Written by Chris Peterson, Forbes
According to a 2019 survey from The Conference Board of more than 800 international CEOs and 600 C-suite members, cybersecurity is cited as the top external concern. The Conference Board also notes (via CIO Dive) that malicious cyber activity cost the economy up to $109 billion in 2016.
CEOs and boards that seek to meaningfully reduce their risk of experiencing high-impact cyber incidents such as data breaches must invest in a security operations center (SOC) with a primary mandate of delivering enterprisewide threat detection and response. Furthermore, the SOC’s threat detection and response program must be viewed as a business-critical operation, requiring continuous investment, improvement and measurement across the following six interrelated subcomponents: centralized visibility, threat discovery, threat qualification, threat investigation, threat mitigation and incident recovery.
Boards should ask their CEOs — and thus CEOs should ask their CISOs — to provide operational measurement and metrics across these subcomponents with the intent of understanding current operational capabilities and related risks. As with most business operations, these subcomponents can be realized in a variety of ways based on unique organizational considerations, technology selection and available budget.
However, regardless of how these capabilities are realized, consistent measurement and reporting across an established set of metrics will help CEOs to understand the operational capability of their SOC toward enterprise threat detection and response — and whether budgetary investments are realizing expected gains.
The following are some foundational metrics that can provide a starting point for CEOs wanting to better understand the state of their organizations’ security operations and cybersecurity risk. These metrics are taken from my company’s own security operations maturity model.
Visibility And Analytics Metrics
A SOC’s threat detection and response capabilities are rooted in its ability to see into the IT and OT environment and leverage analytics to support detection and response efforts. The ability to measure and trend these capabilities is important as improvements or degradations have downstream consequences.
1. Centralized Forensic Visibility (CFV): This metric measures the estimated percent of the IT/OT infrastructure across which centralized forensic visibility exists and search and machine-based analytics can be applied. This metric can be broken down into further submetrics that evaluate the type of central visibility currently realized.
2. Centralized Machine Analytics Visibility (CMAV): This metric measures the estimated percent of the IT/OT infrastructure across which machine analytics is being applied actively for threat discovery and alarm prioritization. CMAV is closely related to CFV, as the ability to apply centralized machine analytics is dependent on centralized forensic visibility.
Workflow metrics focus on the speed of people, enabled and empowered by technology. These metrics measure the speed of SOC staff and the effectiveness of your technology investments. Their primary value is realized once trend lines can be established, which requires a consistent measurement methodology: trend lines can only be trusted to indicate true improvement if every period is measured the same way. Given that the speed of threat adversaries continues to increase, organizations should seek quarterly improvements for each of the following metrics.
3. Alarm Time to Triage (TTT): This metric measures latency in a team’s ability to immediately inspect a threat indicator (e.g., an alarm). It helps organizations understand the level of real-time responsiveness to threats.
4. Alarm Time to Qualify (TTQ): This metric measures the amount of time it takes an indicator (e.g., an alarm) to be fully inspected and qualified. It can aid a company in spotting bottlenecks and help understand the SOC’s capacity for qualifying threats.
5. Threat Time to Investigate (TTI): This metric measures the amount of time it takes a qualified threat to be fully investigated. Like TTQ, it helps point out bottlenecks and understand the SOC’s capacity for investigating threats.
6. Time to Mitigate (TTM): This metric measures the amount of time it takes an incident to be mitigated and immediate risk to the business to be eliminated. This metric helps organizations understand how quickly the SOC can implement mitigations that stop or slow down an active threat.
7. Time to Recover (TTV): This metric measures the amount of time it takes for the full recovery around an incident to be complete. Measuring TTV helps organizations understand how quickly the security team and other involved groups can completely recover from an incident.
8. Incident Time to Detect (TTD): This metric measures the amount of time it takes a confirmed incident to initially be detected. This is an important metric because it identifies how long it took to spot threats that resulted in incidents.
9. Incident Time to Response (TTR): This metric measures the amount of time it takes a confirmed incident to be investigated and mitigated. This is a key measure of security operations effectiveness, because it shows how long it took to analyze and mitigate threats that resulted in incidents.
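As an added illustration (not part of the original article or its author's maturity model), the script below computes the seven workflow metrics from a per-incident timeline, takes quarterly medians, and reports the quarter-over-quarter trend. The timeline field names, the start and end timestamps assumed for each interval, and the sample incidents are constructed assumptions; the article names the metrics but does not fix the exact timestamps they are taken from.

```python
from dataclasses import dataclass
from datetime import datetime as dt
from statistics import median

# Assumed per-incident timeline (field names and interval boundaries are
# illustrative choices, not definitions from the article).
@dataclass
class IncidentTimeline:
    compromised: dt   # earliest attacker activity established during investigation
    alarm: dt         # alarm raised by centralized analytics
    triaged: dt       # an analyst first inspected the alarm
    qualified: dt     # alarm confirmed as a real threat / incident
    investigated: dt  # investigation of the qualified threat complete
    mitigated: dt     # immediate risk to the business eliminated
    recovered: dt     # full recovery complete

def hours(start: dt, end: dt) -> float:
    return (end - start).total_seconds() / 3600

def metrics(t: IncidentTimeline) -> dict[str, float]:
    """Workflow metrics in hours for one incident, using the assumed intervals."""
    return {
        "TTT": hours(t.alarm, t.triaged),           # Alarm Time to Triage
        "TTQ": hours(t.alarm, t.qualified),         # Alarm Time to Qualify
        "TTI": hours(t.qualified, t.investigated),  # Threat Time to Investigate
        "TTM": hours(t.qualified, t.mitigated),     # Time to Mitigate
        "TTV": hours(t.qualified, t.recovered),     # Time to Recover
        "TTD": hours(t.compromised, t.alarm),       # Incident Time to Detect
        "TTR": hours(t.alarm, t.mitigated),         # Incident Time to Response
    }

def quarterly_medians(timelines: list[IncidentTimeline]) -> dict[str, float]:
    """Median of each metric over a quarter; medians resist a single outlier incident."""
    rows = [metrics(t) for t in timelines]
    return {k: median(r[k] for r in rows) for k in rows[0]}

def trend(prev: dict[str, float], curr: dict[str, float]) -> dict[str, float]:
    """Percent change quarter over quarter; a negative value means the SOC got faster."""
    return {k: round(100 * (curr[k] - prev[k]) / prev[k], 1) if prev[k] else 0.0
            for k in curr}

# Constructed sample data: two confirmed incidents from one quarter.
Q1 = [
    IncidentTimeline(dt(2019, 1, 3, 2, 0), dt(2019, 1, 5, 9, 0), dt(2019, 1, 5, 9, 30),
                     dt(2019, 1, 5, 11, 0), dt(2019, 1, 5, 17, 0), dt(2019, 1, 5, 19, 0),
                     dt(2019, 1, 8, 11, 0)),
    IncidentTimeline(dt(2019, 2, 10, 0, 0), dt(2019, 2, 12, 8, 0), dt(2019, 2, 12, 10, 0),
                     dt(2019, 2, 12, 12, 0), dt(2019, 2, 13, 12, 0), dt(2019, 2, 13, 16, 0),
                     dt(2019, 2, 15, 12, 0)),
]
```

Calling `quarterly_medians(Q1)` yields, for example, a median TTD of 55.5 hours and a median TTR of 21 hours; feeding two consecutive quarters' medians to `trend` gives the percent change the article recommends reporting once a few quarters of data exist.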
To establish a meaningful set of metrics on your enterprise’s threat detection and response capabilities, consider the following steps:
• Develop a go-forward framework by which your enterprise threat detection and response operational capability can be consistently described for the next three to five years.
• Develop and agree on an initial set of metrics that span your defined operational capabilities. Ensure there is transparency and consistency in how each metric will be measured.
• Invest in the ability to capture and record these initial metrics on a quarterly basis.
• Once you can reliably and consistently capture initial metrics, begin producing a quarterly report of metrics, and add trends once you have a few quarters’ worth of data.
• Improve the frequency by which metrics can be captured and reported for external (e.g., board) and internal (e.g., CEO, CISO) audiences. For some metrics (e.g., workflow), striving for daily measurement and reporting may be warranted.