Communicating Security Program Effectiveness SMART Metrics and SecurityCenter Continuous View June 8, 2016

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.


Table of Contents

I. Introduction
II. Understanding Metrics
III. Measuring What Matters
IV. SMART Metrics
  • Specific Metrics
  • Measurable Metrics
  • Actionable Metrics
  • Relevant Metrics
  • Timely Metrics
V. Effectively Communicating Metrics
VI. Using Tenable and SMART Metrics to Tell Your Story
  • Assurance Report Cards
  • Dashboards
  • Reports
VII. Conclusion
VIII. About Tenable Network Security


I. Introduction

“How secure are we?” is a question most information security professionals dread, because it’s almost impossible to answer accurately. Without the proper tools to measure the security processes and functions in place within your organization, the answer to this question is typically just a best guess. Business leaders and IT alike are looking for more concrete measurement of the security risks facing their organization.

An organization’s security policies, processes, and controls are typically dictated by best practices, industry standards, customer requirements, and compliance and regulatory demands. But once these are in place, how do you know that they are being effective? Are the budget and resources allocated to security programs actually making you more secure?

SMART (Specific, Measurable, Actionable, Relevant, and Timely) security metrics can help provide the answers to these questions.

This paper explores some of the challenges information security professionals face when selecting and presenting security metrics to business leaders. Specific criteria and reporting technologies can guide the decision-making process to ensure metrics are accurate and relevant, distill a clear picture of an organization’s security risk, and provide actionable information for improving security efforts.

II. Understanding Metrics

Metrics are a system or standard of measurement using at least two reference points and a predetermined baseline. Security metrics measure the effectiveness of an organization’s security programs and processes. SMART Metrics are metrics that are Specific, Measurable, Actionable, Relevant, and Timely.

III. Measuring What Matters

“What gets measured gets managed” is a well-known cliché used in the business world. It is usually presented as a shortened version of a longer statement attributed to the late management consultant and author Peter Drucker: “what gets measured gets managed – even when it’s pointless to measure and manage it, and even if it harms the organization.” (Whether Drucker ever wrote those words is disputed; the point stands regardless.) Read in full, the message carries a warning that most information security professionals would be well served to heed: measuring the wrong thing is not harmless. Failure to heed it can lead to costly, unintended consequences, not only for a security program but for the security of the organization as a whole.

Board members and other executive-level decision-makers within an organization generally look at metrics provided by the IT security team to understand the security posture of their organization. These metrics serve as a basis for actions and funding decisions that directly impact security programs. Metrics that are irrelevant or inaccurate can divert attention away from areas of security that need the most focus, increasing risk exposure. Over time, irrelevant or inaccurate metrics can also lead management to lose trust in the information they receive from IT security leaders within the organization, and in the security program itself.

One key to delivering successful security metrics is understanding that, due to time and resource limitations, there are only so many things that can be measured well. With an almost unlimited amount of data available, having defined criteria, such as SMART Metrics, helps IT security professionals identify the most valuable information to their organization. Choosing metrics that are SMART allows IT security professionals to provide leaders with information that influences them and drives them to action.

IV. SMART Metrics

SMART Metrics are metrics that are Specific, Measurable, Actionable, Relevant, and Timely. They find meaningful ways to inform and influence the audience without burdening the decision-makers with useless data. SMART Metrics help ensure that you are measuring the right things at the right time.

Specific Metrics

Specific metrics should provide clear, informative, and actionable intelligence to an intended audience. Metrics are designed to facilitate decision-making and to shed light on areas of an organization that are either improving or need improvement. If the metrics are too ambiguous, the intended message may be confusing or misunderstood, which can result in management making an incorrect decision or no decision at all.

Measurable Metrics

A measurable metric is one that can be represented or quantified numerically. Qualitative metrics are an analysis of descriptive data, whereas quantitative metrics are an analysis of numerical data. Qualitative metrics are more difficult to collect, less precise, and open to interpretation. Quantitative metrics are objective in form, but a number is only as factual as the data behind it: a vulnerability count from an unauthenticated scan, or from a scan that reached half the inventory, is still a number. Record how each metric was collected (sensor, scope, credentials, collection date) alongside the value, so the figure can be reproduced and trusted. Measurable security metrics allow you to track progress over a period of time to determine if your security program is moving in the right direction, and changes in the security program are more easily detected when they can be expressed as a number against a baseline.

Actionable Metrics

When selecting which metrics to use, ask the question “does the data for this metric help drive action?” If the answer is no, there is no point in collecting that data. If a metric is not actionable, then it holds no value. Actionable metrics give you an indication that something needs improvement or needs to be addressed, but the metrics themselves do not provide the solution. They are a starting point for investigation.

Relevant Metrics

Relevant metrics provide pertinent information to help decision-makers improve upon the security posture of an organization. Relevant metrics also show security is providing value to the business and it is aligned with the organizational goals. A metric may be specific, measurable, actionable, and timely, but if it is not relevant to your organization, it is not needed.

Timely Metrics

Timely metrics are those that are up-to-date and able to be collected quickly. Metrics gathered as close to real-time as possible are more likely to facilitate a change in process. Historical data can also be useful, as it may be a good indicator of future behavior, and can be a good starting point in building a baseline for metrics programs. Metrics should, however, be forward-looking. Typically, the newer the data, the more useful it will be.

V. Effectively Communicating Metrics

Historically, there has been a disconnect in the communication between the technology and business worlds when discussing security metrics. Security professionals are more likely to present metrics as they relate to operational performance, while business leaders typically want to see how metrics relate to cost. The onus is on the security professional to learn how to relay the information in ways that are more easily understood by the business leaders.

To be effective, metrics should always tell a story. That story’s purpose is to influence the audience, and either drive them to action or reaffirm actions that were previously taken. In order for the story to be understood and acted upon, it has to be told in the listener’s language. Security professionals who learn the art of presenting metrics in ways that business leaders can appreciate and comprehend should find themselves in demand for years to come.

Another key to making any metric, including SMART Metrics, successful is deciding how to tell the story. How the story is told, and what details are included, is largely dependent upon who the audience is and what is most important to them. The metrics that mid-level management find useful would, generally, not have the same effect or benefit to the CISO. The metrics each audience is presented with should be tailored to help guide decision-making in their respective areas.

When presenting metrics, the information needs to be reliable and accurate. One of the quickest ways for decision-makers to lose trust in information provided to them is inaccuracy. Consistently reliable and accurate metrics will help IT security gain the trust of management and help show the value the security program brings to the organization.

For more information about SMART Metrics, see the “Using SMART Metrics to Drive Action” eBook from Tenable.

VI. Using Tenable and SMART Metrics to Tell Your Story

Even when defined objectives, documented controls, and SMART Metrics are in place, IT security leaders often fall short in terms of delivering relevant, easily understood security metrics to business executives and the board. One drawback of metrics is that they have traditionally been analyzed and presented in numerical lists or tables. While information presented in this fashion may work well for more technical IT security professionals, business executives typically find it easier to process the same metrics-based information when it is presented in more visually appealing formats. Tenable’s SecurityCenter Continuous View™ (SecurityCenter CV™) can help IT security professionals tell their story when presenting security metrics. Through the use of Assurance Report Cards™ (ARCs), dashboards, and reports within SecurityCenter CV, security professionals have the ability to provide the decision-makers within their organization clear, concise, and up-to-date information in formats they can easily understand.

Assurance Report Cards

Assurance Report Cards (ARCs) are part of SecurityCenter CV, which collects data from multiple sensors to provide advanced analysis of vulnerability, threat, network traffic, and event information and deliver a continuous view of IT security across your environment. ARCs enable CISOs and other security professionals to measure, analyze, and visualize the security posture of their IT enterprise at any time. Report results are delivered in an intuitive report card format. ARCs are evaluated on a continuous basis, using customer defined security policies, allowing security teams to identify the gaps where policies are failing to meet business objectives. ARCs correspond to customer-defined business objectives, and rely on multiple policy statements to evaluate the underlying controls.


ARCs visually represent SecurityCenter CV’s measurement and analysis capabilities, providing security leaders with a mechanism for continuously demonstrating security assurance. The report card format outlines the success of high-level business objectives for security, each of which is supported by multiple underlying SMART Metrics. Although ARCs summarize the status of potentially hundreds of controls, they retain the underlying data so it can be readily examined when needed. Business leaders can trust the metrics presented in ARCs because measurement is performed against comprehensive data collected through a combination of active scanning, agent scanning, integrations with third-party systems, passive listening, and host data activity monitoring. The caveat is coverage: an ARC can only score the assets its sensors actually see, so a card presented as a statement about the whole enterprise should be accompanied by a check that the asset inventory and sensor coverage are themselves complete.

Active Scanning: Active scanning examines the devices on the network, running processes and services, configuration settings, and vulnerabilities. Periodically scanning the network, servers, desktops, and applications helps prioritize security efforts to mitigate threats and weaknesses. However, active scans may miss transient devices, mobile devices, and cloud services that are not present or disconnected during a scan.

Agent Scanning: With companies encouraging and enabling employee mobility, corporate devices aren’t always connected to the corporate network when active scans take place. Agent scanning makes it possible to scan these and other transient devices. Once installed, agents can run credentialed scans without needing ongoing host credentials. Scanning with agents has minimal network impact, enabling large-scale concurrent scanning so organizations can quickly and efficiently get scan results.

Intelligent Connectors: Integrations with third-party systems improve efficiency and provide context by leveraging existing infrastructure and investments, as well as systems of record, to build an intelligent fabric of information. Tenable analyzes this information to prioritize threats and weaknesses, using a wide range of data sources, including Active Directory, configuration management databases (CMDBs), patch management systems, mobile device management (MDM) systems, cloud platforms, endpoint management platforms, and threat intelligence feeds.

Passive Listening: With increasing numbers of mobile and transient network devices, it is important to have a system in place that continuously monitors traffic, devices, applications, and communications across environments. Because it learns when hosts come online and assesses them with a zero-touch approach, Tenable enables powerful yet non-disruptive continuous monitoring of your network.

Host Data: Tenable enables hosts to play a part in their own security hygiene, reporting on changes in their state and security posture. This is important, because most organizations can only run scans periodically. For example, if an organization scans every 19 days, they miss what happens in between. Without having to run scans, Tenable analyzes host activity, users, and changes to provide context around vulnerabilities, malicious activity, and anomalous behavior.

Working together, these unique sensors gather vulnerability, configuration, and real-time threat information from hundreds of different assets, including operating systems, network devices, virtual infrastructure, databases, mobile devices, web servers, and embedded systems. They also gather information about network and system activity to identify suspicious traffic and anomalies.

Analysis is initially performed by Tenable’s more than 79,000 plugins that identify assets, detect vulnerabilities, assign severities, evaluate configurations, and discover protected/proprietary data at rest and in motion. SecurityCenter CV then applies filters, queries, and conditional logic to perform additional analysis.

SecurityCenter CV comes with numerous pre-defined, customizable Assurance Report Cards. In addition to the pre-defined ARCs, customers can create ARCs to meet the specific needs of their security program. Each ARC can be automated to report on a scheduled basis. Those ARCs can then be presented to executives for an up-to-date status relative to their organization’s security standards and compliance requirements so the executives can quickly understand their cyber risk and compliance posture.

ARCs correspond to control objectives. Take, for example, the pre-defined Windows Servers ARC. Each ARC’s pass/fail status is evaluated by examining its underlying policy statements, which are typically conditional tests that evaluate to true or false. Example policy statements are:

  • No systems have vulnerabilities that are known to be exploitable
  • Greater than 95% of systems have no unpatched vulnerabilities where the patch was published over 30 days ago
  • Greater than 95% of Anti-Malware settings are compliant with standards and policies
  • Greater than 95% of systems are running no unsupported software
  • Greater than 95% of Logging settings are compliant with standards and policy
  • Greater than 95% of Data Protection settings are compliant with standards and policies
  • Greater than 95% of Secure Configuration settings are compliant with standards and policies

ARCs are extremely flexible. These conditions are pre-defined for this particular ARC, but new conditions can be added, or these can be edited or removed to meet the specific requirements for each organization. An ARC will only pass if all of its underlying policy statements evaluate to True. In the above example, all seven conditions must be met for the ARC to pass.
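The following Python is an added illustration of how the seven policy statements above combine into a single pass/fail card; it is not Tenable’s code and does not reproduce SecurityCenter CV’s ARC engine or data model. The asset record layout, the plugin numbers, the per-host compliance check counts, and the choice of June 8, 2016 as the evaluation date are all assumptions made for the example; the inventory it evaluates is constructed inline. What it adds to the text is the part a practitioner has to get right when building a card by hand: “greater than 95%” is a strict inequality, the exploitable-vulnerability statement is absolute rather than a percentage, and a failing card must say which statement failed so the result is actionable.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Evaluation date and thresholds are illustrative assumptions; the paper is
# dated June 8, 2016, so that date stands in for "now".
TODAY = date(2016, 6, 8)
THRESHOLD = 0.95                  # the ARC says "greater than 95%", so strictly >
PATCH_GRACE = timedelta(days=30)  # "patch was published over 30 days ago"
SETTING_FAMILIES = ("Anti-Malware", "Logging", "Data Protection", "Secure Configuration")


@dataclass
class Vuln:
    plugin_id: int                # hypothetical plugin number
    exploitable: bool             # a working exploit is publicly known
    patch_published: date | None  # None: the vendor has shipped no patch yet


@dataclass
class Asset:
    name: str
    vulns: list[Vuln] = field(default_factory=list)
    unsupported_software: bool = False
    # compliance results per setting family: family -> (checks passed, checks total)
    checks: dict[str, tuple[int, int]] = field(default_factory=dict)


def share_of_systems(assets, predicate):
    """Fraction of assets satisfying predicate; 0.0 for an empty inventory."""
    return sum(1 for a in assets if predicate(a)) / len(assets) if assets else 0.0


def share_of_settings(assets, family):
    """Fraction of compliance checks in one family that passed, across all assets."""
    passed = sum(a.checks.get(family, (0, 0))[0] for a in assets)
    total = sum(a.checks.get(family, (0, 0))[1] for a in assets)
    return passed / total if total else 0.0


def patch_overdue(vuln, today=TODAY):
    """True when a patch exists and has been available longer than the grace period."""
    return vuln.patch_published is not None and today - vuln.patch_published > PATCH_GRACE


def evaluate_arc(assets, today=TODAY):
    """Evaluate the seven Windows Servers policy statements.

    Returns (arc_passes, results). results maps each statement to
    (passed, measured share), so a failing card points at the control to fix
    instead of reporting a bare red/green.
    """
    exploitable = share_of_systems(assets, lambda a: any(v.exploitable for v in a.vulns))
    patched = share_of_systems(assets, lambda a: not any(patch_overdue(v, today) for v in a.vulns))
    supported = share_of_systems(assets, lambda a: not a.unsupported_software)

    results = {
        "No systems have exploitable vulnerabilities": (exploitable == 0.0, exploitable),
        ">95% of systems have no patch overdue by 30+ days": (patched > THRESHOLD, patched),
        ">95% of systems run no unsupported software": (supported > THRESHOLD, supported),
    }
    for family in SETTING_FAMILIES:
        share = share_of_settings(assets, family)
        results[f">95% of {family} settings compliant"] = (share > THRESHOLD, share)

    # The card passes only when every underlying statement is True.
    return all(ok for ok, _ in results.values()), results


def failing_statements(results):
    """Names of the statements that failed, in evaluation order."""
    return [name for name, (ok, _) in results.items() if not ok]


def build_inventory(n, overdue=(), unsupported=(), exploitable=(), logging_failures=None):
    """Constructed sample data: n servers, fully compliant unless listed."""
    logging_failures = logging_failures or {}
    assets = []
    for i in range(1, n + 1):
        name = f"srv-{i:02d}"
        vulns = []
        if name in overdue:      # patch shipped 45 days ago and is still unapplied
            vulns.append(Vuln(10001, False, TODAY - timedelta(days=45)))
        if name in exploitable:  # patch is only 3 days old, but a public exploit exists
            vulns.append(Vuln(10002, True, TODAY - timedelta(days=3)))
        checks = {f: (10, 10) for f in SETTING_FAMILIES}   # 10 checks per family
        checks["Logging"] = (10 - logging_failures.get(name, 0), 10)
        assets.append(Asset(name, vulns, name in unsupported, checks))
    return assets


if __name__ == "__main__":
    fleet = build_inventory(40, overdue=("srv-01",), unsupported=("srv-02",),
                            logging_failures={"srv-03": 6})
    arc_ok, res = evaluate_arc(fleet)
    print("Windows Servers ARC:", "PASS" if arc_ok else "FAIL")
    for statement, (ok, value) in res.items():
        print(f"  [{'pass' if ok else 'FAIL'}] {statement} (measured {value:.1%})")
```

Two behaviours of the card are worth noticing when reading the output. With 40 servers, one host with an overdue patch leaves 97.5% compliant and the statement passes; with 20 servers the same single exception is exactly 95.0%, which is not greater than 95%, so the fleet size decides how many exceptions a percentage threshold tolerates. The exploitable-vulnerability statement has no such slack: a single host with a known-exploitable finding fails the whole card, and the per-statement results are what turn that red card into a work item.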


SecurityCenter CV comes pre-installed with numerous Assurance Report Cards. Five of these are executive ARCs that directly relate to Tenable’s Critical Cyber Controls.

Tenable security experts distilled recommendations from the following standards and programs into five Critical Cyber Controls, making it easy for organizations to draw on published industry best practices:

Council on CyberSecurity: The Critical Security Controls for Effective Cyber Defense

NIST: Framework for Improving Critical Infrastructure CyberSecurity

National Campaign for CyberHygiene

PCI Data Security Standard (PCI DSS)

Dashboards

Tenable also allows organizations to quickly visualize the overall security and compliance posture of their network through the use of customizable dashboards within SecurityCenter CV. The dashboards give a snapshot of the scanning, vulnerabilities, and event information, along with instant analysis of important data anomalies and the ability to drill into the underlying metrics for further evaluation.

SecurityCenter CV offers the ability to select from numerous pre-defined dashboard templates, create custom dashboards, or import newly developed dashboards as they become available from Tenable. A dashboard can be created or customized to display information in different formats and configurations, allowing them to be easily understood by multiple audiences. Once dashboards are created, they can be easily shared with various SecurityCenter CV users/groups, such as executives, allowing them to track the status of the organization’s security posture.


Reports

Tenable also provides the ability to deliver informative and timely reports to the decision-makers within an organization. Depending on the intended audience, the reports can range from extremely detail-oriented to very high-level summaries.

With multiple report templates and a user-friendly report creation interface, SecurityCenter CV’s report generation process is flexible and simple. The numerous report templates Tenable provides are based on industry standards, and reports are available in standard PDF, RTF, and CSV formats. For specialized reporting needs, additional DISA ASR, DISA AFR, and CyberScope options can be enabled by the SecurityCenter CV administrator. Reports can be scheduled and automatically emailed, shared with one or more specified SecurityCenter CV users, and/or published to one or more sites upon completion.

The excerpt from a Monthly Executive Report below is an example of a pre-defined report in SecurityCenter CV. It is just one of many reports Tenable offers to convey security metrics in a language that business executives can easily understand.


VII. Conclusion

Collecting data for the sake of data collection does not benefit anyone – not IT leaders, not business leaders, and certainly not the organization. The benefit of metrics becomes clear when data is used to measure performance in a way that is meaningful to the business. With so much information readily available, security professionals can be overwhelmed when determining which data is needed. Using criteria such as SMART Metrics can help alleviate some of that burden by offering guidance for better metrics.

Having good (SMART) metrics is only half the battle, though. Learning how to present those metrics to the decision-makers within your organization is crucial to success. Delivering metrics in a way that tells the audience a story in the language they speak ensures the lessons being conveyed are understood. Providing management with consistently reliable and accurate metrics in this manner enables them to make more informed decisions for the organization. Some of the areas those decisions should positively impact are risk exposure, compliance standings, accountability, and profitability. Improvements in those areas should show the benefit of the metrics program and demonstrate that security is providing value and in alignment with business objectives.

Tenable offers solutions to help security professionals deliver metrics in the language business leaders speak. Tenable’s SecurityCenter CV allows customers the flexibility to create or customize Assurance Report Cards, dashboards, and reports to provide up-to-date SMART Metrics in visually-appealing formats that business executives understand. These ARCs, dashboards, and reports give executives the insights they need without burdening them with unnecessary information, allowing them to make quick, informed decisions.

VIII. About Tenable Network Security

Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable’s customers range from Fortune Global 500 companies, to the global public sector, to mid-sized enterprises in all sectors, including finance, government, healthcare, higher education, retail and energy. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.