Five metrics you should be recording for incident response

2 Minute Read

Data analytics have become critical for enterprises in almost all industries as enterprises look to identify trends and make operational adjustments based on actionable information. Security operations is no different; in fact, determining the human resources needed to manage security alerts and pinpointing what adjustments to technology or processes are necessary is crucial to continuously improving SecOps.

In cybersecurity, as with any vertical, it is critical to choose the metrics that make the most sense for your organization. But some incident response metrics, like the five listed below, are relevant to almost every organization:

Five Critical Metrics for Incident Management and Response

  1. Detection success: The effectiveness of your detection solution: Is it detecting most alerts or are the majority reported by users and system administrators? If your security operations team and their tools are not the greatest source of security alerts, you have an issue.
  1. Detection to decision: The time it takes for activity to be detected and processed through the system (detection tool, SIEM, etc.) before it reaches an analyst or automated incident response system to determine if action is required.
  1. Decision speed: The time it takes to make a decision—ensuring the alert was not a false positive, escalation or assignment of tasks. It also refers to the speed at which you get all hands on deck to address an alert once it is available to be processed (human or machine). Decisions are made on every alert and are heavily influenced by the number of alerts ahead in the queue and how much additional research an analyst must conduct.
  1. False positive rates: The percentage of alerts that upon investigation are revealed to not be valid threats. False positives reduce a security team’s confidence in its tools and draws attention away from serious underlying problems. False positive feedback loops should be included in any incident management process, but enterprises must guard against becoming too lenient; the only thing worse than a false positive is a false negative in which a serious threat is overlooked because a tool was turned down too far.
  1. Time to mitigation/containment: The time it takes to see a security concern, identify the impact, determine the course of action and implement it. These numbers can vary widely but over time trends will appear, providing useful insight about where you need to invest for additional protection, remediation and automation capabilities.

Bonus Incident Management Metric

Security vs. administrative tasks: How much time does your staff spend doing the specialized security operations you hired them to do?

If these experts are spending hours on ticket management, email notification and other non-security work, you are not getting optimal return on your capital investment. This incident response metric can be significantly improved by leveraging a security automation and orchestration platform that can automatically resolve high volume, low complexity tasks—essentially administrative—tasks.

So when you have a free second, do a quick check and ask yourself: how many of these incident response metrics are you currently using?

Ready to take your automation to the next level?

So you’re tracking your critical incident response metrics and are looking to level-up. How do you know if you’re ready for a full security orchestration, automation and response (SOAR) solution? Check out this Gartner SOAR Market Guide courtesy of Swimlane!

Download Now

Request a Live Demo