Measuring team effectiveness
SOC
Metric | Definition | Meaning |
---|---|---|
Mean Time to Detection (MTTD) | Average time the SOC takes to detect an incident. | How effective the SOC is at processing important alerts and identifying real incidents. |
Mean Time to Resolution (MTTR) | Average time that transpires before the SOC takes action and neutralizes the threat. | How effective the SOC is at gathering relevant data, coordinating a response, and taking action. |
Total cases per month | Number of security incidents detected and processed by the SOC. | How busy the security environment is and the scale of action the SOC is managing. |
Types of cases | Number of incidents by type: web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc. | The main types of activity managed by the SOC, and where preventative security measures should be focused. |
Analyst productivity | Number of units processed per analyst — alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3. | How effective analysts are at covering the maximum possible number of alerts and threats. |
Case escalation breakdown | Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, escalated incidents. | The effective capacity of the SOC at each level and the workload expected for different analyst groups. |
SIRT
Metric | Definition | Meaning |
---|---|---|
Detection success | Number of alerts by department, team, site. | How effective the detection solution is. If the SOC is not the greatest source of alerts, you have a problem. |
Detection to decision | The time it takes for activity to be detected and processed through the system to determine if action is required. | How effective analysts, detection tools, SIEM, etc. are. |
Decision speed | The time it takes to make a decision; includes the time needed to get all hands on deck. | Decisions are made on every alert and are heavily influenced by the number of alerts ahead in the queue and how much additional research an analyst must conduct. |
False positive rates | The percentage of alerts that upon investigation are revealed not to be valid threats. | False positives can reduce a security team's confidence in its tools and draw attention away from serious underlying problems. False positive feedback loops are to be included in the process, and the only thing worse than a false positive is an overlooked false negative. |
Time to mitigation/containment | The time it takes to see a security concern, identify the impact, determine the course of action and implement it. | These numbers can vary widely, but over time trends will appear, providing useful insight about where you need to invest for additional protection, remediation and automation capabilities. |
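The tables above define the metrics but not how to derive them from case records. The following is an added example (not part of the original page) that computes MTTD, MTTR, the false positive rate and the case escalation funnel from a small set of constructed case records; the `Case` record layout and stage names are assumptions for illustration, not a standard format.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Furthest stage a case reached, in escalation order; an alert that turns
# out to be benign never moves past the first stage (assumed stage names).
STAGE_RANK = {"false_positive": 0, "suspected": 1, "confirmed": 2, "escalated": 3}
FUNNEL = ["alerts", "suspected", "confirmed", "escalated"]

@dataclass
class Case:
    case_id: str
    case_type: str                # web attack, attrition, email, loss/theft, ...
    occurred: datetime            # when the malicious activity started
    detected: datetime            # when the SOC raised the alert
    resolved: Optional[datetime]  # None while the case is still open
    stage: str                    # key of STAGE_RANK

def mttd_hours(cases: List[Case]) -> float:
    """MTTD: mean occurred->detected time over cases that were real incidents."""
    real = [c for c in cases if c.stage != "false_positive"]
    return mean((c.detected - c.occurred).total_seconds() / 3600 for c in real)

def mttr_hours(cases: List[Case]) -> float:
    """MTTR: mean detected->resolved time over real incidents that are closed."""
    done = [c for c in cases if c.stage != "false_positive" and c.resolved]
    return mean((c.resolved - c.detected).total_seconds() / 3600 for c in done)

def false_positive_rate(cases: List[Case]) -> float:
    """Share of alerts that investigation showed were not valid threats."""
    return sum(c.stage == "false_positive" for c in cases) / len(cases)

def escalation_breakdown(cases: List[Case]) -> Dict[str, int]:
    """Cumulative funnel: how many cases reached at least each stage."""
    return {name: sum(STAGE_RANK[c.stage] >= i for c in cases)
            for i, name in enumerate(FUNNEL)}

# Constructed sample cases for demonstration, not real incident data.
T = datetime.fromisoformat
SAMPLE = [
    Case("c1", "web_attack", T("2024-01-01T00:00"), T("2024-01-01T02:00"), T("2024-01-01T06:00"), "confirmed"),
    Case("c2", "attrition", T("2024-01-02T10:00"), T("2024-01-02T11:00"), T("2024-01-02T13:00"), "escalated"),
    Case("c3", "email", T("2024-01-03T08:00"), T("2024-01-03T08:30"), None, "suspected"),
    Case("c4", "web_attack", T("2024-01-04T12:00"), T("2024-01-04T12:30"), T("2024-01-04T12:45"), "false_positive"),
    Case("c5", "equipment_theft", T("2024-01-05T09:00"), T("2024-01-05T15:00"), T("2024-01-06T15:00"), "confirmed"),
]
```

Run monthly over the real case store, the funnel counts give the "Case escalation breakdown" row directly, and MTTD/MTTR trends over several months show where detection or response is slipping.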