Maintaining a resilient security posture is an ongoing effort for every organization. As reports of data breaches, fraud, and cyberattacks grow increasingly common, it’s important to have strategies in place to mitigate their impact.
Whilst cybersecurity may have once seemed to be a solely ‘online’ problem, the rise of the Internet of Things makes it more relevant than ever. A web application being targeted no longer just means a website is unavailable. It can mean lights go off, cars won’t start, and money goes missing. Here you can see the threats which security directors consider the most important:
An effective way to build the strategies that protect your networks is to have solid, understandable metrics. Understanding what’s happening within your web applications is a vital step toward securing them. Well-defined measurements provide the necessary visibility to do this.
The Benefits Of Cybersecurity Metrics
Keeping an up-to-date selection of cybersecurity metrics requires a lot of investment. So just what benefits does having a dedicated set of cybersecurity metrics deliver?
Many industries have certain requirements that you’ll need to meet. Examples include PCI-DSS 6.6, SOC 2, and HIPAA. Keeping accurate metrics will allow you to gather data to prove that you do. Or, if they reveal you don’t, they enable you to identify the issues that need addressing prior to an audit.
Sometimes, there may not be official requirements. That doesn’t mean there won’t be customer expectations. For instance, if you’re providing call centre software then your customers will expect your application to be available at all times. If you’ve been tracking how much downtime you’ve had over the past year, you can advertise how low this amount is as a selling point.
It can be difficult to track progress on the security of your company. Having a range of metrics available will allow you to choose areas to improve, and to set targets.
See Problems Quickly
By having metrics dating back over a period of time, you can quickly spot changes and trends impacting your organization’s security posture. This means if there is a security breach, you can pinpoint where – and hopefully how – it happened with ease. If you have an average number of five indicators of compromise a month, but after a new update the number climbs to 40, then you know what to look at. You must scrutinize what changed in the update and how it may have caused the increase.
Help With Decision Making
Having data on hand will help you understand what decisions need making, as well as what impact your choices will have. It also makes it easier to convey the important points to decision makers who aren’t as familiar with cybersecurity.
Who’s In Charge?
It’s important to have dedicated job positions devoted to cybersecurity. If you don’t already have a Chief Information Security Officer (CISO), it’s time to hire one. They should be responsible for keeping management informed about the current status of cybersecurity in the company and on a broader scale. Having well-defined metrics also comes into play here. They allow a CISO to present simple information that makes it easier to show a potentially non-tech team where problems lie, and why they should fund solutions.
If you outsource your web development, they might be able to take care of a lot of this for you. You should still have a dedicated staff member, though, who understands cybersecurity, and what these metrics mean.
Every business is unique, meaning there’ll always be unique problems. For instance, an e-commerce site will have to deal with fraud in a way other sites may not. This is why having a dedicated CISO is important, as they can ensure you’re looking into the things most relevant to your company. That said, there are some key metrics that every company should be making use of.
If you have nothing else, you need to have a record of reported vulnerabilities. Having a history of past failings is the best way to figure out what needs improving. Tracking this metric also ensures issues in your application don’t go unnoticed.
Within this general metric you can drill down to get some key data on certain areas, for example:
- Total indicators of compromise in the last month
- Total per application
- Total number of mild, medium, or severe vulnerabilities
- Total number of issues resolved and unresolved
It’s particularly helpful to track that quartet of metrics as they’ll give you a solid understanding of where your strengths and vulnerabilities lie. If you have multiple web applications, but one of them has a much higher number of indicators of attack than the others, then you know you need to investigate. Keeping track of how many vulnerabilities are reported over set periods of time is also vital. It allows you to see if anything has scaled up dramatically – in which case it could be due to a cyberattack, issues introduced with a new patch, or an unpatched vulnerability or misconfiguration.
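As an added illustration (not part of the original article), the sketch below computes the four drill-down totals from a list of reported issues and flags any month whose count jumps well above the average of earlier months, mirroring the five-a-month-to-40 scenario described earlier. The application names, the record layout, and the `factor` and `min_history` thresholds are assumptions, and the sample data is constructed.

```python
from collections import Counter

APPS = ["shop", "api", "admin"]            # hypothetical application names
SEVERITIES = ["mild", "medium", "severe"]  # the three severity bands listed above

def sample_records():
    """Constructed data: one (month, app, severity, resolved) row per report."""
    per_month = {"2024-01": 4, "2024-02": 5, "2024-03": 6, "2024-04": 40}
    rows = []
    for month, n in per_month.items():
        for i in range(n):
            # In the final month most reports land on one application.
            app = "shop" if month == "2024-04" and i % 4 else APPS[i % 3]
            rows.append((month, app, SEVERITIES[i % 3], i % 5 != 0))
    return rows

def quartet(rows):
    """The four drill-down totals: last month, per app, per severity, status."""
    latest = max(month for month, *_ in rows)
    return {
        "last_month": sum(1 for r in rows if r[0] == latest),
        "per_app": Counter(r[1] for r in rows),
        "per_severity": Counter(r[2] for r in rows),
        "resolved": sum(1 for r in rows if r[3]),
        "unresolved": sum(1 for r in rows if not r[3]),
    }

def spikes(rows, factor=3.0, min_history=3):
    """Flag months whose count exceeds factor x the mean of all earlier months."""
    monthly = sorted(Counter(r[0] for r in rows).items())
    flagged = []
    for idx, (month, count) in enumerate(monthly):
        history = [c for _, c in monthly[:idx]]
        if len(history) < min_history:
            continue  # too little history to call anything a trend
        baseline = sum(history) / len(history)
        if count > factor * baseline:
            # Name the application behind most of the month's reports.
            by_app = Counter(r[1] for r in rows if r[0] == month)
            flagged.append((month, count, baseline, by_app.most_common(1)[0][0]))
    return flagged

if __name__ == "__main__":
    data = sample_records()
    print(quartet(data))
    print(spikes(data))
```

Each flagged entry names the month, its count, the baseline it was compared against, and the application responsible for most of that month's reports, which is where the investigation should start.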
It’s also likely that you’re aware of vulnerabilities in your applications. It’s important to keep track of these, and equally vital that this information is stored securely. Vulnerabilities are the open doors through which threat actors attempt to breach your defenses. Identified vulnerabilities can be cross-checked against the National Vulnerability Database published by NIST. The MITRE Corporation also publishes a database of CVEs (Common Vulnerabilities and Exposures).
There are a lot of ways to discover what vulnerabilities your application has – including ethical hacking and automated testing. A great example of how this works and how you can benefit comes from a team of Chinese researchers who looked into cybersecurity risks in Android VoIP. They used “fuzzing” – a method where unexpected or invalid inputs are fed to the software under test – and discovered some key flaws. Those included the ability to transfer calls without permission. Revealing these vulnerabilities may seem strange, but it allowed them to be fixed.
Keep track of your known vulnerabilities and their severity, and apply patches when published or otherwise seek to remediate identified vulnerabilities in both your codebase and underlying infrastructure (e.g., AWS S3 buckets and related permissions; open source components). This will allow you to address the most high-risk ones first, rather than working through them in the order they appear in an automated report.
Time To Resolution
You should have some idea of how long each incident/vulnerability takes to resolve. Having this information to hand can help you see how fast you respond, and, if it’s too slow, take steps to address that. It also allows you to schedule your staff more efficiently and be aware of whether you may need extra support, notably if a particularly damaging breach were to occur.
In such a case, you may have to bolster other business areas, too. For instance, if you use AI in customer service and have to take it offline to resolve an issue, you’ll need to hire more telephone operators to make up for it. Knowing the average fix time means you can hire temps accordingly if needed.
Cost To Resolve
This metric is great when paired with the previous one. As well as understanding how long it takes to address a security issue or vulnerability, you should be able to accurately convey how expensive it was.
When deciding the cost to resolve, you need to consider a variety of factors – not just hours worked. Direct costs such as data recovery and investigation should be included, as should indirect costs like downtime or potential customer loss.
Downtime can happen for a few reasons. The principal two to keep track of are security incidents and security solutions (such as patching a vulnerability). As mentioned above, you should already be factoring downtime into your costs, but it’s worth tracking on its own, too.
The amount of downtime can show you how resilient or vulnerable your entire system is. For instance, if you have a low rate of downtime but a higher rate of incidents, you know that those incidents aren’t severe enough to be crippling the application entirely. However, if you have a high rate of downtime but a low rate of incidents, you know that there’s a major problem!
Once you’re familiar with these key metrics, you can start to branch out into some tailored to your specific needs. Earlier, we mentioned how an e-commerce business might encounter more fraud. A metric they may find useful is the origin country of fraudulent purchases, or which products have high rates of fraud. You can see some other common alternatives on the chart below.
Ready To Go?
As you can see, navigating cybersecurity metrics isn’t as tricky as it seems. All you need is an understanding of your goals, and time to build a few months of history. Then, you can easily have access to a personalized set of data that will help you with future security decisions. Ideally, you would build a dashboard of these metrics your key stakeholders can access on demand. Many security offerings publish metrics regularly for visibility.
Just remember, having these metrics shouldn’t be treated as a one-time thing. It’s an ongoing process: to get the best use out of them they need to be monitored and kept up to date.