environment if the third party decides to come back and extract data or carry out other malicious activity – for instance, they may come under the employ of a competitor. Possibly worse, if the third party's network is breached, you could expose your network to the same threat.
Frequency of access to critical enterprise systems by third parties
Creating a map of the company's critical systems and knowing which users access them is imperative in the security context. Monitoring attempts to access servers or applications by users who should not be reaching them may indicate misconduct and an intention to compromise your environment.
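The four identity metrics above (super-user count, days to deactivate former employees, review of third-party access, and third-party access to critical systems) all come from the same two inputs: the account directory joined with HR data, and an access log. The script below is an added example (not from the article or CIPHER) that computes all four from constructed data. The account fields, the 90-day review interval and the set of critical systems are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

REVIEW_INTERVAL_DAYS = 90  # assumed policy: third-party access must be re-reviewed every 90 days


@dataclass
class Account:
    username: str
    is_admin: bool                           # "super user" / administrator rights
    is_third_party: bool                     # contractor or vendor account
    terminated_on: Optional[date] = None     # from HR; None for current staff
    disabled_on: Optional[date] = None       # from IT; None while the account is active
    last_reviewed_on: Optional[date] = None  # last access review for third parties


# Constructed directory, not real users.
ACCOUNTS = [
    Account("alice", is_admin=True, is_third_party=False),
    Account("bob", False, False, terminated_on=date(2017, 4, 1), disabled_on=date(2017, 4, 1)),
    Account("carol", True, False, terminated_on=date(2017, 3, 10), disabled_on=date(2017, 3, 25)),
    Account("dave", False, False, terminated_on=date(2017, 5, 1), disabled_on=None),
    Account("vendor-x", False, True, last_reviewed_on=date(2017, 1, 15)),
    Account("vendor-y", True, True, last_reviewed_on=date(2017, 5, 1)),
]
CRITICAL_SYSTEMS: Set[str] = {"erp", "payroll"}
# Constructed access log entries.
ACCESS_LOG = [
    {"user": "vendor-x", "system": "erp"},
    {"user": "vendor-y", "system": "wiki"},
    {"user": "vendor-y", "system": "payroll"},
    {"user": "alice", "system": "erp"},
]
AS_OF = date(2017, 6, 1)


def super_users(accounts: List[Account]) -> List[str]:
    """Active accounts holding administrator rights; each one should be justified."""
    return [a.username for a in accounts if a.is_admin and a.disabled_on is None]


def deactivation_lag_days(accounts: List[Account], as_of: date) -> Dict[str, int]:
    """Days from HR termination to IT disablement. For accounts not yet disabled the
    lag is still growing, so it is measured up to as_of."""
    lag = {}
    for a in accounts:
        if a.terminated_on is None:
            continue
        end = a.disabled_on if a.disabled_on is not None else as_of
        lag[a.username] = (end - a.terminated_on).days
    return lag


def still_active_after_termination(accounts: List[Account]) -> List[str]:
    """Former employees whose access was never canceled: the worst case for this metric."""
    return [a.username for a in accounts if a.terminated_on is not None and a.disabled_on is None]


def third_parties_overdue_for_review(accounts: List[Account], as_of: date) -> List[str]:
    """Active third-party accounts never reviewed, or reviewed longer ago than the interval."""
    overdue = []
    for a in accounts:
        if not a.is_third_party or a.disabled_on is not None:
            continue
        if a.last_reviewed_on is None or (as_of - a.last_reviewed_on).days > REVIEW_INTERVAL_DAYS:
            overdue.append(a.username)
    return overdue


def third_party_critical_access(accounts: List[Account], log: List[dict],
                                critical: Set[str]) -> Dict[str, int]:
    """How often each third-party account touched a critical system."""
    third_parties = {a.username for a in accounts if a.is_third_party}
    counts: Dict[str, int] = {}
    for entry in log:
        if entry["user"] in third_parties and entry["system"] in critical:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    print("super users:", super_users(ACCOUNTS))
    print("deactivation lag:", deactivation_lag_days(ACCOUNTS, AS_OF))
    print("terminated but active:", still_active_after_termination(ACCOUNTS))
    print("third parties overdue for review:", third_parties_overdue_for_review(ACCOUNTS, AS_OF))
    print("third-party critical access:", third_party_critical_access(ACCOUNTS, ACCESS_LOG, CRITICAL_SYSTEMS))
```

The `still_active_after_termination` list is the one to escalate first; the mean of `deactivation_lag_days` is the figure that tells you whether HR and IT are in tune.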
Percentage of business partners with effective cybersecurity policies
You must maintain strict control over, and monitor the cybersecurity metrics of, the companies that provide services for your business. Giving such an outsourced company access to your environments can be a huge risk if it does not have effective security policies of its own in the first place. It is not too much to say that if your company invests in security but has third parties connected to your systems that do not, you have no security at all.
Oldair Barbosa is a consultant with CIPHER's Governance, Risk and Compliance team.