The Register® — Biting the hand that feeds IT

Better metrics needed for security, says expert

Awash in bad data

BOSTON — The security industry has done a poor job of finding ways for companies to measure their security, but that does not mean that collecting data is not valuable, the former head of the U.S. Department of Homeland Security's cyber group told attendees at the SOURCE Boston conference on Thursday.

Amit Yoran, CEO of security firm NetWitness and the former director of the National Cyber Security Directorate at the DHS, criticized today's risk management practices. The security industry is awash in bad data, and companies that attempt to use the metrics could take the wrong actions, he said.

"When you are trying to boil a very complex topic into ... a discrete number to management, you end up driving organizational behavior toward bad metrics," Yoran said.

Yet, forgoing data collection is not the right path, either.

"Rather than say, 'Don't measure any data, because it will backfire,' we need to measure everything," he said. "Once you have the metrics, you can analyze the data in different ways," and find those that actually help the company minimize risk.

The process requires that executives work with their security group to find the right way to measure security for that specific company, he said.

"The security culture has to be set by the executives," Yoran said. "Set the expectations that a lack of due care is not going to be tolerated."

This article originally appeared in SecurityFocus.

Copyright © 2009, SecurityFocus

Latest Comments

Re: need to measure everything

But isn't the real problem that what you are actually trying to measure is what you are NOT doing, so that you can identify it and do something about it? Of course, if you could measure it, then you would know about it, and knowing about it you would have done something about it.

Or not, depending on your local implementation of the PHB.

Gosh

"[...] Former head of the U.S. Department of Homeland Security's cyber group [...]: 'we need to measure everything'"

Why am I not surprised?

The problem with risk management

Fundamentally, the whole metrics racket is a hiding to nothing when it comes to security. Suppose you have a webserver, and for the ease of the example, let's say your company does all its business through this system. It has a bug. Should you patch it? Well, you can put a number on the amount of business lost through downtime when patching (yes yes, no clustering here, we're in Gedankensville, OK?). You might even get people to put a wet finger in the air and come up with some sort of guesstimate about how much it would cost you in lost business and reputational damage should you arrive at work one day to find your front page replaced by Fleshbot (although I'd argue that value is entirely theoretical, and anyway is probably a hell of a lot less than you might like to think it is - especially if you're the person trying to diddle the numbers so you get a bigger budget next year). One thing you absolutely /cannot/ do, though, is put any sort of probability value on the chances of getting pwned /through that specific vulnerability/, per day. That's the sort of number the insurance business likes to crunch to work out your car insurance premium, and why middle-aged me pays less to insure my 250 BHP turbo-nutter-bastard mobile than a 22 yo with a hot hatch, set of alloy wheels, Haynes manual and a bodykit :)

Given that the final number at the bottom of the page that's supposed to allow you to rank your systems, the stuff you could do to secure them, and how much you should spend to do so are based on garbage - and we've all seen what lousy risk management based on garbage input can do to the world economy - it follows that one should beware of snake-oil salesmen bearing metrics.

Mine's the one with the "kick me" note stuck on the back by the Sales Director...

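The thought experiment in the comment above (a patch cost you can measure, against a breach cost weighted by a per-day compromise probability you cannot) can be made concrete with a small sensitivity calculation. This is an added example, not code from the article or from the commenter; the patch cost, breach cost and the range of probabilities are constructed placeholders, and the model itself (probability of at least one compromise within a year, multiplied by one guessed breach cost) is an assumption chosen for illustration, not a method the page describes.

```python
"""Sensitivity of a patch/don't-patch comparison to the per-day
compromise probability that the comment argues cannot be measured.

Added example; all monetary figures and probabilities below are
constructed placeholders, not data from the article or its comments.
"""


def expected_annual_breach_loss(p_daily: float, breach_cost: float, days: int = 365) -> float:
    """Expected loss over `days` if the vulnerability stays unpatched.

    Assumed model: the chance of at least one compromise in the window is
    1 - (1 - p)^days, and each compromise costs the (guessed) breach_cost.
    """
    p_at_least_one = 1.0 - (1.0 - p_daily) ** days
    return p_at_least_one * breach_cost


def breakeven_daily_probability(patch_cost: float, breach_cost: float, days: int = 365) -> float:
    """Daily compromise probability at which patching and deferring cost the same.

    Solves 1 - (1 - p)^days = patch_cost / breach_cost for p.
    """
    ratio = patch_cost / breach_cost
    if ratio >= 1.0:
        # Patching costs at least as much as a certain breach: never breaks even.
        return 1.0
    return 1.0 - (1.0 - ratio) ** (1.0 / days)


def decision(p_daily: float, patch_cost: float, breach_cost: float, days: int = 365) -> str:
    """'patch' when the expected breach loss exceeds the (known) patch downtime cost."""
    return "patch" if patch_cost < expected_annual_breach_loss(p_daily, breach_cost, days) else "defer"


def sensitivity_table(patch_cost: float, breach_cost: float, probabilities):
    """Rows of (p_daily, expected annual loss, decision) across a probability range.

    The spread of decisions in the last column is the point: if the rows
    disagree, the final ranking is only as good as the unmeasurable input.
    """
    return [
        (p, round(expected_annual_breach_loss(p, breach_cost), 2), decision(p, patch_cost, breach_cost))
        for p in probabilities
    ]


if __name__ == "__main__":
    # Constructed placeholder figures (hypothetical, not from the page):
    PATCH_COST = 20_000.0    # business lost during the patch window (measurable)
    BREACH_COST = 500_000.0  # wet-finger-in-the-air estimate of one defacement
    probabilities = [1e-5, 1e-4, 1e-3, 1e-2]  # the number nobody can actually measure

    print(f"break-even daily probability: {breakeven_daily_probability(PATCH_COST, BREACH_COST):.2e}")
    for p, loss, verdict in sensitivity_table(PATCH_COST, BREACH_COST, probabilities):
        print(f"p={p:.0e}  expected annual loss={loss:>12,.2f}  -> {verdict}")
```

With these placeholder inputs the break-even point sits at roughly 1.1e-4 per day, and the verdict flips from "defer" to "patch" between p = 1e-4 and p = 1e-3. The whole ranking therefore turns on which side of a single order of magnitude the guessed probability falls, which is the commenter's objection stated numerically: the calculation is easy, the input is the problem.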
