In a NOC, uptime is the most important metric, and mean time to repair (also called mean time to recovery or restore, MTTR) is an accurate measure of performance. In a SOC, however, MTTR is a proxy for analyst activity that can drive the wrong behavior. If analysts are assessed on how quickly they close out alerts, they are incented to rush investigations and not feed updates back into the control system. As a result, the same attackers appear repeatedly in an analyst’s console because they were never effectively blocked based on prior incidents.
Besides motivating rushed investigations, MTTR worsens the problem by leading analysts to ignore alerts that would otherwise be investigated. FireEye confirmed that analysts do indeed ignore alerts in a recent Info Brief from IDC: approximately 35 percent of security analysts within organizations and 44 percent of security analysts employed by managed security service providers (MSSPs) overlook alerts because they are overwhelmed by false positives and excessive alert volume. Measuring productivity by MTTR adds to this stress and further degrades alert handling.
Cherry-picking alerts is another example of poorly motivated analyst behavior driven by MTTR in a SOC. When efficiency is measured by MTTR, analysts favor the alerts they know they can close quickly, which skews comparisons of one analyst’s efficiency against another’s. Cherry-picking also delays the more complicated or involved investigations, which extends attacker dwell time.
When is MTTR important for a SOC?
On the other hand, MTTR can be useful when evaluating automation tools within a SOC. If analysts are consistent in their investigation and remediation activities, MTTR can be used to assess the effect of additional automation, and to validate and quantify the gains from new technology that lets analysts do their job more quickly.
Metrics for measuring SOC performance
If MTTR isn’t a good metric, what are some good metrics for gauging the effectiveness of a SOC?
- Events per analyst hour: Good metrics such as events per analyst hour (EPAH) let an organization take concrete action to improve its operations. EPAH is the gold standard of security operations and a good indicator of how overwhelmed an analyst is right now. If their EPAH is over 100, they are incredibly overwhelmed, and overwhelmed analysts ignore alerts and rush investigations. We suggest an EPAH of 8 – 13. A higher EPAH indicates a need for action by the business, such as staff education, increased automation, or adding staff to handle the alert load.
- Tunes per technology: Another issue facing SOCs is an overabundance of false positives. As reported by IDC, 45 percent of the alerts bombarding analysts were false positives. Tracking the number of false positives and tunes per technology shows which technologies generate the most excess work for analysts. Keeping technology constantly tuned is a big administrative burden. Weighing the effectiveness of each technology against its negative effect on your analysts shows the real value of your technology investment.
- Unrealized benefits from technology: Unrealized benefits from technology hurt the economics of security. Executives believe they reduce risk to the organization by investing in new technologies, yet the protections sit in a backlog of undeployed technologies, or the technologies are deployed with only the minimum set of capabilities enabled. A security operations center (SOC) cannot effectively block attackers if security features or protections (e.g. SSL inspection, URL filtering) aren’t available. Security organizations should track undeployed technologies, the percentage of capabilities used within deployed technologies, and the effectiveness of technologies against real-world attacks.
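The contrast between MTTR and the metrics above is easiest to see on a small alert queue. The following Python is an added example, not code from the article or from FireEye or IDC: it builds a constructed queue of closed alerts for two hypothetical analysts ("alice" and "bob") on one shift and computes MTTR per analyst, events per analyst hour, and false positives and tunes per detection technology. The shift length (8 hours), the technology names ("ids", "proxy", "edr"), and the alert dispositions are assumptions made for the example; the EPAH band of 8 – 13 and the ceiling of 100 are the article's figures.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Alert:
    """One closed alert, as it would be exported from a ticketing or SOAR queue."""
    alert_id: str
    technology: str      # detection source that raised it (hypothetical names below)
    analyst: str         # analyst who closed it
    opened: datetime
    closed: datetime
    disposition: str     # "true_positive" or "false_positive"
    tuned: bool          # analyst fed a rule change back into the control


SHIFT_HOURS = 8          # assumed shift length, used as the EPAH denominator
T0 = datetime(2024, 1, 1, 9, 0)


def make_alerts():
    """Constructed sample queue for two analysts on one shift (not real data)."""
    alerts = []
    # "alice" cherry-picks 80 quick IDS/proxy false positives, 10 min each, never tunes.
    for i in range(80):
        opened = T0 + timedelta(minutes=6 * i)
        alerts.append(Alert(f"a{i}", "proxy" if i % 2 else "ids", "alice",
                            opened, opened + timedelta(minutes=10),
                            "false_positive", False))
    # "bob" works 16 EDR alerts, 30 min each, half true positives, tunes every FP.
    for i in range(16):
        opened = T0 + timedelta(minutes=30 * i)
        is_tp = i % 2 == 0
        alerts.append(Alert(f"b{i}", "edr", "bob",
                            opened, opened + timedelta(minutes=30),
                            "true_positive" if is_tp else "false_positive",
                            not is_tp))
    return alerts


def mttr_minutes(alerts):
    """Mean time from open to close per analyst: the metric that rewards cherry-picking."""
    by_analyst = defaultdict(list)
    for a in alerts:
        by_analyst[a.analyst].append((a.closed - a.opened).total_seconds() / 60)
    return {name: mean(times) for name, times in by_analyst.items()}


def events_per_analyst_hour(alerts, shift_hours=SHIFT_HOURS):
    """EPAH: alerts handled on the shift divided by hours worked."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.analyst] += 1
    return {name: n / shift_hours for name, n in counts.items()}


def epah_status(epah, target=(8, 13), overwhelmed=100):
    """Classify an EPAH value against the suggested band and the overwhelmed ceiling."""
    if epah > overwhelmed:
        return "overwhelmed"
    if epah > target[1]:
        return "above target"
    if epah < target[0]:
        return "below target"
    return "within target"


def per_technology(alerts):
    """False-positive rate, tunes, and untuned false positives per detection technology."""
    stats = defaultdict(lambda: {"alerts": 0, "false_positives": 0, "tunes": 0})
    for a in alerts:
        s = stats[a.technology]
        s["alerts"] += 1
        if a.disposition == "false_positive":
            s["false_positives"] += 1
        if a.tuned:
            s["tunes"] += 1
    for s in stats.values():
        s["false_positive_rate"] = s["false_positives"] / s["alerts"]
        # FPs closed without a tune are the ones that will come back tomorrow
        s["untuned_false_positives"] = s["false_positives"] - s["tunes"]
    return dict(stats)


if __name__ == "__main__":
    queue = make_alerts()
    print("MTTR (minutes):", mttr_minutes(queue))
    for name, epah in events_per_analyst_hour(queue).items():
        print(f"EPAH {name}: {epah:.1f} ({epah_status(epah)})")
    for tech, s in per_technology(queue).items():
        print(tech, s)
```

On this constructed queue, alice wins on MTTR (10 minutes versus 30) even though she closed nothing but false positives and tuned none of them, while bob handled every true positive and fed a tune back for each false positive. The per-technology view makes the hidden cost visible: the IDS and proxy produced 80 false positives with zero tunes, which is exactly the backlog of recurring noise the article describes, and the EPAH figures show where staffing or automation effort belongs.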
Finally, SecOps provides a critical service to the business. That service is intended to provide confidence that security controls are in place to detect or prevent an attack, and that processes are in place for the security team to implement those controls. Measuring the right metrics helps provide that confidence, gives visibility into functional effectiveness, and identifies opportunities for improvement.
You will find additional information on NOC Support by visiting our site.
Expert support from NOC Engineers
Network Operations Center engineers, also known as NOC engineers, specialize in managing and maintaining networks from a centralized location. Teams of skilled IT and NOC engineers form the technical NOC. They monitor the IT environment 24/7 and ensure that system uptime and connectivity are seamless.
By providing a platform for finding NOC engineers, Field Engineer helps businesses find the right experts for their needs. IT and telecom firms can use the Field Engineer Gig platform to find people with the skills to install and maintain their computer networks, enhancing their efficiency and effectiveness.
You can hire a freelance NOC engineer by signing up at FE right now!