Top 5 SOC Metrics: Measure the Right Things

Your system’s security operation center (SOC) is essential to your organization’s success. It integrates your data with critical systems to help drive your company’s objectives. But, validating your SOC’s performance can be challenging if you don’t know what SOC metrics to monitor. 

Christian Sorensen, Founder and CEO of SightGain, describes and summarizes the key metrics to pay attention to when evaluating your SOC performance.

The Problem With Traditional SOC Metrics

In the past, traditional metrics used to measure the performance of a security operation center included the number of scans, blocks, tickets, staffing levels, and patching statistics available to analyze. However, this traditional approach simply provides data instead of actually measuring performance against current threats. 

Threat Exposure Management platforms tackle this challenge head-on with a threat-based approach that provides actionable insights in a view similar to a “cyber MRI”.

How to Measure SOC Performance Using a “Cyber MRI”

While x-ray technology allows doctors to see bones, it doesn’t allow them to see other systems with the same degree of clarity. Medical Resonance Imaging (MRI) technology enabled doctors to see what was happening in other systems and accurately diagnose and treat problems.

The SightGain Threat Exposure Management platform functions like an MRI, but for your security operations center. It analyzes the performance of your entire cybersecurity system against the threats you’re most likely to face and identifies the causes of any issues detected. Any good performance analysis of your SOC must include details on how your security personnel performs in their ability or inability to respond to cyber threats. This helps to evaluate system-wide performance, identify and diagnose problems, and recommend solutions. 

When implementing threat exposure tools you must test and retest to ensure that performance improvements have been realized.  Here are a few SOC performance metrics that security leaders should understand about their systems.

Important SOC Metrics & KPIs to Measure

When evaluating key security operations center metrics, there are a few you want to be sure to pay attention to.

  1. Percentage of missed threats (effectiveness)
  2. Percentage of threats responded to manually
  3. Percentage of threats that are blocked, detected and reported
  4. Percentage of threats responded to through automated processes (efficiency)
  5. SIEM performance, including accuracy of reporting, the completeness and quality of information it receives, and the quality of alerts it issues to analysts

You can also turn these around and ask them as discovery questions, which we discuss in a seperate article. 

It is important to note that before analyzing the efficiency of the SOC, you need to first t ensure the system is effective.

 The “cyber MRI” approach to SOC performance analysis enables cybersecurity leaders to focus on performance instead of just information about SOC activity. Narrowing-in on  performance is the best way to eliminate risks while also  ensuring the SOC is functioning properly.

To learn more about how you can use the cyber MRI to improve your SOC performance, contact us today to see a demo.

Learn More:

6 Best Ways to Improve Your SOC Analysts’ Skills

SOC Metrics Video Transcript with Timestamps 

0:39 Traditional SOC Metrics

Up until now, SOC metrics have focused on activity, not necessarily effectiveness. Traditional measures like number of scans and blocks, staffing levels, number of tickets, patching statistics, have been the coin of the realm. But without context, this is just data, and it does not provide the actual measures of cybersecurity performance.

We call our approach the cyber MRI. If you think back to medical services before the x-ray, doctors had to go look and feel. Broken bones would often be debilitating. So x-rays when they were invented, doctors could now see the problem, address the problem, and then rescan to ensure that they’d fixed the problem. But x-rays helped the most with bones, and it wasn’t really until the MRI and CT scans were invented, that doctors could look and analyze other systems in the body.

And do so with the same type of fidelity that they had with x-rays. So with MRIs and CT scans, now doctors could understand how all of the systems of the body were working together.

1:38 Cyber MRI

The SightGain readiness platform is like an MRI for your SOC. Where breach and attack platforms like an x-ray give you detailed information about how your technology is doing, they don’t really tell you how the rest of your system and personnel are doing. By including personnel and the automated response telemetry, SightGain can analyze the whole system just like a cyber MRI.

We’ve laid out the anatomy of cyber defense. If you haven’t seen that, go check out the video that we have in the link below.

2:19 How Cyber MRI Works

By testing against malicious tactics, and analyzing the performance of the whole system, you can uncover the true performance of your SOC. By testing the performance of your people, process, and technology against real threats that they should stop. We can uncover the actual performance across your whole system, diagnose the problem, find solutions, implement those solutions, and then re-scan to ensure that the performance has improved. Importantly, we think this has to include the performance of your security personnel, and how they’re able or not able to identify and respond to malicious tactics.

2:46 Critical Information

This lets us build critical information that every SOC director should know. Like what percentage of threats are we missing, and this gets the heart and soul of effectiveness and lets you know how things are working or not.

Likewise, tells you what percentage of threats we’re responding to using a manual process as opposed to automated processes, what percentage of threats are blocked, what percentage of threats are detected and reported. And importantly, what percentage of threats do we respond to using automated means. And this gets to efficiency.

We recommend if organizations focus on effectiveness first and then add in the ability to analyze efficiency as well.

Finally, we’re really able to dig into how the seam is doing. The seam is the central nervous system of your overall operation. And you have to be able to understand if it’s reporting accurately, is it getting good information in, and is it making good alerts for your analysts. Are they able to identify bad activity when it happens, or are they looking for a needle in a really big haystack, or a needle in another pile of needles and being able to tune the seam so that it can identify threats when they occur in an accurate way in a timely manner.

So the cyber MRI really takes a cultural shift in leadership desire to really focus on performance. Whereas in the past, traditional measures for the SOC have shown activity, but not necessarily momentum and inertia. By focusing on the actual performance, you can really eliminate risk and really increase the ability of the SOC to do its primary job, which is to stop threats.

4:21 Recap: Improve SOC Performance

So to recap, in order to improve the performance of the SOC, you have to test against the real thing. Examine the results, and make adjustments to get the most out of your cybersecurity investments.

We recommend first starting with effectiveness, and then evaluate efficiency.

So find out more about how we can improve your SOC by clicking the link below. Please subscribe to our Youtube channel if you want to stay up to date on our upcoming innovations within the SightGain platform.