And how can SOAR make it easy?
Your security operations team deals with a lot of data.
The problem is that security teams are constantly busy putting out fires and fixing the latest vulnerabilities. Where does the time come from to pull metrics from multiple tools and look at trends? Or even more importantly, how does a CISO show progress and proof of investment to their company leadership?
With the right platform, you can make things easier. Security Orchestration Automation and Response (SOAR) platforms simplify the tracking and reporting process with automation and organize your metrics with a dashboard that helps you understand what’s happening in your SOC environment.
What is SOAR? Learn more in our Beginner’s Guide to SOAR.
In order to begin tracking metrics, it’s key to determine what matters to your organization. For example, some security automation metrics that a SOC director might be interested in are:
Level of Preparedness
Critical incidents won’t happen every day, but you want to be ready when they do. How long does it take your organization to respond to an incident? Do you have a plan that everyone understands and can execute quickly?
Instead of waiting for disaster to strike, ensure that your organization creates incident response playbooks to demonstrate the preparedness and effectiveness of your SOC. These playbooks will map out how to address various incidents and minimize human error that can occur during high-stress events.
Questions to ask that will help identify your level of preparedness include:
Is your technology and tool implementation effective? Look at trends over time by the signal source.
Are there spikes of events from multiple ingest pipelines? How effective is your correlation across your enterprise?
Where are the gaps in controls and how are they affecting your risk management program? Look at the MITRE ATT&CK® Enterprise Framework for tactics and techniques.
What are your residual risks, scores, and priorities? Residual risk is your inherent risk minus your risk control.
Number of Vulnerabilities
Vulnerabilities are weaknesses in your system that attackers exploit to gain access or control. Of course, the goal is to have no vulnerabilities, but third-party vendors and software exploits make that impossible. You should track the following vulnerability metrics:
Vulnerability source: (threat models, code reviews, dependency scans, bug bounties, etc.)
Vulnerability category: (authorization, authentication, input validation, configuration, etc.)
Number of critical vulnerabilities by environment: (endpoints, public & private cloud, etc.)
Number of vulnerabilities that are opened or closed over time
Are they on the CISA Known Exploited List?
Mean Time to Detect (MTTD)
MTTD is the average time between the moment an attacker is inside your network and the time you detect them there. This can be measured using various tools, including packet capture analysis and threat intelligence platforms.
Mean Time to Resolve (MTTR)
It’s also important to look at your security team’s mean time to resolve (MTTR), which signifies how long an organization has been compromised. Resolution times are a major factor in determining the overall impact of an attack on an organization. The longer the resolution, the more damage you can expect.
Dwell time is the duration a threat actor has undetected access in a network until their completely removed. This number should be as low as possible.
First-Party Security Ratings
When you are looking at security metrics, it’s critical to also look at first-party security ratings. These ratings (on scales such as A-F and 1-10) show an organization’s security performance in different SOAR use case areas like phishing, network security, data leaks, etc. Ratings give you a sense of how much better or worse your organization is performing in comparison to internal and industry standards. They give you a good idea about where you need to invest more resources to improve your organization’s cybersecurity posture.
First-party ratings help organizations understand their own relative risk and progress over time. They also help demonstrate value to customers and partners who may be looking at those same ratings right now. It’s easy to pull MoM and YoY progress for non-technical stakeholders.
In the end, it’s important to remember that continuous monitoring and timely incident response are vital to securing your organization. While the exact metrics you should look at will vary based on your specific environment, they remain a crucial way to track the overall health of your security infrastructure and keep tabs on new threats in and beyond your SOC. Low-code security automation platforms are an easy choice to ensure resilience and proactive protection against the next major attack.
Automating Incident Response e-book
Is your cybersecurity team overwhelmed by security alerts? Overcome this challenge with incident response automation.