Ask many SoC managers or business leaders how they measure the success of their security operations capabilities, and they will tell you it's the MTTD and MTTR.
For any of you that haven’t come across these terms, they stand for Mean Time To Detect and Respond. These are effective metrics of part of the outcome of a SOC.
Others measure capabilities such as total number of events processed, and of course at the most rudimentary level we all track, when it was that the last bad thing that happened.
The question I would like to pose is what are the right metrics for the next generation SOC, as today I see so much focus on MTTD+R, for which I’m going to break some other metrics into some key groups:
Whilst MTTD+R look at the time to find and resolve, most SOCs are broken into different teams, either split by capabilities (tiers) or specialisms (threat/risk types).
Whichever you follow, funnel metrics should be a part of your daily controls. What are funnel controls? This is the time and volume typically used to monitor the effectiveness of each stage of alerting.
This can be aspects such as time to identify, time to triage, and time to analyse–or it may be how much is dealt with by automation, how much requires human inspection, and how much requires more specialist skills. The point being here is to be clear on how you measure the journey as well as the outcome.
One of the biggest challenges I see for any SOC analyst is having the confidence to apply change. You may see this as trivial but the human brain is wired to be at least 2X more concerned about getting it wrong (losing effectively) as they are about getting it right.
As such, every SOC team should be looking at how they ensure the fidelity of the information they make decisions based upon. This should be assessed at every level possible, for example:
One of the key aspects of the Cybereason Defenders Council mission is in further defining the concept of Defend Forward for the private sector. Defend Forward is an approach which focuses in part on how we can take the fight to the adversary versus the more reactive security posture the industry has taken in the past.
This is not about hacking back or offensive activities most would rightly consider illegal. This is about how we change the economics of cybersecurity–a grail that many have focused on over the years.
For me the first real example of success I saw was with the Cyber Threat Alliance (CTA) when the membership came together to collaborate on analysis of CryptoWall v3.
The point being here, if you understand the attack with enough depth (in Cybereason parlay this is the MalOp - the full context of a malicious operation end to end), then you could look at what factors remain constant and which change over time. For example, in that scenario we saw over 4000+ different binaries being used in less than 100 campaigns.
Now the simple reality is that, in times of crisis, we will always take the expedient option to put in a blocking control. But do we then come back and assess its longevity?
To have confidence we can block the attack, we will have invested time and resources to build out the MalOp, and as such we should track our blocking controls to see which have the greater longevity against the adversary.
Effectively, this is taking the battle to the adversary by increasing their costs to succeed much greater as they have to significantly change their attack versus the Defender’s costs which remain static.
This is an easy step we can all take to Defend Forward. For many this may mean taking a two step process, the quick blocking control and then follow on with a more more strategic control. In other instances this may all happen as one action.
There is so much to cover on the subject of SOC modernisation, and naturally many look to the great new tools and capabilities that are coming to market. However, I would also challenge everyone to look at our metrics for success:
The examples of metrics I have given are far from exhaustive, and I am a believer in different metrics for different organisations based on their risk appetitive, industry and technology reliance. But, hopefully the examples given at least challenge your thought processes as to what other metrics would help you on the journey to a NextGen SOC.
Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.