
Measuring SOC Performance: 5 Questions Every SOC Director Should Be Able To Answer About SOC Performance

Before you can be a great SOC director, you need an effective way to measure SOC performance against current threats. SightGain enables you to collect SOC metrics that are useful, relevant, and actionable. Using our solution, we’ve enabled some SOCs to go from catching less than 20% of malicious activity to over 90% over the course of a couple of months.

Because our platform is designed to test your SOC against real threats in an automated fashion, it opens the door to a practical approach; the platform collects and analyzes data regarding how your people, processes, and technology are responding to actual adversary techniques. This methodology results in contextualized, meaningful SOC metrics, giving you a better understanding of what’s happening in your SOC and providing recommendations to increase the overall security posture.

Specifically, there are 5 key SOC metrics SOC Directors should be paying attention to:

  1. The percentage of adversary techniques missed during testing
  2. SIEM signal-to-noise ratio
  3. The percentage of adversary techniques being addressed via automated means
  4. The speed of responses at each analyst tier
  5. Return on Investment (ROI) for the people, processes, and technology in the SOC
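As an added illustration of how the first four of these metrics can be derived from a single automated test run, the script below aggregates per-technique test results into a scorecard. It is example code written for this page, not SightGain's code or a description of its platform: the record layout, the outcome labels ("blocked", "alerted", "detected", "missed"), the technique IDs and the alert counts are all constructed assumptions.

```python
"""Compute SOC metrics 1-4 from the results of one adversary-technique test run.

Added example; the data model and sample values are constructed, not a real
product schema or a real SOC's results.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

OUTCOMES = ("blocked", "alerted", "detected", "missed")


@dataclass
class TechniqueResult:
    technique: str                      # ATT&CK technique ID (constructed sample)
    outcome: str                        # one of OUTCOMES
    automated: bool                     # handled with no analyst action
    response_tier: Optional[int]        # analyst tier that responded, None if none
    response_minutes: Optional[float]   # execution-to-response time, None if none


@dataclass
class AlertWindow:
    total_alerts: int          # all SIEM alerts raised during the test window
    test_related_alerts: int   # alerts that correlate to the executed techniques


# Constructed sample run: ten techniques executed against a hypothetical SOC.
SAMPLE_RESULTS: List[TechniqueResult] = [
    TechniqueResult("T1059.001", "blocked",  True,  None, 0.2),
    TechniqueResult("T1003.001", "alerted",  False, 1,    12.0),
    TechniqueResult("T1021.002", "alerted",  False, 2,    45.0),
    TechniqueResult("T1566.001", "blocked",  True,  None, 0.5),
    TechniqueResult("T1047",     "detected", False, 1,    30.0),
    TechniqueResult("T1053.005", "missed",   False, None, None),
    TechniqueResult("T1070.001", "missed",   False, None, None),
    TechniqueResult("T1486",     "alerted",  False, 3,    90.0),
    TechniqueResult("T1055",     "detected", False, 1,    20.0),
    TechniqueResult("T1078",     "missed",   False, None, None),
]
SAMPLE_WINDOW = AlertWindow(total_alerts=1200, test_related_alerts=7)


def outcome_breakdown(results: List[TechniqueResult]) -> Dict[str, float]:
    """Metric 1: fraction of executed techniques per outcome, 'missed' included."""
    counts = {o: 0 for o in OUTCOMES}
    for r in results:
        if r.outcome not in counts:
            raise ValueError(f"unknown outcome {r.outcome!r} for {r.technique}")
        counts[r.outcome] += 1
    total = len(results)
    return {o: (counts[o] / total if total else 0.0) for o in OUTCOMES}


def missed_rate(results: List[TechniqueResult]) -> float:
    """Metric 1 headline number: share of techniques the SOC did not see at all."""
    return outcome_breakdown(results)["missed"]


def signal_to_noise(window: AlertWindow) -> float:
    """Metric 2: test-related alerts per unrelated alert in the same window."""
    noise = window.total_alerts - window.test_related_alerts
    if noise < 0:
        raise ValueError("related alerts cannot exceed total alerts")
    # A window with no unrelated alerts is perfectly clean; report it as infinite.
    return float("inf") if noise == 0 else window.test_related_alerts / noise


def automation_rate(results: List[TechniqueResult]) -> float:
    """Metric 3: fraction of techniques addressed without any analyst action."""
    if not results:
        return 0.0
    handled = sum(1 for r in results if r.automated and r.outcome != "missed")
    return handled / len(results)


def tier_response_stats(results: List[TechniqueResult]) -> Dict[int, Dict[str, float]]:
    """Metric 4: per analyst tier, how many responses and the median minutes to respond."""
    by_tier = defaultdict(list)
    for r in results:
        if r.response_tier is not None and r.response_minutes is not None:
            by_tier[r.response_tier].append(r.response_minutes)
    return {tier: {"responses": len(m), "median_minutes": median(m)}
            for tier, m in sorted(by_tier.items())}


def scorecard(results: List[TechniqueResult], window: AlertWindow) -> dict:
    """Bundle the four computed metrics into one report for a SOC director."""
    return {
        "missed_rate": missed_rate(results),
        "outcomes": outcome_breakdown(results),
        "siem_signal_to_noise": signal_to_noise(window),
        "automation_rate": automation_rate(results),
        "tier_response": tier_response_stats(results),
    }


if __name__ == "__main__":
    for name, value in scorecard(SAMPLE_RESULTS, SAMPLE_WINDOW).items():
        print(f"{name}: {value}")
```

On the constructed sample, three of ten techniques are missed (30%), two are handled automatically (20%), and the SIEM raised about 170 unrelated alerts for every test-related one, which is the kind of contextualised number the post argues for in place of raw ticket or block counts. The fifth metric, ROI, depends on cost data the test run does not produce and is deliberately left out.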

Watch the video below to learn how these 5 SOC KPIs can be used to increase confidence in your SOC performance!

Learn More:

Top 5 SOC Metrics: Measure the Right Things

6 Best Ways to Improve Your SOC Analysts’ Skills

Video Transcript

Timestamps
0:00 Intro
0:31 Measuring SOC Performance: SOC Metrics
1:29 Measuring SOC Performance: Top 5 Metrics SOC Leaders Should Look At
3:16 Measuring SOC Performance: SightGain Readiness Approach
3:41 Review

Security is hard, and the SOC director’s job has many components. You’re in a knife fight every day. So you need the right tools and information to know how well the SOC is performing. SightGain has studied this in-depth, and our innovative SightGain readiness platform has enabled some SOCs to go from catching less than twenty percent of malicious activity at the start of our engagement to over ninety percent in just a couple of months.

0:31 Measuring SOC Performance: SOC Metrics

Up until now, SOC metrics have focused on activity, not necessarily effectiveness. Traditional measures like number of scans, number of blocks, number of tickets closed, and patching statistics have been the coin of the realm. But without context, this is just data, and it does not give insights into the actual performance of your cybersecurity system against the threats that everyone is there to stop.

I remember one large federal customer in particular. They had one of the biggest SOCs in all of the government. They were really proud of themselves in that they were blocking millions of malicious emails, stopping viruses left and right, and had a room full of fancy monitors and reports on overall status.

But do you know what? When we tested them against real malicious tactics, they only caught a small percentage of the things that they should have. So their normal metrics showed that they were doing well. However, our tests showed that they had many blind spots. So we helped them tune their systems and improve their performance. But organizations just need better metrics to know how their systems are actually working.

1:29 Measuring SOC Performance: Top 5 Metrics SOC Leaders Should Look At

We’re excited to talk about the top five metrics that we think every SOC leader should look at.

First, what percentage of adversary techniques are we missing? This gets to the heart of effectiveness, and tells you, across the MITRE ATT&CK framework, how many of these techniques you are catching, how many you are blocking, how many you are alerting on, and then, at the end of the day, how many you are just flat out missing.

Second, what is our SIEM signal-to-noise ratio? When we do tests against the adversary tactics, how much other noise is out there? Is there an alert created for what we tested or not, and what else is happening in relation to that activity? Are we able to provide our analysts and our other systems with the information that they need to take good action based on that information?

Third, what percent of adversary techniques are we addressing through automated means? So number one talked about effectiveness. This one gets to the heart of efficiency. We can’t really focus on efficiency until we’re effective. But we think as time goes on over the next five years, it’s going to be important to really focus on how much of our system we have automated in order to drive down costs and increase response speed.

Talking about speed brings us to our fourth metric. How fast and how often are responses occurring from tier one to tier three? Are we getting good triage from our tier one, and bringing that information up to the higher level tiers for the appropriate actions?

Finally, number five. What is the return on our investment for people, process, and technology? Are we a SOC that is operating at a high maturity level, or are we still building towards what the key ingredients are? By analyzing the return on investment, we can really identify where we need help, and then how much that help should cost.

3:16 Measuring SOC Performance: SightGain Readiness Approach

The key to making all of this work is technology that automates testing against adversary tactics. By using these technologies to automate the testing, and the ability to go across and proactively evaluate all of those MITRE ATT&CK techniques, you can really have a robust understanding of how your system is going to respond at the time and place that it is required.

3:41 Review

OK, so to review, the top five metrics that we recommend SOC directors look at. Number one, what percentage of adversary techniques are we missing? Number two, what’s our SIEM signal-to-noise ratio? Number three, what percentage of adversary techniques are we addressing through automated means? Number four, how fast and how often are we responding from tier one to tier three? And finally, what’s our return on investment for the people, process, and technology that are making the SOC operate on a daily basis?

Click the link below to find out how SightGain can boost your SOC metrics, and subscribe to our YouTube channel to keep pace with all of the innovations that we’re bringing to the market.