Measuring team effectiveness
| Metric | What it tells you |
|---|---|
| Mean time to detect (MTTD): average time the SOC takes to detect an incident. | How effective the SOC is at processing important alerts and identifying real |
| Mean time to respond (MTTR): average time that transpires before the SOC takes action and neutralizes the threat. | How effective the SOC is at gathering relevant data, coordinating a response, and taking action. |
| Number of security incidents detected and processed by | How busy the security environment is and the scale of action the SOC is managing. |
| Number of incidents by type: web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc. | The main types of activity managed by the SOC, and where preventative security measures should be focused. |
| Number of units processed per analyst: alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3. | How effective analysts are at covering the maximum possible number of alerts and threats. |
| Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, escalated incidents. | The effective capacity of the SOC at each level and the workload expected for different analyst groups. |
| Number of alerts by department, team, site. | How effective the detection solution is. If the SOC is not the greatest source of alerts, you have a problem. |
| The time it takes for activity to be detected and processed through the system to determine whether action is required. | How effective analysts, detection tools, the SIEM, etc. are. |
| The time it takes to make a decision, including the time needed to get all hands on deck. | Decisions are made on every alert and are heavily influenced by the number of alerts ahead in the queue and how much additional research an analyst must conduct. |
| The percentage of alerts that, upon investigation, are revealed not to be valid threats (false positive rate). | False positives can reduce a security team's confidence in its tools and draw attention away from serious underlying problems. False positive feedback loops are to be included in the process, and the only thing worse than a false positive is an overlooked |
| The time it takes to see a security concern, identify the impact, determine the course of action and implement it. | These numbers can vary widely, but over time trends will appear, providing useful insight about where you need to invest in additional protection, remediation and automation capabilities. |
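The metrics above are only comparable across weeks and teams if each one is anchored to the same timestamps and excludes the same records. The following is an added example, not code from the original page: it computes MTTD, MTTR, the false positive rate, the alert-to-escalation funnel and the incident-by-type breakdown over a small set of constructed alert records. The `Alert` record, its field names and the choices that MTTD runs from the first logged activity to the alert, that MTTR runs from the alert to containment, and that still-open alerts are left out of the rates are assumptions made here for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Hypothetical alert record. Field names are assumptions for this example;
# map them onto whatever your case-management system actually stores.
@dataclass
class Alert:
    alert_id: str
    category: str                  # incident type, e.g. "web attack", "email"
    first_activity: datetime       # earliest evidence of the activity in the logs
    detected: datetime             # when the SIEM raised the alert
    triaged: Optional[datetime]    # when an analyst made a decision (None = queued)
    contained: Optional[datetime]  # when the threat was neutralized (None = not yet)
    disposition: str               # "confirmed", "false_positive" or "open"
    escalated: bool                # handed to a higher tier / incident response

def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600

def mttd(alerts) -> Optional[float]:
    # Mean time to detect: first activity -> alert, over confirmed incidents only.
    # False positives have no real "first activity", so they are excluded.
    deltas = [_hours(a.detected, a.first_activity)
              for a in alerts if a.disposition == "confirmed"]
    return mean(deltas) if deltas else None

def mttr(alerts) -> Optional[float]:
    # Mean time to respond: alert -> containment. Confirmed incidents that are
    # not yet contained are left out rather than counted as zero, which would
    # make the number look better the more open incidents you have.
    deltas = [_hours(a.contained, a.detected)
              for a in alerts if a.disposition == "confirmed" and a.contained]
    return mean(deltas) if deltas else None

def false_positive_rate(alerts) -> Optional[float]:
    # Share of *closed* alerts found not to be valid threats. Alerts still
    # open have no disposition yet and must not dilute the denominator.
    closed = [a for a in alerts if a.disposition in ("confirmed", "false_positive")]
    if not closed:
        return None
    fps = sum(1 for a in closed if a.disposition == "false_positive")
    return fps / len(closed)

def funnel(alerts) -> dict:
    # Volume at each stage: alerts raised, alerts triaged (a decision exists),
    # confirmed incidents, escalated incidents. Shrinkage between stages
    # shows where capacity is spent.
    return {
        "alerts": len(alerts),
        "triaged": sum(1 for a in alerts if a.triaged is not None),
        "confirmed": sum(1 for a in alerts if a.disposition == "confirmed"),
        "escalated": sum(1 for a in alerts if a.escalated),
    }

def incidents_by_type(alerts) -> dict:
    # Confirmed incidents per category: where preventative controls should go.
    return dict(Counter(a.category for a in alerts if a.disposition == "confirmed"))

# Constructed sample data for one shift; not real incident records.
T = lambda h, m=0: datetime(2024, 3, 1, h, m)
SAMPLE_ALERTS = [
    Alert("A1", "web attack", T(8), T(9), T(9, 30), T(12), "confirmed", True),
    Alert("A2", "email", T(7), T(9), T(10), T(11), "confirmed", False),
    Alert("A3", "attrition", T(6), T(9), T(9, 15), None, "confirmed", True),
    Alert("A4", "web attack", T(9), T(9), T(9, 10), None, "false_positive", False),
    Alert("A5", "email", T(9), T(9, 5), T(9, 20), None, "false_positive", False),
    Alert("A6", "loss or theft of equipment", T(8), T(10), None, None, "open", False),
]

if __name__ == "__main__":
    print("MTTD (h):", mttd(SAMPLE_ALERTS))
    print("MTTR (h):", mttr(SAMPLE_ALERTS))
    print("False positive rate:", false_positive_rate(SAMPLE_ALERTS))
    print("Funnel:", funnel(SAMPLE_ALERTS))
    print("Confirmed incidents by type:", incidents_by_type(SAMPLE_ALERTS))
```

On the sample data MTTD comes out at 2.0 hours and MTTR at 2.5 hours, but note that A3 (detected, not yet contained) contributes to MTTD and to the funnel while dropping out of MTTR, and A6 (not yet triaged) is counted as an alert but not in the false positive rate. Whichever conventions you pick, write them down next to the dashboard; a change in how open records are treated will move these numbers more than most real changes in the SOC.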