At issue: You don't know where some dangers lurk unless you look for them.
Action plan: Develop a regular program of metrics, and find an interesting way to present them to the CIO.
Computerworld - Metrics can have a very interesting effect. You just have to present them properly.
I spent the past week deciding which metrics I want to collect and present to the CIO on a quarterly basis, and how I will present them. I'm using Microsoft SharePoint to collect my metrics and will export the results to an Excel spreadsheet so that I can create some interesting pivot tables and charts. The idea is that I simply have to input the data, and the resulting presentation will be automated. I can even incorporate the Excel charts into PowerPoint so that I only have to open the presentation each quarter and the data will be updated automatically. And, if I can pull it off, I can have some of the metrics automatically populate my SharePoint list. Gotta love automation!
To begin with, I'm conducting discovery scans on the entire enterprise to identify the total number of devices (beginning with PCs and servers) connected to the network. I'm using Nessus to conduct these scans, since it's a fairly robust independent tool. The price is reasonable for a one-year license, and it lets us scan our entire address range. I'm also using Altiris, which is a Symantec tool that we use for software distribution and reporting. And finally, there's Symantec AntiVirus Server for reporting on antivirus compliance.
Initial results are alarming. Our company has about 3,000 workers (including contractors). You would think that a discovery scan of desktops would yield about 3,000 unique desktop-class PCs, with workers who are not in the office offset by those who have more than one PC. Our result: 4,200 PCs! Next, I generated a report to see how many of those PCs have the Altiris Agent installed so that we can control the configuration. Only 2,400. This means there are 1,800 PCs whose integrity we can't vouch for. And any unmanaged resource represents risk.
I did the same for servers. I obtained all the IP address spaces for each data center and remote office and conducted discovery scans of all resources that looked like they were running a server operating system. The result: 1,200 servers (including virtual machines). Next, Altiris reported only 800 servers, leaving 400 that we know nothing about. And 30 of those servers are in our DMZ!
Besides reporting the ratio of managed to unmanaged devices, I will be reporting on how many of those devices are in compliance with our patch management policy. We apply Microsoft patches one month after they are released, giving us time to test different environments and applications. I'll also report on the number of resources that are in compliance with our antivirus/spyware policy, meaning they have the most updated software and pattern file.
And finally, I'll report on security events. Why? Because I need to show the direct correlation between security events and lack of compliance in order to drive change. I guarantee that unless you have other compensating controls in place, such as IPS or other activity-blocking infrastructure, incidents rise when resources aren't patched or in compliance with antivirus policy.
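The reconciliation and compliance counts described above can be computed from two exports and an event log. The script below is an added example, not the column's own tooling or any Nessus, Altiris or Symantec report format: the CSV column names, the sample hosts, the patch release dates, the 7-day pattern-file age limit and the "current" engine version are all constructed assumptions. It joins a discovery scan to the management inventory on hostname, counts unmanaged devices (flagging those in the DMZ), scores each managed host against the one-month patch policy and the antivirus policy, and then compares the incident rate on compliant versus non-compliant hosts.

```python
"""Added example: reconcile a discovery scan against the management inventory
and score patch/antivirus compliance. All data below is constructed sample
input, not real Nessus or Altiris output; column names are assumptions."""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed Nessus-style discovery export: one row per live host.
SCAN_CSV = """ip,hostname,os_class,zone
10.1.0.11,pc-001,pc,office
10.1.0.12,pc-002,pc,office
10.1.0.13,pc-003,pc,office
10.1.0.14,pc-004,pc,office
10.2.0.21,srv-db01,server,datacenter
10.2.0.22,srv-app01,server,datacenter
192.0.2.30,srv-web01,server,dmz
192.0.2.31,srv-ftp01,server,dmz
"""

# Constructed Altiris-style agent inventory. patch_level is the release date of
# the newest monthly patch cycle installed; av_pattern is the pattern-file date.
INVENTORY_CSV = """hostname,patch_level,av_engine,av_pattern
pc-001,2009-03-10,10.1,2009-04-06
pc-002,2009-02-10,10.1,2009-04-06
pc-003,2009-03-10,9.0,2009-03-01
srv-db01,2009-03-10,10.1,2009-04-06
srv-web01,2009-01-13,10.1,2009-04-06
"""

# Constructed security-event log: (date, hostname).
EVENTS = [("2009-04-01", "pc-002"), ("2009-04-02", "pc-004"),
          ("2009-04-03", "srv-ftp01"), ("2009-04-05", "pc-002"),
          ("2009-04-06", "pc-001")]

PATCH_RELEASES = [date(2009, 1, 13), date(2009, 2, 10), date(2009, 3, 10)]  # constructed
REPORT_DATE = date(2009, 4, 10)          # constructed reporting date
PATCH_GRACE = timedelta(days=30)         # policy in the column: patch one month after release
AV_PATTERN_MAX_AGE = timedelta(days=7)   # assumption: older pattern file is non-compliant
AV_ENGINE_CURRENT = "10.1"               # assumption: current engine version


def parse(text):
    return list(csv.DictReader(io.StringIO(text)))


def patch_compliant(row, releases, today):
    """Compliant if the newest release past its grace period is installed."""
    due = [r for r in releases if today - r >= PATCH_GRACE]
    return not due or date.fromisoformat(row["patch_level"]) >= max(due)


def av_compliant(row, today):
    return (row["av_engine"] == AV_ENGINE_CURRENT and
            today - date.fromisoformat(row["av_pattern"]) <= AV_PATTERN_MAX_AGE)


def metrics(scan_csv, inventory_csv, events, releases, today):
    scan = parse(scan_csv)
    inv = {r["hostname"]: r for r in parse(inventory_csv)}
    out = {}
    for cls in ("pc", "server"):
        hosts = [h for h in scan if h["os_class"] == cls]
        managed = [h for h in hosts if h["hostname"] in inv]
        unmanaged = [h for h in hosts if h["hostname"] not in inv]
        out[cls] = {
            "discovered": len(hosts),
            "managed": len(managed),
            "unmanaged": len(unmanaged),
            "unmanaged_dmz": sum(h["zone"] == "dmz" for h in unmanaged),
            "patch_compliant": sum(patch_compliant(inv[h["hostname"]], releases, today)
                                   for h in managed),
            "av_compliant": sum(av_compliant(inv[h["hostname"]], today) for h in managed),
        }

    # Incident correlation: an unmanaged host is treated as non-compliant,
    # since nothing can vouch for its patch or antivirus state.
    def fully_compliant(hostname):
        r = inv.get(hostname)
        return bool(r) and patch_compliant(r, releases, today) and av_compliant(r, today)

    per_host = Counter(h for _, h in events)
    incidents = {True: 0, False: 0}
    population = {True: 0, False: 0}
    for h in scan:
        c = fully_compliant(h["hostname"])
        population[c] += 1
        incidents[c] += per_host.get(h["hostname"], 0)
    out["incidents_per_host"] = {
        "compliant": incidents[True] / population[True] if population[True] else 0.0,
        "noncompliant": incidents[False] / population[False] if population[False] else 0.0,
    }
    return out


if __name__ == "__main__":
    for key, value in metrics(SCAN_CSV, INVENTORY_CSV, EVENTS,
                              PATCH_RELEASES, REPORT_DATE).items():
        print(key, value)
```

Two points worth keeping in mind when adapting this: the join is on hostname, so a host that reports to the agent under a different name than the scan resolves will be counted as unmanaged, and the comparison should also be run in the other direction, because a host in the inventory that the scan did not find (off the network, blocked by a firewall, or decommissioned) is a gap in the discovery data rather than a managed device.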
My plan is to report to the CIO every quarter on the number of managed and unmanaged devices, and the data related to patches, antivirus and incidents. This will make him aware of the status of the environment (after all, the CIO is ultimately responsible for IT) and hopefully drive change in our risk exposure. Will I be the most popular guy in the room? Probably not. Are these metrics relevant? Absolutely. And until we implement network access control to interrogate each and every device that is attached to our network, we will continue to have issues in this area.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.