Source: The Red Canary Blog: Information Security Insights Author: Brian Donohue URL: https://redcanary.com/blog/threat-detection/cybersecurity-metrics/

ONE SENTENCE SUMMARY: Security operations centers should prioritize accuracy, volume, and timeliness metrics, carefully defining and consistently measuring them to avoid misleading interpretations.

MAIN POINTS:
- Security metrics vary widely; clearly defined metrics ensure consistency and usefulness.
- SOC metrics typically focus on accuracy, volume, and timeliness.
- Mean-based metrics are problematic because a few extreme outliers can dominate them.
- Median metrics give a more accurate picture of typical SOC performance.
- How detection, response, and mitigation are defined significantly changes metric results.
- Clarifying when measurement begins and ends is crucial to meaningful SOC metrics.
- Time-to-detect varies depending on whether the clock stops when a threat is first identified or when a confirmed threat is published.
- Response metrics must define precisely when a response action officially occurs.
- Publicly reported SOC metrics are hard to interpret without the underlying context and definitions.
- Dwell time differs from breakout time; the latter may be the more critical security metric.

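As an added illustration (not code from the Red Canary post), the script below builds a handful of constructed incident timelines and computes time-to-detect and time-to-respond under two different clock definitions, reporting mean and median side by side. The incident timestamps, the `Incident` fields, and the `"alert"`/`"published"` clock labels are all assumptions made for this example; the single day-long outlier shows why the mean misleads where the median does not, and the two clock choices show how much a definition alone can move the number. Breakout time (attacker lateral movement) is not modelled here.

```python
"""Added example: how clock definitions and mean vs. median change SOC timing
metrics. All incident timelines are constructed sample data, not real cases."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    """Key timestamps of one incident (constructed for illustration)."""
    first_activity: datetime  # earliest observed malicious activity; dwell clock starts here
    first_alert: datetime     # detection logic fires its first alert
    confirmed: datetime       # analyst confirms the alert is a true threat
    published: datetime       # confirmed threat published to the customer / IR team
    responded: datetime       # first response action, e.g. host isolated


def _minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60


def time_to_detect(inc: Incident, clock_end: str = "alert") -> float:
    """Minutes from first activity to whichever event the SOC counts as 'detection':
    the first alert ("alert") or the published confirmation ("published")."""
    end = {"alert": inc.first_alert, "published": inc.published}[clock_end]
    return _minutes(end - inc.first_activity)


def time_to_respond(inc: Incident, clock_start: str = "published") -> float:
    """Minutes until the first response action, counted from the alert or from
    the published confirmation, depending on where the response clock starts."""
    start = {"alert": inc.first_alert, "published": inc.published}[clock_start]
    return _minutes(inc.responded - start)


def summarize(values) -> dict:
    """Mean and median side by side so outlier sensitivity is visible."""
    return {"mean": round(mean(values), 1), "median": round(median(values), 1)}


def build_sample_incidents() -> list:
    """Five constructed incidents; offsets are minutes after first activity."""
    base = datetime(2024, 1, 1, 9, 0)
    # (alert, confirmed, published, responded)
    offsets = [
        (5, 20, 25, 40),
        (10, 30, 35, 60),
        (8, 22, 30, 50),
        (6, 18, 24, 45),
        (1440, 1500, 1520, 1600),  # one incident missed for a day: the outlier
    ]
    incidents = []
    for i, (a, c, p, r) in enumerate(offsets):
        start = base + timedelta(hours=i)  # staggered starts; only the deltas matter
        incidents.append(Incident(
            first_activity=start,
            first_alert=start + timedelta(minutes=a),
            confirmed=start + timedelta(minutes=c),
            published=start + timedelta(minutes=p),
            responded=start + timedelta(minutes=r),
        ))
    return incidents


def metrics_report(incidents) -> dict:
    """Same incidents, four different metric definitions."""
    return {
        "ttd_alert": summarize([time_to_detect(i, "alert") for i in incidents]),
        "ttd_published": summarize([time_to_detect(i, "published") for i in incidents]),
        "ttr_from_alert": summarize([time_to_respond(i, "alert") for i in incidents]),
        "ttr_from_published": summarize([time_to_respond(i, "published") for i in incidents]),
    }


if __name__ == "__main__":
    for name, stats in metrics_report(build_sample_incidents()).items():
        print(f"{name:20s} mean={stats['mean']:7.1f} min  median={stats['median']:6.1f} min")
```

Running it shows median time-to-detect of 8 minutes (alert clock) versus 30 minutes (published clock), while the mean for both sits in the hundreds of minutes purely because of the single outlier; any published figure is only comparable once you know which of these four numbers it is.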
TAKEAWAYS:
- Clearly define and standardize measurement terms for SOC metrics.
- Favor the median over the mean to avoid misleading results from outliers.
- Clarify exactly when measurement "clocks" start and end for consistent metric tracking.
- Consider both dwell time and breakout time when evaluating threat response effectiveness.
- Always question and contextualize publicly reported SOC metrics to avoid misinterpretation.