Anyone who went to business school leaves with a single lesson drilled into them — everything should be measurable. In business, if you’re spending money, you need to be able to quantify the benefit. Regardless of whether it’s marketing, advertising, inventory, operating costs, or long-term investments, if you can’t measure it, you usually don’t do it.
But what about security? It’s a $50 billion-plus-a-year industry with piles of metrics intended to show its effectiveness. Yet few organizations can say with any certainty that their security is working or that they have made substantial progress to warrant continued investments.
So, in an environment where breaches are inevitable and executive careers hang in the balance, how do organizations measure the effectiveness of their security? It’s fairly standard to count the number of breaches and alerts, as well as downtime resulting from a breach, among other numbers. But does that make any sense? For example, if the number of breaches goes down from 400 in 2014 to 300 in 2015, yet one attacker in 2015 makes off with valuable intellectual property, is the number of breaches a good metric to judge the success of your security program? On the surface, it looks compelling, but it’s counting the wrong thing. It’s like adding up the number of broken windows in a bank with a wide-open vault.
Counting alerts and breaches just doesn’t show the whole picture. So what should you do?
Fortunately, an emerging set of outcome-based metrics goes beyond mere counting to help organizations understand the true state of their networks. These metrics include average time to respond, time to repair, and dwell time.
Average time to respond measures how quickly a security team was able to respond to a breach or issue and contain the threat. The lower the time, the better. Similarly, time to repair shows how quickly, and how completely, a security risk is remediated.
Dwell time, or how long an attacker is in your network, is to me the most important metric in this group. And the industry is beginning to embrace it for good reason.
The longer attackers are in your network, the more information they can obtain, and the more damage they can inflict.
Think of it this way: If you walk through a retail store once, you may have some recollection about where the store displays its more valuable items. But if you spend a full day, a week, or even a month or more, you will have detailed knowledge of every asset on the premises, where it’s kept, how it’s secured, and how close it is to the nearest exit. For an attacker, there is no substitute for good intelligence. So the longer an adversary spends in your network, the better their intel will be.
According to Mandiant's M-Trends 2015 report, attackers spent a median of 205 days inside a company's network before being discovered. That's nearly 30 weeks combing through your systems for vulnerabilities, identifying critical information, mapping your network, and learning which of their actions go unnoticed. Imagine the damage an attacker could inflict given that amount of undetected time.
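To make the three metrics concrete, here is an added example (not from the original article or from Mandiant) that computes dwell time, time to respond, and time to repair from incident timeline records and rolls them up per year. The incident records are constructed for illustration; the years and the 205-day figure mirror the text. Note the caveat built into dwell_time: it is measured from the earliest evidence the investigation could find, so it is a lower bound on how long the attacker was really present.

```python
"""Outcome metrics for a security program: dwell time, time to respond, time to repair.

Added example with constructed incident records; not real incident data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    name: str
    first_evidence: datetime  # earliest attacker activity found in the evidence
    detected: datetime        # when the team first identified the intrusion
    contained: datetime       # attacker access cut off (ejected)
    remediated: datetime      # root cause fixed, affected systems restored


def dwell_time(inc: Incident) -> timedelta:
    # Measured from the earliest evidence found, so this is a lower bound:
    # if logs rotated before the investigation, the true dwell time is longer.
    return inc.detected - inc.first_evidence


def time_to_respond(inc: Incident) -> timedelta:
    return inc.contained - inc.detected


def time_to_repair(inc: Incident) -> timedelta:
    return inc.remediated - inc.detected


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def summarize(incidents, year):
    """Metrics for incidents *detected* in the given year, alongside the raw count."""
    year_incidents = [i for i in incidents if i.detected.year == year]
    dwell_days = [dwell_time(i).days for i in year_incidents]
    respond_h = [hours(time_to_respond(i)) for i in year_incidents]
    repair_h = [hours(time_to_repair(i)) for i in year_incidents]
    return {
        "year": year,
        "breaches": len(year_incidents),
        "median_dwell_days": median(dwell_days),
        "max_dwell_days": max(dwell_days),  # the median alone hides a single long intrusion
        "mean_respond_hours": round(mean(respond_h), 2),
        "mean_repair_hours": round(mean(repair_h), 2),
    }


def _incident(name, first_evidence, detected, respond_h, repair_h):
    # Helper to build a constructed record from ISO dates and hour offsets.
    d = datetime.fromisoformat(detected)
    return Incident(name, datetime.fromisoformat(first_evidence), d,
                    d + timedelta(hours=respond_h), d + timedelta(hours=repair_h))


# Constructed data: more incidents in 2014, fewer in 2015, but one 2015
# intrusion sat undetected for 205 days (the M-Trends 2015 median).
INCIDENTS = [
    _incident("2014-A", "2014-02-01", "2014-02-03", 6, 24),
    _incident("2014-B", "2014-04-10", "2014-04-15", 12, 48),
    _incident("2014-C", "2014-06-01", "2014-06-02", 4, 20),
    _incident("2014-D", "2014-09-01", "2014-09-04", 6, 36),
    _incident("2015-E", "2015-01-05", "2015-01-07", 6, 24),
    _incident("2015-F", "2015-01-10", "2015-08-03", 48, 240),
    _incident("2015-G", "2015-10-01", "2015-10-04", 8, 30),
]


def compare(incidents=INCIDENTS):
    """Return the 2014 and 2015 summaries side by side."""
    return summarize(incidents, 2014), summarize(incidents, 2015)


if __name__ == "__main__":
    for summary in compare():
        print(summary)
```

Run as a script, it shows the point of the article: the breach count drops from 4 to 3, while maximum dwell time rises from 5 to 205 days and mean time to repair roughly triples. Counting alone would call 2015 the better year.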
Dwell time is more than just a number. As part of a comprehensive plan, it can provide real insight that your organization can use to not only prepare and plan but also contain and control threats and minimize damage. The plan should include a budget to arm your IT teams with the right tools to more quickly detect intrusions, analyze intruder actions and impact, and employ ejection techniques to force them out.
This approach yields an honest assessment of your security posture rather than a meaningless count.
Ultimately, paying attention to these outcome-based metrics could be the difference between the success and failure of your security program.
Original Article by Ashok Sankar