I published this article on LinkedIn on Monday 3rd July 2017, and I’ve copied it here for you.

If you don’t know what you have, how can you measure it?

We read a lot these days about equipment and training to help combat cyber attacks and reduce risks, but I don’t see much about today’s topic. It’s really good that you have controls in place, with defence in depth etc, but how do you know they’re working?

It seems to me that we often forget to take into account the requirement to measure key components on our systems, so that we know when things are working well and when they’re not. This isn’t about audit, which gives you a snapshot, a point in time view. This is about consistent, regular (possibly even real-time) monitoring and reporting on systems.
The first step in this process is to identify what matters to you most – in many, if not all, cases this will be the data your systems hold. 
Then, look at the controls you have in place, and think about what information would give you assurance that your controls are effective. 
For example, if you have highly sensitive data on all your laptops, knowing which devices are not encrypted might be a really key measurement for you. In this instance, you may decide it is unacceptable for any laptops to be unencrypted, or you may decide you’re happy with a tolerance of 5% or 10%.
One of the fundamental features of reporting is knowing what you have, where it is, and what software is loaded on it. If we look at the recent ransomware outbreaks of Wannacry and Petya, we know that these malware packages make use of specific vulnerabilities which were addressed by specific patches. If your inventory is up to date, you can check for the devices missing those specific patches, and target them immediately, rather than checking every single machine. The same held true with Heartbleed and other outbreaks of a similar nature. 
Some would say that regular reporting on critical patches which have not been installed is a waste of time: personally, I think it’s a good metric and invaluable in deploying resources effectively. You should already have a patch schedule, but does it take into account Critical patches? If not, time to start thinking about being proactive with them and pushing them out outside the patch schedule.  
Similarly, you will probably want to know what devices have aged (out of date) antivirus signatures: if they’re not within a couple of days release then in this day and age you’re running a risk. Report / alert on devices where this is the case, or where AV isn’t running at all. (While you’re at it, you might want to investigate ways of determining whether AV is running but not scanning anything – I have seen this on several occasions.)
You will also probably want to baseline the traffic profile coming into and out of your network so that you know what looks normal, making it easier to spot unusual activity. Pay attention to the days and times that traffic is present: if you get a lot of traffic at 3 in the morning, why is that? 
Finally, when presenting this information to your senior management, don’t leave it as raw figures. Present it in terms of risk and impact, from a financial and reputational viewpoint. That makes it easier to understand why something needs to be done and should help with getting additional resources to address those risks. 

If you don’t measure what you have, how can you improve it?

Advertisements