I receive a lot of security operations (SecOps) inquiries from Forrester's security and risk clients. A question I often get is, “What are the core metrics that SecOps should track?”
Forrester data shows that 17% of security decision makers say the inability to measure the effectiveness of their security program is their biggest security challenge. Metrics are difficult to define and just as difficult to use well. Even with the right metrics, knowing how to track and act on them takes a combination of process-improvement expertise and security technology expertise.
Because we get a lot of questions about this topic, we've released two new studies on SecOps metrics.
- Key list of security operational metrics — A list of SOC metrics worth tracking (aka “giving people fish”).
- 5 steps to improve your security operations center metrics — Work through the process of getting better SOC metrics (aka “teaching people to fish”).
Bucket security operational metrics by altitude and goals
SOC metrics fall into one of three altitudes:
- Strategic metrics. Reported to management and the board of directors.
- Operational metrics. Reported to the CISO and their direct reports.
- Tactical metrics. Reported to members of the SecOps function.
Tactical metrics roll up into operational metrics, which in turn roll up into strategic metrics. Every metric, at every altitude, must be tied to at least one security operations goal. The most common goals security operations teams should use are detection quality, response speed and accuracy, and improved analyst experience. Each goal has a set of metrics worth tracking, as shown in the diagram below. But this isn't just a list of metrics to track; you need to know how to use them, and the most basic part of that is combining related metrics.
There is no one SOC metric to rule them all
The most important thing to know is that a single metric on its own (an orphan metric) is a useless metric. Metrics are only useful when read alongside other related metrics. For example, measuring detection accuracy by itself is meaningless: low detection accuracy can be good or bad. Detection accuracy becomes far more insightful when considered alongside mean time to detect (MTTD). For example:
- Low MTTD and low detection accuracy. This indicates there may be room to improve detection accuracy without significantly affecting MTTD: increasing MTTD by waiting for more context before raising an alert will improve detection accuracy.
- High MTTD and high detection accuracy. This indicates there may be room to reduce MTTD without significantly changing detection accuracy: alerting on less context (or different context) could reduce MTTD while preserving detection accuracy.
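As an added example (not from the original post or Forrester's research), here is how the MTTD and detection-accuracy pair can be computed from triage records and read together as the two cases above. The alert records, the target thresholds, and the two quadrants the post does not discuss (fast and accurate; slow and inaccurate) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass
class Alert:
    """One triaged SOC alert (constructed sample record, not real data)."""
    alert_id: str
    event_time: datetime     # when the underlying activity started
    detected_time: datetime  # when the SOC raised the alert
    true_positive: bool      # analyst verdict after triage

def mttd_hours(alerts):
    """Mean time to detect: average of (detected - event) in hours."""
    return mean((a.detected_time - a.event_time).total_seconds() / 3600 for a in alerts)

def detection_accuracy(alerts):
    """Share of raised alerts that triage confirmed as true positives."""
    return sum(1 for a in alerts if a.true_positive) / len(alerts)

def interpret_pair(mttd, accuracy, mttd_target_hours, accuracy_target):
    """Read MTTD and accuracy together, as the post recommends.
    Targets are assumed inputs; the two mixed quadrants are my extension."""
    fast = mttd <= mttd_target_hours
    accurate = accuracy >= accuracy_target
    if fast and not accurate:
        # Post's first case: headroom to wait for more context before alerting.
        return "improve-accuracy"
    if not fast and accurate:
        # Post's second case: headroom to alert on less or different context.
        return "reduce-mttd"
    if fast and accurate:
        return "on-target"
    return "review-both"  # slow and inaccurate: neither metric gives slack (assumption)

def assess(alerts, mttd_target_hours=4.0, accuracy_target=0.8):
    m = mttd_hours(alerts)
    acc = detection_accuracy(alerts)
    return {"mttd_hours": m, "accuracy": acc,
            "verdict": interpret_pair(m, acc, mttd_target_hours, accuracy_target)}

# Constructed sample: four alerts for activity that all began at T0.
T0 = datetime(2024, 1, 1, 0, 0)
SAMPLE_ALERTS = [
    Alert("A1", T0, T0 + timedelta(hours=1), True),
    Alert("A2", T0, T0 + timedelta(hours=2), False),
    Alert("A3", T0, T0 + timedelta(hours=3), False),
    Alert("A4", T0, T0 + timedelta(hours=2), True),
]
```

Running `assess(SAMPLE_ALERTS)` on the constructed sample gives an MTTD of 2.0 hours with 50% accuracy, which lands in the post's first case.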
But wait. There are other SecOps metrics to consider.
MTTD and detection accuracy are just two of the many SOC metrics we recommend tracking. I explain the rest in Key list of security operational metrics.
Forrester clients who would like to discuss security operations and SOC metrics in more detail can schedule an inquiry or guidance session with me.