Key Server and Endpoint Security Metrics to Track

November 30, 2021 | By IANS Faculty

The most valuable server and endpoint security metrics for security teams tend to be those that track detections and vulnerabilities over time, because they help improve the security program overall. Detection of specific indicators of compromise (IoCs) and malware campaigns is useful in the short term, but rarely valuable over time. In this piece, we examine top server and endpoint security metrics to use for reporting.

Server Vulnerability Metrics   

For servers, vulnerability metrics encompass vulnerability assessment/reporting and remediation activities, patching in particular (see Figure 1).

Figure 1: Server Vulnerability Metrics

| Metric | Category | Measurement Frequency | Additional Information |
|---|---|---|---|
| Vulnerability assessment: critical and high vulnerabilities noted | Prevention | Weekly (DMZ) and monthly (all) | The number of critical and high vulnerabilities detected in the environment is a critical prevention metric and should be tracked on a monthly basis for all specific segments/zones scanned within the organization. |
| Mean time to remediate critical and high vulnerabilities | Prevention | Monthly | This should be tracked as a general measure of patching/workaround implementation and sense of urgency in operations. Ideally, this would be tracked per segment (DMZ, various internal zones, etc.) to ensure specific areas are being monitored effectively and teams are meeting remediation SLAs (if those exist). |
| Increase/decrease in critical/high results (scan comparison) | Prevention | Bi-weekly and bi-monthly | Scan comparisons can help detect lapses in remediation or new issues appearing in specific segments of the environment. |
| Repeat results per system | Prevention | Bi-weekly and bi-monthly | Remediation lapses or issues can be found in scan comparisons. |

Source: IANS, 2021
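The four metrics in Figure 1 can all be derived from the same raw material: a list of findings per scan with a remediation date where one exists. The script below is an added example, not IANS code; the scan results, segment names, host names and vulnerability IDs are constructed for illustration, and the function names are my own. It computes the critical/high count per scan and segment, mean time to remediate (from first detection to closure, open findings excluded), the per-segment delta between two scans, and the findings that repeat on the same host across both scans.

```python
from datetime import date

# Constructed sample scan findings (illustrative, not real data). Each
# record is one finding from one scan:
# (scan_date, segment, host, vuln_id, severity, remediated_on or None).
# A finding still open at a later scan is listed again under that scan.
SCAN_1, SCAN_2 = "2021-10-01", "2021-10-15"
FINDINGS = [
    (SCAN_1, "DMZ", "web01", "V-1001", "critical", "2021-10-04"),
    (SCAN_1, "DMZ", "web01", "V-1002", "high", "2021-10-19"),
    (SCAN_1, "DMZ", "web02", "V-1001", "critical", "2021-10-04"),
    (SCAN_1, "internal", "app01", "V-2001", "high", None),
    (SCAN_1, "internal", "db01", "V-2002", "medium", "2021-10-03"),
    (SCAN_2, "DMZ", "web01", "V-1002", "high", "2021-10-19"),
    (SCAN_2, "DMZ", "web03", "V-1003", "critical", None),
    (SCAN_2, "internal", "app01", "V-2001", "high", None),
    (SCAN_2, "internal", "app01", "V-2003", "critical", None),
]
CRIT_HIGH = {"critical", "high"}


def _days(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def crit_high_count(findings, scan_date, segment=None):
    """Critical/high findings in one scan, for all segments or a single one."""
    return sum(1 for d, seg, _h, _v, sev, _r in findings
               if d == scan_date and sev in CRIT_HIGH
               and (segment is None or seg == segment))


def mean_time_to_remediate(findings, segment=None):
    """Mean days from first detection to remediation of critical/high findings.
    Still-open findings are excluded; returns None when nothing has been closed."""
    first_seen, closed = {}, {}
    for d, seg, host, vuln, sev, rem in findings:
        if sev not in CRIT_HIGH or (segment and seg != segment):
            continue
        key = (seg, host, vuln)
        first_seen[key] = min(first_seen.get(key, d), d)  # ISO strings sort by date
        if rem:
            closed[key] = rem
    durations = [_days(first_seen[k], closed[k]) for k in closed]
    return sum(durations) / len(durations) if durations else None


def scan_delta(findings, earlier, later):
    """Increase (+) or decrease (-) in critical/high findings per segment."""
    segments = sorted({seg for _d, seg, *_rest in findings})
    return {seg: crit_high_count(findings, later, seg) - crit_high_count(findings, earlier, seg)
            for seg in segments}


def repeat_results(findings, earlier, later):
    """Critical/high findings present on the same host in both scans (remediation lapses)."""
    def keys(scan):
        return {(seg, host, vuln) for d, seg, host, vuln, sev, _r in findings
                if d == scan and sev in CRIT_HIGH}
    return sorted(keys(earlier) & keys(later))


if __name__ == "__main__":
    print("crit/high per scan:", crit_high_count(FINDINGS, SCAN_1), crit_high_count(FINDINGS, SCAN_2))
    print("MTTR (days):", mean_time_to_remediate(FINDINGS))
    print("delta per segment:", scan_delta(FINDINGS, SCAN_1, SCAN_2))
    print("repeat results:", repeat_results(FINDINGS, SCAN_1, SCAN_2))
```

With the constructed data the overall count is flat (4 and 4), which is exactly the case where the per-segment delta (DMZ down one, internal up one) and the repeat-results list tell the real story; the internal segment also has no closed findings yet, so its MTTR is reported as None rather than a misleading zero.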


Endpoint Detection and Response Metrics 

Anti-malware and endpoint security metrics are critical for most mature security teams, because these are the most common means of attack (malware) or focal areas for initial ingress by attackers (endpoints). Figure 2 provides EDR metrics to consider. 

Figure 2: EDR Metrics

| Metric | Category | Measurement Frequency | Additional Information |
|---|---|---|---|
| Anti-malware and EDR detects/blocks at endpoints | Prevention/detection | Weekly, with monthly aggregate | Detecting malware targeting end users is a critical metric, and should be tracked over monthly and quarterly baselines. |
| EDR allow-listing/IoC alerts | Prevention/detection | Daily, with weekly/monthly aggregates | Allow-listing alerts/events and IoCs detected at endpoints should be prioritized for monitoring; organizations should track these frequently, because they are often leading indicators of malicious behaviors (perhaps even more so than traditional antivirus). |
| Endpoint data loss prevention (DLP) blocks/alerts for critical and high events | Prevention/detection | Daily, with weekly and monthly aggregates | Endpoint DLP is a highly valuable prevention metric for blocking movement of sensitive data from people's systems, but it is also a good detection metric, because these events often lead to early-stage investigations (unlike routine malware alerts, for example). |
| Percentage of systems with/without current endpoint protection signatures/updates | Prevention | Weekly, with monthly aggregates | Endpoint systems must be protected, and any exceptions must be well-documented. Organizations should track the percentage of systems NOT current with EDR/anti-malware or allow-listing/DLP policies and signatures, and use these metrics to ferret out root cause. |

Source: IANS, 2021
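The last row of Figure 2 is the one that most often hides a root cause: a host can be out of date because its agent has stopped reporting altogether, because it is online but updates are failing, or because someone deliberately excluded it. The script below is an added example, not IANS code or any EDR vendor's export format; the inventory records, host names, change-ticket reference and function names are constructed. It classifies each host into one of those buckets before computing the "percentage not current", so the report separates documented exceptions from the hosts that actually need attention.

```python
from collections import defaultdict
from datetime import date

# Constructed endpoint inventory in the shape an EDR console export might
# take (illustrative, not real data). last_checkin / last_update are ISO
# dates or None if the agent has never reported; exception carries a
# change-ticket reference when the host is deliberately excluded.
INVENTORY = [
    {"host": "ws-001", "last_checkin": "2021-11-29", "last_update": "2021-11-29", "exception": None},
    {"host": "ws-002", "last_checkin": "2021-11-29", "last_update": "2021-11-28", "exception": None},
    {"host": "ws-003", "last_checkin": "2021-11-10", "last_update": "2021-11-10", "exception": None},
    {"host": "ws-004", "last_checkin": "2021-11-29", "last_update": "2021-11-12", "exception": None},
    {"host": "ws-005", "last_checkin": "2021-11-29", "last_update": "2021-11-05", "exception": None},
    {"host": "lab-01", "last_checkin": None, "last_update": None, "exception": "CHG-0042 (isolated lab)"},
]


def _age(as_of, iso_date):
    """Days between iso_date and as_of; None if the date was never reported."""
    if iso_date is None:
        return None
    return (date.fromisoformat(as_of) - date.fromisoformat(iso_date)).days


def classify(rec, as_of, max_age_days=7):
    """Bucket one host: current, documented_exception, not_reporting or update_failing.
    Order matters: a host that has not checked in cannot be blamed for stale updates."""
    if rec["exception"]:
        return "documented_exception"
    checkin = _age(as_of, rec["last_checkin"])
    if checkin is None or checkin > max_age_days:
        return "not_reporting"
    update = _age(as_of, rec["last_update"])
    if update is None or update > max_age_days:
        return "update_failing"
    return "current"


def coverage_report(inventory, as_of, max_age_days=7):
    """Percentage of systems not current, with hosts grouped by probable root cause.
    Documented exceptions are listed but not counted as 'not current'."""
    hosts_by_cause = defaultdict(list)
    for rec in inventory:
        hosts_by_cause[classify(rec, as_of, max_age_days)].append(rec["host"])
    total = len(inventory)
    not_current = total - len(hosts_by_cause.get("current", [])) \
        - len(hosts_by_cause.get("documented_exception", []))
    return {
        "as_of": as_of,
        "total": total,
        "pct_not_current": round(100 * not_current / total, 1),
        "hosts_by_cause": {cause: sorted(hosts) for cause, hosts in hosts_by_cause.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(INVENTORY, "2021-11-30"), indent=2))
```

Run weekly with a monthly roll-up, the "not_reporting" list is usually an asset-management or decommissioning problem, while "update_failing" points at the update channel (proxy, bandwidth, a stuck agent), so splitting the percentage by cause turns a compliance number into an actionable one.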


Server Detection Metrics 

In addition to the security metrics outlined above, consider tracking the following server metrics: 

  • Unknown executables detected: Daily 
  • Unusual kernel drivers/activity: Daily 
  • Suspicious registry activity: Daily 
  • Failed logon/access attempts: Daily 

For workstations, the previous list may apply, but some additional metrics may include: 

  • Access attempts to privileged executables like PowerShell: Daily 
  • Abnormal file detection/access (Word, PDF, Excel, etc.): Daily 
  • Network access attempts to/from workstation peers: Daily 
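The daily metrics in both lists only become useful once they are compared with a baseline, since a raw count of failed logons means little on its own. The script below is an added example, not IANS code; it assumes a simplified, normalized log line format ("timestamp host event_type key=value ...") that is my own construction rather than any product's output, and the hosts, users and event names are likewise constructed. It parses the lines, builds per-day counts for each event type in the lists above, flags days where an event type exceeds a multiple of its trailing mean, and then shows which hosts drove a flagged day.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines in a simplified normalized format (not from any real
# product): "<ISO timestamp> <host> <event_type> key=value ...". The event
# types correspond to the daily server/workstation metrics above. The last
# day is seeded with a burst of failed logons against one server.
LOG_LINES = [
    "2021-11-28T08:12:03Z srv01 failed_logon user=admin src=10.0.0.5",
    "2021-11-28T09:00:10Z srv02 failed_logon user=root src=10.0.0.8",
    "2021-11-28T10:30:00Z ws017 powershell_access user=jdoe parent=winword.exe",
    "2021-11-29T02:10:00Z srv01 failed_logon user=admin src=10.0.0.5",
    "2021-11-29T11:00:00Z srv01 unknown_executable path=C:\\Temp\\updater.exe",
    "2021-11-29T11:05:00Z ws017 peer_network_access dst=ws018 port=445",
    "2021-11-30T03:00:00Z srv02 unknown_kernel_driver name=xyz.sys",
] + [f"2021-11-30T04:{m:02d}:00Z srv01 failed_logon user=admin src=10.0.0.5" for m in range(8)]

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<host>\S+) (?P<event>\S+)(?: (?P<kv>.*))?$"
)


def parse_line(line):
    """Parse one line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in (m.group("kv") or "").split())
    return {"day": m.group("day"), "host": m.group("host"), "event": m.group("event"), **fields}


def daily_counts(lines):
    """{day: Counter(event_type -> count)} over all parseable lines."""
    per_day = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_day[rec["day"]][rec["event"]] += 1
    return dict(per_day)


def flag_spikes(per_day, event, factor=3.0, min_count=5):
    """Days on which `event` exceeds `factor` times the mean of all prior days.
    `min_count` stops a jump from 0 to 2 from being reported as a spike."""
    flagged, history = [], []
    for day in sorted(per_day):
        count = per_day[day].get(event, 0)
        baseline = sum(history) / len(history) if history else 0.0
        if count >= min_count and count > factor * baseline:
            flagged.append((day, count, baseline))
        history.append(count)
    return flagged


def top_hosts(lines, day, event, n=3):
    """Hosts that contributed most to one day's count: where an investigation starts."""
    records = (r for r in map(parse_line, lines) if r and r["day"] == day and r["event"] == event)
    return Counter(r["host"] for r in records).most_common(n)


if __name__ == "__main__":
    counts = daily_counts(LOG_LINES)
    for day in sorted(counts):
        print(day, dict(counts[day]))
    for day, count, baseline in flag_spikes(counts, "failed_logon"):
        print(f"spike: {day} failed_logon={count} (baseline {baseline:.1f})",
              top_hosts(LOG_LINES, day, "failed_logon"))
```

The trailing-mean baseline here is deliberately simple; in practice a weekly or monthly baseline per host or per segment, as Figure 2 suggests for malware detections, is less noisy, but the structure (count per day, compare to history, attribute to hosts) is the same.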

Tracking Server and Endpoint Security Metrics

Keep in mind that the best security metrics are those that focus on areas that can be improved. When it comes to server and endpoint security, we suggest focusing on tracking security metrics that show change over time, either to showcase improvement or to highlight areas of concern.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 
