How effective are your controls? How effective should they be? These are two of the most important, and most often overlooked, questions in information security. Third Defense consultants have helped build some of the best metrics programs in the world. If you’re new to measuring, we’ll help you define a pilot program to demonstrate value. We focus on outcome-based metrics programs: how many incidents occur at your organization, how many are acceptable to the business, and which metrics correlate with incidents?
Third Defense works with your leadership, security team, and control owners to define a sustained process to identify the optimal set of metrics and target values, and to communicate results effectively to demonstrate value. Engagements last between one and three weeks, depending on the scope of metrics and the amount of data accessible through automation. As a tools and consulting company, we’ll also work with you to automate data collection as needed.
Keys to success include the ability to document and categorize historical incidents to develop a baseline. We’ll also work with you to include metric evaluation during root cause analysis to identify leading indicators and appropriate target values.
The following is a short list of some of our favorite IT security metrics to reduce incidents:
- # of Final Security Review bugs
- # of Post-production application bugs
- # of Security Regressions
- # of patch & configuration vulns (via scanner) not mitigated within predefined timeframes
- % Employee termination within policy
- % Role/Access verification
- % critical systems monitored for security
- % assessed per policy
- # of overdue findings
- # of duplicate incidents
- # of emergency or unplanned changes
- % of changes with a regression
One of the most valuable metrics is also the easiest to maintain: tracking the age of scanner-based vulnerabilities. Vuln scanners enable you to classify devices and identify patch and configuration vulnerabilities cost-effectively. Unfortunately, many organizations can’t easily determine whether remediation occurs within agreed-upon timeframes.
Third Defense works with your scanning teams to determine appropriate scanning coverage, configuration, network enumeration, and vuln severity levels. If you haven’t defined remediation timeframes by asset class and severity, we’ll work with you and your operations team to identify appropriate tolerances. Because vuln scanners do not provide visual reports on vulnerability age, Third Defense developed a simple tool to receive scans, age vulns, and report on past-due items.
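The aging logic described above, as an added illustration that is not Third Defense’s tool: each open finding is aged from the date the scanner first reported it and compared against a remediation timeframe keyed by asset class and severity. The SLA values, asset names and findings below are constructed for the example.

```python
from datetime import date

# Remediation timeframes in days by (asset_class, severity). Hypothetical
# values for illustration; agree on real tolerances with operations.
REMEDIATION_SLA_DAYS = {
    ("critical", "high"): 7,
    ("critical", "medium"): 30,
    ("critical", "low"): 90,
    ("standard", "high"): 30,
    ("standard", "medium"): 90,
    ("standard", "low"): 180,
}

# Constructed sample: one row per open finding. first_seen is the date the
# scanner first reported it; age is measured from there, not from the latest rescan.
SAMPLE_FINDINGS = [
    {"asset": "db01", "asset_class": "critical", "severity": "high", "first_seen": date(2024, 1, 2)},
    {"asset": "db01", "asset_class": "critical", "severity": "medium", "first_seen": date(2024, 1, 20)},
    {"asset": "ws17", "asset_class": "standard", "severity": "high", "first_seen": date(2023, 12, 1)},
    {"asset": "ws17", "asset_class": "standard", "severity": "low", "first_seen": date(2023, 10, 1)},
]
REPORT_DATE = date(2024, 2, 1)  # the "as of" date for this constructed report

def age_findings(findings, as_of):
    """Annotate each open finding with its age, its SLA, and whether it is past due."""
    aged = []
    for f in findings:
        sla = REMEDIATION_SLA_DAYS[(f["asset_class"], f["severity"])]
        age = (as_of - f["first_seen"]).days
        aged.append({**f, "age_days": age, "sla_days": sla,
                     "past_due": age > sla, "days_over": max(0, age - sla)})
    return aged

def past_due_summary(aged):
    """Return {(asset_class, severity): (open_count, past_due_count)} for the metric report."""
    summary = {}
    for f in aged:
        key = (f["asset_class"], f["severity"])
        total, overdue = summary.get(key, (0, 0))
        summary[key] = (total + 1, overdue + (1 if f["past_due"] else 0))
    return summary

if __name__ == "__main__":
    aged = age_findings(SAMPLE_FINDINGS, REPORT_DATE)
    for f in aged:
        if f["past_due"]:
            print(f"{f['asset']} {f['severity']}: {f['age_days']}d open, {f['days_over']}d past SLA")
    print(past_due_summary(aged))
```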
Third Defense is a different kind of consulting company because we have dedicated developers building tools to support our customers. In addition to developing tools for our SaaS suite, we offer custom development engagements to support our services. Need help incorporating asset inventory into your vuln database? Help developing secure authentication, designs, or coding practices? Need a custom solution to automate a process? We take pride not only in developing security-related applications, but in doing it securely.