
Top 5 SOC Metrics: Measure the Right Things

Your system’s security operation center is essential to your organization’s security operations. It integrates your data with your company’s critical systems and helps to drive your company’s objectives. But, how do you validate your SOC’s performance? Watch the video below as Christian Sorensen explains the five key metrics for evaluating your SOC performance.

Traditional SOC Metrics

In the past, traditional measures of the performance of a security operation center involved looking at the number of scans, blocks, tickets, staffing levels, and patching statistics. However, that approach simply provided data rather than measuring performance: it offered no context and did not measure actual performance against current threats. SightGain tackles this challenge head-on with a threat-based approach that provides a view similar to a cyber MRI.

What is Cyber MRI?

You can understand SightGain’s cyber MRI through a comparison with the advancements in medicine over the last 100 years. While x-ray technology allowed doctors to see bones, it didn’t allow them to see other systems with the same degree of clarity. Magnetic Resonance Imaging (MRI) technology transformed the field of medicine and doctors’ ability to make accurate diagnoses. MRIs enabled doctors to see what was happening in other systems and to accurately diagnose and treat problems.

The SightGain Readiness platform functions like an MRI for your cybersecurity system by analyzing the performance of your entire cybersecurity system against the most likely threats you face and identifying the causes of any issues it finds. Any good performance analysis of your SOC must include an analysis of how your security personnel perform: their ability or inability to respond to cyber threats. This helps to evaluate system-wide performance, identify and diagnose the problems, and recommend solutions. Customers implement these solutions and then retest to ensure that performance improvements have been realized. This approach is a step increase in the capability to evaluate SOC performance and enables us to look at the five key performance metrics that SOC directors should understand about their systems.

Five Key SOC Metrics

The five key performance metrics that you should know include the following:

  1. Percentage of missed threats (effectiveness)
  2. Percentage of threats responded to manually
  3. Percentage of threats that are blocked, detected and reported
  4. Percentage of threats responded to through automated processes (efficiency)
  5. SIEM performance, including accuracy of reporting, the completeness and quality of information it receives, and the quality of alerts it issues to analysts

It is important to note that before analyzing the efficiency of the SOC, you should first ensure the system is effective.
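As an added illustration (not part of the original post or the SightGain platform), the following Python scores a set of adversary-emulation test results against the five metrics above. The test-result schema, the sample outcomes, the rule that a threat counts as "missed" when it was neither blocked nor detected, the SIEM sub-metrics (telemetry completeness and alert precision), and the 10% missed-threat threshold that gates the efficiency numbers are all assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class TestResult:
    """One emulated threat and what the SOC did with it (constructed schema, not SightGain's)."""
    technique: str           # label for the technique exercised (placeholder ids below)
    blocked: bool            # a control stopped the action
    detected: bool           # a control produced telemetry or an alert
    reported: bool           # an analyst or automation raised it as an incident
    response: str            # "automated", "manual", or "none"
    telemetry_in_siem: bool  # did the relevant log reach the SIEM at all
    siem_alerts: int         # alerts the SIEM raised while this test ran
    siem_true_alerts: int    # of those, alerts that actually pointed at the test activity


# Constructed sample: eight emulated threats with made-up outcomes.
SAMPLE = [
    TestResult("T-A", True,  True,  True,  "automated", True,  1, 1),
    TestResult("T-B", False, True,  True,  "manual",    True,  3, 1),
    TestResult("T-C", False, True,  False, "none",      True,  2, 1),  # detected but never reported
    TestResult("T-D", False, False, False, "none",      False, 0, 0),  # missed entirely, no logs
    TestResult("T-E", True,  True,  True,  "automated", True,  1, 1),
    TestResult("T-F", False, False, False, "none",      True,  4, 0),  # logs arrived, SIEM alerted on noise only
    TestResult("T-G", False, True,  True,  "manual",    True,  1, 1),
    TestResult("T-H", True,  False, False, "automated", True,  0, 0),  # blocked silently, nothing detected
]


def pct(num, den):
    """Percentage rounded to one decimal; 0.0 when there is nothing to divide by."""
    return round(100.0 * num / den, 1) if den else 0.0


def effectiveness_metrics(results):
    """Metrics 1 and 3: missed threats, and blocked / detected / reported rates."""
    n = len(results)
    # Assumption: a threat is "missed" when no control blocked it and nothing detected it.
    missed = sum(1 for r in results if not (r.blocked or r.detected))
    return {
        "missed_pct": pct(missed, n),
        "blocked_pct": pct(sum(r.blocked for r in results), n),
        "detected_pct": pct(sum(r.detected for r in results), n),
        "reported_pct": pct(sum(r.reported for r in results), n),
    }


def efficiency_metrics(results):
    """Metrics 2 and 4: share of threats handled manually versus by automation."""
    n = len(results)
    return {
        "manual_response_pct": pct(sum(r.response == "manual" for r in results), n),
        "automated_response_pct": pct(sum(r.response == "automated" for r in results), n),
    }


def siem_metrics(results):
    """Metric 5 (assumed decomposition): did the SIEM get the data, and were its alerts accurate?"""
    alerts = sum(r.siem_alerts for r in results)
    true_alerts = sum(r.siem_true_alerts for r in results)
    return {
        "telemetry_completeness_pct": pct(sum(r.telemetry_in_siem for r in results), len(results)),
        "alert_precision_pct": pct(true_alerts, alerts),
        # Tests the analysts could not have found from the SIEM alone: tuning candidates.
        "tests_with_no_true_alert": [r.technique for r in results if r.siem_true_alerts == 0],
    }


def soc_scorecard(results, max_missed_pct=10.0):
    """Effectiveness first: efficiency is only reported once the missed-threat rate is acceptable."""
    card = {"effectiveness": effectiveness_metrics(results), "siem": siem_metrics(results)}
    if card["effectiveness"]["missed_pct"] <= max_missed_pct:
        card["efficiency"] = efficiency_metrics(results)
    else:
        card["efficiency"] = None
        card["note"] = "missed-threat rate above threshold; fix effectiveness before tuning efficiency"
    return card


if __name__ == "__main__":
    import json
    print(json.dumps(soc_scorecard(SAMPLE), indent=2))
```

With the constructed sample, 25% of threats are missed, so the scorecard withholds the efficiency numbers and flags effectiveness as the first thing to fix; the SIEM section separately shows that only 5 of 12 alerts pointed at real test activity and names the three tests that produced no useful alert, which is the kind of tuning input the fifth metric is meant to surface.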

SightGain’s cyber MRI approach to SOC performance enables cybersecurity leaders to focus on performance instead of just information about SOC activity. Focusing on performance allows organizations to eliminate risks while ensuring the SOC is functioning properly.

To learn more about how you can use the cyber MRI to improve your SOC performance, contact us today at (719) 582-6278.


Video Transcript

Timestamps
0:00 Intro
0:39 Traditional SOC Metrics
1:38 Cyber MRI
2:19 How Cyber MRI Works
2:46 Critical Information
4:21 Recap: Improve SOC Performance

The security operation center is the central nervous system of your security operations. It’s where all the security data comes together and connects to your critical systems, as well as the support systems that drive your business objectives. So it’s important that they’re working well.

In order to know that your SOC is working well, you need the right information. With SightGain’s innovation data, that information is now available.

0:39 Traditional SOC Metrics

Up until now, SOC metrics have focused on activity, not necessarily effectiveness. Traditional measures like number of scans and blocks, staffing levels, number of tickets, patching statistics, have been the coin of the realm. But without context, this is just data, and it does not provide the actual measures of performance.

We call our approach the cyber MRI. If you think back to medical services before the x-ray, doctors had to go look and feel. Broken bones would often be debilitating. So when x-rays were invented, doctors could now see the problem, address the problem, and then rescan to ensure that they’d fixed the problem. But x-rays helped the most with bones, and it wasn’t really until the MRI and CT scans were invented that doctors could look at and analyze other systems in the body.

And do so with the same type of fidelity that they had with x-rays. So with MRIs and CT scans, now doctors could understand how all of the systems of the body were working together.

1:38 Cyber MRI

The SightGain readiness platform is like an MRI for your SOC. Where breach and attack platforms, like an x-ray, give you detailed information about how your technology is doing, they don’t really tell you how the rest of your system and personnel are doing. By including personnel and the automated response telemetry, SightGain can analyze the whole system just like a cyber MRI.

We’ve laid out the anatomy of cyberdefense. If you haven’t seen that, go check out the video that we have in the link below.

2:19 How Cyber MRI Works

By testing against malicious tactics, and analyzing the performance of the whole system, you can uncover the true performance of your SOC. By testing the performance of your people, process, and technology against real threats that they should stop, we can uncover the actual performance across your whole system, diagnose the problem, find solutions, implement those solutions, and then re-scan to ensure that the performance has improved. Importantly, we think this has to include the performance of your security personnel, and how they’re able or not able to identify and respond to malicious tactics.

2:46 Critical Information

This lets us build critical information that every SOC director should know, like what percentage of threats we are missing. This gets to the heart and soul of effectiveness and lets you know how things are working or not.

Likewise, it tells you what percentage of threats we’re responding to using a manual process as opposed to automated processes, what percentage of threats are blocked, and what percentage of threats are detected and reported. And importantly, what percentage of threats do we respond to using automated means? This gets to efficiency.

We recommend that organizations focus on effectiveness first and then add in the ability to analyze efficiency as well.

Finally, we’re really able to dig into how the SIEM is doing. The SIEM is the central nervous system of your overall operation. And you have to be able to understand if it’s reporting accurately, is it getting good information in, and is it making good alerts for your analysts? Are they able to identify bad activity when it happens, or are they looking for a needle in a really big haystack, or a needle in another pile of needles? And you need to be able to tune the SIEM so that it can identify threats when they occur, in an accurate way and in a timely manner.

So the cyber MRI really takes a cultural shift in leadership desire to really focus on performance. Whereas in the past, traditional measures for the SOC have shown activity, but not necessarily momentum and inertia. By focusing on the actual performance, you can really eliminate risk and really increase the ability of the SOC to do its primary job, which is to stop threats.

4:21 Recap: Improve SOC Performance

So to recap, in order to improve the performance of the SOC, you have to test against the real thing. Examine the results, and make adjustments to get the most out of your cybersecurity investments.

We recommend first starting with effectiveness, and then evaluate efficiency.

So find out more about how we can improve your SOC by clicking the link below. Please subscribe to our YouTube channel if you want to stay up to date on our upcoming innovations within the SightGain platform.