North star metrics for security operations
The SolarWinds case has cemented the role of enterprise security in managing business risk and advancing resiliency. As security continues to elevate and gain a seat at the board level, we need to rely less on articulating Fear, Uncertainty and Doubt (FUD) and more on communicating in clear operational metrics, as a way of establishing a baseline and goals in language the board can understand.
In the last year, we've seen a step-change in the adoption of Mean-Time-to-Detect and Mean-Time-to-Respond as the north star metrics of forward-thinking security leaders and their organizations.
- Mean-Time-to-Detect (MTTD) -- how long it takes me to find out that something bad is happening
- Mean-Time-to-Respond (MTTR) -- how long it takes me to stop it
Just as the sales and marketing organization is focused on shortening sales cycles and increasing conversion through automation to increase revenue, the security organization is focused on reducing MTTD and MTTR through automation to increase resilience.
The Ponemon Study on Cyber Resilience states:
- 67 percent of enterprises have experienced an increase in volume of cyber incidents in the last 12 months.
- 64 percent of enterprises have experienced an increase in severity of cyber incidents in the last 12 months.
- 51 percent of enterprises reported a cybersecurity incident that resulted in a significant disruption to their organizations' IT and business processes in the last 24 months.
If incidents are increasing in both volume and severity, then it’s the enterprise security leader’s job to allocate resources efficiently to keep up. Data-Centric Security Automation is focused on leveraging the value of your internal and external sources of intelligence as primary assets used to improve MTTD and MTTR as north star metrics.
External intelligence sources like closed/open subscription feeds and ISAC/ISAO intelligence exchanges help accelerate MTTD because they let you detect malicious signatures that your providers and peers are seeing in the wild. With the right intelligence management solution, you can ensure that only high-priority signatures are ingested into your detection tools. Without intelligence management, you may see your MTTD go down while your MTTR goes up, because the time spent resolving a growing number of false positives competes with the bandwidth needed to resolve actual events.
These external sources also help with MTTR, and here context is key to making the right decisions about expanding and escalating an investigation. Equally important is correlating with your internal historical events, so you are not wasting time reinvestigating a similar event from an hour, day, week or month ago that was already captured in another tool, or by another analyst on a different shift or in a different workflow.
These internal and external sources of intelligence provide 'Coverage' or 'labels' to your data that help you automate and accelerate MTTD and MTTR. The right intelligence management solution will help you see how your internal and external sources are performing for you in terms of 'Coverage':
- Which sources are generating detections first?
- Which sources are generating more false positives in detection?
- Which sources are generating unique enrichment to my incident response?
- Which sources are redundant?
- What types of events and signatures are lacking automated enrichment and require manual ‘hunting and pecking’?
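As an added illustration, not code from the original article or from any TruSTAR product, the following Python computes MTTD, MTTR and per-source answers to the coverage questions above from a constructed set of alerts. The source names, field layout and timestamps are assumptions made for the example.

```python
from datetime import datetime as dt
from statistics import mean

# Constructed sample alerts (not real data). onset: start of malicious activity from the
# post-incident timeline (None = false positive); detected: source -> time it flagged the
# event; contained: when it was stopped (None = open); enrichment: source -> context it added.
ALERTS = [
    {"onset": dt(2021, 3, 1, 8), "contained": dt(2021, 3, 1, 13),
     "detected": {"isac": dt(2021, 3, 1, 9), "vendor": dt(2021, 3, 1, 11), "feed_b": dt(2021, 3, 1, 11)},
     "enrichment": {"isac": {"campaign"}, "vendor": {"campaign", "c2"}, "feed_b": {"campaign"}}},
    {"onset": dt(2021, 3, 2, 20), "contained": dt(2021, 3, 3, 6),
     "detected": {"vendor": dt(2021, 3, 3, 1)},
     "enrichment": {"vendor": {"c2"}, "history": {"prior_case"}}},
    {"onset": None, "contained": None,  # false positive raised by two sources
     "detected": {"osint": dt(2021, 3, 4, 10), "vendor": dt(2021, 3, 4, 10, 30)}, "enrichment": {}},
    {"onset": dt(2021, 3, 5, 1), "contained": None,  # still open, and nobody enriched it
     "detected": {"osint": dt(2021, 3, 5, 7), "isac": dt(2021, 3, 5, 7)}, "enrichment": {}},
]

def mttd_hours(alerts):
    # Onset to earliest detection, averaged over detected true positives.
    tps = [a for a in alerts if a["onset"] is not None and a["detected"]]
    return mean((min(a["detected"].values()) - a["onset"]).total_seconds() / 3600 for a in tps)

def mttr_hours(alerts):
    # Earliest detection to containment, averaged over closed true positives.
    closed = [a for a in alerts if a["onset"] is not None and a["contained"]]
    return mean((a["contained"] - min(a["detected"].values())).total_seconds() / 3600 for a in closed)

def coverage(alerts):
    # Per source: first detections, false-positive rate, unique enrichment, redundancy;
    # plus how many true positives received no automated enrichment at all.
    sources = {s for a in alerts for s in list(a["detected"]) + list(a["enrichment"])}
    stats = {s: {"first": 0, "alerts": 0, "false_pos": 0, "unique_enrich": 0} for s in sources}
    unenriched = 0
    for a in alerts:
        tp = a["onset"] is not None
        earliest = min(a["detected"].values()) if a["detected"] else None
        for s, t in a["detected"].items():
            stats[s]["alerts"] += 1
            stats[s]["false_pos"] += not tp
            stats[s]["first"] += tp and t == earliest
        for s, attrs in a["enrichment"].items():
            others = set().union(*(v for o, v in a["enrichment"].items() if o != s))
            stats[s]["unique_enrich"] += len(attrs - others)
        unenriched += tp and not a["enrichment"]
    for st in stats.values():
        st["fp_rate"] = st["false_pos"] / st["alerts"] if st["alerts"] else 0.0
        st["redundant"] = st["first"] == 0 and st["unique_enrich"] == 0
    return stats, unenriched
```

On the sample data, `feed_b` comes out redundant (never first, no unique context), `history` never raises an alert but supplies unique response context, and one open true positive had no automated enrichment at all.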
Your intelligence investments and the integrations into your core detection and response tools will drive your coverage, which is a critical lever for accelerating both MTTD and MTTR. In the next decade, the enterprise security teams and leaders that adopt these core tenets of data-centric security automation will find a new language to communicate, cooperate and effectively compete for resources to elevate enterprise resilience.
Patrick Coughlin is the Co-Founder and Chief Executive Officer of TruSTAR. Before founding TruSTAR, Patrick led cyber security initiatives in the Middle East as a Director at Good Harbor International. Patrick also led counterterrorism analyst teams for Booz Allen Hamilton clients in the DoD and Special Operations Command.