What do calories and incident counts have in common? Once again about information security metrics (announcement of a new Telegram channel)

Anonymous

Every year many people, I think, set themselves ambitious goals, for example to lose weight. But what am I saying, we are talking about security. So goals are set for information security (IB) as well. Say, to reduce the number of incidents per day from 23 to 18 or 17%. It looks like a fine and necessary goal, but achieving it takes a number of steps. And since I mentioned weight loss, let's compare the two processes.

So, we want to lose weight. If numerous fitness experts are to be believed, the first step on this path is counting calories. Yes, it is unpleasant to see that the sandwich with Doktorskaya sausage you just ate contains almost half of the entire daily calorie allowance. Counting is believed not only to form a habit but also to play a psychological role: seeing so many extra calories, we start to worry about them and try to reduce their number. But it is necessary.

Information security metrics have the same problem. When we start counting all our slip-ups (missed spam, missed phishing, unpatched vulnerabilities, leaks we allowed, downtime, dangerous constructs in application code, unblocked ports on the firewall, etc.), we begin to develop something of an inferiority complex. And if we go on to visualize all incidents as information security dashboards and reports, the situation becomes even worse. In essence, we put our own inadequacy on display. And while the results from a nutrition-tracking app are seen only by you (somehow few people use the "Share" function in such apps), information security reports are seen by your management, which begins to ask the questions we are very afraid of.

I think that is why I do not often see well-implemented projects for measuring and visualizing information security (or badly implemented ones, either). And last year I took part in the top ten projects for designing or auditing SOCs (Cisco is actively engaged in such projects). People do not like to show the results of their work, which in information security are not always so positive.

But back to measuring your "bad behavior" (whether in eating or in information security). It is unpleasant to realize that we are doing something wrong, but it is necessary, and this is where implementing an information security measurement program begins. However, it is also important to know what to measure and how. Let's go back to weight loss. Here we count calories, but is that what matters? What matters is understanding what exactly we ate and how "bad" or "good" those calories were. And also the conditions under which we ate it all. Suppose we cut our diet by 500 calories. Good? It seems so. You can count it as an achievement. But what if we also reduced our activity by the same "500 calories"? It turns out that, in essence, nothing has changed. On the chart it will look beautiful, but in reality ... And I am not yet even considering the situation where someone deliberately manipulates the numbers.

It is all the same with incidents. By itself, a decline in the number of incidents means nothing. The reason for it may be:

  • A reduction in monitoring coverage
  • A revised definition of what counts as an incident
  • Concealment of incidents.

You can also have a decrease in the total number of incidents alongside growth in critical incidents. And finally, you may simply be attacked less, which indicates a decline in attacker activity, not the quality of your protection system. And yes, the decline may be the result of your own work and that of the outsourced SOC, as well as of other divisions of the company (for example, IT). Therefore, a single figure on its own means nothing: you need to understand its context and compare it with other collected or calculated numbers.
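The reasoning above as an added example (not from the original post): a Python check that reads a drop in the incident count next to monitoring coverage, the incident definition, critical incidents and attack volume. The field names, the 5% tolerance and every figure except the 23 to 18 headline are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Period:
    """One reporting period; field names are assumptions of this example."""
    incidents_per_day: float      # the headline number
    critical_per_day: float       # incidents rated critical
    monitored_assets: int         # assets actually covered by monitoring
    total_assets: int             # assets in the inventory
    attack_attempts_per_day: int  # proxy for attacker activity
    incident_definition: str      # version of the incident classification


def pct_change(old, new):
    return (new - old) / old * 100.0


def review_drop(prev, curr, tolerance=5.0):
    """List reasons why a lower incident count may not mean better protection."""
    # Concealed incidents do not show up in these numbers; that needs an audit.
    if curr.incidents_per_day >= prev.incidents_per_day:
        return ["no decline to explain"]
    findings = []
    cov_prev = prev.monitored_assets / prev.total_assets
    cov_curr = curr.monitored_assets / curr.total_assets
    if pct_change(cov_prev, cov_curr) < -tolerance:
        findings.append("monitoring coverage shrank")
    if curr.incident_definition != prev.incident_definition:
        findings.append("incident definition was revised")
    if curr.critical_per_day > prev.critical_per_day:
        findings.append("critical incidents grew")
    # Normalise by attacker activity: incidents per 1000 attack attempts.
    rate_prev = prev.incidents_per_day / prev.attack_attempts_per_day * 1000
    rate_curr = curr.incidents_per_day / curr.attack_attempts_per_day * 1000
    fewer_attacks = pct_change(prev.attack_attempts_per_day,
                               curr.attack_attempts_per_day) < -tolerance
    if fewer_attacks and rate_curr >= rate_prev:
        findings.append("fewer attacks, no better incident rate per attack")
    return findings


# Constructed sample data; only the 23 -> 18 headline comes from the post.
BEFORE = Period(23, 2, 900, 1000, 4600, "v1")
AFTER_COSMETIC = Period(18, 3, 700, 1000, 3000, "v1")
AFTER_GENUINE = Period(18, 1, 910, 1000, 4700, "v1")

if __name__ == "__main__":
    print(review_drop(BEFORE, AFTER_COSMETIC))
    print(review_drop(BEFORE, AFTER_GENUINE))
```

An empty list means none of the checked explanations applies, so the same 23 to 18 drop reads very differently in the two constructed periods.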

That is why it is so important to measure a sufficiently large number of different indicators and then choose the ones you need from them: for different tasks, for different periods of time, for different target audiences. After all, metrics come in different kinds: operational, tactical and strategic. And in some cases, when the information security hierarchy in the organization has many levels, there may also be executive metrics, and so on. Therefore, when launching an information security measurement program, remember that it is necessary to:

  1. Measure everything. Then
  2. Measure the right things. Then
  3. Take the right things

But start by measuring everything (or at least a lot).

And here I come to the point for which this long note was written. I decided to give in to the fashionable trend called the GitHubization of information security (in Russian) and launch a new Telegram channel on information security metrics (Cyber Security Metrics). Every day I will share a single information security metric with its brief description, formulas, data sources, limitations, etc. In fact, this is, of course, not GitHubization, but what to call it, I do not know. At first I thought of compiling the metric catalog all at once and putting it on GitHub, but there is no time to do it all at once. Doing it in parts, though, seemed to me quite a manageable task. One metric a day, and by the end of the year there will be 250 different metrics from different information security domains: incident response, vulnerability management, Red Team, Privacy, Finance management, information security monitoring, compliance, etc. Unlike my current channel "Post Lukatsky", in the new one I have enabled comments and discussions so that you can discuss every metric, share experience, etc.

So welcome to the new Telegram channel, which will be a regularly updated catalog of information security metrics.

Source: Alexei Lukatsky's blog "Business without danger".
