Open pritikin opened 1 year ago
See this concern about SLOs of 100%
Ideas from the conversation:
Next step: Circle back to it in the future.
1/12 group discussion
A threshold of 80% might be too low. What might matter here is the raw number of incidents that require human intervention, because that capacity can be quickly overwhelmed.
1% might be thousands of incidents.
The discussion is that measuring the SLA of incident closure would not help here and might be problematic because "it discourages analysis of the causes", resulting in more incidents of that kind because you didn't close. It measures the ability to close the cases, not the ability to address the root causes. This may encourage the wrong behavior.
This argues for having both this metric (as described) and the existing SLA metric around the ability to close cases.
Current proposed metric:

```yaml
- id: UEM-09-issue75
  primaryControlId: UEM-09
  relatedControlIds:
    - TVM-10
    - SEF-06
  metricDescription: This metric reports the number of security incidents involving active malware on hosts protected by the chosen anti-malware/virus services.
  auditGuidelines: '(Using as notes) If this number is not zero, the control is not effective. Based on the issue discussion we are setting an SLO recommendation of kinda high. From the CCMv4 Auditing guidelines, "1. Examine the organisation’s anti-malware policy. 2. Determine if such controls are in place and evaluated as effective."'
  expression:
    formula: "(NumIncidents / NumHosts)*100"
    parameters:
      - id:
        name: NumIncidents
        description: Number of active malware incidents on hosts
      - id:
        name: NumHosts
        description: Number of hosts protected by the organization's standard anti-malware solution
  sloRecommendations:
    sloRangeMin: "99% [action item: talk to some vendors and get their recommendation]. Check CIS benchmarks or DoD in search of some guidelines."
```
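The following is an added worked example, not code from the issue or from the metrics catalogue, showing how the proposed formula and the raw-count concern from the 1/12 discussion play out side by side. It assumes a constructed list of detection records and a fleet size, and reads `sloRangeMin` as the minimum share of protected hosts with no active malware incident (100 minus the formula value); that reading is an assumption, since the issue does not say which direction the SLO applies in.

```python
# Added example (not part of the issue or the metrics catalogue).
# Constructed sample: detection records from an anti-malware console,
# one per event, with the host it fired on and its current status.
SAMPLE_INCIDENTS = [
    {"host": "ws-0001", "status": "active"},
    {"host": "ws-0001", "status": "active"},   # same host, second detection
    {"host": "ws-0042", "status": "active"},
    {"host": "ws-0777", "status": "cleaned"},  # remediated; not an active incident
]
NUM_PROTECTED_HOSTS = 10_000  # assumed fleet size covered by the standard solution


def num_active_incidents(incidents):
    """NumIncidents as the proposed metric words it: count of active incidents
    (events), not of distinct hosts. Two detections on one host count twice."""
    return sum(1 for i in incidents if i["status"] == "active")


def num_hosts_with_active_malware(incidents):
    """Alternative reading: distinct hosts with at least one active incident."""
    return len({i["host"] for i in incidents if i["status"] == "active"})


def metric_uem09(num_incidents, num_hosts):
    """Formula from the proposed metric: (NumIncidents / NumHosts) * 100."""
    if num_hosts <= 0:
        raise ValueError("NumHosts must be positive")
    return num_incidents / num_hosts * 100


def incidents_at_rate(rate_pct, num_hosts):
    """Raw incident count hidden behind a given percentage of the fleet.
    This is the 1/12 discussion point: 1% of a large fleet is a large number."""
    return round(rate_pct / 100 * num_hosts)


def evaluate(num_incidents, num_hosts, slo_min_pct=99.0, max_incident_count=0):
    """Evaluate both views discussed in the thread.

    Assumption: sloRangeMin is the minimum share of protected hosts with no
    active malware incident, i.e. 100 minus the formula value. The raw-count
    threshold defaults to 0, matching "if this number is not zero, the
    control is not effective".
    """
    rate = metric_uem09(num_incidents, num_hosts)
    clean_pct = 100 - rate
    return {
        "incident_rate_pct": rate,
        "clean_host_pct": clean_pct,
        "meets_pct_slo": clean_pct >= slo_min_pct,
        "meets_raw_count_threshold": num_incidents <= max_incident_count,
    }


if __name__ == "__main__":
    n = num_active_incidents(SAMPLE_INCIDENTS)
    print("active incidents:", n,
          "| distinct hosts:", num_hosts_with_active_malware(SAMPLE_INCIDENTS))
    print(evaluate(n, NUM_PROTECTED_HOSTS))
    # A 1% rate on a million-host fleet is 10,000 incidents to triage by hand.
    print("incidents behind 1% on 1,000,000 hosts:",
          incidents_at_rate(1, 1_000_000))
```

On the constructed data the percentage SLO passes (99.97% of hosts clean) while the raw-count threshold fails, which is exactly the gap the discussion flags: the percentage view alone says nothing about analyst load.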
Below are a few malware SLOs from other catalogues. They support @pritikin's proposal -
Referencing ISO 27004:2016 (monitoring), here are the malware and malicious code monitoring SLOs
Referencing MEDINA publication "Continuously certifiable technical and organizational measures and catalogue of cloud security metrics-v1"
Referencing CIS monitoring guide:
This is a proposed effectiveness metric from Walt Williams
UEM-09-M1 To test for effectiveness, measure the number of security incidents involving active malware on a host protected by the chosen anti-malware/virus service. If this number is not zero, the control is not effective.