The most valuable server and endpoint security metrics for security teams tend to be those that track detections and vulnerabilities over time, because they help improve the security program overall. Detection of specific indicators of compromise (IoCs) and malware campaigns is useful in the short term, but rarely valuable over time. In this piece, we examine the top server and endpoint security metrics to use for reporting.
Server Vulnerability Metrics
For servers, vulnerability metrics encompass vulnerability assessment/reporting and remediation activities, patching in particular (see Figure 1).
Figure 1: Server Vulnerability Metrics

| Metric | Category | Measurement Frequency | Additional Information |
| --- | --- | --- | --- |
| Vulnerability assessment: critical and high vulnerabilities noted | Prevention | Weekly (DMZ) and monthly (all) | The number of critical and high vulnerabilities detected in the environment is a critical prevention metric and should be tracked on a monthly basis for all specific segments/zones scanned within the organization. |
| Mean time to remediate critical and high vulnerabilities | Prevention | Monthly | This should be tracked as a general measure of patching/workaround implementation and sense of urgency in operations. Ideally, this would be tracked per segment (DMZ, various internal zones, etc.) to ensure specific areas are being monitored effectively and teams are meeting remediation SLAs (if those exist). |
| Increase/decrease in critical/high results (scan comparison) | Prevention | Bi-weekly and bi-monthly | Scan comparisons can help detect lapses in remediation or new issues appearing in specific segments of the environment. |
| Repeat results per system | Prevention | Bi-weekly and bi-monthly | Remediation lapses or issues can be found in scan comparisons. |

Source: IANS, 2021
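To make the four Figure 1 metrics concrete, here is an added Python example (not IANS code) that derives all of them from a single ledger of scanner findings: open critical/high counts per segment, mean time to remediate (overall and per segment), the increase/decrease between two scan dates, and repeat results per system, plus an SLA-breach view. The findings, host and segment names, plugin ids and the 15/30-day SLAs are constructed assumptions; a real pipeline would load the ledger from the scanner's export.

```python
"""Server vulnerability metrics derived from one findings ledger (constructed sample data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

TRACKED = {"critical", "high"}           # severities the Figure 1 metrics count
SLA_DAYS = {"critical": 15, "high": 30}  # assumed remediation SLAs, in days
PREVIOUS_SCAN = date(2021, 3, 1)         # two scan dates used for the comparison metrics
CURRENT_SCAN = date(2021, 3, 29)


@dataclass(frozen=True)
class Finding:
    host: str
    segment: str
    plugin_id: str                      # scanner check id; placeholder values below
    severity: str
    first_seen: date
    remediated: Optional[date] = None   # None while the finding is still open


# Constructed sample ledger, not real scan output.
FINDINGS = [
    Finding("web-01", "DMZ", "PLUG-1001", "critical", date(2021, 3, 1), date(2021, 3, 8)),
    Finding("web-02", "DMZ", "PLUG-1001", "critical", date(2021, 3, 1)),
    Finding("web-02", "DMZ", "PLUG-1002", "high", date(2021, 3, 1), date(2021, 3, 22)),
    Finding("app-01", "Internal", "PLUG-1003", "high", date(2021, 3, 1)),
    Finding("app-01", "Internal", "PLUG-1004", "medium", date(2021, 3, 1)),
    Finding("db-01", "Internal", "PLUG-1005", "critical", date(2021, 3, 15)),
    Finding("app-02", "Internal", "PLUG-1003", "high", date(2021, 3, 15), date(2021, 3, 25)),
]


def open_at(findings, as_of):
    """Critical/high findings that were open on the given scan date."""
    return [f for f in findings
            if f.severity in TRACKED and f.first_seen <= as_of
            and (f.remediated is None or f.remediated > as_of)]


def open_by_segment(findings, as_of):
    """Metric 1: open critical/high count per segment (weekly for DMZ, monthly for all)."""
    return dict(Counter(f.segment for f in open_at(findings, as_of)))


def mean_time_to_remediate(findings, segment=None):
    """Metric 2: mean days from first_seen to remediated; closed critical/high findings only."""
    days = [(f.remediated - f.first_seen).days for f in findings
            if f.severity in TRACKED and f.remediated is not None
            and (segment is None or f.segment == segment)]
    return sum(days) / len(days) if days else None


def scan_delta(findings, previous, current):
    """Metric 3: increase/decrease in open critical/high results per segment between two scans."""
    before, after = open_by_segment(findings, previous), open_by_segment(findings, current)
    return {seg: after.get(seg, 0) - before.get(seg, 0) for seg in sorted(set(before) | set(after))}


def repeat_results(findings, previous, current):
    """Metric 4: (host, plugin) pairs open in both scans, i.e. remediation lapses."""
    keys = lambda as_of: {(f.host, f.plugin_id) for f in open_at(findings, as_of)}
    return sorted(keys(previous) & keys(current))


def sla_breaches(findings, as_of, sla=SLA_DAYS):
    """Critical/high findings whose age (to closure, or to as_of while open) exceeds the SLA."""
    out = []
    for f in findings:
        if f.severity not in TRACKED or f.first_seen > as_of:
            continue
        end = f.remediated if f.remediated is not None and f.remediated <= as_of else as_of
        if (end - f.first_seen).days > sla[f.severity]:
            out.append((f.host, f.plugin_id))
    return sorted(out)


if __name__ == "__main__":
    print("open crit/high by segment:", open_by_segment(FINDINGS, CURRENT_SCAN))
    print("delta vs previous scan:", scan_delta(FINDINGS, PREVIOUS_SCAN, CURRENT_SCAN))
    print("repeat results:", repeat_results(FINDINGS, PREVIOUS_SCAN, CURRENT_SCAN))
    print("MTTR days (all / DMZ):", mean_time_to_remediate(FINDINGS), mean_time_to_remediate(FINDINGS, "DMZ"))
    print("SLA breaches:", sla_breaches(FINDINGS, CURRENT_SCAN))
```

Two design points worth carrying into a real report: the scan-comparison and repeat-result metrics are both computed from the same `open_at` view, so they cannot disagree with each other; and mean time to remediate counts only closed findings, so a finding that stalls forever never moves it. Pair MTTR with the open-count and SLA-breach views, or a stalled critical finding stays invisible in the monthly number.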
Endpoint Detection and Response Metrics
Anti-malware and endpoint security metrics are critical for most mature security teams, because these are the most common means of attack (malware) or focal areas for initial ingress by attackers (endpoints). Figure 2 provides EDR metrics to consider.
Figure 2: EDR Metrics

| Metric | Category | Measurement Frequency | Additional Information |
| --- | --- | --- | --- |
| Anti-malware and EDR detects/blocks at endpoints | Prevention/detection | Weekly with monthly aggregate | Detecting malware targeting end users is a critical metric, and should be tracked over monthly and quarterly baselines. |
| EDR allow-listing/IoC alerts | Prevention/detection | Daily, with weekly/monthly aggregates | Allow-listing alerts/events and IoCs detected at endpoints should be prioritized for monitoring; organizations should track these frequently, because they are often leading indicators of malicious behaviors (perhaps even more so than traditional antivirus). |
| Endpoint data loss prevention (DLP) blocks/alerts for critical and high events | Prevention/detection | Daily, with weekly and monthly aggregates | Endpoint DLP is a highly valuable prevention metric for blocking movement of sensitive data from people's systems, but it is also a good detection metric, because these events often lead to early-stage investigations (unlike routine malware alerts, for example). |
| Percentage of systems with/without current endpoint protection signatures/updates | Prevention | Weekly, with monthly aggregates | Endpoint systems must be protected, and any exceptions must be well-documented. Organizations should track the percentage of systems NOT current with EDR/anti-malware or allow-listing/DLP policies and signatures, and use these metrics to ferret out root cause. |

Source: IANS, 2021
Server Detection Metrics
In addition to the security metrics outlined above, consider tracking the following server metrics:
- Unknown executables detected: Daily
- Unusual kernel drivers/activity: Daily
- Suspicious registry activity: Daily
- Failed logon/access attempts: Daily
For workstations, the previous list may apply, but some additional metrics may include:
- Access attempts to privileged executables like PowerShell: Daily
- Abnormal file detection/access (Word, PDF, Excel, etc.): Daily
- Network access attempts to/from workstation peers: Daily
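As an added example, not from the original post: this Python script rolls daily endpoint counts of the kinds listed in Figure 2 (anti-malware/EDR blocks, allow-listing/IoC alerts, DLP critical/high events) and in the daily server and workstation lists above (failed logon attempts here) up into the weekly and monthly aggregates the tables call for, flags a category whose week departs from its own baseline, and computes the percentage of systems not current with protection signatures while keeping documented exceptions separate from undocumented gaps. All events, host names, the 7-day currency window and the spike thresholds are constructed assumptions.

```python
"""Endpoint and server detection metrics: daily events rolled up to weekly/monthly baselines,
baseline deviation flags, and signature-currency coverage. Constructed sample data, not real telemetry."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events: (category, event date, host). Categories mirror the Figure 2 rows
# plus one of the daily server metrics (failed logons).
EVENTS = [
    ("av_block", date(2021, 3, 1), "ws-01"), ("av_block", date(2021, 3, 3), "ws-02"),
    ("allowlist_alert", date(2021, 3, 2), "ws-03"), ("failed_logon", date(2021, 3, 2), "srv-01"),
    ("av_block", date(2021, 3, 9), "ws-01"), ("av_block", date(2021, 3, 12), "ws-05"),
    ("allowlist_alert", date(2021, 3, 10), "ws-02"), ("dlp_high", date(2021, 3, 11), "ws-03"),
    ("failed_logon", date(2021, 3, 9), "srv-02"),
    ("av_block", date(2021, 3, 15), "ws-02"), ("av_block", date(2021, 3, 16), "ws-03"),
    ("av_block", date(2021, 3, 19), "ws-01"), ("allowlist_alert", date(2021, 3, 17), "ws-05"),
    ("failed_logon", date(2021, 3, 16), "srv-01"),
    ("av_block", date(2021, 3, 22), "ws-01"), ("av_block", date(2021, 3, 26), "ws-02"),
    ("allowlist_alert", date(2021, 3, 22), "ws-02"), ("allowlist_alert", date(2021, 3, 23), "ws-02"),
    ("allowlist_alert", date(2021, 3, 24), "ws-05"), ("allowlist_alert", date(2021, 3, 25), "ws-03"),
    ("dlp_high", date(2021, 3, 24), "ws-01"),
    ("failed_logon", date(2021, 3, 23), "srv-01"), ("failed_logon", date(2021, 3, 23), "srv-02"),
]

# Constructed inventory: host -> (last signature update, documented exception or None).
INVENTORY = {
    "ws-01": (date(2021, 3, 27), None),
    "ws-02": (date(2021, 3, 10), None),          # stale and undocumented
    "ws-03": (date(2021, 3, 28), None),
    "kiosk-01": (date(2021, 1, 5), "EXC-PLACEHOLDER: offline kiosk, compensating controls"),
    "ws-05": (date(2021, 3, 26), None),
}

REPORT_WEEK = date(2021, 3, 22)   # Monday of the week being reported
AS_OF = date(2021, 3, 28)         # date of the coverage snapshot


def week_start(d):
    """Monday of the week containing d."""
    return d - timedelta(days=d.weekday())


def weekly_counts(events):
    """Weekly aggregate of daily events: {week_start: {category: count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for category, day, _host in events:
        out[week_start(day)][category] += 1
    return {w: dict(c) for w, c in out.items()}


def monthly_counts(events):
    """Monthly aggregate: {(year, month): {category: count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for category, day, _host in events:
        out[(day.year, day.month)][category] += 1
    return {m: dict(c) for m, c in out.items()}


def flag_spikes(events, report_week, factor=2.0, min_count=3):
    """Categories whose count in report_week is at least `factor` times the mean of the preceding
    weeks and at least `min_count` (the floor stops single events on tiny baselines from flagging).
    Returns {category: (this_week_count, prior_weekly_mean)} as candidates for investigation."""
    weekly = weekly_counts(events)
    prior_weeks = [w for w in weekly if w < report_week]
    categories = {c for counts in weekly.values() for c in counts}
    flagged = {}
    for cat in categories:
        now = weekly.get(report_week, {}).get(cat, 0)
        if not prior_weeks or now < min_count:
            continue
        baseline = sum(weekly[w].get(cat, 0) for w in prior_weeks) / len(prior_weeks)
        if now >= factor * baseline:
            flagged[cat] = (now, baseline)
    return flagged


def signature_coverage(inventory, as_of, max_age_days=7):
    """Percentage of systems NOT current, splitting documented exceptions from undocumented gaps."""
    undocumented, excepted = [], []
    for host, (sig_date, exception) in inventory.items():
        if (as_of - sig_date).days > max_age_days:
            (excepted if exception else undocumented).append(host)
    not_current = len(undocumented) + len(excepted)
    return {"pct_not_current": round(100.0 * not_current / len(inventory), 1),
            "undocumented": sorted(undocumented), "documented_exceptions": sorted(excepted)}


if __name__ == "__main__":
    print("week of", REPORT_WEEK, weekly_counts(EVENTS)[REPORT_WEEK])
    print("March totals", monthly_counts(EVENTS)[(2021, 3)])
    print("baseline deviations", flag_spikes(EVENTS, REPORT_WEEK))
    print("coverage", signature_coverage(INVENTORY, AS_OF))
```

The weekly view is what makes the allow-listing row a leading indicator: four allow-listing alerts in one week is unremarkable as a monthly total of seven, but against a one-per-week baseline it stands out, which is the kind of change-over-time signal the tables are built around. Keeping documented exceptions separate in the coverage metric lets the "not current" percentage stay honest while the root-cause work focuses on the undocumented hosts.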
Tracking Server and Endpoint Security Metrics
Keep in mind, the best security metrics are those that focus on areas that can be improved. When it comes to server and endpoint security, we suggest focusing on tracking security metrics that show change over time – to either showcase improvement or highlight areas of concern.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.