Title of invention: Identifying relationships between security metrics
Abstract: A security metrics system receives security information data for a network system of computers and metric definitions from metric sources. Each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system. The system calculates each metric definition for a plurality of times and selects metric definitions that are related to the performance of and are indicative of one or more other metric definitions as candidates to be key performance indicators.
Publication number: US8806645(B2) Publication date: 2014.08.12
Application number: US201113078440 Filing date: 2011.04.01
Applicant: McAfee, Inc. Inventors: Nakawatase Ryan; Ritter Stephen; Schrecker Sven
Classification: G06F11/00; G06F12/14; G06F12/16; G08B23/00; H04L29/06; G06F21/57 Main classification: G06F11/00
Agency: Patent Capital Group Agent: Patent Capital Group
Principal claim: 1. At least one non-transitory, machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to: receive security information data from each of a plurality of data sources for a network system of computers, the security information data from each data source comprising values of one or more security signals for the network system at each of a plurality of times in a period of time; receive a plurality of metric definitions from each of a plurality of metric sources, wherein each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system; calculate, for each metric definition, a respective score for the system for each time in the plurality of times, the calculating comprising, for each time, applying the metric definition to the security signal values at the time to calculate the respective score for the network system; compare the scores for each metric over the period of time to identify one or more relationships between the plurality of metric definitions; select a set of metric definitions from the plurality of metric definitions as candidates to be key performance indicators for security of the network system based on the one or more relationships between the plurality of metric definitions, wherein each key performance indicator is to represent a state of the network system and is to be indicative of one or more other metric definitions; cause the set of metric definitions to be presented at a user interface as suggested candidates for selection as key performance indicators for the network system; identify user selection, through the user interface, of one or more of the set of metric definitions as key performance indicators for the network system; and define the selected one or more of the set of metric definitions as new key performance indicators for the network system based on the user selection.
Address: Santa Clara CA US