Generating Security Metrics for Analysis

Executive Summary

Principal, Cyber Security
May 2015

Detecting and responding to cyber security threats is an extensive challenge for all IT organizations regardless of their industry.

Simply put, protecting all the valuable online assets of an organization is difficult even with the multitude of modern controls available. Physical security concepts have built up and matured over literally thousands of years, whereas the digital realm has only existed since the dawn of the computer age in the 1940s and 1950s.

Organizations need to protect not only their assets but also the business process workflows that produce those assets. For example, the Intelligence Community must protect not only the products of analysis but also the sources of the data – where the raw data originates. These sources must be protected as a supply chain is: any injection of inaccurate information into the process can lead to an analysis product that is fundamentally flawed.

Security metrics can be used to determine and monitor the source of information – that it came from reputable or trusted individuals – and can also support the subsequent manipulation of that data to produce intelligence products. Data marking helps differentiate the value or worth of specific data items and serves to focus protection efforts.

Purpose-built and maintained security metrics provide insight into malicious activity. If baselines defining normal operations can be established, it becomes easier to detect malware or rootkits that have penetrated network defenses and that allow attackers to carry out a range of malicious activities.

Creating this ‘fingerprint’ of IT operations requires an extensive array of sensors, which produce copious amounts of data; algorithms that dissect that data; and automation that produces aggregated alerts for more detailed analysis.
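The following Python sketch is an added example, not code from the original paper or its author, showing the pipeline the two preceding paragraphs describe: sensor readings feed a baseline of normal operations, each new reading is scored against that baseline, and the resulting findings are aggregated into one alert per host for analyst review. The hostnames, metric names and values are constructed for illustration; the scoring uses a plain z-score against a per-host, per-metric mean and standard deviation, and it handles two failure modes a real deployment meets immediately: a metric whose baseline never varied (standard deviation zero), and a host for which no baseline exists yet.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training-window readings: (host, metric, value), one per hour.
# Hostnames, metric names and values are invented for this example.
TRAINING = [
    *[("ws-101", "outbound_conn_per_hr", v) for v in (40, 45, 38, 42, 44, 41, 39, 43)],
    *[("ws-101", "failed_logins_per_hr", v) for v in (0, 1, 0, 2, 0, 1, 0, 0)],
    *[("srv-db-01", "outbound_conn_per_hr", v) for v in (5, 6, 5, 4, 5, 6, 5, 4)],
    *[("srv-db-01", "failed_logins_per_hr", v) for v in (0, 0, 0, 0, 0, 0, 0, 0)],
]

# Constructed readings from the monitored window, including a host with no baseline.
OBSERVED = [
    ("ws-101", "outbound_conn_per_hr", 44),    # within normal variation
    ("ws-101", "outbound_conn_per_hr", 900),   # large burst
    ("ws-101", "failed_logins_per_hr", 25),    # far above baseline
    ("srv-db-01", "outbound_conn_per_hr", 5),  # normal
    ("srv-db-01", "failed_logins_per_hr", 3),  # baseline never varied: any change flags
    ("ws-202", "outbound_conn_per_hr", 50),    # no baseline yet
]


def build_baseline(records):
    """Per (host, metric): (mean, population stddev) over the training window."""
    series = defaultdict(list)
    for host, metric, value in records:
        series[(host, metric)].append(value)
    return {key: (mean(vals), pstdev(vals)) for key, vals in series.items()}


def z_score(value, baseline):
    """Standard deviations from the baseline mean. A flat baseline (stddev 0)
    treats any departure from the mean as an infinite deviation."""
    mu, sigma = baseline
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def score(baseline, records, threshold=3.0):
    """Return (findings, unbaselined): readings beyond the threshold, and readings
    for which no baseline exists (they need a training window, not an alert)."""
    findings, unbaselined = [], []
    for host, metric, value in records:
        key = (host, metric)
        if key not in baseline:
            unbaselined.append((host, metric, value))
            continue
        z = z_score(value, baseline[key])
        if abs(z) >= threshold:
            findings.append({"host": host, "metric": metric, "value": value, "z": z})
    return findings, unbaselined


def aggregate(findings):
    """Collapse per-reading findings into one alert per host for analyst review."""
    alerts = {}
    for f in findings:
        a = alerts.setdefault(f["host"], {"count": 0, "metrics": set(), "max_z": 0.0})
        a["count"] += 1
        a["metrics"].add(f["metric"])
        a["max_z"] = max(a["max_z"], abs(f["z"]))
    return alerts


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    found, unbase = score(base, OBSERVED)
    for host, alert in aggregate(found).items():
        print(f"ALERT {host}: {alert['count']} findings on {sorted(alert['metrics'])}, "
              f"max z={alert['max_z']:.1f}")
    for host, metric, value in unbase:
        print(f"NO BASELINE {host}/{metric}={value}")
```

Run as written, the script raises one alert for ws-101 (two findings) and one for srv-db-01 (one finding), and reports ws-202 as unbaselined rather than alerting on it. The unbaselined list is worth surfacing on its own: a host that appears with no training history is either new, misconfigured, or not covered by the sensor array, and each of those is something an operations team wants to know before trusting the alert stream.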

Visualization of these vast quantities of raw data facilitates human analysis of suspicious events. As operational insights mature, these alerts can be continually refined, leading to the ‘holy grail’ of cyber security – Continuous Diagnostics and Mitigation (CDM). The Department of Homeland Security is developing that program for Federal organizations, but all companies can benefit from creating an infrastructure that uses their own data to operate in a similar manner.