Security dashboard

Are high-level views the answer to getting managers the cybersecurity status information they need to make decisions?

Cybersecurity used to be one of those low-profile practices that agency executives could safely leave to basement-dwelling techies, but not anymore. With legislation such as the Federal Information Security Management Act (FISMA) and the accompanying raft of compliance issues executives are required to sign off on, information technology security has finally penetrated the corner office.

That leaves IT managers with another problem to solve. How do they provide those executives with the information they need to accurately assess the agency's security status without forcing them to wade through the mass of technical details security professionals are accustomed to using?

The burden on executives can be significant. FISMA requires that each government agency file yearly status reports with the Office of Management and Budget to document how it is implementing security programs. Agencies must also report on specific computer security incidents to OMB and the Homeland Security Department, each of which has different reporting requirements.

A recent survey by systems integrator Intelligent Decisions found that federal chief information security officers spend an average of 3.75 hours a day on security reports required by FISMA. So, presumably, any help is welcome.

Installing dashboards that show an at-a-glance view of an agency's security status is one solution. The dashboards collect data from the same devices that IT security professionals monitor, such as firewalls and patch management systems, and then correlate it with business-related information, such as the status of servers that run key business applications. Dashboards then present the summarized information as simply as possible, using graphics such as red/yellow/green traffic lights, bar graphs or pie charts.

However, some experts say the technology has yet to gel. Although demand for such dashboards is growing and a number of vendors offer them, observers say an understanding of the necessary features has yet to catch up with the technology.

"People love to talk about the need for these dashboards and the metrics that should be applied, but so far, security people have not done a great job of understanding what the business value is of security," said Pete Lindstrom, research director at Spire Security, an industry analyst firm.

He added that one of the main reasons it's been hard to pull these kinds of executive dashboards together is because it's difficult to provide the necessary context.

Security professionals traditionally focus on the systems that have been attacked, how and where the attack happened, what kind of attack it was, and so on. But high-level executives need to know more about how those attacks will affect the organization's overall business flows.

"It's proven very difficult to put that kind of context in place," Lindstrom said.

Some product options

The field of security dashboards is in the early pioneering stage, said Gerhard Eschelbeck, chief technology officer and vice president of engineering at security vendor Qualys. No solution on the market today is ready to deal with those higher-level security needs, he added.

"The biggest lag is in developing specific metrics that make sense and then finding ways to present that data in a meaningful way," he said.

Security tools are adept at identifying specific problems, such as those found on a given computer, and explaining them to IT managers, he said. But how those problems relate to an organization's business processes and prioritizing their effects "is a little more vague," he said.

"There aren't a lot of mature resources out there now for describing the business properties of an enterprise and how security affects them," he said, adding that this kind of view will take time to develop.

But that's not stopping some from trying. For example, security vendor Intellitactics introduced a product this month called Intellitactics SAM, short for security assurance metrics, that it said offers managers more context for judging the effectiveness of security efforts.

The software provides trend analysis by comparing point-in-time measures of security data with previous time periods and computing averages. It can then show how effective security measures have been.

According to the company, executives can use configurable dashboard templates to see a number of views of enterprise security, which allows them to identify areas of high and low performance compared with various targets and measure the progress of security initiatives.

Another vendor, Preventsys, tackles security by casting it as a standard business risk, an approach that it said helps executives adopt a more proactive stance on security threats.

"Being reactive is too late," said Brian Grayek, Preventsys' CTO. "But if you can be proactive and get to the threats as they are coming, then you have a much better chance of stopping an event."

The company offers what it calls, appropriately, a proactive risk dashboard that aggregates data from the same security devices that the IT and security professionals use. Then it shows, through a series of colored pie charts and bar graphs, what vulnerabilities, threats and compliance risks exist, along with potential deviations from a predefined security architecture.

The dashboard also alerts executives to situations that might require action.

It presents the enterprise view Preventsys officials believe executives want, Grayek said.

"Most people are measuring their security today by such things as the number of viruses stopped or spyware removed, but these are operational rather than security measurements," he said. "The real measurement is risk."

Skybox Security also approaches the dashboard issue as a problem of risk evaluation. It uses modeling and attack simulations to calculate possible attack paths on a network and then uses the results to highlight which of the organization's critical assets are exposed to the greatest risk. It also ranks the vulnerabilities by severity.

The Skybox View dashboard presents all of this information as a customizable daily score card that shows executives how well their security defenses are performing.

That approach meets executives' need for a proactive stance on security, said Felix Santos, Skybox's program manager for audit and risk management.

"We put the vulnerabilities in the context of network design and the value of the organization's assets," said Ed Cooper, vice president of worldwide marketing at Skybox. "That means they only have to mitigate a certain number of vulnerabilities," which they can see immediately on the dashboard.

Seeking a better view

The Treasury Department is one government agency that's begun looking for tools that can provide a broad, high-level view of its security.

Of course, a top objective for such a capability is providing a way to more easily produce data for FISMA reports. But generally the goal is to get a sense of what's going on across Treasury, said Ed Roback, the agency's associate CIO for cybersecurity.

"When one of our executives sees on CNN that a worm or virus is spreading, then they'll want to know what's going on at Treasury," he said. "Also, vendors will put out patches from time to time, and management wants to know if those have been deployed and how many of the boxes have yet to be patched."

Roback said an important aspect of a security tool is the ability to move from a high-level executive view into specific areas, such as the security status of a particular bureau and its systems.

Administrators should also be able to configure the tool to give executives in different areas within Treasury a view into their systems' security, he said.

"I think that with current tools we also see that they offer multipurpose capabilities such as asset inventory," Roback said, "and I will certainly be looking to get that kind of thing out of any tools we acquire in order to support the broader IT mission."

Again, the big problem lies in choosing which of the many security-related elements to display on a dashboard.

"The level of abstraction is what you have to simplify," said Chris Michael, a technology strategist at Computer Associates International. "You can't get everything down to single bright colors, so you need to isolate those things that an executive needs to be able to get throughout the day."

And that again brings up the subject of context, Michael said.

That's exactly what makes it so difficult to come up with executive-level security dashboards, Lindstrom said. Executives' status reports are typically not quantitative, and by design, they do not include any great technical detail.

"It's really hard to dumb this down enough to get it to where it can be put onto a [executive-level] dashboard and still be meaningful," he said.


**********

3 must-have dashboard features

The configuration of executive-level security dashboards depends on the needs of the executives who would use them, but most experts agree that dashboards should have the features described below.

  • Simple views. Dashboards can represent fairly complicated situations, but the view has to be simple enough for busy and often nontechnical executives to instantly understand the network's security status. Red, yellow and green graphics -- such as pie charts, bar graphs or traffic-light buttons -- are preferable. The graphics typically indicate whether the organization complies with certain security policies.
  • Drill-down capabilities. If necessary, executives should be able to drill down from the views presented on the first screen to find details on certain areas of an organization that might be causing noncompliant situations. In some circumstances, executives might want to know what's happening on a particular server or network gateway, for example. Most people agree that dashboards should present no more than two or three levels.
  • Reporting. Not everyone who needs security status data will have access to the dashboard itself, so there should be a variety of ways to get the information to people. Many executives still rely on paper-based documents, so dashboards should have the ability to print reports in a number of formats.
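The three features above, together with the context-weighting Skybox and Preventsys describe (vulnerability severity set against the business value of the asset, trend against prior periods), can be sketched as the roll-up logic behind such a dashboard. The following is an added example written for this article, not code from any vendor named in it; the bureau and system names, the 1-10 severity and 1-5 asset-value scales, the prior-period scores and the red/yellow/green thresholds are all constructed assumptions.

```python
from statistics import mean

# Constructed sample input: one row per unpatched vulnerability on one system.
# Columns: bureau, system, technical severity (1-10), business value of the asset (1-5).
FINDINGS = [
    ("Bureau A", "payroll-db",   9, 5),
    ("Bureau A", "intranet-web", 4, 2),
    ("Bureau B", "file-srv",     7, 3),
    ("Bureau B", "print-srv",    2, 1),
    ("Bureau C", "test-box",     5, 1),
]

# Constructed enterprise risk scores from the three previous reporting periods,
# used the way Intellitactics SAM-style trend analysis compares against an average.
PRIOR_PERIODS = [180.0, 160.0, 150.0]


def finding_risk(severity, asset_value):
    """Risk of one exposure: technical severity weighted by what the asset is worth
    to the business, so a medium bug on the payroll server outranks a critical one
    on a throwaway test box."""
    return severity * asset_value


def rollup(findings):
    """Drill-down levels 2 and 3: risk per bureau, and per system within each bureau."""
    tree = {}
    for bureau, system, severity, value in findings:
        systems = tree.setdefault(bureau, {})
        systems[system] = systems.get(system, 0) + finding_risk(severity, value)
    return tree


def traffic_light(score, yellow=10, red=25):
    """Collapse a numeric score into the single colour an executive sees first."""
    if score >= red:
        return "red"
    if score >= yellow:
        return "yellow"
    return "green"


def top_priorities(findings, n):
    """The short list Skybox's Cooper describes: the few exposures worth fixing first."""
    ranked = sorted(findings, key=lambda f: finding_risk(f[2], f[3]), reverse=True)
    return [(b, s, finding_risk(sev, val)) for b, s, sev, val in ranked[:n]]


def enterprise_view(findings, prior_periods):
    """Level 1 of the dashboard: one enterprise colour, the trend, and per-bureau colours,
    with the full tree kept for drilling down."""
    tree = rollup(findings)
    per_bureau = {b: sum(systems.values()) for b, systems in tree.items()}
    total = sum(per_bureau.values())
    baseline = mean(prior_periods)
    return {
        "total": total,
        "baseline": baseline,
        "trend": "worsening" if total > baseline else "improving",
        "status": traffic_light(total, yellow=40, red=80),   # enterprise-wide thresholds
        "bureaus": {b: traffic_light(s) for b, s in per_bureau.items()},
        "drilldown": tree,
    }


if __name__ == "__main__":
    view = enterprise_view(FINDINGS, PRIOR_PERIODS)
    print(view["status"], view["trend"], view["bureaus"])
    print(top_priorities(FINDINGS, 2))
```

With the constructed input the enterprise light is red even though the trend is improving against the prior average, which is exactly the kind of two-part message (current exposure versus direction of travel) the trend-analysis products aim to give.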

-- Brian Robinson

Building a security dashboard

From a technical standpoint, executive-level or governance dashboards are meant to sit on top of the security architecture that's already in place, so they don't require investments in a new security infrastructure. But they will require new software and work to create, though just how much is a subject for debate.

Rowan Trollope, vice president of security management solutions at Symantec, said he believes it would be hard to put a governance dashboard in place without also having a security information management (SIM) system, which many vendors offer.

"It would be difficult because it's the SIM that does all of the hard work of collecting and correlating the events from all of the various security [data] sources," he said, adding that the SIM database is the first repository that a governance dashboard goes to for its information.

The tools must have some way of collecting data from all sources and getting it into a usable format, but that doesn't necessarily require a SIM, said Stuart McClure, senior vice president of risk management product development at Foundstone, a division of McAfee.

"But whatever solution is used, it should be able to store a large amount of data," he said. "After that, you need a flexible interface to that data and then the presentation layer" to deliver the data to the dashboard.

Some experts say the toughest issues in creating a dashboard are not technical. Instead, they involve identifying how cybersecurity risks relate to an organization's workflows and operations. Those capabilities can't be bought in a shrink-wrapped package.

"Security is more than a technical practice," said Mitchell Ashley, chief technology officer at security vendor StillSecure. "It involves individuals and organizations outside [the information technology staff] who have their own servers and infrastructures, and they all have to fit into the compliance structure of the organization."

"Traditionally, there's been a firewall between the two," McClure said. "But for what's needed in these kinds of dashboards, neither side can do it all."

-- Brian Robinson
