Meaningful information security metrics seem to come in as many shapes and sizes as there are CISAs, CISMs, and CISSPs brave enough to weigh in on the subject. There are plenty of risk and security frameworks available to help guide a security team to a reasonable answer to nearly any question posed regarding the appropriate allocation of resources required to reduce a given business risk to a specific level. Likewise, there is plenty of information available on extrapolating meaningful metrics from log analysis, false positives, and recorded incidents. These metrics tell us a lot about the operational characteristics of a security team and how well they are able to process the information that they have available, but very little about the overall state of security of our networks.
The crux of the problem is the typical technical toolset. Firewalls tell us – with huge volumes of data – which connections were allowed and which were blocked; sandboxes tell us – in painful detail – about the behaviors witnessed when unknown payloads are detonated; A/V and HIPS tools alert us to threats that have been stopped on every client in the network that has A/V or HIPS installed.
What about the threats these tools can't identify? Are existing, new, or evolving threats slipping by unnoticed and unremarked on, or bypassing perimeter controls completely and running rampant in your network? The answer increasingly accepted by everyone appears to be "yes." Breach detection has become an important tool in enterprise security, enabling companies to quickly identify, mitigate, and limit the effects of an in-progress attack.
Vectra Networks provides something a little different. Instead of focusing on signatures, payloads, sandboxing, or reputations, the Vectra X-series breach detection platform looks for malicious behaviors on the network in real time. We track these behaviors regardless of OS, device or application, and correlate multiple behaviors over time that could be missed by other solutions.
Now – back to the metrics discussion. Yesterday I could track how many connections were dropped or allowed, how many clients have A/V, how many binaries my sandbox had detonated, and how well my devices fared against a vulnerability scanner. All excellent metrics that have their place in any security framework, but do they really provide a holistic view of the safety of our network – or are they just correlating information that we allow to point us in the direction of the answer we want?
Today, with Vectra's X-series platform, I can show you how many new detections of potentially malicious activity I've seen, baseline that threat, and track these statistics over the last day, week, or month. I can show you what types of detections they are – command & control (C&C), botnets, reconnaissance, lateral movement, or exfiltration – and what level of threat each incident represents as well as how certain we are of the identification of the observed behavior.
With a view of this data in comparison to my typical threat density, I can monitor the "behavioral-risk profile" of my network to determine if changes need to be made in the future, or to judge if changes I've made previously have been effective in reducing the incidence of malicious activity.
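The "behavioral-risk profile" described above is, at bottom, a time series of new detections per category compared against a baseline of typical threat density. The following is an added worked example, not Vectra's code and not a description of how the X-series platform computes anything internally. It builds a constructed set of detection records (one per new detection, carrying a category, a threat level and a certainty), buckets them into weeks, computes a per-category baseline from the preceding weeks, flags a category whose latest week is well above that baseline, and produces a threat-and-certainty-weighted weekly score. Category names, score scales (0 to 100) and the spike thresholds are this example's own assumptions.

```python
"""Behavioral-risk profile over new-detection records (added, constructed example)."""
from datetime import date, timedelta
from statistics import mean, pstdev

# Detection categories named in the post; the short keys are this example's own.
CATEGORIES = ("c2", "botnet", "recon", "lateral", "exfil")

START = date(2014, 3, 24)  # constructed start of the reporting window


def make_sample_detections():
    """Constructed sample: (day, category, threat 0-100, certainty 0-100) tuples over
    five weeks, with a steady background, a C&C spike in week 4 and a tail-off in week 5."""
    per_week = {"c2": 2, "botnet": 1, "recon": 3, "lateral": 1, "exfil": 1}
    rows = []
    for week in range(5):
        for cat, n in per_week.items():
            for i in range(n):
                rows.append((START + timedelta(days=7 * week + i), cat, 50, 60))
    for i in range(10):  # ten extra high-threat, high-certainty C&C detections in week 4
        rows.append((START + timedelta(days=21 + i % 7), "c2", 80, 90))
    for i in range(3):  # three more in week 5 as remediation takes effect
        rows.append((START + timedelta(days=28 + i), "c2", 80, 90))
    return rows


def weekly_counts(detections, start, weeks):
    """Count new detections per category in each 7-day bucket beginning at `start`."""
    counts = {cat: [0] * weeks for cat in CATEGORIES}
    for day, cat, _threat, _certainty in detections:
        idx = (day - start).days // 7
        if 0 <= idx < weeks and cat in counts:
            counts[cat][idx] += 1
    return counts


def weekly_risk(detections, start, weeks):
    """Weighted weekly score: threat * certainty / 100 summed over all detections, so a
    few confident, high-threat detections outweigh many low-confidence ones."""
    score = [0.0] * weeks
    for day, _cat, threat, certainty in detections:
        idx = (day - start).days // 7
        if 0 <= idx < weeks:
            score[idx] += threat * certainty / 100.0
    return score


def profile(counts, baseline_weeks=3, min_ratio=2.0):
    """Compare each category's latest week with the mean of the preceding baseline weeks.
    A category is flagged as a spike only when the latest count exceeds both
    mean + 2 * stdev and min_ratio * mean; the ratio test keeps a jump from 0 to 1
    from being reported as a spike."""
    out = {}
    for cat, series in counts.items():
        base = series[-1 - baseline_weeks:-1]
        mu, sd = mean(base), pstdev(base)
        latest = series[-1]
        out[cat] = {
            "latest": latest,
            "baseline_mean": mu,
            "spike": latest > mu + 2 * sd and latest > min_ratio * max(mu, 1),
        }
    return out


def week_over_week_change(series):
    """Fractional change of the latest bucket versus the one before it (None if undefined)."""
    if len(series) < 2 or series[-2] == 0:
        return None
    return (series[-1] - series[-2]) / series[-2]


if __name__ == "__main__":
    rows = make_sample_detections()
    for weeks in (4, 5):
        counts = weekly_counts(rows, START, weeks)
        print(f"window of {weeks} weeks:")
        for cat, info in profile(counts).items():
            print(f"  {cat:8s} latest={info['latest']:3d} baseline={info['baseline_mean']:.1f} "
                  f"spike={info['spike']}")
        print(f"  weighted weekly risk: {weekly_risk(rows, START, weeks)}")
        print(f"  C&C week-over-week change: {week_over_week_change(counts['c2'])}")
```

Run over a four-week window the C&C category is flagged as a spike against a flat baseline; extending the window to the fifth week, in which the extra detections have largely stopped, clears the flag and shows a large week-over-week drop, which is the kind of before-and-after measurement the post argues for. Reporting both the raw count and the weighted score matters: a spike made of low-certainty detections should not carry the same weight as one made of confident, high-threat ones.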
I believe this is the start of a new strategy of security reporting – one that can help security teams show concrete results from their efforts, better allocate resources, and show measurable ROI to the business.
The image at the top is a screenshot from the Vectra X-Series platform in a production network. The graph plots new detections of C&C, botnet, reconnaissance, lateral movement, and exfiltration behaviors detected over the previous month. A quick look at the graph shows a significant spike in C&C behaviors shortly after the public announcement of the Heartbleed OpenSSL vulnerability, followed by decreases in new alerts as remediation steps were taken.
To put it another way, Vectra identified threats the rest of the security tools missed, provided the information required to address those threats, as well as directly relevant metrics to measure the success of the changes implemented.
Security that thinks™ indeed.