Management guru Peter Drucker once said, “What gets measured, gets managed.”
Take your organization’s incident response program, for example. Implementing a cybersecurity incident response (IR) program ensures your business can respond quickly to data threats, but it's only when you collect metrics for your IR team that you’re able to determine your program’s – and your team’s – effectiveness.
You can then fine-tune your IR program based on those metrics.
Given no business is immune from cyberattacks — no matter how stellar their security posture — monitoring cybersecurity incident response metrics has become more important than ever.
In this blog post, I’ll explore five key metrics that can help gauge the overall effectiveness of your cybersecurity incident response capabilities:
- Mean time to inventory
- Mean time to detect
- Dwell time
- Mean time to respond
- Cost of an incident
You’ll also get an overview of how Axonius can be used to improve or track these metrics, and how our customers are leveraging the platform to help expedite incident response investigations and remediation, and reduce alert triage time.
1. Mean Time to Inventory
This metric helps determine when incident response is lagging as a result of missing inventory information.
With Axonius, customers have access to all the device and user information needed to aid an investigation. Apart from creating a comprehensive asset inventory, Axonius also creates a complete and contextual user inventory.
Axonius provides the integrations you need to get a unified view of all your assets, users, vulnerabilities, and more by aggregating data from 300+ business management and security tools.
A consolidated user inventory can accelerate incident response investigation by helping security analysts easily correlate alerts with data in Axonius to answer critical cybersecurity incident response questions like:
- Which devices and users were associated with the alerts?
- Where are the devices located?
- What software is running on the device?
- Were the devices affected by known vulnerabilities?
Improving mean time to inventory can help reduce mean time to detect and mean time to respond for incident responders.
2. Mean Time to Detect (MTTD)
One of the most important metrics, mean time to detect (or MTTD), is defined as the average amount of time needed to detect a security threat or incident. It helps you understand how cybersecurity incidents are detected.
To measure MTTD, add up the total amount of time it takes your team to detect incidents during a given period, then divide that by the number of incidents. This MTTD can then be compared to a previous time period or another incident response team of similar size to determine performance.
It’s good to shoot for a low MTTD number. However, incident response teams must be sure they’re minimizing the "unknowns" that aren't being detected at all. Often, security teams find there are unknown and unmanaged devices that may not be covered by any security control, and thus may never produce a "detection" if something were to happen on them; such incidents never enter the MTTD calculation.
Axonius helps customers enhance visibility into all devices — managed and unmanaged — allowing incident response teams to be more confident their MTTD metric is comprehensive and accurate.
3. Dwell Time
A critical metric, dwell time represents the entire length of time a threat actor has free rein in your environment — starting from the time they first enter your network to the time they leave or are removed.
Why should you focus on reducing dwell time? Because the longer it takes your company to contain an attack, the more expensive it will end up being.
Quickly analyzing an event and responding accordingly is key to containing an attack and reducing dwell time.
Axonius helps speed up incident response investigations by providing security analysts with rich, correlated data. The platform also makes it simple to search for attributes of a particular device or user in order to triage alerts.
4. Mean Time to Respond (MTTR)
Mean time to respond is defined as the average time it takes for incident responders to control, remediate, and eradicate a threat after it has been identified. It provides insight into how quickly your incident response team can help you and impacted systems return to normalcy.
It therefore comes as no surprise that poor performance in this metric means higher breach costs for your organization.
MTTR is calculated by collecting data on all incidents for a specific period, then adding up the time spent on restoring the system from the moment the alert about the problem was received. The total is then divided by the number of incidents.
By automating the essential data gathering tasks, organizations can dramatically increase productivity of their SOC personnel. Axonius allows the SOC team to analyze more alerts in a shorter period of time, thereby increasing visibility and reducing MTTR.
Having an accurate user inventory also helps reduce MTTR by giving incident responders the ability to:
- Quickly group highly privileged accounts into a single view
- Understand recent password and privilege changes
- Understand where a user account was used on a specific date
- Understand devices associated with the user account
5. Cost of an Incident
A simple way to determine incident costs is by measuring the time needed to fully detect and resolve an incident, then translating that time into combined salary costs of staff involved.
Keep in mind this excludes major incidents that require third parties getting involved.
Tracking how much incidents cost, alongside a roadmap for faster incident detection and response, should produce a cost figure that trends down over time.
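To make the definitions in sections 2 through 5 concrete, here is an added Python example (not from the post or from Axonius) that computes MTTD, MTTR, mean dwell time and the simple salary-based incident cost from a constructed set of incident records; the `Incident` fields, timestamps and hourly rate are assumptions. It also reports the share of incidents that MTTD leaves out because no control detected them, the "unknowns" caveat from the MTTD section.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    name: str
    entered: datetime             # when the attacker first got in (usually established in hindsight)
    detected: Optional[datetime]  # None: our own controls never raised a detection
    resolved: Optional[datetime]  # None: not yet eradicated / restored
    analyst_hours: float          # staff time booked against the incident
    third_party: bool = False     # needed outside help; excluded from the simple cost model

def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600

def mttd(incidents):
    """Mean hours from intrusion to detection, over incidents our controls actually detected."""
    known = [i for i in incidents if i.detected is not None]
    return mean(_hours(i.detected, i.entered) for i in known)

def mttr(incidents):
    """Mean hours from detection to eradication/restoration (alert received -> system restored)."""
    closed = [i for i in incidents if i.detected is not None and i.resolved is not None]
    return mean(_hours(i.resolved, i.detected) for i in closed)

def mean_dwell_time(incidents):
    """Mean hours the attacker was present, entry to removal, regardless of who found them."""
    removed = [i for i in incidents if i.resolved is not None]
    return mean(_hours(i.resolved, i.entered) for i in removed)

def undetected_share(incidents):
    """Fraction of known incidents that MTTD silently omits because nothing detected them."""
    return sum(1 for i in incidents if i.detected is None) / len(incidents)

def incident_cost(incidents, hourly_rate):
    """Salary cost of in-house handling; third-party-assisted incidents are out of scope."""
    return sum(i.analyst_hours for i in incidents if not i.third_party) * hourly_rate

# Constructed sample quarter: two incidents found by internal controls, one learned of only from an outside notification.
INCIDENTS = [
    Incident("phish-A", datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 10), datetime(2024, 3, 1, 16), 5.0),
    Incident("webshell-B", datetime(2024, 3, 3), datetime(2024, 3, 5), datetime(2024, 3, 6), 12.0),
    Incident("unmanaged-host-C", datetime(2024, 3, 10, 12), None, datetime(2024, 3, 20, 12), 30.0, True),
]

if __name__ == "__main__":
    print(f"MTTD {mttd(INCIDENTS):.1f}h  MTTR {mttr(INCIDENTS):.1f}h  dwell {mean_dwell_time(INCIDENTS):.1f}h")
    print(f"undetected share {undetected_share(INCIDENTS):.0%}  cost ${incident_cost(INCIDENTS, 100):,.0f}")
```

In the sample, MTTD looks healthy at 25 hours while the incident no control detected dwelt for 240 hours, which is exactly why the metric must be read together with visibility coverage.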
For SOC analysts, the time it takes to investigate an incident is often too long because they don’t have the full contextual information needed to aid the investigation and resolve incidents. But with Axonius, organizations can have that information about devices and users up front, which significantly reduces the time spent in gathering information. This in turn reduces the actual cost of investigating an incident.
A focus on improving cybersecurity incident response metrics will drastically strengthen your company's security posture. The sooner you can detect and resolve incidents, the less impact a successful attack will have.
To improve organizational IR practices, teams should ensure that metrics are not just improving, but are truly accurate and comprehensive.