Focus and actions

increase as you
Volume of information
increases as you
Key Metrics: Cloud and Enterprise
move up the
pyramid.
move down the
pyramid. I

A verage Vendor P

# of Security P

# of Vendors
EXECUTIVE
Security Rating Incidents Reported with Cyber Incident
FOCUS
Strategic Objectives Early stage programs Early stage programs Early stage programs
DESCRIPTION DESCRIPTION DESCRIPTION
TYPE IMPLEMENTATION This is the average vendor security rating from a solution such as # of Security Incidents Reported is the number of security incidents that have This is the number of vendors that have a reported cyber incident over a
KPIs Balanced Scorecard SecurityScorecard, Bitsights, UpGuard or similar tools. been reported over a period of time. period of time.
HOW TO CALCULATE HOW TO CALCULATE HOW TO CALCULATE
AVERAGE (SUM of all vendors security rating/total number of vendors rated) ABSOLUTE VALUE (Number of security incidents over a period of time) ABSOLUTE VALUE (Total number of vendors that reported a security incident
WHAT IT HELPS SHOW/IDENTIFY WHAT IT HELPS SHOW/IDENTIFY in a given priod)
This helps inform the organization of the security posture of vendors that This helps inform the organization about how many times an attacker WHAT IT HELPS SHOW/IDENTIFY
are critical to the organization delivering its services. breached your information assets or networks. This metric helps inform This helps inform the organization of the number of vendors that have
OPERATIONAL leadership on the return on investment on cybersecurity tools and processes. experienced a cyber incident over a period of time which may indicate a
weakness within the supply chain.
FOCUS TYPE IMPLEMENTATION
P Phishing Attack Success I Cloud Spend Trends
I Average Exposure Window
Analysis and Trends Metrics Security Dashboard
Advanced programs
Early stage programs
DESCRIPTION Advanced programs
Phishing Attack Success is the reported percentage of phishing simulation DESCRIPTION
attacks that were successful over a period of time. Cloud Spend Trends is a report on whether or not cloud resources have DESCRIPTION
increased or decreased over time. The Average Exposure Window is meant to show how long the
HOW TO CALCULATE vulnerabilities are known about prior to them being remediated.
ABSOLUTE VALUE (Total employees that failed phishing test/Total HOW TO CALCULATE
employees X 100) ABSOLUTE VALUE (Current cloud spend – Past cloud spend HOW TO CALCULATE
[over a period of time]) AVERAGE (Vulnerability Closed date – Vulnerability Published date)
TECHNICAL WHAT IT HELPS SHOW/IDENTIFY
This helps inform the organization whether or not users are trained and WHAT IT HELPS SHOW/IDENTIFY WHAT IT HELPS SHOW/IDENTIFY
informed on cybersecurity best practices. incident. This helps inform the organization whether or not cloud spending has It helps track performance against the policy standards for various
FOCUS TYPE IMPLEMENTATION changed over a period of time which may indicate a potential compromise or vulnerabilities. The goal is to have this as close to Mean Time to Resolve as
Data Measures Charts and Graphs development resources that increase the blast radius of a potential incident. possible.

R Vulnerability Remediations
P Vulnerabilty Churn Rate 
V ulnerability Reopen Rate
Past Due Date D
AC T I O N K E Y Advanced programs
Advanced programs
DESCRIPTION
by XXX
DESCRIPTION Vulnerabilty Churn Rate is the rate that vulnerabilities are being closed as Advanced programs
I P D R The remeidations that are not meeitng corporate policy requirements for
remedation efforts that have not been granted an exception
well as new vulnerabilities being opened DESCRIPTION
HOW TO CALCULATE Number of vulnerabilities within the environment that are being re-opened
IDENTIFY PROTECT DETECT RESPOND HOW TO CALCULATE ABSOLUTE VALUE (New Vulnerabilities – Closed Vulnerabilities [over specific for any reason. (XXX can be specific systems, applicaiton, business owners,
(current date – first discovered date) > policy requirement (or if available, period of time e.g., monthly]) administrators)
leverage due date field) WHAT IT HELPS SHOW/IDENTIFY HOW TO CALCULATE
WHAT IT HELPS SHOW/IDENTIFY It shows if the vulnerability management program is making headway or is Number of vulnerabilities that were previously closed
Any remediation effort not meeting corporate requirements helps to losing the battle. WHAT IT HELPS SHOW/IDENTIFY
show if there is a problem system or component, or potentially unrealistic Identifies vulnerabilities that were felt to be addressed that no longer are,
remediation timeframes. that normally point to a remediation system problem or a unique system
R Mean Time to Resolve
I Exclusions Advanced programs  ybersecurity Awareness
C
P
Training Results
DESCRIPTION
Early stage programs Mean Time to Resolve is the average time it takes the organization from
DESCRIPTION discovering a vulnerability until the vulnerability is remediated.
Exclusions are the number of exemptions granted and the timeframes HOW TO CALCULATE Early stage programs
assocaited with the excemptions. AVERAGE (Vulnerability Closed date – First Discovered date) DESCRIPTION
HOW TO CALCULATE WHAT IT HELPS SHOW/IDENTIFY This is a percentage of new employees that have completed cybersecurity
Number of vulnerabilities being excluded/exempted from

Key Metrics:
This informs the organization how long it is taking from the time a awareness training within 30 days of hire.
rememdiation efforts vulnerability is discovered until it is remediated. It can provide insights when HOW TO CALCULATE
WHAT IT HELPS SHOW/IDENTIFY new vulnerabilities arise and/or how long until these are validated findings ABSOLUTE VALUE (Total employees that completed security awareness
There needs to be a central repository for tracking and managing these using normal processes. training/Total employees X 100)

Cloud and Enterprise

exclusions, so stakeholders and VM participants can monitor them over time,
WHAT IT HELPS SHOW/IDENTIFY
and risk managers can determine if any categories of exclusions need to be
This helps inform the organization whether or not their cybersecurity
reported on as a risk finding.

I
 ulnerability
V onboarding and training program is being implemented effectively.

AND Scanner Coverage

P Administrator’s Density Early stage programs D Mean Time to Detect
Vulnerability Advanced programs
DESCRIPTION
DESCRIPTION
Vulnerability Scanner Coverage is the percentage of the system within your
organization that is regularly scanned for vulnerabilities.
Advanced programs
DESCRIPTION

Management
Administrator’s Density is the percentage of employees with Mean Time to Detect is the average time it takes the organization to
administrator access. HOW TO CALCULATE
discover a vulnerability from when it is first published, or the asset is added
Assets being scanned for Vulnerabilities/Total Assets to the network.
HOW TO CALCULATE
WHAT IT HELPS SHOW/IDENTIFY

Maturity Model
ABSOLUTE VALUE (Total administrators/Total employees X 100) HOW TO CALCULATE
Knowing if systems are not regularly scanned is crucial to understanding
WHAT IT HELPS SHOW/IDENTIFY AVERAGE (Vulnerability Publish date – Vulnerability Discovered date)
the risk to the business and trend reports will not be as meaningful until
This helps inform the organization on whether or not there are a large coverage is stable. WHAT IT HELPS SHOW/IDENTIFY
number of administrators as it relates to the total number of employees This metric gives you information on the exposure that the organization has
in the organization. This metric can prove if the orgnization is not due to vulnerabilities that exist but have not yet been discovered.
following a principle of least privilege.
For Cyber Leaders of Today and Tomorrow P Patch Age
D Intrusion Attempts
P Patch Velocity Advanced programs
DESCRIPTION
Advanced programs
sans.org/cybersecurity-leadership Advanced programs
Patch Age of a system is the number of days since the last patch was applied.
HOW TO CALCULATE DESCRIPTION
DESCRIPTION ABSOLUTE VALUE (The number of days which have elapsed since the last time Intrusion Attempts display the number of intrusion attempts over a period of
Patch Velocity counts patches applied per day. a patch was installed on the system) time.
sans.org/cybersecurity-leadership HOW TO CALCULATE HOW TO CALCULATE
WHAT IT HELPS SHOW/IDENTIFY
ABSOLUTE VALUE (Patches applied on each date when the host was patched) This helps inform the organization of whether patching has happened ABSOLUTE VALUE (The number of intrusion attempts over a period of time)
@secleadership SANS Security Leadership WHAT IT HELPS SHOW/IDENTIFY recently. Stakeholders can understand the number of days which have WHAT IT HELPS SHOW/IDENTIFY
This helps inform the organization how many patches were applied on each elapsed since the last time a patch was installed on the system. A low Patch This helps inform the organization on what the overall number of threats
date when the host was patched. It can serve as a way to measure how Age does not necessarily mean that the system is fully patched, but it does the business faces at any given time. This metric can help prove that
MGTPS_METRICS_v1.1_0321 frequently patching is happening in the environment. indicate that some patching activity has taken place recently. cybersecurity threats continue to exists and are growing all the time.
 Vulnerability Management Maturity Model
LEVEL 1
Initial
Policy & Policy and standards are undocumented
or in a state of change.
Standards
Prepare
Context Contextual data (e.g., asset details,
ownership, relationships) are available
from multiple data sources with varying
degrees of accuracy.
Automated Infrastructure and applications are
scanned ad-hoc or irregularly for
vulnerability details, or vulnerability
details are acquired from existing
data repositories or from the systems
themselves as time permits.
Identify
Manual Manual testing or review occurs when
specifically required or requested.
External External vulnerability reports and
disclosures are handled on a case-by-case
basis.
Prioritization Prioritization is performed based on
CVSS/Severity designations provided by
identification technology or indicated in
reports.
Analyze
Root Cause Root cause analysis is performed based
on out-of-the-box information such as
Analysis standard remediation/patch reports or
other categorized reports (e.g., OWASP
Top 10 category).
Metrics & Simple, point-in-time operational metrics
are available primarily sourced from out-
Reporting of-the-box reports leveraging minimal
customization or filtering.
Communicate
Alerting Alerting is either not available or
only available within security-specific
technologies.
Change Changes related to vulnerability
management activities pass through the
Management same workflow as any other change.
Treat Patch Patches are applied manually or
scheduled by admins and end-users.
Management
Configuration Configuration requirements are not well-
defined and changes are either applied
Management manually or the automatic application
of configurations is only available for a
subset of platforms.
SEC557: Measure what matters, not what’s easy.
Agile development, DevOps, cloud technologies, and virtualization have enabled
Continuous organizations to build and deploy systems at a terrifyingly fast rate. The old and cumbersome
Automation for manual ways to test security and compliance can’t keep up. You need to understand and use
the same tools and techniques that your developers and engineers are using, and you need
Enterprise and to be able to generate results quickly and often - without slowing down your organization.
SEC557 teaches professionals tasked with ensuring security and compliance how to stop
Cloud Compliance being a roadblock and work at the speed of the modern enterprise. 30 Hands-On Labs
Contextual Information
Contextual information is key to helping us prioritize our
vulnerability backlog and to understand where we might need more
focus or help. Some examples of contextual information include:
LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5
Managed Defined Quantitatively Managed Optimizing Patch Available
for Vulnerability Vulnerability
Remediation
Deadline INFORMATION COLLECTED Numbers
Is a patch and/or date patch
Policy and standards are defined in specific
areas as a result of a negative impact to the
Policy and standards have been carefully
selected based on best practices and recognized
Adherence to defined policy and standards is
tracked and deviations are highlighted. Training
Automated, proactive controls enforce policy
and standards and provide input to regular
INFORMATION COLLECTED available
INFORMATION COLLECTED
Number of instances of this
Date to meet SLA for
program rather than based on a deliberate security frameworks and are updated as of personnel on requirements is required at updates and training requirements. remediation
HOW IT HELPS
Helps tailor metrics
vulnerability
selection of best practices or standards from needed to fulfill the program’s mission. least annually. HOW IT HELPS
HOW IT HELPS and reports to actionable
recognized frameworks. Employees are made aware of standards and Enables tracking compliance, Helps identify difficult to
items – highlights resolve vulnerabilities and
training on requirements is available. nearing deadline, compensating controls prioritize larger groups
or past remediation requirements
deadline of vulnerabilities
There is a central repository of contextual
data that has some data for most systems and
The central repository requires that certain
contextual information be tracked and
Reports show compliance with contextual
information requirements and processes are
Automated or technology-assisted processes
and procedures exist to both create and remove
applications. updated for each system and that it is based in place to identify non-compliant, missing, or systems and applications and associated VULNERABILITY CONTEXTUAL
on program needs. retired systems and applications. attributes from the central repository, or Vulnerability
data are correlated and reconciled with other Criticality INFORMATION Vulnerability
systems that contain information about tracked INFORMATION COLLECTED Publication Date
systems and applications. Severity of vulnerability Vulnerability INFORMATION COLLECTED
(e.g., CVSS) Discovery Date Publication date of
HOW IT HELPS INFORMATION COLLECTED vulnerability
Gives a basic risk-based Date first discovered within
The process, configuration, and schedule for
scanning infrastructure and applications is
There are defined and mandated organization-
wide scanning requirements and configurations
Scanning coverage is measured and includes
the measurement of authenticated vs.
Scanning is integrated into build-and-release
processes and procedures and happens
prioritization until more environment
HOW IT HELPS
Older vulnerabilities may
granular analysis HOW IT HELPS be more likely to have
defined and followed for certain departments for infrastructure and applications that set unauthenticated scanning (where applicable), automatically in accordance with requirements. can be done
or divisions within the organization. Available a minimum threshold for all departments the types of automated testing employed, false Scanning configurations and rules are updated Enables calculating mean-time an exploit – it enables
technology may vary throughout the or divisions. Technology is made available positive rates, and vulnerability escape rates. based on previous measurements. to discovery, also highlights calculating exposure
organization. throughout the organization through enterprise asset inventory issues. window
licensing agreements or as a service. Permits calculating
remediation timelines
Environment
(e.g., Production,
Manual testing or review processes are Manual testing or review occurs based on Deviations from manual testing or review Manual testing or review processes include Development, Testing) Asset Function
established and some departments and reasonable policy-defined requirements requirements are tracked and reported. focused testing based on historical test data INFORMATION COLLECTED INFORMATION COLLECTED
divisions have defined requirements. that apply to the entire organization and is and commonalities or threat intelligence. What environment is the What service/process is
available as a service where not specifically device located in? Asset this asset supporting
required by policy. Criticality (e.g., backend services,
HOW IT HELPS
e-commerce, finance,
Environments dictate INFORMATION COLLECTED
human resources)?
remediation requirements Is the asset part of a
Basic vulnerability disclosure policy (VDP) and
contact information published, but backend
More comprehensive VDP in place, along with
terms and conditions for external vendors and
Compliance with VDP and terms and conditions
is tracked and measured and information is
A mature external testing and research program
is in place with specific goals and campaigns
and timeframes critical process or hosting HOW IT HELPS
critical data? Helps tailor risk scores based
processes and procedures not documented. security researchers, that outlines rules of used to streamline processes and evaluate that may only be available to specific vendors Ownership on business services and
HOW IT HELPS
engagement, tracking, and feedback processes. vendors and researchers. or researchers. processes
Information Enables company specific
(e.g., Business, System context to be added to
risk and prioritization
Asset
Manager, Application,
Dependencies
Prioritization also includes analysis of other
available fields such as whether or not exploits
Prioritization includes correlation with the
affected asset, asset group, or application to
Generic threat intelligence or other custom
data, which may require additional products
Company-specific threat intelligence,
or other information gathered from the
System Administrator Team, results
INFORMATION COLLECTED
Development Team)
What services, language
or malware exist or confidence scores. account for it’s criticality in addition to the
severity designation. This may require light
or services, are leveraged to perform
prioritization.
operating environment, is leveraged to
preform prioritization. This information may
INFORMATION COLLECTED ASSET libraries, or frameworks are
to moderate customization depending on
architecture and design.
require human analysis or more extensive
customization.
Name, position, or group responsible
HOW IT HELPS
CONTEXTUAL using or linked to this device?
HOW IT HELPS
Permits vulnerability data INFORMATION System interdependencies
breakdown for actionable identify if asset criticality
reporting and metrics
Data are lightly customized to apply less
granular or more meaningful groupings of data
Data are also identified, grouped, and/or
filtered by department or location to enable
Data are also identified, grouped, and/or
filtered by owner or role. This may require
An executive dashboard is in place and includes
the highest-risk root cause impediments,
Hosted change is needed
Asset Applications
than CVE, CWE, or Top 10 identifiers to facilitate identification of location- or group-based more extensive customization and ongoing exclusions, project cost projections, etc. This will Compliance
root cause analysis. deficiencies. This may require light to maintenance. require more detailed analysis and customization Location INFORMATION COLLECTED
Requirements
moderate customization depending on to become meaningful and should integrate with Applications running
INFORMATION COLLECTED
on the server INFORMATION COLLECTED
architecture and design. existing executive business intelligence tools. Internal or external facing Are there any compliance
HOW IT HELPS
HOW IT HELPS
Indicates dependencies requirements for this device?
Enables correlation
between system and HOW IT HELPS
with severity to layer
Filtered reports are created to target specific
groups or prioritize findings. Specific divisions or
Reporting requirements, including all required
program, operational, and executive metrics
Reports and metrics include an indication of
compliance with defined policy and standards,
Custom reporting is available as a service
or via self-service options, or feedback is additional data into
applications; may
increase associated
Identifies regulatory
requirements for scanning,
risk calculations
departments have defined their own reporting and trends, are well-defined and baseline treatment timelines, and bug bars. Correlation regularly solicited and reports are updated to asset criticality remediation and reporting
requirements, including both program and reports are consistent throughout the with other security or contextual data sources reflect changing needs. Automated outlier and more stringent than
corporate standard
operational metrics, and generate and release organization and tailored or filtered to the allows for more meaningful grouping, improves trend analysis along with exclusion tracking is
the corresponding reports at a defined interval. individual departments or stakeholders. accuracy, and allows for identification of faulty performed to identify high/low performers and timelines
or inefficient design patterns. highlight systemic issues/successes. Active Attacks
Occurring in the THREAT
Wild or Directed at
Integrations exist and alerts are being sent for Alerting is available for most stakeholders in Visibility and both timing and detail of Data are analyzed to develop a standard or Outside Entities CONTEXTUAL Exploit
specific divisions or departments or for users their technology of choice. response to alerts is measured and tracked. automated response to alerts for common Availability
of specific non-security technologies already issues that can be tied to a common response.
INFORMATION COLLECTED
Are specific vulnerabilities or
INFORMATION INFORMATION COLLECTED
being leveraged by some stakeholders. technologies being exploited Is there an exploit available
in the wild? Active attacks for this vulnerability?
HOW IT HELPS
Occurring or HOW IT HELPS
Threat intelligence shows Directed at Company Allows organizations
Some changes related to vulnerability
management activities have a custom workflow
Most changes related to vulnerability
management activities follow a custom
Changes related to vulnerability management
activities along with success rates are tracked.
Metrics from vulnerability management change
activities are used to modify requirements or if existing vulnerabilities INFORMATION COLLECTED to prioritize items
or are treated as standard changes. workflow or are treated as standard changes. Timing is also measured for different stages of streamline future change requests. At least are riskier due to
adversary activity
Are specific vulnerabilities or
technologies being exploited within our
with a known
attack vector
the change or subtasks related to the change. some standard changes are automated.
operational environments or our partners?
Inclusion in HOW IT HELPS
Malware Kits Leverages threat intelligence
There is a standard schedule defined and
technology is available for some divisions or
All departments are required to patch within
a certain timeframe and technologies are
Patch management activities are tracked along
with compliance with remediation timelines
Data from patch management activities,
security incidents, and threat intelligence are INFORMATION COLLECTED
showing active exploration for
departments or for some platforms to automate available to assist with testing and applying and the success rate. used to right-size remediation timelines and Are the exploits known to be vulnerabilities; prioritizes
remediation efforts
patch testing and deployment. patches for all approved platforms. identify process or technology changes. within malware kits?
HOW IT HELPS Tags
Inclusion in a worm or INFORMATION COLLECTED
Configurations are defined for some divisions or
departments or for specific platforms.
Configurations are defined for all supported
platforms and technologies are available to
Deviations from configuration requirements
and associated service impacts are measured
Data from the configuration process along with
security incidents and threat intelligence are
malware kit may prioritize Tags created/stored for
these vulnerabilities
automate or validate configuration changes for and tracked. leveraged to strengthen or relax requirements higher
this asset
all platforms. as needed. VPC/VNET/ HOW IT HELPS
VLAN/Zone Able to store any required or
custom defined information
Information
INFORMATION COLLECTED Source Image
MGT516: Stop treating symptoms. Cure the disease. How are we segmenting
this asset within the cloud?
INFORMATION COLLECTED
Vulnerability, patch, and configuration management are not new security topics. In fact, they are some of the oldest What image was used to
Managing Security security functions. Yet, we still struggle to manage these capabilities effectively. The quantity of outstanding vulnerabilities CLOUD HOW IT HELPS
In the absence of asset details,
create this asset?
Vulnerabilities: for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of
CONTEXTUAL HOW IT HELPS
network information may
new vulnerabilities in their infrastructure and applications. When you add in the cloud and the increasing speed with which Source image helps identify
indicate accessibility
Enterprise all organizations must deliver systems, applications, and features to both their internal and external customers, security INFORMATION details or asset
where remediation is
required and
may seem unachievable. This course will show you the most effective ways to mature your vulnerability management environment.
determines
and Cloud program and move from identifying vulnerabilities to successfully treating them. 16 Cyber42 and lab exercises accumulated risk.