Research Papers

Fact-Based Network Security: Metrics and the Pursuit of Prioritization

By Mike Rothman

What should you do right now? That’s one of the toughest questions for any security professional to answer. The list is endless, the priorities clear as mud, the risk of compromise ever present. But doing nothing is never the answer. We have been working with practitioners to answer that question for years, and we finally got around to documenting some of our approaches and concepts.

That’s what “Fact-Based Network Security: Metrics and the Pursuit of Prioritization” is all about. We spend some time defining ‘risk’, trying to understand the metrics that drive decisions, working to make the process a systematic way to both collect data and make those decisions, and understanding the compliance aspects of the process. Finally we go through a simple scenario that shows the approach in practice.

Here’s an excerpt from the introduction, just to whet your appetite a bit:

Security programs at most businesses are about as mature as a pimply-faced teenager, which is problematic given the current state of security. Attackers only have to get it right once, and some of them now hack more for Lulz than financial gain. How do you defend against an adversary who is more interested in pantsing you than stealing your stuff? But not all attackers fall into that category. You may also deal with state-sponsored adversaries – with virtually unlimited resources. So you need to choose your activities wisely and optimize every bit of available resource just to stay in the same place. Unfortunately, far too many organizations don’t choose wisely.

These organizations treat network security like Whack-a-Mole. Each time a mole pops above the surface, they try to smack it down. Usually that mole squeals loudest, regardless of its actual importance. But this means they spend a large chunk of time trying to satisfy certain people, hoping to get them to stop calling – and unfortunately that is much more about annoyance and persistence than the actual importance of their demands. Sound familiar? Responding to the internal squeaky wheels clearly isn’t a good enough prioritization scheme. Neither is the crystal ball, hocus pocus, or any other unscientific method. Clearly there must be a better way.

We would like to thank RedSeal Networks for sponsoring this research.

Download: Fact-Based Network Security: Metrics and the Pursuit of Prioritization (PDF)