Many people think that information and network security is just about technology and how reliable or sophisticated those technologies are. Many also ask why, after spending large sums on network and security gear, their network still gets hacked, information is lost and business continuity is disrupted. Questions like these often run through their minds: “Am I not buying the right security products? Am I not configuring or deploying them correctly? Do I have the right staff to run my network?”
The lack of credible and relevant network security operational metrics contributes to this situation. Understanding security operational metrics doesn’t require classes on Nobel Prize-winning theories or math so complicated that the process becomes too hard to even execute. You have to understand what you are trying to protect and first establish a high-level process map via your own research. Use common knowledge and a broad survey to validate and identify metrics in each procedure or operational area. For instance, build a set of metrics for areas such as, but not limited to, the following:
- Incident Management
- Patch Management
- Device Compliance
- Security Device Monitoring
- Network and Internet Access
- Device Identity Management
- User Identity Management
- User Access
- Application Robustness
- User Security Awareness
These are just some examples; the list can be much longer. The goal is to define a set of sub-processes for each high-level process (or operational area), then build metrics for each sub-process. More importantly, assemble these metrics into a model that can be used to track operational improvement.
I will give some examples of metrics you can collect and examine for each of the processes or operational areas I mentioned.
Operational Metrics for Incident Management
An incident is a chain of events that may signal an attack in your network. It is, of course, very important to have a good methodology to simplify and expedite the detection, mitigation, reporting, and analysis of an incident. All this information can be captured in a case report with a case management tool and escalated to the relevant personnel. So, my question is, how effective are you or your organization in the detection, mitigation, reporting, and analysis of an incident in your network? You should at the very minimum ask the following questions and collect the corresponding metrics.
- How long does it take to identify an event?
- How long does it take to identify an incident?
- How long does it take to contain or mitigate an incident?
Let’s look at the following figure:
- To: the time when an event occurs on the network
- Te: the time when the event is detected on the network
- Ti: the time when the event is classified as an incident
- Tc: the time when the incident is contained on the network
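As an added example that is not part of the original post, the following Python computes the three intervals the figure defines (Te minus To, Ti minus Te, Tc minus Ti) from constructed case records and aggregates them into the mean, median and worst-case values one would trend over time. The case-record layout and field names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median

# Constructed sample case records (not real data). Each carries the four
# points in the post: to = event occurs, te = event detected,
# ti = event classified as an incident, tc = incident contained.
SAMPLE_INCIDENTS = [
    {"case": "CASE-0001", "to": "2024-03-01T08:00:00", "te": "2024-03-01T08:05:00",
     "ti": "2024-03-01T08:35:00", "tc": "2024-03-01T10:05:00"},
    {"case": "CASE-0002", "to": "2024-03-02T22:10:00", "te": "2024-03-03T06:10:00",
     "ti": "2024-03-03T06:40:00", "tc": "2024-03-03T07:40:00"},
    {"case": "CASE-0003", "to": "2024-03-05T13:00:00", "te": "2024-03-05T13:02:00",
     "ti": "2024-03-05T13:17:00", "tc": "2024-03-05T13:47:00"},
]

@dataclass
class IncidentTimes:
    case: str
    detect_min: float    # Te - To: how long until the event was seen
    identify_min: float  # Ti - Te: how long until it was classified an incident
    contain_min: float   # Tc - Ti: how long until it was contained

def _minutes(later: str, earlier: str) -> float:
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    if delta.total_seconds() < 0:  # a case whose clock runs backwards is a data error
        raise ValueError(f"timestamps out of order: {earlier} > {later}")
    return delta.total_seconds() / 60

def incident_times(rec: dict) -> IncidentTimes:
    return IncidentTimes(
        case=rec["case"],
        detect_min=_minutes(rec["te"], rec["to"]),
        identify_min=_minutes(rec["ti"], rec["te"]),
        contain_min=_minutes(rec["tc"], rec["ti"]),
    )

def incident_metrics(records: list) -> dict:
    """Aggregate each interval across cases into mean/median/max minutes."""
    times = [incident_times(r) for r in records]
    out = {}
    for name in ("detect_min", "identify_min", "contain_min"):
        values = [getattr(t, name) for t in times]
        out[name] = {"mean": mean(values), "median": median(values), "max": max(values)}
    return out

if __name__ == "__main__":
    for metric, stats in incident_metrics(SAMPLE_INCIDENTS).items():
        print(f"{metric:13s} mean={stats['mean']:7.1f} median={stats['median']:7.1f} max={stats['max']:7.1f}")
```

The median and max are reported alongside the mean because a single slow detection (CASE-0002 above) drags the mean far from what most cases experienced.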
blogs.cisco.com