As cyber-attacks grow more aggressive and sophisticated, the pressure to make smart, informed decisions about your security posture is intensifying.
Because cybersecurity is dynamic, you need to continually assess how your security team can improve and adapt. Measuring your security team's ability to mitigate threats, by engaging the team and making its work visible, is fundamental to improving your company's security hygiene and operations.
Figuring out the right security-related key performance indicators (KPIs) for your organization takes time. When it comes to what metrics to prioritize, one size doesn’t fit all, but that’s not to say there aren’t some solid generic markers to help keep things under control.
In a previous post, we shared some tips on how to optimize your security posture, and there are plenty of helpful articles out there detailing how best to measure your security stance. So, instead of echoing them, in this blog post, we want to highlight four things you should consider before you start tracking and reporting on your team’s performance:
Measure only what matters. Do you have the right data sources?
Context is king. Do you understand what success looks like?
Timing. Is your organization ready?
Grey areas. Are your goals well defined?
What’s important to you won’t necessarily be as important to another security team. Reporting used to be all about the number of indicators blocked, but a raw count isn’t a viable measure of success: it tells people you are collecting more data, not that you are getting better. Instead, prioritize outcome metrics such as mean time to detect (MTTD), mean time to respond (MTTR), the number of tickets opened, the number of tickets remediated or handled through automation, and the analyst time or cost saved through automation. Volume figures such as domains blocked, IP addresses blocked, or emails processed are still worth recording, but as workload context alongside those outcomes rather than as the headline.
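The metrics above are easy to name and easy to get wrong. The following is an added example (not code from the original post or from Tines) that computes MTTD, MTTR, the automation rate and a "time saved" figure from a constructed set of six tickets. The ticket schema (occurred_at, detected_at, closed_at, handled_by) and the 20-minutes-per-ticket analyst cost are assumptions; the point it demonstrates is that one long-dwell incident drags the mean far away from the median, and that open tickets must be excluded from MTTR rather than counted as zero.

```python
"""Incident-response metrics from a constructed ticket export.

Added example, not from the original post. The ticket fields (occurred_at,
detected_at, closed_at, handled_by) are an assumed schema; map them onto the
timestamps your SIEM or ticketing system actually records.
"""
from datetime import datetime
from statistics import mean, median

# Constructed sample tickets. occurred_at = first attacker activity seen in
# logs, detected_at = alert fired, closed_at = incident resolved (None = open).
TICKETS = [
    {"id": "INC-1", "severity": "P1", "occurred_at": "2024-03-01T09:00:00",
     "detected_at": "2024-03-01T09:30:00", "closed_at": "2024-03-01T13:30:00",
     "handled_by": "analyst"},
    {"id": "INC-2", "severity": "P2", "occurred_at": "2024-03-02T08:00:00",
     "detected_at": "2024-03-02T20:00:00", "closed_at": "2024-03-03T08:00:00",
     "handled_by": "analyst"},
    {"id": "INC-3", "severity": "P3", "occurred_at": "2024-03-03T10:00:00",
     "detected_at": "2024-03-03T10:05:00", "closed_at": "2024-03-03T10:10:00",
     "handled_by": "automation"},
    {"id": "INC-4", "severity": "P3", "occurred_at": "2024-03-03T11:00:00",
     "detected_at": "2024-03-03T11:01:00", "closed_at": "2024-03-03T11:03:00",
     "handled_by": "automation"},
    {"id": "INC-5", "severity": "P2", "occurred_at": "2024-03-04T00:00:00",
     "detected_at": "2024-03-04T02:00:00", "closed_at": None,
     "handled_by": "analyst"},
    # One long-dwell intrusion: detected six days after the first activity.
    {"id": "INC-6", "severity": "P1", "occurred_at": "2024-02-28T00:00:00",
     "detected_at": "2024-03-05T00:00:00", "closed_at": "2024-03-06T00:00:00",
     "handled_by": "analyst"},
]


def _hours(later, earlier):
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def detection_delays(tickets):
    """Hours from first attacker activity to the alert, for every ticket."""
    return [_hours(t["detected_at"], t["occurred_at"]) for t in tickets]


def response_delays(tickets):
    """Hours from alert to closure; open tickets are excluded, not counted as zero."""
    return [_hours(t["closed_at"], t["detected_at"]) for t in tickets if t["closed_at"]]


def summarize(delays):
    """Report mean, median and max together: a lone mean hides outliers."""
    return {"n": len(delays), "mean": mean(delays), "median": median(delays), "max": max(delays)}


def mttd(tickets):
    return summarize(detection_delays(tickets))


def mttr(tickets):
    return summarize(response_delays(tickets))


def automation_summary(tickets, analyst_minutes_per_ticket=20):
    """Share of closed tickets handled end-to-end by automation and the analyst
    time that represents. Minutes per ticket is an assumed input; measure your
    own before reporting 'time saved'."""
    closed = [t for t in tickets if t["closed_at"]]
    automated = [t for t in closed if t["handled_by"] == "automation"]
    return {
        "closed": len(closed),
        "open": len(tickets) - len(closed),
        "automated": len(automated),
        "automation_rate": len(automated) / len(closed) if closed else 0.0,
        "analyst_hours_saved": len(automated) * analyst_minutes_per_ticket / 60,
    }


def by_severity(tickets):
    """Medians per severity, so P1 dwell time is not diluted by quick P3 auto-closes."""
    out = {}
    for sev in sorted({t["severity"] for t in tickets}):
        subset = [t for t in tickets if t["severity"] == sev]
        resp = response_delays(subset)
        out[sev] = {
            "mttd_median_h": median(detection_delays(subset)),
            "mttr_median_h": median(resp) if resp else None,
            "open": sum(1 for t in subset if not t["closed_at"]),
        }
    return out


if __name__ == "__main__":
    print("MTTD (h):", mttd(TICKETS))
    print("MTTR (h):", mttr(TICKETS))
    print("automation:", automation_summary(TICKETS))
    print("per severity:", by_severity(TICKETS))
```

On this sample the mean MTTD is about 26 hours while the median is 1.25 hours; reporting only the mean would make the whole programme look six days slow because of one intrusion, and reporting only the median would hide that intrusion entirely. Report both, and split by severity.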
It is hard to overstate how important this is. Context gives analysts the information they need to decide how to respond, so they spend less time triaging alerts and more time working incidents.
Your environment also matters when establishing risk tolerance and determining alert severity. Enrichments in your automation tool put actionable intelligence and contextual data at your fingertips, so you know exactly what needs attention right away. It is also useful to measure your coverage against the MITRE ATT&CK framework: map each detection to the techniques it covers and you can see, tactic by tactic, which attack techniques you can detect and which you are blind to. Treat that map as a starting point rather than a score; a technique counted as covered by a single untested rule is not the same as one you can reliably catch.
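The ATT&CK coverage measurement described above, as an added example that is not part of the original post or Tines' own tooling. TECHNIQUES is a constructed eight-technique slice of the Enterprise matrix (the IDs and their tactic assignments are real; the full matrix has hundreds of techniques, so in practice load it from the ATT&CK STIX data). DETECTIONS is a made-up rule inventory in which the technique tags would come from your own rule metadata. It computes coverage per tactic, lists the gaps, and counts how many enabled rules watch each technique, because a tactic that is "covered" by one rule still in tuning is not covered at all.

```python
"""Detection coverage per MITRE ATT&CK tactic.

Added example, not from the original post. TECHNIQUES is a constructed slice
of the Enterprise matrix (real IDs and tactics, but only eight of them);
DETECTIONS is an invented rule inventory.
"""

# technique ID -> tactics it appears under (a technique can sit in several)
TECHNIQUES = {
    "T1566": ("Initial Access",),                                   # Phishing
    "T1078": ("Initial Access", "Persistence",
              "Privilege Escalation", "Defense Evasion"),           # Valid Accounts
    "T1059": ("Execution",),                                        # Command and Scripting Interpreter
    "T1053": ("Execution", "Persistence", "Privilege Escalation"),  # Scheduled Task/Job
    "T1003": ("Credential Access",),                                # OS Credential Dumping
    "T1021": ("Lateral Movement",),                                 # Remote Services
    "T1041": ("Exfiltration",),                                     # Exfiltration Over C2 Channel
    "T1486": ("Impact",),                                           # Data Encrypted for Impact
}

# Constructed rule inventory. "enabled" is False for rules still in tuning;
# they must not count as coverage until they actually page someone.
DETECTIONS = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059"], "enabled": True},
    {"name": "Scheduled task created by non-admin", "techniques": ["T1053"], "enabled": True},
    {"name": "LSASS handle opened by unsigned process", "techniques": ["T1003"], "enabled": True},
    {"name": "Interactive login from new country", "techniques": ["T1078"], "enabled": True},
    {"name": "Impossible travel", "techniques": ["T1078"], "enabled": False},
    {"name": "RDP between workstations", "techniques": ["T1021"], "enabled": False},
]


def covered_techniques(detections, include_disabled=False):
    """Technique IDs with at least one (enabled) detection."""
    return {
        tid
        for d in detections
        if d["enabled"] or include_disabled
        for tid in d["techniques"]
    }


def detection_depth(detections):
    """How many enabled rules watch each technique; 1 is coverage, not resilience."""
    depth = {}
    for d in detections:
        if not d["enabled"]:
            continue
        for tid in d["techniques"]:
            depth[tid] = depth.get(tid, 0) + 1
    return depth


def coverage_by_tactic(techniques, detections):
    """Per tactic: how many techniques exist, how many are covered, and the gaps."""
    covered = covered_techniques(detections)
    tactics = {}
    for tid, tactic_list in techniques.items():
        for tactic in tactic_list:
            tactics.setdefault(tactic, []).append(tid)
    report = {}
    for tactic, tids in tactics.items():
        hit = [t for t in tids if t in covered]
        report[tactic] = {
            "total": len(tids),
            "covered": len(hit),
            "ratio": len(hit) / len(tids),
            "gaps": sorted(t for t in tids if t not in covered),
        }
    return report


if __name__ == "__main__":
    for tactic, r in sorted(coverage_by_tactic(TECHNIQUES, DETECTIONS).items()):
        print(f"{tactic:22s} {r['covered']}/{r['total']}  gaps: {', '.join(r['gaps']) or '-'}")
    print("depth:", detection_depth(DETECTIONS))
```

On the sample inventory, Lateral Movement, Exfiltration and Impact come out at zero coverage even though a lateral-movement rule exists, because that rule is disabled; that is the distinction a coverage number has to preserve if it is going to drive investment decisions.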
Whatever you’re measuring needs to be in a reliable state, and your organization needs to be mature enough to support a set of detections and remediations before you start reporting on them. Examples of the kind of automation that should already be working: identifying publicly shared Google Docs and removing public access after messaging the file owner, automatically making public AWS S3 buckets private again, and isolating a host from the network when it looks like malware has run on it.
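One of those remediations, making a public S3 bucket private again, as an added example that is not Tines code. The decision logic is kept separate from the AWS calls so it can be exercised offline against constructed bucket states; the S3 operations used in fetch_bucket_state (get_bucket_acl, get_bucket_policy_status, get_public_access_block, put_public_access_block) are real boto3 S3 client calls, and the sample bucket states and ACL grants are constructed. The check a practitioner wants here is that a public ACL or policy only counts as exposure when the bucket's Block Public Access settings do not already neutralise it, otherwise the automation will fire on every bucket with a historic AllUsers grant.

```python
"""Find and close a publicly readable S3 bucket (added example, not Tines code).

assess() is pure and runs offline; fetch_bucket_state()/remediate() need a
boto3 S3 client. Bucket names and ACL grants in SAMPLE_STATES are constructed.
"""

# ACL grantee groups meaning "everyone" and "any AWS account holder".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Block Public Access switches; all on means no public ACL or policy takes effect.
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

ALL_USERS_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
OWNER_FULL = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
              "Permission": "FULL_CONTROL"}

# Constructed bucket states in the shape fetch_bucket_state() returns.
SAMPLE_STATES = {
    "public-acl": {"bucket": "public-acl", "acl_grants": [OWNER_FULL, ALL_USERS_READ],
                   "policy_public": False, "public_access_block": {}},
    "acl-but-blocked": {"bucket": "acl-but-blocked", "acl_grants": [OWNER_FULL, ALL_USERS_READ],
                        "policy_public": False, "public_access_block": dict(FULL_BLOCK)},
    "public-policy": {"bucket": "public-policy", "acl_grants": [OWNER_FULL],
                      "policy_public": True, "public_access_block": {"IgnorePublicAcls": True}},
    "private": {"bucket": "private", "acl_grants": [OWNER_FULL],
                "policy_public": False, "public_access_block": {}},
}


def public_acl_grants(grants):
    """ACL grants that hand access to a public group."""
    return [g for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]


def assess(state):
    """Decide whether a bucket is *effectively* public. A public ACL is inert when
    IgnorePublicAcls is on; a public policy is inert when RestrictPublicBuckets is on."""
    block = state.get("public_access_block", {})
    acl_hits = public_acl_grants(state.get("acl_grants", []))
    via_acl = bool(acl_hits) and not block.get("IgnorePublicAcls", False)
    via_policy = bool(state.get("policy_public")) and not block.get("RestrictPublicBuckets", False)
    return {
        "bucket": state["bucket"],
        "public_via_acl": via_acl,
        "public_via_policy": via_policy,
        "acl_grantees": sorted(g["Grantee"]["URI"] for g in acl_hits),
        "action": "put_public_access_block" if (via_acl or via_policy) else "none",
    }


def fetch_bucket_state(s3, bucket):
    """Collect the inputs assess() needs from a boto3 S3 client."""
    from botocore.exceptions import ClientError  # local import: assess() must run without boto3
    state = {"bucket": bucket, "policy_public": False, "public_access_block": {}}
    state["acl_grants"] = s3.get_bucket_acl(Bucket=bucket)["Grants"]
    try:
        state["policy_public"] = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except ClientError as e:  # bucket has no policy at all
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
    try:
        state["public_access_block"] = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:  # block never configured on this bucket
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
    return state


def remediate(s3, bucket, dry_run=True):
    """Assess and, unless dry_run, turn on all four Block Public Access switches."""
    finding = assess(fetch_bucket_state(s3, bucket))
    if finding["action"] == "put_public_access_block" and not dry_run:
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=FULL_BLOCK)
        finding["applied"] = True
    return finding


if __name__ == "__main__":
    # Offline demonstration over the constructed states. Against a real account:
    #   import boto3; remediate(boto3.client("s3"), "my-bucket", dry_run=False)
    for state in SAMPLE_STATES.values():
        print(assess(state))
```

Applying the full public access block is deliberately chosen over rewriting the ACL or deleting the policy: it is a single idempotent call, it closes both exposure paths at once, and it leaves the original ACL and policy in place for the owner to review after the notification step the post describes.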
Different security teams will go after different pain points, but you shouldn’t rush into implementing detections such as codebase monitoring, user access management, or server acceptance testing. If you’re still early in building your detection pipeline, you risk wasting time measuring noise. So pace yourself; too much visibility too soon is usually a bad idea. If you measure before standardizing your alerts, the danger is that you’ll over-analyze your data and draw conclusions that are simply inaccurate. Take the time to figure out what matters to you and why, and get to a point where your data is stable enough to baseline.
Side note: try to capture how long it takes you to build a detection for a new technique, from the moment you learn about it to the moment the detection is live. That figure depends on many things, including log coverage, analyst time, tooling, and existing detection coverage, and it is hard to measure automatically on its own.
Some areas are really difficult to measure, but that’s not to say they aren’t worth the effort. One of the key advantages of Tines is that it gives you back time to focus on improving your analysis. But some metrics simply aren’t worth striving for, such as employee turnover. Turnover is not an indicator of success, although it is an indicator of failure. Stick to measuring the things that genuinely matter, like the number of detections built by analysts and the number of P1 and P2 incidents.
There’s no one right way to measure your security posture, but there are plenty of wrong ways. The effectiveness of your security operations depends on how you measure them. Step one is to take in the big picture before implementing a metrics program that will guide ongoing efforts toward more impactful security investments.
Tines can help you dramatically improve your security posture by enabling you to stay on top of alerts and respond swiftly if your organization has been compromised.