Security Metrics

Establishing Your Own Metrics: What to Do

by Marcus J. Ranum on July 1, 2014

In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. These metrics can create better understanding and awareness about the success of their approaches, as well as allow them to build support for programs and funding requests. There are two ways to start establishing metrics. One is what I think of as the “bottom up” approach and the other being "top down". For best results you might want to try a bit of both, but depending on your organization and your existing processes it might be easier to go...

True White-Knuckled Stories of Metrics in Action: Sylvan

by Marcus J. Ranum on April 2, 2014

In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. These metrics can create better understanding and awareness about the success of their approaches, as well as allow them to build support for programs and funding requests. When you start your metrics program, you will find that a great deal of information can be gleaned from existing data that gets stored in various places.... When I was a junior systems administrator just out of college, I worked at a major hospital as a systems analyst in the...

Security Metrics - Why Should You Care?

by Marcus J. Ranum on February 26, 2014

In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. These metrics can create better understanding and awareness about the success of their approaches, as well as allow them to build support for programs and funding requests. Most of the complex fields humans engage in develop their own terminology, which then becomes a problem of translation for the expert. One of the fundamental problems for security at the “C-level” is to translate between security's inner language, which tends to be about risk...

Introduction and Welcome - Security Metrics

by Marcus J. Ranum on February 13, 2014

In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. These metrics can create better understanding and awareness about the success of their approaches, as well as allow them to build support for programs and funding requests. This is the beginning of a series of postings I'll be doing on security metrics. It's a topic that I don't think we, as a community, have a particularly good grasp of – probably because security, as a field, is only just beginning to professionalize to the point where (in some...

The Critical Security Controls are Getting Traction

by Ron Gula on June 25, 2013

I’ll be honest – my first reaction when I heard about the SANS Consensus Audit Guidelines (CAG), was that our industry didn’t really need yet another framework or standard. But when I read them, I realized this was put together by experienced security professionals who all too often were successful on multiple occasions in breaking into systems during a penetration test at the same customer, or had to perform incident response for the same customer a third or fourth time.

Prove You’re Watching 100% of your Network

by Ron Gula on June 11, 2013

How hard is it for you to prove that you are performing vulnerability scans, network monitoring and log analysis for 100% of your network? If your organization hasn’t automated this process, or it is relying on periodic manual processes, chances are you are blind in some areas and don’t know it.

FUDwatch: Armenia

by Marcus J. Ranum on May 3, 2013

For a field that loves statistics, computer security sure treats them casually. In order to get my humble BA in Psychology, I absorbed my share of course hours in statistics and testing methods, including a set of lectures based upon Darrell Huff's brilliant book, " How to Lie with Statistics " - which I highly recommend. It's fun easy reading satire - those lectures had the effect of making me hyper-skeptical about any large, round, number that's thrown my way. Sometimes, I get the urge to play and this is one of those times. Please don't take anything from this point forward very seriously...

Predicting Attack Paths

by Ron Gula on April 2, 2012

Tenable has published a technical paper titled “ Predicting Attack Paths ” that describes how to leverage active and passive vulnerability discovery technology to identify in real-time Internet facing services, systems and clients on your network that can be exploited in a variety of scenarios.

Using Nessus 5 to Raise the Value of Penetration Testing

by Ron Gula on February 23, 2012

Cross referencing the results of your vulnerability scans with the list of public exploits helps identify likely targets for authorized penetration testing teams. Removing these vulnerabilities significantly raises the value of a penetration test since the team will have to work much harder to find issues that aren’t found through automation. There are many subtle issues to consider when correlating available exploits with vulnerabilities. In this blog entry, we’ll highlight these issues by considering exploit correlation with attacks available from the Metasploit project, Core, and Immunity with the results of a very large Nessus scan of several thousand web servers.

Is that System Managed?

by Ron Gula on November 2, 2011

IT auditors, penetration testers, and incident responders often ask if a system they are analyzing is managed. A managed system is one that is being looked after, updated and maintained by an IT staff of some sort. An unmanaged system is one that is on the network, but perhaps has been forgotten, isn’t authorized or has some other reason for it not to be there or updated by anyone else. Security findings for managed systems and unmanaged systems are reported differently. For an unmanaged system, the recommendation is to make the system managed and bring it into a secured state. For security issues with managed systems, the recommendation is to alter the current management processes to make them more secure. Unfortunately, there is no “under management” test that can easily be automated. This blog entry will describe some of the different types of data that can be gathered from logs, Nessus scanning and Passive Vulnerability Scanner sniffing that can help identify systems with and without management.

Pages