I was at a CISO summit in Atlanta and one of the CISOs gave a presentation on creating a security awareness program. He was able to get good support throughout the organization, enlisting the help of the marketing department, legal department and other groups. His team created videos about laptop theft and password sharing that featured a character called the Data Thief. Yet they were challenged on how to measure its effectiveness. They ended up creating a number of surveys that they used to get some sense of the effectiveness of the program. According to the surveys overall, security awareness rose throughout the organization. In a conversation with him afterwards I asked him if they’d thought about using log data for more specific metrics. He said one of the things that he wanted to measure was physical access “tailgating” — where one person follows another into a building without badging in. I remembered a conversation I’d had with one of our security engineers who had mentioned creating a correlation in Splunk that could raise an alert if someone logged onto the local network without there being a record of their having badged into the building. The absence of a badge record combined with the presence of a local network log-in would mean someone tailgated. For a data center, the lack of a badge record and a successful local access on a server would also be an event worth following up. Repeated unauthorized attempts should also be followed up.
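To make the badge/log-in correlation concrete, here is an added example (my own code, not from the CISO's team and not a Splunk search) that runs the same logic in Python over a few constructed badge-reader and workstation-logon lines; the log format, field names and the 12-hour look-back window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the post): badge-reader events and
# workstation logons, each as "timestamp event key=value ...".
BADGE_LOG = """\
2024-03-04T08:02:11 badge_in user=alice door=lobby
2024-03-04T08:05:37 badge_in user=carol door=lobby
2024-03-04T17:58:02 badge_in user=alice door=lobby
"""
LOGON_LOG = """\
2024-03-04T08:15:40 logon user=alice access=local result=success
2024-03-04T08:21:09 logon user=bob access=local result=success
2024-03-04T08:22:51 logon user=dave access=vpn result=success
2024-03-04T09:10:00 logon user=carol access=local result=success
2024-03-04T19:30:12 logon user=alice access=local result=success
2024-03-05T07:12:30 logon user=carol access=local result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse(log):
    """Yield (timestamp, event, fields) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the search
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        yield datetime.fromisoformat(m["ts"]), m["event"], fields


def tailgate_candidates(badge_log, logon_log, window=timedelta(hours=12)):
    """Return (user, logon time) for successful local logons with no badge-in
    by the same user in the preceding `window`. VPN logons are ignored: they
    legitimately happen without a swipe and would only produce noise."""
    badges = {}
    for ts, event, f in parse(badge_log):
        if event == "badge_in":
            badges.setdefault(f["user"], []).append(ts)
    hits = []
    for ts, event, f in parse(logon_log):
        if event != "logon" or f.get("access") != "local" or f.get("result") != "success":
            continue
        # A swipe only counts if it happened before the logon and within the window.
        if not any(ts - window <= b <= ts for b in badges.get(f["user"], [])):
            hits.append((f["user"], ts))
    return hits


if __name__ == "__main__":
    for user, ts in tailgate_candidates(BADGE_LOG, LOGON_LOG):
        print(f"{ts.isoformat()} local logon by {user} with no badge record")
```

Note that carol's second logon is flagged only because her last swipe falls outside the window, so the window length directly sets the false-positive rate and needs tuning against real shift patterns.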
Another part of the program they created supported safe surfing practices — monitoring surfing to known malicious websites. This one was more straightforward. Proxy logs could be monitored and trended to know whether employees have heeded safe surfing warnings. A significant uptick in bad surfing habits could mean it’s time for another warning announcement.
Splunk and its correlation capabilities can represent system data in ways that measure and trend the effectiveness of a security awareness program. Anonymized dashboards can be added to a company’s intranet site indicating the success of the program.