The long view of security strategies for your network.
A common comment from engineering and technical personnel is that if we can't measure something, we can't manage it effectively.
Security consultant Gordon Merrill continues his series on fundamental management tools for information assurance (IA) professionals in general and IA security consultants in particular. His insights and recommendations will also help clients choose consultants wisely and judge their performance appropriately.
* * *
As a security professional, you may be tasked with gathering data that will become part of a senior officer's presentation to upper management. If you are an external consultant, you will probably not have full access to the company information technology (IT) services as you find and analyze the data you need to create appropriate security metrics; you need to convince client personnel to find the data for you. Part of the task is knowing the full scope of the project before you begin planning what metrics to gather. It may be as easy as looking at data they are already gathering and finding that the staff don't realize that there are valuable metrics hidden within.
You may also need to look at how they report any metrics already used in-house. Do they use the top-down approach or the bottom-up approach, as described in a 2006 paper on security metrics by S. C. Payne published in the SANS Security Essentials collection? The top-down method starts by determining what they need to report based on the company goals and how they can prove they are meeting them. The bottom-up approach looks at the resources they have available (e.g., logs, applications, and funds) and constructs the report using what they have. Ideally, the top-down approach is the best; however, as a consultant who is not an employee in the client's company, you may often find yourself having to work under contract limitations that force you to cope with what you have without the option of having the client spend more money to collect more data.
Supposing the bottom-up approach is all you have available to you, what can you use for data and what can you manage to extract from the data? Most of your data in this case will come from log files. Find out how logging is configured; if necessary, as Scott Berinato suggests in a 2005 paper published in CSO Magazine, ask the IT team to reconfigure their current logging to provide the widest range of information you can use in your security analysis.
The key to logging for metrics is to save everything possible within the limits of storage: you cannot go back and get what you did not gather. If necessary, it may be cost-effective to buy some inexpensive off-the-shelf high-capacity disk storage units for your work; a 2TB USB/Firewire IOMEGA external drive cost only around $350 in 2009, and the 1.5TB version cost $200 at that time. Providing the team with an easy-to-use disk may soften the resistance to an increased volume of log files.
In addition to collecting expanded log files, you may need to invest in a log analysis tool for the operating system in question that helps you find what you need from logs by appropriate filtering and search capabilities. Searching Google using "log file analysis tools" as the search string brings up a number of articles and data sheets about products worth examining.
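As an added illustration of the bottom-up approach (this code is not from the column or any product it mentions), the script below derives a few authentication metrics from a constructed sample of syslog-style sshd lines; the line format, the failure threshold and the metric names are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample of syslog-style sshd lines (documentation IP ranges); not real data.
SAMPLE_LOG = """\
Mar  3 08:01:12 gw1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 08:01:15 gw1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 08:02:40 gw1 sshd[2230]: Accepted publickey for alice from 198.51.100.4 port 40110 ssh2
Mar  3 08:05:03 gw1 sshd[2251]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 08:06:11 gw1 sshd[2260]: Accepted password for bob from 198.51.100.9 port 40200 ssh2
Mar  3 08:09:50 gw1 sshd[2275]: Failed password for bob from 198.51.100.9 port 40201 ssh2
"""

# Matches the common OpenSSH auth result lines; anything else is ignored.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_sshd(text):
    """Yield one dict per recognised sshd auth line; skip unrelated lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def auth_metrics(text, fail_threshold=3):
    """Report-ready metrics built only from logs already on hand:
    totals, failure ratio, failures per source, sources at or over
    fail_threshold, and how many accepted logins still used passwords."""
    events = list(parse_sshd(text))
    failed = [e for e in events if e["result"] == "Failed"]
    accepted = [e for e in events if e["result"] == "Accepted"]
    fails_by_src = Counter(e["src"] for e in failed)
    return {
        "total_auth_events": len(events),
        "failed": len(failed),
        "accepted": len(accepted),
        "failure_ratio": round(len(failed) / len(events), 3) if events else 0.0,
        "failed_by_src": dict(fails_by_src),
        "sources_over_threshold": sorted(
            s for s, n in fails_by_src.items() if n >= fail_threshold),
        "password_logins_accepted": sum(1 for e in accepted if e["method"] == "password"),
    }

if __name__ == "__main__":
    for name, value in auth_metrics(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The same pattern extends to any log the client already keeps: one regex per line type, one function that turns matches into the handful of numbers the presentation needs.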
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.