Top 5 security analytics to measure

You do not need a Ph.D. in cybersecurity to recognize the importance of security analytics. Security analytics uses data analysis – often aided by machine learning – to detect security threats and measure the effectiveness of security operations.

But what may be challenging to determine, especially if you’re not a cybersecurity expert, is what to analyze to improve security outcomes for your organization. This article discusses five of the most crucial security analytics to track.

As you’ll see, some of these analytics assist with threat detection, which is one component of effective security operations. Others deal with assessing the effectiveness of your security operations processes to help you detect inefficiencies or risks within your approach to security management.

Mean time to detect

Mean time to detect, also known as MTTD, is a standard metric for IT operations teams, who use it to assess how quickly, on average, they can identify specific issues.

MTTD matters at least as much in security analytics as it does in IT operations, and arguably more, given that many organizations struggle to detect cybersecurity breaches at all. Threat actors use increasingly stealthy tactics to hide their malicious intent: they chain together several individually “normal” actions so that the intrusion hides in plain sight.

Plus, the longer it takes you to find out if there’s a breach in your environment, the more damage the attack will likely cause. The episode is likely to escalate to affect more applications and data if you do not detect it and isolate affected resources.

For all these reasons, you should measure how long it takes your team to detect cybersecurity incidents and aim to improve that metric continuously.

Mean time to resolve

Detection is only the first step in resolving security incidents. That’s why the mean time to resolve (MTTR) is an equally important security analytics metric to measure.

MTTR reflects how efficiently and effectively your security operations team works when a breach occurs. By tracking this metric, you can assess how much efficiency you gain when you implement changes to your security operations strategy, such as adopting a new tool or making organizational changes to your security response team. MTTR is also useful for assessing how quickly your team can resolve different security incidents, like DDoS attacks, ransomware attacks, and data leaks.

Mean time to contain

In between security incident detection and resolution comes containment. Containment is the process of isolating compromised resources, once a breach has been detected, so that it cannot cause further damage.

In some respects, mean time to contain, or MTTC, is even more important than MTTR. The overall cost of an incident depends partly on how quickly you can contain it.

For that reason, you should track MTTC alongside MTTD and MTTR. If you find that you detect incidents quickly but take a long time to contain them after that, it’s a sign that you need to invest a bit more in containment strategies.
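The three timing metrics above are easiest to reason about when they are computed from the same incident records. The following is an added example, not code from the article; it assumes a hypothetical incident record with four timestamps (estimated start of attacker activity, detection, containment, resolution) and measures MTTD from the start of activity, while MTTC and MTTR are both measured from detection, so that containment falls inside the resolution window as the article describes. The incident data is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    """One security incident with the four timestamps the metrics need.
    'started' is the estimated start of attacker activity (usually known
    only after forensics); the other three come from the ticketing system.
    Hypothetical record shape, not a real product schema."""
    incident_id: str
    started: datetime
    detected: datetime
    contained: datetime
    resolved: datetime


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def incident_metrics(incidents: list[Incident]) -> dict[str, float]:
    """Return MTTD, MTTC and MTTR in hours, averaged over the incidents.

    MTTD = mean(detected  - started)    # how long the intrusion went unnoticed
    MTTC = mean(contained - detected)   # measured from detection
    MTTR = mean(resolved  - detected)   # measured from detection; includes containment
    """
    if not incidents:
        raise ValueError("no incidents to measure")
    for inc in incidents:
        # Out-of-order timestamps usually mean a ticket was filled in wrongly;
        # averaging them would silently distort every metric, so refuse.
        if not (inc.started <= inc.detected <= inc.contained <= inc.resolved):
            raise ValueError(f"{inc.incident_id}: timestamps are out of order")
    return {
        "mttd_hours": mean(_hours(i.detected - i.started) for i in incidents),
        "mttc_hours": mean(_hours(i.contained - i.detected) for i in incidents),
        "mttr_hours": mean(_hours(i.resolved - i.detected) for i in incidents),
    }


def slowest_phase(metrics: dict[str, float]) -> str:
    """Name the phase that dominates the incident lifecycle.

    The phases are detection (MTTD), containment (MTTC) and recovery, i.e.
    the part of MTTR that remains after containment. A result of "contain"
    is the 'detect quickly but contain slowly' pattern the article warns about.
    """
    phases = {
        "detect": metrics["mttd_hours"],
        "contain": metrics["mttc_hours"],
        "recover": metrics["mttr_hours"] - metrics["mttc_hours"],
    }
    return max(phases, key=phases.get)


# Constructed sample data: three incidents with plausible but invented times.
SAMPLE_INCIDENTS = [
    Incident("INC-1001", datetime(2023, 1, 10, 2, 0), datetime(2023, 1, 10, 4, 0),
             datetime(2023, 1, 10, 16, 0), datetime(2023, 1, 10, 18, 0)),
    Incident("INC-1002", datetime(2023, 2, 3, 9, 0), datetime(2023, 2, 3, 13, 0),
             datetime(2023, 2, 4, 1, 0), datetime(2023, 2, 4, 3, 0)),
    Incident("INC-1003", datetime(2023, 3, 15, 22, 0), datetime(2023, 3, 16, 1, 0),
             datetime(2023, 3, 16, 7, 0), datetime(2023, 3, 16, 9, 0)),
]

if __name__ == "__main__":
    m = incident_metrics(SAMPLE_INCIDENTS)
    for name, hours in m.items():
        print(f"{name}: {hours:.1f}")
    print("slowest phase:", slowest_phase(m))
```

With the sample data, detection averages 3 hours, containment 10 hours and resolution 12 hours, so containment is the slowest phase, which is exactly the signal that would justify spending more on containment rather than on detection tooling.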

Unidentified devices on internal networks

Today’s networks are very fluid. Endpoints come and go continuously, and most networks lack firm perimeters because they constantly connect to remote cloud infrastructure, off-site devices connected via VPNs, etc. Ultimately, this means that it’s impossible to draw black-and-white distinctions between which devices should and should not exist on your network.

However, you can and should systematically track how many unidentified devices exist on your network. Unidentified devices are devices whose origins and purposes are unknown.

In many cases, unidentified devices are benign. They could be new VMs that an engineer spun up or a mobile device that a worker brought on-site as part of a BYOD policy.

Still, the number of unidentified devices on your network should generally follow a consistent pattern. A sudden spike in unknown devices could be a sign of risk, like the unauthorized creation of new endpoints by employees who are not adhering to your company’s IT governance rules, or (worse yet) efforts by attackers to bring malicious devices into the environment to escalate a breach.

Access control metrics

Access control roles and policies for modern IT environments are complex. Different parts of your environment (like a public cloud on the one hand and on-premises servers and workstations on the other) typically use different access control systems and require different types of settings.

There is no simple way to track access control configurations or positively identify a risk. For that, you’ll need comprehensive and detailed access control management techniques, like cloud security posture management (CSPM) and cloud infrastructure entitlements management (CIEM).

Nonetheless, even the most basic security analytics strategy can track metrics like the number of users and roles within access control configurations. You can also measure how quickly access control policies change. Fluctuations from the norm for both metrics could be a sign of a security issue.
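Both this section and the one on unidentified devices rest on the same idea: a count that normally follows a consistent pattern, and a deviation from that pattern that deserves a look. The following is an added example, not code from the article, showing one simple way to turn that idea into a detection: a trailing baseline (mean plus a multiple of the standard deviation, with an absolute floor so that a flat series does not flag a one-unit wobble) applied to a daily series of unknown-device counts and to a daily series of access-control policy changes. The two series are constructed for illustration; the window and threshold values are assumptions to tune against your own data.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Spike:
    day: int          # index into the series
    value: float      # the observed count
    threshold: float  # the baseline limit that was exceeded


def spike_days(series: list[float], window: int = 7,
               k: float = 3.0, min_delta: float = 3.0) -> list[Spike]:
    """Flag points that sit well above the trailing baseline.

    For each point after the first `window` samples, the baseline is the mean
    of the previous `window` values. A point is a spike when it exceeds both
    mean + k * stdev and mean + min_delta. The absolute floor matters for
    access-control and device counts, which are often nearly constant:
    with stdev close to zero, any bump would otherwise look anomalous.
    """
    if window < 2:
        raise ValueError("window must cover at least two samples")
    spikes: list[Spike] = []
    for i in range(window, len(series)):
        prev = series[i - window:i]
        base = mean(prev)
        limit = max(base + k * pstdev(prev), base + min_delta)
        if series[i] > limit:
            spikes.append(Spike(i, series[i], limit))
    return spikes


# Constructed sample: unidentified devices seen on the network per day.
# Day 9 shows the kind of jump the article describes.
UNKNOWN_DEVICES_PER_DAY = [4, 5, 3, 4, 6, 5, 4, 5, 4, 30, 6, 5, 4]

# Constructed sample: access-control policy changes per day.
# Normal churn is one to three changes; day 11 is a burst.
POLICY_CHANGES_PER_DAY = [2, 1, 3, 2, 2, 1, 2, 3, 2, 2, 1, 25, 2]


def report(name: str, series: list[float]) -> list[int]:
    """Print flagged days for a series and return their indices."""
    flagged = spike_days(series)
    for s in flagged:
        print(f"{name}: day {s.day} count {s.value:g} exceeds baseline {s.threshold:.1f}")
    if not flagged:
        print(f"{name}: no spikes")
    return [s.day for s in flagged]


if __name__ == "__main__":
    report("unknown devices", UNKNOWN_DEVICES_PER_DAY)
    report("policy changes", POLICY_CHANGES_PER_DAY)
```

A flagged day is a prompt to investigate, not a verdict: the device spike might be a batch of legitimately provisioned VMs and the policy burst a planned migration, which is why the number should be reviewed alongside change tickets rather than alerted on blindly.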

Conclusion

The security analytics described above represent only the most basic metrics you should consider tracking to optimize security operations. There are dozens of others – like mean time to patch, data transfer rates, and network port exposures, to name just a few – that can add critical context to security operations.

But if you’re devising a basic security analytics strategy, start with the core essentials, like MTTD, MTTR, MTTC, unidentified device tracking, and access control metrics.

Source
