MTTR is bad for SecOps. See why –
In the security industry, mean time to resolution (MTTR) is a commonly used metric. Although it may be useful to a business’s risk function. It doesn’t belong in security operations (SecOps).
In the first instance, let’s clarify what reporting vs. metrics is. In reporting, activity is measured, and no specific action is driven. Reporting can include the number of alerts or incidents, the number of false positives, or the number of analysts on staff in a security operations center (SOC). A SOC’s metrics, on the other hand, provide insight into how it operates and help identify areas where it can be improved. These metrics provide the business with confidence that the service is being provided by the security operations organization. When a metric fails to drive change and inform the business. Then it’s one worth ignoring.
MTTR is a bad metric because it cannot be used to report on activity within a SOC.
Uptime is the most important metric in a NOC, and mean time to repair (mean time to recovery/restore) [MTTR] is an accurate measure of performance. A SOC’s MTTR. However, is a proxy for analyst activity, which may lead to the wrong choice of behavior. An analyst will be incentivized to rush investigations and not feed updates back into the control system if they are assessed on how quickly they close out alerts. Due to this, the same attackers appear repeatedly in an analyst’s console, since they weren’t effectively blocked by previous incidents.
The MTTR can worsen the problem by motivating rushed investigations by leading analysts to ignore alerts that could otherwise be examined. IDC’s InfoBrief, published by FireEye recently, confirms that analysts do indeed ignore alerts. About 35 percent of security analysts within organizations and 44 percent of security analysts employed by managed security service providers (MSSPs) overlook them because of excessive alerts and false positives. MTTR measures productivity, resulting in poor alert handling. Which further exacerbates this stress.
A SOC’s cherry-picking of alerts is another example of an analyst’s poorly motivated behavior. Analysts can use MTTR to determine which alerts can be closed quickly when evaluating their performance. Comparing the efficiency of one analyst versus another can be skewed due to this. The result of cherry-picking is that more complicated or involved investigations may be delayed. Therefore attackers may spend more time in the area.
What is the significance of MTTR for a SOC?
Additionally, MTTR can be used to evaluate automation tools within a SOC. By using the MTTR, analysts can assess whether additional automation will benefit them if they are consistent with their investigations and remediation efforts. In the implementation of new technology, analysts can do their jobs faster using MTTR to validate and quantify gains.
Measuring SOC performance with metrics
If MTTR isn’t a good metric for measuring the effectiveness of a SOC, what are some alternatives?
Analyzer hourly events:
An organization can implement measures to improve its operations with good metrics like events per analyst hour. Security operations rely on an event per analyst hour (EPAH) as the gold standard. Analyzers can use it as an indication of how overwhelmed they are right now. If their EPAH is more than 100 hours, then they are extremely overwhelmed. Overwhelmed analysts ignore alerts and focus on rushing investigations despite warnings. The EPAH should be eight to thirteen hours. An increase in EPAH indicates that the business needs to take action. Some measures can be taken such as staff education, increased automation, or adding more staff to handle the volume of alerts.
2. Tuning per technology:
Having too many false positives is another problem SOCs face. According to IDC, 45 percent of false positives were reported by analysts. By tracking the number of false positives and tunes per technology, it is possible to identify which technologies are contributing to the most excess work for analysts. It is a considerable administrative burden to tune technologies constantly. A technology investment’s value can be determined by examining both the effectiveness of your technologies and the negative impact these investments have on your analysts.
3. Unrealized technology benefits:
The economy may suffer from unrealized benefits of technology. While executives believe that investing in new technologies will reduce the risk to their organization. The protections have been added to the backlog of undeployed technologies or the technologies have been deployed with only the bare minimum set of capabilities enabled. When security features and protections aren’t present (such as SSL inspection, URL filtering), the security operations center (SOC) can’t block attackers effectively. A good idea for security organizations is to monitor undeployed technologies, the percentage of capabilities within deployed technologies, and their effectiveness against real-world attacks.
The service SecOps provides to the company is ultimately critical. As a result of this service, clients are assured that they have proper security measures in place to detect or prevent attacks and that the security team has implemented these measures. By measuring the right metrics, businesses can demonstrate their level of confidence, gain visibility into their functional effectiveness, and identify areas for improvement.
On our website, you can find additional information on NOC Support.
NOC Engineers are experts in their field
An engineer who works in a network operation center. Also known as a NOC engineer, manages and monitors networks from a central location. The technical NOC consists of teams of skilled IT and NOC engineers. Their team monitors the IT environment 24/7 and ensures the systems are reliable and connected.
Field Engineer helps businesses find the right NOC engineers by providing an online platform where they can find their experts. Using the Field Engineer Gig platform, IT and telecom businesses can find computer network installation and testing specialists, enhancing the performance of their systems.
By signing up with FE. You can hire a freelance NOC engineer right now!