{"id":105016,"date":"2020-01-14T06:00:00","date_gmt":"2020-01-14T14:00:00","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=105016"},"modified":"2020-07-30T20:05:43","modified_gmt":"2020-07-31T03:05:43","slug":"cortex-soc-metrics","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/01\/cortex-soc-metrics\/","title":{"rendered":"Do Your SOC Metrics Incentivize Bad Behavior?"},"content":{"rendered":"

\"SOC<\/p>\n

The following post on SOC metrics is adapted from the book, \u201cElements of Security Operations,\u201d a guide to building and optimizing effective and scalable security operations. <\/span><\/i>Download a free copy today<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

Some metrics that security operations centers (SOCs) widely use to evaluate their performance have the potential to drive poor behavior.<\/p>\n

One example is mean time to resolution (MTTR). This is a fine metric when used in a network operations center (where uptime is key) but it can be detrimental when used in a SOC. Holding security analysts accountable for MTTR incentivizes them to rush to close incidents rather than rewarding full investigations that feed learning back into the controls to prevent future attacks. Similarly, ranking performance by number of incidents handled may lead to analysts \u201ccherry picking\u201d incidents that they know are fast to resolve. This will not produce better outcomes or reduced risk for the business.<\/span><\/p>\n

Another poor metric is counting the number of firewall rules deployed. 10,000 firewall rules can be in place, but if the first bypasses the rest (e.g., any-any), then they are useless. This is similar to measuring the number of data feeds into a security information and event management platform (SIEM). If there are 15 data feeds into a SIEM but only one use case, then the data feeds aren\u2019t being utilized and are a potentially expensive waste.\u00a0<\/span><\/p>\n


\n<\/span>SOC Metrics That Matter<\/span><\/h2>\n

When determining good metrics for your business, always keep in mind the mission of the SOC and the value it provides to the business. The business wants confidence that the SOC can prevent attacks and that if\/when a breach does occur, then the team is able to handle it quickly, limit the impact and learn from it. Good metrics should provide insight into whether the business should have confidence or not. There are two types of confidence to focus on: configuration confidence and operational confidence.<\/span><\/p>\n

Configuration confidence<\/b> is knowing that your technology is properly configured to prevent an attack, that you can automatically remediate it and\/or that the proper intelligence can be gathered for analysis by a human. Example questions to answer are:\u00a0<\/span><\/p>\n