WatchGuard Blog

Security Operations Maturity Model I: Measuring SOC performance

Companies need to measure performance in every area of operations to check whether it is cost-effective and achieving the desired results. One of the best ways for security managers to show that their security operations program is aligned with business objectives is to use metrics that capture its efficiency and effectiveness.

Mean Time to Detection (MTTD) and Mean Time to Respond (MTTR) are the two key performance indicators used to measure and report how fast security operations detect and respond to cyberthreats that slip past existing security controls.

Let's find out what these metrics are and how they are calculated:  

Mean Time to Detection (MTTD): What is it and how is it calculated? 

MTTD measures how long it takes the security operations team to detect and identify a threat lurking in an organization's network. It reflects the effectiveness of security operations: how quickly and how well the threat hunters, SOC analysts and response team monitor, classify and investigate anomalous behavior on the network. The team's goal should be to keep this metric as low as possible: the shorter an attacker's undetected dwell time, the less damage can be done before the response begins if the network is compromised.

The MTTD for a single incident is the date/time difference between the first sign of the attack (the earliest evidence of attacker activity, which is often only established retrospectively once the investigation reconstructs the timeline) and the time the incident case was created, i.e., when the threat was classified for full investigation. The MTTD for a reporting period is the mean of these per-incident detection times across all incidents in that period. Because a single long-dwell intrusion can pull the mean up sharply, it is worth tracking the median alongside it.

Mean Time To Respond (MTTR): Definition and Calculation 

MTTR indicates how long it takes the team to investigate and respond to detected threats. It measures the effectiveness of security operations and the efficiency of the SOC analysts and response team responsible for identifying and correlating the behavioral anomalies that indicate an incident has occurred, investigating them thoroughly and responding, from containment through to eradicating the threat from the network. A high MTTR suggests that the technology supporting the SOC's investigation and mitigation work is slow or weak and that automation is lacking; in that case a threat on the corporate network has more time to turn into a data breach or to cause extremely high costs in damages.

The response time for a single incident is the date/time difference between case creation, i.e., the start of the investigation, and the time the incident is resolved. As with MTTD, the mean of the per-incident response times gives the MTTR for all incidents within a specific period.
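To make the two calculations above concrete, here is an added example in Python (not code from WatchGuard or the e-book) that computes MTTD and MTTR over a reporting period from case records. The record fields first_observed, case_created and resolved, and the sample incidents, are assumptions constructed for illustration. It also handles the two gaps real case data has: a case whose first sign of attack was never established (excluded from MTTD) and a case that is still open (excluded from MTTR), and it reports the median next to the mean.

```python
"""Compute MTTD and MTTR from SOC incident case records.

Added example, not WatchGuard's code. Assumed per-case fields, all in UTC:
  first_observed: earliest evidence of attacker activity, set once the
                  investigation reconstructs the timeline (None if unknown)
  case_created:   when the alert was classified and a case opened
  resolved:       when the incident was closed (None while still open)
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, median
from typing import Optional


@dataclass
class Incident:
    case_id: str
    first_observed: Optional[datetime]
    case_created: datetime
    resolved: Optional[datetime]

    def time_to_detect(self) -> Optional[timedelta]:
        """First sign of attack -> case creation; None if first sign unknown."""
        if self.first_observed is None:
            return None
        return self.case_created - self.first_observed

    def time_to_respond(self) -> Optional[timedelta]:
        """Case creation -> resolution; None while the case is still open."""
        if self.resolved is None:
            return None
        return self.resolved - self.case_created


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def soc_metrics(incidents, period_start: datetime, period_end: datetime) -> dict:
    """MTTD and MTTR in hours over cases opened in [period_start, period_end).

    Cases missing the data a metric needs are excluded from that metric and
    counted separately, rather than silently treated as zero. The median is
    reported too, because one long-dwell intrusion can dominate the mean.
    """
    in_period = [i for i in incidents if period_start <= i.case_created < period_end]
    ttd = [_hours(d) for d in (i.time_to_detect() for i in in_period) if d is not None]
    ttr = [_hours(r) for r in (i.time_to_respond() for i in in_period) if r is not None]
    return {
        "cases": len(in_period),
        "mttd_hours": round(mean(ttd), 2) if ttd else None,
        "median_ttd_hours": round(median(ttd), 2) if ttd else None,
        "unknown_first_sign": len(in_period) - len(ttd),
        "mttr_hours": round(mean(ttr), 2) if ttr else None,
        "median_ttr_hours": round(median(ttr), 2) if ttr else None,
        "still_open": len(in_period) - len(ttr),
    }


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample cases (not real data). Detection / response times:
#   INC-1: 6h / 6h   INC-2: 48h / 12h   INC-3: unknown / 3h
#   INC-4: 3h / still open             INC-5: opened outside the March period
SAMPLE_INCIDENTS = [
    Incident("INC-1", utc(2024, 3, 1, 2), utc(2024, 3, 1, 8), utc(2024, 3, 1, 14)),
    Incident("INC-2", utc(2024, 3, 3, 0), utc(2024, 3, 5, 0), utc(2024, 3, 5, 12)),
    Incident("INC-3", None, utc(2024, 3, 10, 10), utc(2024, 3, 10, 13)),
    Incident("INC-4", utc(2024, 3, 20, 9), utc(2024, 3, 20, 12), None),
    Incident("INC-5", utc(2024, 4, 2, 0), utc(2024, 4, 2, 1), utc(2024, 4, 2, 3)),
]

if __name__ == "__main__":
    report = soc_metrics(SAMPLE_INCIDENTS, utc(2024, 3, 1), utc(2024, 4, 1))
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

The period filter keys on case_created, so a case opened in March but resolved in April still counts toward March's MTTR once it closes; pick the convention that matches how your reporting period is defined and keep it fixed, or the trend line is meaningless.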

The speed with which security operations detect and respond can make the difference between a breach that can be contained in time and a serious data breach or costly operational and reputational damages. Therefore, applying basic metrics such as MTTD and MTTR enables the SOC team and stakeholders to gain a deeper understanding of operational performance, allowing them to make better investment decisions and demonstrate value to management.  

Increasing SOC maturity to reduce MTTD and MTTR 

High MTTD and MTTR values do not necessarily mean that the security strategy is wrong, but they do indicate that the SOC needs additional measures so that, if a real attack occurs, it is detected and contained sooner and disruption to the infrastructure environment is reduced.

As the maturity of an organization's security operations increases, the effectiveness of its detection and response capabilities improves and MTTD and MTTR values drop. These metrics are designed to provide information on the effectiveness, performance and accountability of security operations. By tracking them, the SOC can also identify bottlenecks in its processes, technologies or staffing, and pinpoint the resources or processes that need reviewing.

All business processes need to be assessed so that they can be improved, and security operations are no different in this regard. In the e-book Empowering the SOC: Security Operations Maturity Model, we outline the key capabilities needed to address today's challenges for security teams and provide insights on how to create a successful SOC.  

If you want to learn more about Security Operations Centers, don't miss our series of articles: