Metrics For Your Information Security Solutions

Recently, on one of the security mailing lists a query was posted as to what metrics should be produced from a Data Leakage Prevention Solution, an Intrusion Prevention System, and from the Firewalls being managed by the security team.

Here’s the response I sent in which is being shared for a larger audience:

Basically, what management wants to know is how effectively the security solutions are working in your environment. So metrics along the lines of the following should work:

Data Leakage Prevention
– Number of incidents raised by the DLP
– Of these, how many were false positives
– Of the remaining, some analysis of number of incidents by business department, severity, type of file leaked
– For the incidents taken up for investigation, what is the current status per incident
– Policy changes made

Intrusion Prevention System
– Top 10 source IP addresses
– Top 10 target IP addresses
– Top 10 attack signatures
– Of which potential false positives
– IPS rules changed (added, dropped, modified)
– IP addresses added to whitelist

Firewall metrics
– Firewall changes made
– Of which, number of unauthorized changes
– Number and names of admin accounts on firewalls
– Multiple failed logins
– Unused rules, unused objects
– Number of redundant and shadow rules
– Number of rules which violate firewall configuration standards
– You could also use tools such as Nipper, Algosec, Firesec (our proprietary tool, excuse the marketing plug) to carry out real-time firewall analysis and prepare a configuration status across each firewall based on your customized policy

If you have an SIEM (Security Incident and Event Management) system in place, you could also look at integrating these devices and building reports in such a way that many of these metrics are produced automatically.
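As an added illustration of the firewall metrics above (unused rules, redundant and shadow rules), here is a small Python analyser for a first-match-wins rule base; it is example code written for this post, not Firesec or any of the tools named, and the rule base and hit counters it works on are constructed:

```python
"""Rule-base hygiene metrics for a first-match-wins firewall (added example).
Shadowed: an earlier rule matches everything this rule matches, with a different action.
Redundant: an earlier rule matches everything this rule matches, with the same action.
Unused: zero hits in the review period."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = None  # destination port value meaning "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    dport: object  # int or ANY_PORT
    action: str    # "allow" or "deny"
    hits: int = 0  # hit counter as exported by the firewall (constructed here)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    proto_ok = outer.proto in ("any", inner.proto)
    port_ok = outer.dport is ANY_PORT or outer.dport == inner.dport
    return src_ok and dst_ok and proto_ok and port_ok

def rulebase_metrics(rules):
    """Map metric name -> names of offending rules, in rule-base order."""
    shadowed, redundant, unused = [], [], []
    for i, rule in enumerate(rules):
        if rule.hits == 0:
            unused.append(rule.name)
        for earlier in rules[:i]:
            if covers(earlier, rule):  # the first covering rule decides the outcome
                (redundant if earlier.action == rule.action else shadowed).append(rule.name)
                break
    return {"shadowed": shadowed, "redundant": redundant, "unused": unused}

# Constructed sample rule base. A shadowed rule also shows up as unused,
# which is why the two metrics are worth reading together.
SAMPLE_RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.0.2.10/32", "tcp", 443, "allow", hits=1200),
    Rule("deny-all-to-dmz", "10.0.0.0/8", "192.0.2.0/24", "any", ANY_PORT, "deny", hits=300),
    Rule("allow-ssh-admin", "10.1.0.0/16", "192.0.2.20/32", "tcp", 22, "allow"),
    Rule("allow-web-hr", "10.2.0.0/16", "192.0.2.10/32", "tcp", 443, "allow"),
    Rule("allow-dns", "10.0.0.0/8", "198.51.100.53/32", "udp", 53, "allow"),
]

if __name__ == "__main__":
    for metric, names in rulebase_metrics(SAMPLE_RULES).items():
        print(f"{metric}: {len(names)} {names}")
```

Real rule bases also carry port ranges, negated objects and zones, so the covers() check would need extending before the counts can be reported as a configuration-standard metric.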

K K Mookhey

K. K. Mookhey (PCI QSA, CISA, CISSP, CISM) is the Founder Director at Network Intelligence ( as well as the Founder of The Institute of Information Security ( He is an internationally well-regarded expert in the field of IT governance, information risk management, forensic fraud investigations, compliance, and business continuity. He has more than a decade of experience in this field, having worked with prestigious clients in India such as the top 4 private bank, the top 4 public sector banks, the top 5 IT companies, and some of the largest industrial conglomerates. Internationally, he has done consulting and audit engagements for United Nations organizations, numerous Banks and manufacturing firms in the Middle East, as well as various government entities. He has published numerous articles, two books, presented at numerous conferences such as Blackhat, OWASP Asia, ISACA, Interop, and Nullcon.