I take a lot of inquiry questions from Forrester’s security and risk clients about security operations (SecOps). A common question I get is, “What core metrics does SecOps need to track?”
Forrester data indicates that 17% of security decision-makers consider the inability to measure the effectiveness of their security program as a top security challenge. Metrics are hard. Using them effectively is also hard. Even if you have the right metrics, it requires a combination of a process improvement specialist and a security technology expert to know how to track and get use out of them.
Because of the volume of questions we get on this topic, we just released two new pieces of research about SecOps metrics:
- The Essential List Of Security Operations Metrics — a list of SOC metrics worth tracking (aka, “give a person a fish”).
- Five Steps To Better Metrics In The Security Operations Center — tackles the process for getting better SOC metrics (aka, “teach a person to fish”).
Bucket Security Operations Metrics By The Altitude And Goal
SOC metrics fall into one of three altitudes:
- Strategic metrics. These metrics are reportable to executives and the board.
- Operational metrics. These metrics are reportable to the CISO and direct reports.
- Tactical metrics. These metrics are reportable to the members of the SecOps function.
Tactical metrics roll up into operational metrics, which roll up into strategic metrics. These metrics — and altitudes — must be tied to at least one security operations goal. Some of the most common goals that security operations teams should use are, of course, detection quality, response speed and accuracy, and improved analyst experience. Each goal has a series of metrics worth tracking, as shown in the figure below. But this is not just a list of metrics to track — you need to know how to use them. The most fundamental part of this: juxtaposing metrics.
There Will Never Be One SOC Metric To Rule Them All
The most important thing you need to know is that a singular metric (a metric in a vacuum) is a useless metric. A metric is only useful when juxtaposed against another related metric. For example, measuring detection accuracy alone is meaningless. Low detection accuracy could be good or bad. Detection accuracy becomes much more insightful, however, when juxtaposed against mean-time-to-detect (MTTD). For example:
- A low detection accuracy with a small MTTD is a sign that there may be room to improve detection accuracy while not significantly affecting MTTD. Increasing MTTD and waiting to get more context before initiating an alert can improve detection accuracy.
- A high detection accuracy with a large MTTD is a sign that there may be room to reduce MTTD while not significantly altering detection accuracy. Reducing MTTD by alerting with less context (or different context) can improve detection accuracy.
But Wait, There Are More SecOps Metrics To Consider!
MTTD and detection accuracy are just two of many SOC metrics that we recommend tracking. We go into more detail in The Essential List Of Security Operations Metrics.
Forrester clients can schedule an inquiry or guidance session with me to discuss security operations or SOC metrics further.