CloudSecurityAlliance / continuous-audit-metrics

Continuous Audit Metrics

UEM-09: measure the number of security incidents involving active malware on a host protected by the chosen anti-malware/virus service #75

Open pritikin opened 1 year ago

pritikin commented 1 year ago

This is a proposed effectiveness metric from Walt Williams

UEM-09-M1 To test for effectiveness, measure the number of security incidents involving active malware on a host protected by the chosen anti-malware/virus service. If this number is not zero, the control is not effective.

mosi-k-platt commented 1 year ago

See this concern about SLOs of 100%

yehia3 commented 1 year ago

Ideas from the conversation:

  1. The age of the malware in the calculation
  2. Context is the malware capture within SLA against the malware vendor
  3. It is not enough to have an anti-malware tool; we have to measure the effectiveness of the anti-malware tool to ensure minimum zero-day attacks/threats
  4. If the anti-malware solution is working as expected - how much malware is found?
  5. Assume the number of malware detected daily is constant, the malware reporting needs to be constant.
  6. This idea might need to go to a different control than UEM-09, as it only requires installation. Metric ID TVM-10-M1, however, measures the vulnerabilities found. UEM-09 might not be the correct control for this proposed metric to be SEF-06-M3
  7. The goal of the metric is inherently to be effective

Next step: Circle back to it in the future.

pritikin commented 1 year ago

1/12 group discussion

A threshold of 80% might be too low. What matters here is the raw # of incidents that require human intervention, because that can be quickly overwhelmed.

1% might be thousands of incidents.

Discussion is that measuring the SLA of incident closure would not help here and might be problematic because "it discourages analysis of the causes"... resulting in more incidents of that kind. Because you didn't close. It measures the ability to close the cases not to address the root causes. This may encourage the wrong behavior.

This argues for having both this metric (as described) and the existing SLA metric around ability to close cases.

pritikin commented 1 year ago

Current proposed metric:

- id: UEM-09-issue75
  primaryControlId: UEM-09
  relatedControlIds:
  - TVM-10
  - SEF-06
  metricDescription: This metric reports the number of security incidents involving active malware on hosts protected by the chosen anti-malware/virus services.
  auditGuidelines: (Using as notes) If this number is not zero, the control is not effective. Based on issues discussion we're setting a SLO recommendation of kinda high. From the CCMv4 Auditing guidelines, "1. Examine the organisation’s anti-malware policy. 2. Determine if such controls are in place and evaluated as effective."
  expression:
    formula: "(NumIncidents / NumHosts)*100"
    parameters:
      - id: 
        name: NumIncidents
        description: Number of active malware incidents on hosts
      - id:
        name: NumHosts
        description: Number of hosts protected by the organizations standard anti-malware solution
  sloRecommendations:
    sloRangeMin: 99% [action item: talk to some vendors and get their recommendation]. Check CIS benchmarks or DoD in search of some guidelines.

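
An added example (Python, not code from the continuous-audit-metrics project or from the commenters) that applies the proposed formula to constructed host and incident records. The Incident fields, the human_intervention flag and the distinct-affected-hosts variant are assumptions; they show where the incidents-per-host rate, the 99% SLO reading and the "not zero means not effective" reading give different answers.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Incident:
    host: str
    opened: date
    active_malware: bool      # malware ran on the host (counted) vs. blocked on write (not counted)
    human_intervention: bool  # needed an analyst: the raw count the 1/12 discussion cares about

# Constructed inventory: host -> covered by the organization's standard anti-malware solution?
HOSTS = {"ws-01": True, "ws-02": True, "ws-03": True, "ws-04": True, "srv-01": False}

# Constructed incident records for one reporting period
INCIDENTS = [
    Incident("ws-01", date(2023, 1, 3), True, True),
    Incident("ws-01", date(2023, 1, 9), True, False),   # second incident on the same host
    Incident("ws-02", date(2023, 1, 5), False, False),  # blocked before execution: not "active"
    Incident("srv-01", date(2023, 1, 6), True, True),   # unprotected host: outside NumHosts
]

def uem09_metric(hosts, incidents, slo_range_min=99.0):
    """Evaluate (NumIncidents / NumHosts)*100 and the supporting counts an auditor would want."""
    protected = {h for h, covered in hosts.items() if covered}
    counted = [i for i in incidents if i.active_malware and i.host in protected]
    num_hosts = len(protected)
    num_incidents = len(counted)
    incident_rate = (num_incidents / num_hosts) * 100 if num_hosts else 0.0
    # Caveat: the proposed formula counts incidents, so repeated infections on one host can
    # push the rate past 100%. Distinct affected hosts gives a bounded compliance figure.
    affected = {i.host for i in counted}
    host_compliance = 100.0 - (len(affected) / num_hosts) * 100 if num_hosts else 100.0
    return {
        "NumIncidents": num_incidents,
        "NumHosts": num_hosts,
        "incident_rate_pct": round(incident_rate, 2),
        "affected_hosts": len(affected),
        "host_compliance_pct": round(host_compliance, 2),
        "meets_slo": host_compliance >= slo_range_min,   # the 99% sloRangeMin reading
        "strict_zero": num_incidents == 0,               # the "not zero -> not effective" reading
        "needs_human": sum(1 for i in counted if i.human_intervention),
    }

if __name__ == "__main__":
    for key, value in uem09_metric(HOSTS, INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the rate is 50% (two incidents over four protected hosts) while only one host is affected, so the two readings of the same formula disagree about how far the control is from the SLO.
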
yehia3 commented 1 year ago

Below are a few malware SLOs from other catalogues. They support @pritikin's proposal.


Referencing ISO 27004:2016 (monitoring), here are the malware and malicious code monitoring SLOs:

[two images of the ISO 27004 monitoring tables]


Referencing MEDINA publication "Continuously certifiable technical and organizational measures and catalogue of cloud security metrics-v1": [images of the metric tables]

Referencing CIS monitoring guide: [image]