To help security leaders strategically manage their defensive posture, we have created a framework that spans relevant security layers from the start of an attack to its resolution. When applied, this framework helps organizations:
- Align security layers end to end,
- Assess which security layers are working and which are not,
- Focus on performance metrics that matter,
- Drive resource allocation and investment in the areas that yield the highest risk reduction,
- Reduce the frequency of security incidents and prevent major data breaches.
The framework consists of four critical phases supported by robust intelligence flows.
In this post, we recommend defenses and key performance indicators for Phase 1: Prevent.
Phase 1: Prevent
The objective of the Prevent phase is to minimize the risk of an attack payload being delivered to the targeted user’s inbox and being executed.
Security measures applied in this phase include those designed to block email and web-based attacks in-line. Email and web content filtering tools as well as payload analysis systems (e.g. advanced malware protection and network sandboxing tools) that operate in near real-time can prevent payload delivery via spear phishing. Security awareness training that focuses on spear phishing reduces user propensity to click URLs or attachments. When an advanced attack succeeds in evading preventative security tools, effective security awareness training reduces the risk of the delivered payloads being executed by users.
Sample Key Performance Indicators
To manage the Prevent phase and assess effectiveness, consider the following key performance indicators. Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing is a viable option.
Percentage of phishing emails delivered
How many phishing emails are being blocked compared to the number that reach user inboxes? This indicates how effective your content filtering and payload analysis tools are at automatically stopping attacks in-line.
False positive and negative rates
How many legitimate emails are being blocked? How many phishing emails are going unblocked? This indicates how accurately your email security tools identify and block attacks. Generally, decreases in false positive and false negative rates are an indication of improvement. Growing rates would indicate that current tools need to be better tuned or additional controls should be considered.
Phishing email click rate
How many phishing emails are being clicked or opened? What is the click rate? This indicates how well your phishing awareness training program reduces your employees’ propensity to fall victim to phishing emails. No amount of awareness training will completely eliminate users clicking on phishing emails. Each organization will have a floor for this KPI that indicates peak performance. An effective phishing awareness training program will consistently reduce the percentage of phishing emails clicked until the organization’s floor is reached.
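As an added illustration (not part of the original post), the following Python computes the three KPIs above from constructed results of two simulated phishing rounds and flags any KPI that grew between rounds, the signal the text says calls for tuning or additional controls. The record fields, the decision to measure click rate over delivered mail only, and the round data are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed outcome records for simulated phishing tests (sample data, not real telemetry).
@dataclass(frozen=True)
class EmailOutcome:
    phishing: bool          # True for a simulated phish, False for a legitimate control email
    blocked: bool           # True if the email stack stopped it before it reached the inbox
    clicked: bool = False   # True if a recipient clicked the URL or opened the attachment


def prevent_kpis(outcomes):
    """Compute the Prevent-phase KPIs as fractions in [0, 1]."""
    phish = [o for o in outcomes if o.phishing]
    legit = [o for o in outcomes if not o.phishing]
    delivered = [o for o in phish if not o.blocked]
    blocked_legit = [o for o in legit if o.blocked]

    def ratio(part, whole):
        return len(part) / len(whole) if whole else 0.0

    return {
        # Share of phish that reached inboxes; unblocked phish are also the false negatives.
        "phish_delivered_rate": ratio(delivered, phish),
        "false_negative_rate": ratio(delivered, phish),
        "false_positive_rate": ratio(blocked_legit, legit),
        # Click rate over delivered mail only (assumption): a blocked email cannot be clicked.
        "click_rate": ratio([o for o in delivered if o.clicked], delivered),
    }


def worsening_kpis(previous, current, tolerance=0.0):
    """Names of KPIs that grew between two rounds; growth means tuning or added controls."""
    return [k for k in current if current[k] > previous[k] + tolerance]


# Constructed round 1: 10 phish (4 blocked, 6 delivered, 3 clicked), 10 legit (1 blocked).
ROUND_1 = ([EmailOutcome(True, True)] * 4 + [EmailOutcome(True, False, True)] * 3
           + [EmailOutcome(True, False, False)] * 3
           + [EmailOutcome(False, True)] + [EmailOutcome(False, False)] * 9)
# Constructed round 2 after filter tuning and awareness training:
# 10 phish (7 blocked, 3 delivered, 1 clicked), 10 legit (2 blocked).
ROUND_2 = ([EmailOutcome(True, True)] * 7 + [EmailOutcome(True, False, True)]
           + [EmailOutcome(True, False, False)] * 2
           + [EmailOutcome(False, True)] * 2 + [EmailOutcome(False, False)] * 8)

if __name__ == "__main__":
    k1, k2 = prevent_kpis(ROUND_1), prevent_kpis(ROUND_2)
    for name in k2:
        print(f"{name:22s} {k1[name]:.2f} -> {k2[name]:.2f}")
    # Round 2 cut delivered phish and clicks but doubled the false positive rate.
    print("KPIs that got worse:", worsening_kpis(k1, k2))
```

Running the two constructed rounds shows the trade-off the text warns about: tighter filtering lowered the delivered and click rates while the false positive rate rose, so that KPI is the one flagged.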
Up next in this blog series is “Detecting Spear Phishing Attacks that Slip Past Defenses”.
The full framework with recommended defenses and example KPIs can be downloaded at http://info.phishlabs.com/the-cisos-guide-to-spear-phishing-defense. A one-page reference card is also available at http://info.phishlabs.com/hubfs/White_Papers/Spear_Phishing_Defense_Framework.pdf.