Metrics For Your Information Security Solutions

Recently, on one of the security mailing lists a query was posted as to what metrics should be produced from a Data Leakage Prevention Solution, an Intrusion Prevention System, and from the Firewalls being managed by the security team.

Here’s the response I sent in which is being shared for a larger audience:

Basically, what management wants to know is how effective the security solutions are working in your environment. So something along the lines of the following metrics should work:

Data Leakage Prevention
– Number of incidents raised by the DLP
– Of these, how many were false positives
– Of the remaining, some analysis of number of incidents by business department, severity, type of file leaked
– For the incidents taken up for investigation, what is the current status per incident
– Policy changes made

Intrusion Prevention System

– Top 10 source IP addresses
– Top 10 target IP addresses
– Top 10 attack signatures
– Of which potential false positives
– IPS rules changed (added, dropped, modified)
– IP addresses added to whitelist

Firewall metrics
– Firewall changes made
– Of which, number of unauthorized changes
– Number and names of admin accounts on firewalls
– Multiple failed logins
– Unused rules, unused objects
– Number of redundant and shadow rules
– Number of rules which violate firewall configuration standards
– You could also use tools such as Nipper, Algosec, Firesec (our proprietary tool, excuse the marketing plug) to carry out real-time firewall analysis and prepare a configuration status across each firewall based on your customized policy
If you have an SIEM (Security Incident and Event Management) system in place, you could also look at integrating these devices and building reports in such a way, that many of these metrics are produced automatically.

1 Comment

Leave a Comment