The most valuable server and endpoint security metrics for security teams tend to be those that track detections and vulnerabilities over time, because they help improve the security program overall. Detection of specific indicators of compromise (IoCs) and malware campaigns is useful in the short term, but rarely valuable over time. In this piece, we examine the top server and endpoint security metrics to use for reporting.
For servers, vulnerability metrics encompass vulnerability assessment/reporting and remediation activities, patching in particular (see Figure 1).
Figure 1: Server Vulnerability Metrics

| Metric | Frequency | Notes |
|---|---|---|
| Vulnerability assessment: critical and high vulnerabilities noted | Weekly (DMZ) and monthly (all) | The number of critical and high vulnerabilities detected in the environment is a critical prevention metric and should be tracked on a monthly basis for all specific segments/zones scanned within the organization. |
| Mean time to remediate critical and high vulnerabilities | | This should be tracked as a general measure of patching/workaround implementation and sense of urgency in operations. Ideally, this would be tracked per segment (DMZ, various internal zones, etc.) to ensure specific areas are being monitored effectively and teams are meeting remediation SLAs (if those exist). |
| Increase/decrease in critical/high results (scan comparison) | Bi-weekly and bi-monthly | Scan comparisons can help detect lapses in remediation or new issues appearing in specific segments of the environment. |
| Repeat results per system | | Remediation lapses or issues can be found in scan comparisons. |

Source: IANS, 2021
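To make the Figure 1 metrics concrete, the following added example (not from the article or IANS) computes them from two consecutive scan exports and a remediation ticket list: severe findings per segment, the scan-to-scan delta, repeat findings per host, and mean time to remediate per segment. All hosts, segments, finding IDs and dates are constructed sample data; the record layouts are assumptions, not any scanner's real export format.

```python
from collections import Counter, defaultdict
from datetime import date

SEVERE = {"critical", "high"}

# Constructed sample scan exports: (host, segment, finding_id, severity).
SCAN_PREV = [
    ("web-01", "DMZ", "F-1001", "critical"),
    ("web-01", "DMZ", "F-1002", "high"),
    ("web-02", "DMZ", "F-1001", "critical"),
    ("app-01", "internal", "F-2001", "high"),
    ("app-01", "internal", "F-2002", "medium"),
]
SCAN_CURR = [
    ("web-01", "DMZ", "F-1001", "critical"),     # still open: repeat result
    ("web-02", "DMZ", "F-1003", "high"),         # new finding
    ("app-01", "internal", "F-2002", "medium"),  # not severe, ignored
    ("db-01", "internal", "F-3001", "critical"), # new finding
]
# Constructed remediation tickets: (segment, severity, detected, fixed);
# fixed=None means still open and is excluded from the mean.
TICKETS = [
    ("DMZ", "critical", "2023-08-01", "2023-08-04"),
    ("DMZ", "high", "2023-08-02", "2023-08-12"),
    ("internal", "high", "2023-08-05", None),
    ("internal", "critical", "2023-08-06", "2023-08-20"),
]

def severe_count_by_segment(scan):
    """Figure 1, row 1: critical/high findings per segment/zone."""
    return Counter(seg for _, seg, _, sev in scan if sev in SEVERE)

def scan_comparison(prev, curr):
    """Figure 1, rows 3-4: per-segment change in severe findings, and the
    severe findings that recur on the same host (repeat results per system)."""
    before, after = severe_count_by_segment(prev), severe_count_by_segment(curr)
    delta = {seg: after[seg] - before[seg] for seg in set(before) | set(after)}
    prev_keys = {(h, f) for h, _, f, sev in prev if sev in SEVERE}
    repeats = defaultdict(list)
    for host, _, fid, sev in curr:
        if sev in SEVERE and (host, fid) in prev_keys:
            repeats[host].append(fid)
    return delta, dict(repeats)

def mean_time_to_remediate(tickets):
    """Figure 1, row 2: mean days from detection to fix, per segment."""
    days = defaultdict(list)
    for seg, sev, detected, fixed in tickets:
        if sev in SEVERE and fixed is not None:
            days[seg].append((date.fromisoformat(fixed) - date.fromisoformat(detected)).days)
    return {seg: sum(d) / len(d) for seg, d in days.items()}
```

A negative delta with an empty repeat list is the "improvement" signal the article asks for; a repeat entry for a host flags a remediation lapse to investigate.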
Anti-malware and endpoint security metrics are critical for most mature security teams, because these are the most common means of attack (malware) or focal areas for initial ingress by attackers (endpoints). Figure 2 provides EDR metrics to consider.
Figure 2: EDR Metrics

| Metric | Frequency | Notes |
|---|---|---|
| Anti-malware and EDR detects/blocks at endpoints | Weekly with monthly aggregate | Detecting malware targeting end users is a critical metric, and should be tracked over monthly and quarterly baselines. |
| EDR allow-listing/IoC alerts | Daily, with weekly/monthly aggregates | Allow-listing alerts/events and IoCs detected at endpoints should be prioritized for monitoring; organizations should track these frequently, because they are often leading indicators of malicious behaviors (perhaps even more so than traditional |
| Endpoint data loss prevention (DLP) blocks/alerts for critical and high events | Daily, with weekly and monthly aggregates | Endpoint DLP is a highly valuable prevention metric for blocking movement of sensitive data from people's systems, but it's also a good detection, because these events may often lead to early-stage investigations (unlike routine malware alerts, for example). |
| Percentage of systems with/without current endpoint protection signatures/updates | Weekly, with monthly aggregates | Endpoint systems must be protected, and any exceptions must be well-documented. Organizations should track the percentage of systems NOT current with EDR/anti-malware or allow-listing/DLP policies and signatures, and use these metrics to ferret out root cause. |
In addition to the security metrics outlined above, consider tracking the following server metrics:
For workstations, the previous list may apply, but some additional metrics may include:
Keep in mind, the best security metrics are those that focus on areas that can be improved. When it comes to server and endpoint security, we suggest focusing on tracking security metrics that show change over time, to either showcase improvement or highlight areas of concern.
September 26, 2023
By IANS Faculty