Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
69
6.2
Statistical Analysis across Incidents
Statistical overviews are the way to identify lessons from the large pool of data about incidents. These
overviews can be very useful in identifying vulnerabilities and discovering longer-term trends in the
evolution of threats, especially with the failure-prevention objective in view. However, our research
has revealed that at present, they are far less common than the individual follow-ups. Several scheme
organizers recognized value of statistical analyses and either plan to add longer-term analysis of
incident trends, or expressed interest in doing so.
CERT-FI
Finland
: "The most interesting observations can be made by looking at the statistics
over a longer period of time.
...
In addition to looking at yearly trends and categories of
incidents, we like to scale the total number of incidents against the number of existing
broadband subscriptions. We reason that the number of incidents should correlate with the
number of computers brought online."
17
There is a difference between the ways statistical updates may be used in cybersecurity and network
faults areas. In cybersecurity, regular especially daily updates on attacks, as we know them from
CERTs, can prove of direct relevance to the stakeholders. If the summaries enlist, e.g., the kinds of
malware that caused incidents, they may serve as threat alert or an update on current status of
threats. Obviously, these overviews in cybersecurity can only be produced with an automated tool.
In the network faults area, more in depth analysis seems necessary, usually released quarterly to
annually. Our research pointed to several conditions that need to be in place in order to seek for
trends and correlations in the data on causes of incidents, outage times, speed of recovery, etc.:
Enough reports to analyze,
Richness of data,
Resources to perform analysis.
To increase the number of reports submitted to a level that enables valid statistical processing, it is
possible to expand the scope of the reporting scheme, to lower thresholds, or simply to add data from
other sources. In both cybersecurity and network faults areas, it is useful to consider using additional
sources, too. Our respondents particularly recommended using honeypots and sensor networks that
identify malware, botnet activity, spam, etc., and collecting data from automated network
management software tools used by the service providers.
INTECO CERT
Spain
: In addition to the voluntary reports submitted by the service providers,
INTECO CERT uses also end-user reports, surveys, periodic scanners, and data from honeypots
and security sensor networks.
To ensure data rich enough to allow statistical analyses, it seems necessary to work towards enriching
the reporting formats and tuning them to the kind of analysis that is intended. For instance, the
reporting format should eventually contain classification of the incident causes. The organizers should
bear in mind that some information may only be available from ex-post reports.
17
Thomas Grenmann of CERT.FI at