Security metrics – what should you actually be tracking?

Crystal Morin
Cybersecurity Strategist at Sysdig

Crystal Morin, Cybersecurity Strategist at Sysdig, explains why total visibility, sub-ten-minute response times and ruthless identity hygiene – not a flood of alerts – are the metrics that truly determine whether attackers gain ground or go home.

Today, security breaches aren’t a question of ‘if’, but ‘when’. According to the UK Government’s most recent cybersecurity survey, 43% of businesses and 30% of charities reported a breach or attack in the previous 12 months. This would equate to approximately 612,000 businesses and 61,000 charities across the UK and more than 1,800 attacks every single day.

With organisations constantly targeted by attackers, it’s natural to have questions about whether your security efforts are up to snuff or if you’ll fall victim next. So how do you have better peace of mind? The answer lies in metrics. We’ll review a few key metrics you can use to determine if your security measures are effective and how they can help you deliver better results. These metrics will tell you how well you know your environment, how quickly you can respond to threats, and whether you’re closing the gaps attackers are most likely to exploit.

Step 1: Know your environment and be ready to react

You can’t protect what you don’t know. Effective security starts with how well you know your environment. Without full visibility, you could be overconfident in your security posture. To prevent this, track the percentage of your cloud assets that provide properly configured security logging and monitoring telemetry. The goal is to be at 100% so there are no visibility gaps.

The more telemetry you have, the more likely you are to discover breaches earlier in the attack lifecycle. However, greater visibility brings more detection alerts, and alert fatigue is a real challenge. So how do you know which alerts are real threats that could lead to significant damage, and which are false positives? Track the number or frequency of false positives and continuously improve your detections to drive that percentage down.

As you improve detection fidelity, keep in mind attacks happen fast. Not only do you need to see that a potential attack is happening, you need to respond fast enough to stop it before it materialises. Sysdig’s Threat Research team found that cloud attacks can escalate from initial access to data exfiltration in just ten minutes.

Not all security alerts are created equal, of course. Focusing first on issues in your critical applications or in systems that are internet-facing and publicly accessible is a good start, as these systems are the most challenging to support and the most likely to be attacked. At the same time, you should understand how your team responds to the issues that do arise. A 10-minute detection-and-response time gives you a strong opportunity for containment before real damage is done, and it is achievable with real-time detection alerting, comprehensive security tooling and automation.

Step 2: Prioritise risk management

Patch your systems promptly after software vulnerabilities are disclosed to stay ahead of attackers. Unfortunately, the number of digital system components in use is vast, and most of them have vulnerabilities being discovered and reported constantly. There are currently more than 275,000 Common Vulnerabilities and Exposures (CVE) entries published, with more than 40,000 added in 2024 alone. Your team can be overwhelmed by sheer volume alone – this is where smarter vulnerability management comes in.

Filter out the noise by first looking at the high-risk vulnerabilities, like those with known exploits, and move them to the top of the priority list for remediation. From that reprioritised list, focus on the vulnerabilities in packages that are actually in use at runtime, not sitting in a dormant container. As a reportable metric, track the percentage of vulnerabilities in your environment that have known exploits or that are being actively targeted by threat actors.
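The two filters described above (known exploit or active targeting first, then runtime use) can be applied mechanically to scanner output. The following is an added illustration, not Sysdig's code or tooling; the `Finding` fields, the package names and the `VULN-000x` identifiers are constructed placeholders, not real CVE entries, and the ordering rule inside `priority_key` is an assumption about how a team might rank.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder id, not a real CVE number
    package: str              # hypothetical package name
    severity: float           # CVSS-style base score, 0-10
    known_exploit: bool       # a public exploit exists
    actively_targeted: bool   # seen in threat-actor campaigns
    in_use_at_runtime: bool   # package actually loaded by a running workload


# Constructed sample scan output; ids and packages are invented for the example
SAMPLE = [
    Finding("VULN-0001", "libfoo", 9.8, True, True, True),
    Finding("VULN-0002", "libbar", 7.5, True, False, False),
    Finding("VULN-0003", "libbaz", 5.3, False, False, True),
    Finding("VULN-0004", "libqux", 9.1, False, False, False),
    Finding("VULN-0005", "libzed", 8.2, False, True, True),
]


def exploitable(f: Finding) -> bool:
    """A finding counts as high-risk if it has a known exploit or is actively targeted."""
    return f.known_exploit or f.actively_targeted


def priority_key(f: Finding):
    # Assumed ranking: exploitability first, then runtime use, then raw score.
    # Sorting with reverse=True puts True before False and high scores first.
    return (exploitable(f), f.in_use_at_runtime, f.severity)


def prioritise(findings):
    """Return findings in the order remediation should be scheduled."""
    return sorted(findings, key=priority_key, reverse=True)


def fix_first(findings):
    """Findings that pass both article filters: exploitable AND loaded at runtime."""
    return [f for f in findings if exploitable(f) and f.in_use_at_runtime]


def exploitable_pct(findings) -> float:
    """Reportable metric: share of findings with a known exploit or active targeting."""
    if not findings:
        return 0.0
    return round(100 * sum(1 for f in findings if exploitable(f)) / len(findings), 1)


if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f.vuln_id, f.package, f.severity, exploitable(f), f.in_use_at_runtime)
    print("fix first:", [f.vuln_id for f in fix_first(SAMPLE)])
    print("exploitable:", exploitable_pct(SAMPLE), "%")
```

Note that the highest raw score in the sample (`VULN-0004`, 9.1) drops to the bottom of the list because it is neither exploitable nor loaded at runtime, which is exactly the reprioritisation the article argues for.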

Alongside vulnerabilities, threat actors look for misconfigurations in your cloud environments – the low-hanging fruit. A misconfiguration is a deployment that either lacks a security control or does not follow security best practices; common examples are exposed S3 buckets, weak identity and access-management policies, and exposed APIs. Attackers view misconfigurations as an open front door for initial access. Once they’re in, they look for sensitive or proprietary data to steal or use as ransomware leverage, deploy cryptominers, and more.

To establish metrics and gauge improvements, track the percentage of cloud assets evaluated against configuration policies. The goal should be 100%. Then, determine how many of the assets are compliant with the policies and track the time it takes to remediate misconfigurations. The longer a misconfiguration or vulnerability sits, the higher the risk and the larger the window of opportunity for attackers.

Step 3: Identify and remove identity issues

Poor identity management is your greatest risk amplifier. While software vulnerabilities and infrastructure misconfigurations are well-loved by attackers, nearly all security incidents involve an identity component at some point. After all, you need account access to make moves. This could come in the form of stolen credentials, human and machine accounts with excessive permissions, or a lack of security controls.

Overprovisioning identities is a poor practice for both human and machine accounts, but it remains common for the sake of convenience. In 2024, we found that 98% of permissions granted to accounts were unused. In our research this year, we found that there were 40,000 machine identities for every human account and that 60% of the machine accounts had administrator-level access without rotating keys. Identities have been and will continue to be a major attack surface, and these statistics show why.

Check your identity and permission usage and turn the results into metrics that show risk reduction. Track the percentage of accounts that have not been used in the previous 30 days. Review this metric monthly and remove inactive accounts, permanently or temporarily (for example, during parental leave). Do the same for unused permissions on a 30- or 60-day cadence. Finally, review and remediate high-risk accounts, such as those with admin privileges or access to sensitive information, that lack security mechanisms like multi-factor authentication (MFA) or rotating keys. Ideally, this figure should be at or near 0%, because all accounts should have strong security hygiene.
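The three identity metrics above (inactive accounts, unused permissions, and high-risk accounts without MFA or key rotation) can be computed from an account inventory in a few lines. This is an added example rather than anything from the article or from Sysdig; the `Account` fields, the sample accounts and their dates are constructed, the 30-day inactivity window is the article's, and the 90-day key-rotation threshold and the use of "admin" as the sole high-risk marker are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                      # "human" or "machine"
    last_used: Optional[date]      # None means never used
    granted: FrozenSet[str]        # permissions granted
    used: FrozenSet[str]           # permissions exercised in the review window
    admin: bool                    # administrator-level access (assumed high-risk marker)
    mfa: bool                      # meaningful for human accounts
    key_rotated: Optional[date]    # meaningful for machine accounts; None = never rotated


AS_OF = date(2025, 6, 30)  # constructed review date

# Constructed inventory; names, permissions and dates are invented for the example
SAMPLE = [
    Account("alice", "human", date(2025, 6, 28),
            frozenset({"s3:Get", "s3:Put", "iam:*"}), frozenset({"s3:Get"}),
            admin=True, mfa=True, key_rotated=None),
    Account("bob", "human", date(2025, 4, 1),
            frozenset({"s3:Get"}), frozenset(),
            admin=False, mfa=False, key_rotated=None),
    Account("ci-deployer", "machine", date(2025, 6, 30),
            frozenset({"ecr:Push", "eks:*"}), frozenset({"ecr:Push"}),
            admin=True, mfa=False, key_rotated=date(2025, 1, 15)),
    Account("old-batch-job", "machine", None,
            frozenset({"s3:*"}), frozenset(),
            admin=False, mfa=False, key_rotated=date(2024, 5, 1)),
]


def pct(part: int, whole: int) -> float:
    return round(100 * part / whole, 1) if whole else 0.0


def inactive_accounts(accounts, as_of=AS_OF, days=30):
    """Accounts never used, or not used within the last `days` days."""
    return [a for a in accounts
            if a.last_used is None or (as_of - a.last_used).days > days]


def unused_permission_pct(accounts) -> float:
    """Share of all granted permissions that were not exercised in the window."""
    granted = sum(len(a.granted) for a in accounts)
    used = sum(len(a.granted & a.used) for a in accounts)
    return pct(granted - used, granted)


def unprotected(a: Account, as_of=AS_OF, key_max_age_days=90) -> bool:
    """True if the account lacks the control the article expects for its kind."""
    if a.kind == "human":
        return not a.mfa
    # Machine account: key must exist and have been rotated within the threshold
    return a.key_rotated is None or (as_of - a.key_rotated).days > key_max_age_days


def high_risk_unprotected(accounts, as_of=AS_OF):
    """High-risk (admin) accounts that are missing MFA or timely key rotation."""
    return [a for a in accounts if a.admin and unprotected(a, as_of)]


def hygiene_report(accounts, as_of=AS_OF) -> dict:
    """The three reportable metrics from the article as percentages."""
    high_risk = [a for a in accounts if a.admin]
    return {
        "inactive_pct": pct(len(inactive_accounts(accounts, as_of)), len(accounts)),
        "unused_permission_pct": unused_permission_pct(accounts),
        "high_risk_unprotected_pct": pct(len(high_risk_unprotected(accounts, as_of)),
                                         len(high_risk)),
    }


if __name__ == "__main__":
    print(hygiene_report(SAMPLE))
    print("inactive:", [a.name for a in inactive_accounts(SAMPLE)])
    print("high-risk unprotected:", [a.name for a in high_risk_unprotected(SAMPLE)])
```

In the sample, `ci-deployer` is the account to act on first: it is active, holds admin-level access, and its key is well past the assumed rotation window, which is the combination the 60% figure above describes.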

Conclusion

Good security doesn’t require boiling the ocean. Tune your strategies and effectively answer: Do I know my assets? Do I see all misconfigurations and the vulnerabilities that matter? Am I properly securing identities? Can I respond quickly to a threat?

With the right metrics, you can find security weaknesses to improve and show effective security progress to the business. You already have the data; collect it and analyse it. It’s time to shift from ‘checking boxes’ to actually making security better.
