Cisco Blogs


Cisco Blog > Security

Making Your Metrics Program Effective Beyond Just Charts and Numbers

Editor’s Note: This is the third part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program (USM). In this installment, we discuss the effectiveness of the USM program at Cisco.

Information security is all about risk reduction, and risks are notoriously difficult to measure -- ask any insurance salesman or actuary. So how do we handle this conundrum for a security metrics program that hasn’t even reached its second anniversary yet?

Peter Drucker, noted business management author, once said, “Efficiency is doing the thing right. Effectiveness is doing the right thing.” Even at this early stage of the USM program, we can see four clear indicators demonstrating we’re doing the right things to improve Cisco’s security posture across the IT organization and Cisco. They include the creation of newly defined partnerships, leveraging existing IT risk management frameworks, developing well-defined feedback mechanisms, and gaining increased support and visibility at the CIO level.

Read More »

Tags: , , , , ,

March 2014 Threat Metrics

The median rate of web malware encounters in March 2014 was 1:260, compared to a median rate of 1:341 requests in February. At least some of this increased risk appears to have been a result of interest in the NCAA tournaments (aka March Madness), which kicked off during the second week of March in the United States.

Mar2014rate

In February 2014, web malware encounters from sports and video sites were in the 18 and 28 spot, respectively. During March 2014, web malware from sports- and video-related sites jumped to the number 7 and 8 spots, respectively. The presumed longer time spent viewing sports-related content may have been a factor in a 1% decrease in the total volume of web requests in March coupled with a corresponding 18% increase in terabytes received.

Mar2014catall

The ratio of unique non-malicious hosts to unique malware hosts decreased by 1%, at 1:4841 in March 2014 compared to 1:4775 in February. The ratio of unique non-malicious IP addresses to malicious unique IP addresses also dropped from 1:1351 in February 2014 to 1:1388 in March. There was also far less volatility in the rate of unique malicious IP addresses throughout March compared to February.

Mar2014hosts

Java encounters dropped from 9% of all web malware encounters in February 2014 to 6% in March. At 43% of all Java encounters, Java version 7 exploits were the most frequently encountered, with 26% targeting Java version 6, and 32% targeting other versions of Java.

 

Mar2014java

Web malware encounters from mobile devices decreased 24% from February to March 2014. In March 3.6% of all Web malware encounters resulted from mobile device browsing, compared to 4.7% in February. Conversely, web malware encounters from non-Android and non-iOS devices doubled for the period, from 0.1% in February to 0.2% in March. The cause of this increase was not due to any specific device, but rather an across-the-board increase affecting all non-Android and non-iOS devices.

Mar2014mobile

At 18%, advertising was the most common vector of mobile device encounters, followed by business-related sites at 13% and video-related sites at 11% of mobile device encounters. For comparison purposes, in February 2014, sites in the business category were the most common vector of mobile device encounters (20%), followed by advertising (13%) and personal sites (8%). Video came in fourth in February, at 7%.

Mar2014catmob

Pharmaceutical & Chemical remained at 1100% of median risk for web malware encounters in March 2014, the same rate experienced in February. Companies in the Entertainment vertical experienced an increase from 321% in February to 643% in March. The Energy, Oil & Gas vertical increased from a rate of 276% in February to 397% in March.

To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.

 

Mar2014vert

Following a 73% increase from January to February, spam volumes increased another 45% in March to an average of 207 billion spam messages per day.

Mar2014spamvol

The top five global spam senders in February 2014 were the United States at 8%, followed by the Republic of Korea at 5%, Russian Federation at 3%, China at 2%, and Ukraine at 1%.

Tags: , , , , ,

Security Metrics Starting Point: Where to Begin?

Editor’s Note: This is the second part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program. In this second installment, we discuss where to begin measuring.

H. James Harrington, noted author of Business Process Improvement, once said “Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” Good piece of wisdom, but where do you start? How do you mine data through the use of metrics in order to provide greater insight into your organization’s security posture, while simultaneously using it as a vehicle to protect your most critical assets?

For Infosec’s Unified Security Metrics (USM) team, there’s plenty of statistical data sources available to mine information from, particularly from IT system logs and dashboards. In fact, early research conducted by the team identified 30 different types of meaningful data to track. Comprehensive, yes, but not realistically feasible, nor sustainable to implement long-term across Cisco. The USM team’s solution centered on the primary outcomes they were trying to achieve, namely, driving security process improvement behaviors and actions within IT. Subsequently, the list was narrowed down to five key measurements:

  • Stack compliance: measures vulnerabilities found on the TCP/IP stack (i.e. network devices, operating systems, application servers, middleware, etc.)
  • Anti-malware compliance: quantifies whether malware protection software has been properly installed and is up-to-date
  • Baseline application vulnerability assessment: computes whether automatic vulnerability system scans have been performed in accordance with Cisco policy and, if post-scan, any open security weaknesses remain
  • Deep application vulnerability assessment: computes whether penetration testing has been performed on our most business-critical applications in accordance with Cisco policy and, if post-testing, any open security weaknesses remain
  • Design exceptions: measures the total number of open security exceptions, based on deviations from established security standards and best practices

Read More »

Tags: , ,

No Curve Ball Here, Unified Security Metrics Deliver Meaningful Results

Editor’s Note:  This is the first part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program. In this first installment, we discuss the value of security metrics at Cisco.

What does the film Moneyball have in common with security metrics? Turns out—plenty. In Moneyball, the storyline focuses on the Oakland A’s baseball team’s quest to assemble and field a competitive team.  Fiscally constrained, their general manager uses a new approach towards scouting, analyzing and securing players through the use of metrics.

The general manager’s hypothesis was that player performance statistics, such as stolen bases and runs batted in (RBIs) focus on speed and contact.  But other metrics, such as on-base percentage and slugging percentage have a greater influence on the team’s main goal—scoring runs and winning games.

Skeptics scoffed at the data’s reliability as a consistent performance indicator but, much to everyone’s surprise, the data held its own and the A’s became a viable competitor.  By keeping their eyes squarely focused on the real problem—protecting and safeguarding their franchise’s future—the A’s used simple, meaningful metrics to manage risk, guide their operating and decision-making practices, and strengthen their brand. Read More »

Tags: , ,

Our Unofficial Top Ten Cyber Trends for 2014

(I pulled this list together with the help of my colleague Martin Chorich. Or maybe it was the other way around. )

Every year, publications ranging from supermarket tabloids to serious academic journals issue forecasts for the coming year. Those with foresight hold on to these articles and read them again the following December for a good laugh, as we all know how accurate they can be. With that in mind, and following a long week of staring into a well and inhaling the fumes, we offer the following unofficial 2014 guide to trends for cyber security practitioners. These should not be construed in any way as representing Cisco expectations of future market or business conditions. As for their true value, this article and about $4.50 will get you a double mocha latté at a national coffee chain.

1. Changes in the Global Framework Governing the Internet – It is no secret that government policies around the world have had trouble keeping pace with the cultural and economic changes enabled by the Internet. At the same time, the Internet would not be the juggernaut it is without its borderless and unregulated nature. The Internet has developed around a multi-stakeholder model led by the Internet Corporation for Assigned Names and Numbers (ICANN). In recent years, some stakeholders have called for a more government-centric model of Internet governance. In 2014, this conversation will intensify. Debate topics will include whether governance of the Internet should change, and what sort of new governing bodies might find consensus, as stakeholders consider the risks of Internet balkanization and the potential stifling effects of mounting regulatory requirements.

Read More »

Tags: , , , , , , ,