I receive a lot of security operations (SecOps) inquiries from Forrester's security and risk clients. A question I often get is, “What are the core metrics that SecOps should track?”
According to Forrester data, 17% of security decision makers believe the inability to measure the effectiveness of security programs is their biggest security challenge. Metrics are difficult to define, and just as difficult to use effectively. Even with the right metrics in hand, knowing how to track and leverage them requires a combination of process improvement expertise and security technology expertise.
Because we get a lot of questions about this topic, we've released two new studies on SecOps metrics.
- Essential List of Security Operations Metrics — A list of SOC metrics that are worth tracking (aka “giving people fish”).
- 5 Steps to Improving Metrics in your Security Operations Center — Engage in the process of getting better SOC metrics (aka “teaching people to fish”).
Bucket security operational metrics by altitude and goals
SOC metrics fall into one of three altitudes:
- Strategic metrics. These metrics are reported to management and the board of directors.
- Operational metrics. These metrics are reported to the CISO and their direct reports.
- Tactical metrics. These metrics are reported to members of the SecOps function.
Tactical metrics roll up to operational metrics, which in turn roll up to strategic metrics. Every metric, at every altitude, must be tied to at least one security operations objective. The most common objectives security operations teams should use are, of course, detection quality, response speed and accuracy, and improving the analyst experience. Each objective has a set of metrics worth tracking, as shown in the diagram below. But this isn't just a list of metrics to track; you need to know how to use them, and the most basic part of that is lining your metrics up with one another.
There is no one SOC metric to rule them all
The most important thing to know is that a metric on its own (an orphan metric) is a useless metric. Metrics are only useful when read alongside other related metrics. For example, measuring detection accuracy by itself is meaningless: poor detection accuracy can be either good or bad. Detection accuracy becomes far more insightful when considered alongside mean time to detection (MTTD). For example:
- MTTD is low and detection accuracy is low. This indicates there may be room to improve detection accuracy without significantly affecting MTTD. Increasing MTTD by waiting for more context before raising an alert will improve detection accuracy.
- MTTD is high and detection accuracy is high. This indicates there may be room to reduce MTTD without significantly changing detection accuracy. Alerting on less context (or different context) can reduce MTTD and improve detection accuracy.
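The pairing described above, as an added worked example that is not part of the Forrester article: it computes MTTD and detection accuracy from a set of triaged alerts and reads the two numbers together against targets. The alert records, the two detection rules, and the MTTD and accuracy targets are all constructed for illustration; the reading labels are my own names for the two cases in the text plus the two remaining quadrants.

```python
"""Pair MTTD with detection accuracy so neither is read as an orphan metric."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Alert:
    alert_id: str
    first_evidence: datetime  # timestamp of the earliest telemetry behind the alert
    detected: datetime        # timestamp the detection fired
    true_positive: bool       # triage verdict: True if the activity was real


def mean_time_to_detect(alerts: list[Alert]) -> float:
    """MTTD in hours: average gap between first evidence and the alert firing."""
    if not alerts:
        raise ValueError("MTTD is undefined for an empty alert set")
    gaps = [(a.detected - a.first_evidence).total_seconds() / 3600 for a in alerts]
    return mean(gaps)


def detection_accuracy(alerts: list[Alert]) -> float:
    """Fraction of fired alerts that triage confirmed as true positives."""
    if not alerts:
        raise ValueError("accuracy is undefined for an empty alert set")
    return sum(a.true_positive for a in alerts) / len(alerts)


def interpret_pair(mttd_hours: float, accuracy: float,
                   mttd_target_hours: float, accuracy_target: float) -> str:
    """Read MTTD and accuracy together; neither number means much alone."""
    fast = mttd_hours <= mttd_target_hours
    accurate = accuracy >= accuracy_target
    if fast and not accurate:
        # Low MTTD, low accuracy: wait for more context before alerting,
        # trading some MTTD for precision.
        return "improve-accuracy"
    if not fast and accurate:
        # High MTTD, high accuracy: alert on less (or different) context
        # to bring MTTD down.
        return "reduce-mttd"
    if fast and accurate:
        return "on-target"
    return "both-need-work"


BASE = datetime(2024, 1, 1, 0, 0)  # constructed reference time


def _constructed(rule: str, gaps_hours: list[float], verdicts: list[bool]) -> list[Alert]:
    """Build constructed alert records for one detection rule."""
    return [
        Alert(f"{rule}-{i}", BASE, BASE + timedelta(hours=gap), verdict)
        for i, (gap, verdict) in enumerate(zip(gaps_hours, verdicts), start=1)
    ]


# Constructed sample: one rule fires within minutes but is mostly noise,
# the other waits for corroborating context and is rarely wrong.
NOISY_RULE = _constructed("fast-noisy",
                          [0.25, 0.5, 0.5, 0.75, 0.5, 0.5],
                          [True, False, False, True, False, False])
PRECISE_RULE = _constructed("slow-precise",
                            [20, 24, 28, 30, 18],
                            [True, True, True, True, False])


def scorecard(alerts: list[Alert], mttd_target_hours: float = 4.0,
              accuracy_target: float = 0.7) -> dict:
    """Operational-level view of one rule: both numbers plus the joint reading."""
    mttd = mean_time_to_detect(alerts)
    accuracy = detection_accuracy(alerts)
    return {
        "mttd_hours": round(mttd, 2),
        "accuracy": round(accuracy, 2),
        "reading": interpret_pair(mttd, accuracy, mttd_target_hours, accuracy_target),
    }


if __name__ == "__main__":
    for name, alerts in (("fast-noisy", NOISY_RULE), ("slow-precise", PRECISE_RULE)):
        print(name, scorecard(alerts))
```

The targets (4 hours MTTD, 70% accuracy) are placeholders; in practice they come from the operational objective the metric pair is tied to, and the same `scorecard` can be run per rule, per data source, or per analyst shift to feed the tactical-to-operational rollup.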
But wait. There are other SecOps metrics to consider.
MTTD and detection accuracy are just two of the many SOC metrics we recommend tracking. Learn more in the Essential List of Security Operations Metrics.
The original article is here.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the views and opinions of CDOTrends. Image credit: iStockphoto/z_wei