miércoles, 26 de octubre de 2011

Entender las métricas operacionales de seguridad (CISCO)

Many people often think that information and network security is just about technology and how reliable or sophisticated these technologies are. Additionally, many people ask why after spending tons of money on network and security gear, their network still gets hacked, information is lost and business continuity is disrupted. For example, often questions like these run through their minds: “Am I not buying the right security products?  Am I not configuring or deploying them correctly? Do I have the right staff to run my network?
The lack of credible and relevant network security operational metrics can contribute to this paradigm. The understanding security operational metrics doesn’t require classes on Nobel Prize-winning theories or very complicated math that may make the process too complicated to even execute. You have to understand what you are trying to protect and first establish a high level process map via your own research. Use common knowledge a broad survey to validate and identify metrics in each procedure or operational area. For instance, build a set of metrics for things like, but not limited to, the following: Incident Management
  • - Patch Management
  • - Device Compliance
  • - Security Device Monitoring
  • - Network and Internet Access
  • - Device Identity Management
  • - User Identity Management
  • - User Access
  • - Application Robustness
  • - User Security Awareness
These are just some examples, the list can be much longer. The goal is to define a set of subprocesses for each high-level process (or operational area), then build metrics for each sub-process. More importantly, assemble these metrics into a model which can be used to track operational improvement.
I will give some examples of metrics you can collect and examine for each of the processes or operational areas I mentioned.

Operational Metrics for Incident Management
An incident is a chain of events that may signal an attack in your network. It is, of course, very important to have a good methodology to simplify and expedite the detection, mitigation, reporting, and analysis of an incident.  All this information can be captured in a case report with a case management tool and escalated to the relevant personnel. So, my question is, how effective are you or your organization in the detection, mitigation, reporting, and analysis of an incident in your network? You should at the very minimum ask the following questions and collect the corresponding metrics.
  • - How long does it take to identify an event?
  • - How long does it take to identify an incident?
  • - How long does it take to contain or mitigate an incident?

Let’s look at the following figure:

  • To – is the time when an event occurs on the network
  • Te – is the time when the event is detected on the network
  • Ti – is the time when the event is classified as an incident
  • Tc – is the time when the incident is contained on the network
Measure the time that takes your organization for each step and try to understand how to reduce it and be more effective.



No hay comentarios: