The most valuable server and endpoint security metrics for security teams tend to be those that track detections and vulnerabilities over time, because they help improve the security program overall. Detection of specific indicators of compromise (IoCs)
and malware campaigns is useful in the short term but rarely valuable over time. In this piece, we examine the top server and endpoint security metrics to use for reporting.
For servers, vulnerability metrics encompass vulnerability assessment/reporting and remediation activities, patching in particular (see Figure 1).
Figure 1: Server Vulnerability Metrics (metric, tracking frequency, notes)

Metric: Vulnerability assessment: critical and high vulnerabilities noted
Frequency: Weekly (DMZ) and monthly (all)
Notes: The number of critical and high vulnerabilities detected in the environment is a key prevention metric and should be tracked monthly for every segment/zone scanned within the organization.

Metric: Mean time to remediate critical and high vulnerabilities
Notes: Track this as a general measure of patching/workaround implementation and of the sense of urgency in operations. Ideally, track it per segment (DMZ, various internal zones, etc.) to ensure specific areas are being monitored effectively and teams are meeting remediation SLAs (if those exist).

Metric: Increase/decrease in critical/high results (scan comparison)
Frequency: Bi-weekly and bi-monthly
Notes: Scan comparisons can help detect lapses in remediation or new issues appearing in specific segments of the environment.

Metric: Repeat results per system
Notes: Remediation lapses or issues can be found in scan comparisons.

Source: IANS, 2021
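The four Figure 1 metrics are all derived from the same two inputs: the previous scan and the current one. The script below is an added example (not code from the IANS post) that computes them from two constructed scan exports: open critical/high counts per zone, the increase/decrease between scans split into new and fixed findings, repeat findings per system, mean time to remediate per zone, and open findings past an SLA. Hosts, zones, finding ids and the SLA values are placeholders.

```python
"""Scan-comparison and remediation metrics for Figure 1 (added example).

Two vulnerability scan exports are modelled as dicts keyed by
(host, finding_id) -> (zone, severity, first_seen). The data below is
constructed for illustration; finding ids, hosts and zones are placeholders.
"""
from collections import Counter, defaultdict
from datetime import date

TRACKED = {"critical", "high"}          # severities the metrics report on
SLA_DAYS = {"critical": 7, "high": 30}  # assumed remediation SLA, not from the post

# Previous scan, run 2022-01-03.
PREVIOUS = {
    ("web01", "F-101"): ("DMZ", "critical", date(2021, 12, 20)),
    ("web01", "F-102"): ("DMZ", "high", date(2022, 1, 3)),
    ("web02", "F-101"): ("DMZ", "critical", date(2021, 12, 20)),
    ("app01", "F-203"): ("internal", "high", date(2021, 12, 6)),
    ("db01", "F-203"): ("internal", "high", date(2021, 12, 6)),
}
# Current scan, run two weeks later.
CURRENT_DATE = date(2022, 1, 17)
CURRENT = {
    ("web01", "F-102"): ("DMZ", "high", date(2022, 1, 3)),        # repeat
    ("web02", "F-101"): ("DMZ", "critical", date(2021, 12, 20)),  # repeat
    ("web02", "F-310"): ("DMZ", "high", date(2022, 1, 17)),       # new
    ("db01", "F-203"): ("internal", "high", date(2021, 12, 6)),   # repeat
}


def open_by_severity(scan):
    """Open critical/high findings per (zone, severity) in one scan."""
    counts = Counter()
    for (zone, sev, _seen) in scan.values():
        if sev in TRACKED:
            counts[(zone, sev)] += 1
    return counts


def scan_delta(previous, current):
    """New, fixed and net change of tracked findings per zone.

    Net change alone hides churn: one fixed and one new finding in the same
    zone nets to zero, so new and fixed are reported beside it.
    """
    new, fixed, zones = Counter(), Counter(), set()
    for key, (zone, sev, _) in current.items():
        if sev in TRACKED:
            zones.add(zone)
            if key not in previous:
                new[zone] += 1
    for key, (zone, sev, _) in previous.items():
        if sev in TRACKED:
            zones.add(zone)
            if key not in current:
                fixed[zone] += 1
    return {z: {"new": new[z], "fixed": fixed[z], "net": new[z] - fixed[z]}
            for z in sorted(zones)}


def repeat_findings(previous, current):
    """Findings present in both scans, grouped per system."""
    repeats = defaultdict(list)
    for host, fid in sorted(set(previous) & set(current)):
        repeats[host].append(fid)
    return dict(repeats)


def mean_time_to_remediate(previous, current, current_date):
    """Mean days from first_seen to closure per zone.

    A finding counts as remediated when it was open in the previous scan and
    is absent from the current one. The exact closure date is unknown, so the
    current scan date is used as an upper bound; scan cadence therefore limits
    the resolution of this metric.
    """
    days = defaultdict(list)
    for key, (zone, sev, first_seen) in previous.items():
        if sev in TRACKED and key not in current:
            days[zone].append((current_date - first_seen).days)
    return {z: sum(v) / len(v) for z, v in sorted(days.items())}


def past_sla(current, current_date, sla_days):
    """Open tracked findings older than their severity's SLA, per zone."""
    breaches = Counter()
    for (zone, sev, first_seen) in current.values():
        if sev in TRACKED and (current_date - first_seen).days > sla_days[sev]:
            breaches[zone] += 1
    return dict(breaches)


if __name__ == "__main__":
    print("open:", dict(open_by_severity(CURRENT)))
    print("delta:", scan_delta(PREVIOUS, CURRENT))
    print("repeats:", repeat_findings(PREVIOUS, CURRENT))
    print("mttr days:", mean_time_to_remediate(PREVIOUS, CURRENT, CURRENT_DATE))
    print("past sla:", past_sla(CURRENT, CURRENT_DATE, SLA_DAYS))
```

On the sample data the DMZ nets to zero between scans even though one critical was fixed and one high appeared, which is why the delta reports new and fixed separately. Note also that the MTTR figure is only as fine-grained as the scan cadence; a ticketing or patch-management export with real closure dates gives a better number than two scans alone.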
Anti-malware and endpoint security metrics are critical for most mature security teams, because these are the most common means of attack (malware) or focal areas for initial ingress by attackers (endpoints). Figure 2 provides EDR metrics to consider.
Figure 2: EDR Metrics (metric, tracking frequency, notes)

Metric: Anti-malware and EDR detects/blocks at endpoints
Frequency: Weekly, with monthly aggregate
Notes: Detecting malware targeting end users is a key metric, and should be tracked against monthly and quarterly baselines.

Metric: EDR allow-listing/IoC alerts
Frequency: Daily, with weekly/monthly aggregates
Notes: Allow-listing alerts/events and IoCs detected at endpoints should be prioritized for monitoring; organizations should track these frequently, because they are often leading indicators of malicious behavior (perhaps even more so than traditional

Metric: Endpoint data loss prevention (DLP) blocks/alerts for critical and high events
Frequency: Daily, with weekly and monthly aggregates
Notes: Endpoint DLP is a highly valuable prevention metric for blocking movement of sensitive data off people's systems, but it is also a good detection metric, because these events often lead to early-stage investigations (unlike routine malware alerts, for example).

Metric: Percentage of systems with/without current endpoint protection signatures/updates
Frequency: Weekly, with monthly aggregates
Notes: Endpoint systems must be protected, and any exceptions must be well documented. Organizations should track the percentage of systems NOT current with EDR/anti-malware or allow-listing/DLP policies and signatures, and use these metrics to ferret out the root cause.
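Two of the Figure 2 metrics need more than a count: the detect/block metric is only meaningful against a baseline, and the signature-currency metric is only actionable if the systems that are not current are split by reason. The script below is an added example (not code from the IANS post) that does both over a constructed endpoint inventory and a constructed run of daily detection counts. Hostnames, the 7-day currency threshold, the 4-week baseline and the 1.5x alert threshold are assumptions.

```python
"""Endpoint protection metrics for Figure 2 (added example).

Computes agent/signature currency across an endpoint inventory and compares
the latest week's detection count against a trailing baseline. All inventory
and alert data below is constructed; hostnames and thresholds are placeholders.
"""
from collections import Counter
from datetime import date, timedelta

MAX_SIGNATURE_AGE_DAYS = 7   # assumed currency threshold, not from the post
AS_OF = date(2022, 1, 17)

# (hostname, agent_installed, last_signature_update, documented_exception)
ENDPOINTS = [(f"ws-{n:03d}", True, date(2022, 1, 16), None) for n in range(1, 8)] + [
    ("ws-008", True, date(2022, 1, 2), None),        # stale signatures
    ("ws-009", False, None, None),                   # no agent, undocumented
    ("kiosk-01", False, None, "air-gapped kiosk"),   # documented exception
]

# Daily EDR detect/block counts: four quiet weeks, then a jump in the fifth.
# START is a Monday so the ISO weeks line up with the sample.
START = date(2021, 12, 13)
DAILY_DETECTS = [(START + timedelta(days=i), 11) for i in range(28)] + \
                [(START + timedelta(days=28 + i), 22) for i in range(7)]


def signature_coverage(endpoints, as_of, max_age_days):
    """Share of systems not current, split by reason so root cause can be chased.

    Documented exceptions are counted but kept apart from undocumented gaps,
    which are the ones that need a ticket.
    """
    by_reason, undocumented = Counter(), []
    for host, has_agent, last_update, exception in endpoints:
        if exception:
            by_reason["documented exception"] += 1
            continue
        if not has_agent:
            by_reason["no agent"] += 1
            undocumented.append(host)
        elif (as_of - last_update).days > max_age_days:
            by_reason["stale signatures"] += 1
            undocumented.append(host)
    not_current = sum(by_reason.values())
    return {
        "total": len(endpoints),
        "current": len(endpoints) - not_current,
        "pct_not_current": round(100 * not_current / len(endpoints), 1),
        "by_reason": dict(by_reason),
        "undocumented": undocumented,
    }


def weekly_totals(daily):
    """Aggregate daily counts into ISO-week totals, oldest week first."""
    weeks = Counter()
    for day, count in daily:
        year, week, _ = day.isocalendar()
        weeks[(year, week)] += count
    return [(key, weeks[key]) for key in sorted(weeks)]


def baseline_check(weekly, baseline_weeks=4, threshold=1.5):
    """Compare the latest week against the mean of the preceding weeks.

    A jump can mean a campaign hitting users or a signature update that now
    matches more; either way it is the week to look at, not the raw count.
    """
    if len(weekly) < baseline_weeks + 1:
        raise ValueError("not enough history for a baseline")
    history = [total for _, total in weekly[-baseline_weeks - 1:-1]]
    latest_key, latest = weekly[-1]
    baseline = sum(history) / len(history)
    ratio = latest / baseline
    return {"week": latest_key, "detects": latest, "baseline": baseline,
            "ratio": round(ratio, 2), "flag": ratio > threshold}


if __name__ == "__main__":
    print(signature_coverage(ENDPOINTS, AS_OF, MAX_SIGNATURE_AGE_DAYS))
    print(baseline_check(weekly_totals(DAILY_DETECTS)))
```

The coverage report keeps the documented kiosk exception out of the "undocumented" list, so the two systems left in it are exactly the ones whose root cause (a missing agent, a failed update channel) has to be chased down.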
In addition to the security metrics outlined above, consider tracking the following server metrics:
For workstations, the previous list may apply, but some additional metrics may include:
Keep in mind, the best security metrics are those that focus on areas that can be improved. When it comes to server and endpoint security, we suggest focusing on tracking security metrics that show change over time – to either showcase improvement
or highlight areas of concern.
January 20, 2022
By IANS Faculty