- Can we conclude this: there is no system as yet to streamline security metrics.
- No company has defined the "key elements" to report security. Just an IDS, FW, VPN is not the end all.
- Tools to automate metric gathering: no work in sight.
- Metrics against an SLA... hmm, that's combining tech stuff and commerce.

Where does that leave Thomas Frazier and many others who have similar questions? We should initiate addressing these topics. What do you all say?

-Kumar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 27, 2001 4:02 PM
To: Pradeep Kumar; Frazier, Thomas; [EMAIL PROTECTED]
Subject: RE: What do you use for security metrics

I hope I understood the question. I agree with Kumar: the MIS manager, which is probably not a technical person, will, in a case of a hack into the system, that you were the one in charge of the system; it is your job to alert these things no matter what they cost or damage production levels. The real tricky part is to know how to put your foot down gently and prevent insecure user actions. As for monitoring, well my friend, this is a 24/7 job: always have your systems monitored, and notify you of serious events..... (I use snort - www.snort.org along with the ruleset called ArcNIDS from www.whitehats.com) and determine which events are important enough to be sent to you either by SMS, e-mail or any other means. Remember, your system is protected up until the point you updated it....

Cheers
TheOg

-----Original Message-----
From: Pradeep Kumar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 8:38 AM
To: Frazier, Thomas; [EMAIL PROTECTED]
Subject: RE: What do you use for security metrics

phew... such an important topic and no replies?

Thomas, I would consider the cipher strength of the gateways and the encryption algorithms being used at the gateways as a measure amongst others to rate the security. Technical metrics should always override the business metrics. If your site gets compromised, your boss is going to fire you. You can't tell him that "it was the business rules". He would say (rather, if I were the CEO, I would say) "damn, I hired you as my Security advisor, it was your job to emphasize security over business rules".

You have to narrow the scope of your work - IDS, Anti Virus.

-----Original Message-----
From: Frazier, Thomas [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 10, 2001 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: What do you use for security metrics

Hello,

I am sending this question out to this list to see what others are doing in this space. (Adjust for your scenario accordingly.)

You have an IDS setup, firewalls galore, enterprise anti-virus, regular vulnerability assessments, whatever.... You have a lot of information out there that you can use for metrics to determine the state of security at <insert your company here>.

o What are the key elements you report on?
o Do you break out the business metrics from technical metrics?
o Have you written tools to automate the metric gathering process or is it manual?
o Do you have a regular (weekly, monthly, quarterly) report driven by metrics?
o Are the metrics compared against a Level of Service agreement you have to support?

Thanks,
Thomas Frazier
Systems Specialist
Corporate Information Security
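Two threads of the discussion above, Kumar's "tools to automate metric gathering" and TheOg's "determine which events are important enough to be sent to you", can be tied together in a few dozen lines. The following is an added example written for this page, not code posted by anyone in the thread: it parses Snort alert lines, aggregates them into the counts a periodic report would carry, and applies one escalation rule. It assumes Snort's one-line "alert_fast" output layout and Snort's convention that priority 1 is the most severe; the alert lines, signature IDs and addresses are constructed for the example, and the function names (`parse_alert`, `collect_metrics`, `escalate`, `format_report`) are mine.

```python
"""
Added example: turn Snort alert_fast lines into report metrics and pick out
the alerts that merit an immediate page. Assumptions: alert_fast layout and
priority 1 = most severe. All sample data below is constructed.
"""
import re
from collections import Counter

# Constructed sample alerts (documentation/test addresses, made-up SIDs).
SAMPLE_ALERTS = """\
09/27-16:02:11.123456  [**] [1:2000001:1] CONSTRUCTED portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:41234 -> 192.0.2.10:22
09/27-16:02:15.223456  [**] [1:2000001:1] CONSTRUCTED portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:41235 -> 192.0.2.10:23
09/27-16:05:40.000001  [**] [1:2000002:1] CONSTRUCTED web shell upload attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:50000 -> 192.0.2.20:80
09/27-16:07:02.000001  [**] [1:2000003:1] CONSTRUCTED ICMP echo from outside [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.4 -> 192.0.2.10
this line is not an alert and must be skipped
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src -> dst (ports only for TCP/UDP).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_host_port(endpoint):
    """'192.0.2.10:22' -> ('192.0.2.10', 22); a bare address or an IPv6
    literal (more than one colon) is returned whole with port None."""
    if endpoint.count(":") == 1:
        host, port = endpoint.split(":")
        if port.isdigit():
            return host, int(port)
    return endpoint, None


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    alert["src_ip"], alert["src_port"] = split_host_port(alert["src"])
    alert["dst_ip"], alert["dst_port"] = split_host_port(alert["dst"])
    return alert


def collect_metrics(text):
    """Aggregate the numbers a weekly/monthly report would carry."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    return {
        "total": len(alerts),
        "by_priority": dict(Counter(a["prio"] for a in alerts)),
        "by_signature": dict(Counter(a["msg"] for a in alerts)),
        "by_classification": dict(Counter(a["cls"] or "unclassified" for a in alerts)),
        "top_sources": Counter(a["src_ip"] for a in alerts).most_common(3),
    }


def escalate(text, max_priority=1):
    """Return only the alerts severe enough to page someone right away
    (priority <= max_priority; lower number = more severe in Snort)."""
    return [a for a in (parse_alert(l) for l in text.splitlines())
            if a and a["prio"] <= max_priority]


def format_report(metrics, period="weekly"):
    """Render the aggregated metrics as a plain-text report."""
    lines = [f"Security metrics ({period} summary)",
             f"Total alerts: {metrics['total']}"]
    for prio in sorted(metrics["by_priority"]):
        lines.append(f"  priority {prio}: {metrics['by_priority'][prio]}")
    lines.append("Signatures (most frequent first):")
    for msg, n in sorted(metrics["by_signature"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {n:4d}  {msg}")
    lines.append("Top source addresses:")
    for ip, n in metrics["top_sources"]:
        lines.append(f"  {n:4d}  {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(collect_metrics(SAMPLE_ALERTS)))
    for a in escalate(SAMPLE_ALERTS):
        print(f"PAGE NOW: [{a['sid']}] {a['msg']} from {a['src_ip']} to {a['dst_ip']}")
```

The split between `collect_metrics` and `escalate` mirrors the two needs in the thread: the first feeds a scheduled report (and, once you record counts per period, a trend against whatever service level you have promised), the second decides what interrupts someone at 3 a.m. Keeping the threshold a parameter rather than a constant is what lets the same collector serve both without retuning the rules.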