Over the past two years, risk management has gained a lot of attention in the media and among practitioners. Even though it has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted a pro-active approach to addressing risks. What are the inhibitors to risk management and how can companies overcome them?


As security gains greater visibility in boardrooms and C-suites, security professionals are increasingly asked to provide metrics to track the current state of a company's defenses. But which numbers really matter?

More often than not, senior management doesn't know what kind of questions it should be asking -- and may concentrate too much on prevention and too little on mitigation. Metrics like the mean cost to respond to an incident or the number of attacks stopped by the firewall seem reasonable to a nonsecurity person, but they don't really advance an organization's security program.

Instead, experts recommend focusing on metrics that influence behavior or change strategy.

"What would you do differently now that you have this metric?" asks Caroline Wong, security initiative director at Cigital, a security software and consulting firm. Metrics like mean cost to mitigate vulnerabilities and mean time to patch are helpful if the organization has mature and highly optimized processes, but that doesn't apply to 95 percent of organizations today, she said.

Metrics that measure participation, effectiveness, and window of exposure, however, offer information the organization can use to make plans and improve programs.

Security metric No. 1: Program participation levels

Participation metrics look at coverage within the organization. They may measure how many business units regularly conduct penetration testing or how many endpoints are currently being updated by automated patching systems. According to Wong, this basic information helps organizations assess security control adoption levels and identify potential gaps.

For example, while it would be nice to be able to say an organization has 100 percent of its systems patched within a month of new updates being available, that isn't a realistic goal because patching may introduce operational risk to some systems. Looking at participation helps exclude systems that don't fall under the normal patching rules -- and focuses attention on those that should be patched.

Security metric No. 2: Duration of attack

Dwell time, or how long an attacker is in the network, also delivers valuable insight. Attack duration information helps security pros prepare for, contain, and control threats, as well as minimize damage.

Surveys have shown attackers spend several months on average inside a company's network before being discovered. They spend the time learning the infrastructure, performing reconnaissance activities, moving around the network, and stealing information.

The goal should be to reduce dwell time as much as possible, so the attacker has less opportunity to achieve lateral movement and remove critical data, Douglas said. Knowing dwell time helps security teams figure out how to handle vulnerability mitigation and incident response.

"The longer attackers are in your network, the more information they can obtain, and the more damage they can inflict," Douglas said.

Security metric No. 3: Code defect density

Defect density, or the number of issues found in every thousand (or million, depending on the codebase) lines of code, helps organizations assess the security practices of their development teams.

Context is key, however. If an application is at an early stage of development, then a high defect density means all the issues are being found. That's good. On the other hand, if an application is in maintenance mode, the defect density should be lower -- and trending downward -- to show the application is getting more secure over time. If not, there's a problem.

Security metric No. 4: Windows of exposure

An organization may identify defects in the application, but until they've been addressed, the application remains vulnerable. The window of exposure looks at how many days in a year an application remains vulnerable to known serious exploits and issues. The "goal is to have zero days in a year during which serious defects found are known and have not yet been addressed," Wong said.
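As an added worked example (not code from the article), here is one way to compute the window-of-exposure metric Wong describes over a constructed list of findings: a day in the year counts as exposed if at least one serious defect is known and not yet fixed, so overlapping defects are merged rather than double-counted, and a naive per-finding sum is shown alongside to make the difference visible.

```python
from datetime import date, timedelta

# Constructed sample findings, not data from the article:
# (severity, date found, date fixed or None if still open)
FINDINGS = [
    ("critical", date(2015, 1, 10), date(2015, 1, 25)),
    ("high", date(2015, 1, 20), date(2015, 2, 5)),    # overlaps the first one
    ("low", date(2015, 3, 1), date(2015, 6, 1)),      # not serious: does not count
    ("critical", date(2015, 11, 20), None),           # still open at year end
]
SERIOUS = frozenset({"critical", "high"})


def exposure_days(findings, year, serious=SERIOUS):
    """Number of days in `year` on which at least one serious defect was
    known and not yet fixed. A day counts once no matter how many defects
    are open on it, so overlapping findings are merged before counting.
    A finding is exposed from the day it was found up to, but not
    including, the day it was fixed; an unfixed finding stays exposed
    through the end of the year."""
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    intervals = []  # inclusive (first_day, last_day) pairs clipped to the year
    for severity, found, fixed in findings:
        if severity not in serious:
            continue
        last_exposed = (fixed - timedelta(days=1)) if fixed else year_end
        lo, hi = max(found, year_start), min(last_exposed, year_end)
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()
    merged = []
    for lo, hi in intervals:
        if merged and lo <= merged[-1][1] + timedelta(days=1):
            # overlapping or adjacent: extend the previous interval
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return sum((hi - lo).days + 1 for lo, hi in merged)


def naive_exposure_days(findings, year, serious=SERIOUS):
    """Per-finding day counts simply added up: double-counts days on which
    several defects were open, which is the mistake the merged version avoids."""
    return sum(exposure_days([f], year, serious) for f in findings)


if __name__ == "__main__":
    print("window of exposure 2015:", exposure_days(FINDINGS, 2015), "days")
    print("naive per-finding sum  :", naive_exposure_days(FINDINGS, 2015), "days")
```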

Misleading indicators

Management in general likes to focus on security incident prevention, in part due to the legacy notion that organizations can stop all attacks at the perimeter. For example, it might make everyone feel good to see the number of intrusion attempts that were blocked, but there's nothing actionable about that information -- it won't help security teams figure out which attacks were not blocked. "You're not fixing anything," says Joshua Douglas, CTO of Raytheon/Websense.

Mean response time, or how quickly the issue was found and mitigated, is another metric that may be less than helpful. Response time ignores the fact that attackers tend to move laterally through the network. You may fix one issue, but if no one tries to determine what else the attacker may have done, a different system compromised by that same attacker may go unnoticed. Focusing on individual issues alone and not on security as a whole leaves environments vulnerable.

"It's not one and done, it's one and understand," Douglas said.

Another common metric tracked is reduction in vulnerabilities, but it isn't so useful on its own. If a lot of low-level vulnerabilities have been fixed, the organization's risk remains the same while critical issues remain open. Some vulnerabilities mean more than others.

Only 28 percent of executives surveyed in a recent Raytheon/Websense survey felt the security metrics used in their organizations were "completely effective," compared to the 65 percent who felt they were "somewhat effective." Security practitioners need to explain to senior management how to focus on security questions that help accomplish well-defined goals. Otherwise, too much attention is wasted on information that doesn't actually reduce risk or improve security.

"Is that really the best place for you to be spending your limited time and money?" asks Wong.

As security professionals we worry about zero-day exploits - those vulnerabilities known by attackers for which there is no current fix. The zero day, of course, lasts until we assiduously apply patches, waiting for Tuesdays like a kid waiting for gifts on Christmas morning. The gift givers come from many sources – Microsoft, Apple, Adobe, Oracle and any number of other software vendors.

As much fun as it is to wake up to patches waiting to be unwrapped, we don't want the regret of "exploit Wednesday", which is far more embarrassing than becoming a victim of a zero-day exploit. After public disclosure of a zero-day exploit, there is an increase of up to five orders of magnitude in the volume of attacks. There are some bad Santas out there, bringing pain instead of gifts, and they're not going through the trouble of trying to access your environment via the chimney when the front door is open.

While there is some protection afforded by a good patch process, it doesn't reduce the time from vulnerability discovery to patch distribution. It's impossible to know for certain what the average vulnerability window is, but estimates put it at 312 days. Zero-day exploits can make anyone feel vulnerable and a bit intimidated, like a small child forced to take a photograph with an enormous bearded stranger.

Why insiders are a growing problem

Zero-day exploits get a lot of attention, deservedly so. But insider misuse is a parallel, possibly greater threat, which needs to be revisited.

Typically, we think of the insider threat as coming from malicious privileged users like Edward Snowden. Yet the 2015 Verizon Data Breach Investigation Report (DBIR) indicates that only 1.6% of insider misuse comes from system administrators, attributing this to the effectiveness of the controls required by SOX and PCI auditors, which have minimized this threat.

What is surprising is that for the first time in the history of the DBIR, regular end users have jumped to the top of the list at 37.6% of all insider misuse incidents, indicating a growing ability for non-privileged employees to abuse their expanding access rights. It makes sense, as an ever-increasing number of workers are provided technology devices and access to applications to perform their tasks.

Malicious insiders are a threat, but not exclusively

It's not just the malicious insider to be concerned with. The same Verizon report indicates that only 55% of insider misuse was related to abuse of privileges, which means the remaining 45% is either related to careless exposure of information, or more ominously, the appropriation of insider credentials by outsiders, as has been reportedly seen in breaches at Anthem and OPM.

In fact, if we broaden the lens of classification of all security incidents in the DBIR report, we see that the top four categories – miscellaneous errors, crimeware, insider misuse and physical theft/loss – add up to 90.4% of all incidents, and have at their core an insider action.

Dealing with the insider threat

Interestingly, mitigation efforts for the insider threat have parallels with zero-day exploit defense:

| Insider Threat Risk Reduction | Zero-day Exploit Risk Reduction |
|---|---|
| Reduce the attack footprint by implementing least privileges for users | Reduce the attack footprint by configuring services with least privileges and segmenting services and networks |
| Control access by implementing stronger authentication such as multi-factor authentication and risk-based authentication | Control the apps allowed on the network by whitelisting and keep them patched |
| Invest in user activity monitoring and response processes to detect and disrupt insider threats, and narrow their exploitation time | Invest in monitoring technologies and response processes to detect and disrupt threats, and narrow the exploitation time |

Insiders have access to the most sensitive information in any organization. Imagine what a rogue elf could do to Santa's operation if he were to disclose the trade secrets of toy manufacturing and distribution that thus far have remained secured in the North Pole. It's worth putting at least as much effort into dealing with the insider threat as we do worrying and defending against zero-day attacks.
