Better Cybersecurity Metrics – SOC Metrics – Threat Hunting Metrics – Cyber Threat Intelligence (CTI) Metrics – Incident Response (IR) Metrics for CISOs by SCYTHE

• Metrics are a decision support tool for stakeholders
• Good metrics are first and foremost:
  – Quantifiable or objectively measurable
  – Targeted to a specific audience
  – Denote the success or failure of a process
• Start with why
  – What story are you trying to tell?
  – What conclusion should the audience draw from my data?
  – Can I reasonably expect them to infer my intent from the metrics?
Agenda
• Why Metrics?
• Foundations of Metrics (That Don’t Suck)
• Example Blue Team Metrics
  – SOC Metrics
  – Incident Response Metrics
  – CTI Metrics
  – Threat Hunting Metrics
Building Good Metrics – Don’t Measure Everything.
A few example SOC metrics (depending on intended audience):
  – Person hours committed to working alarms
  – Person hours committed to engineering new and better detections
  – Number of new detection rules created (and the source of each)
  – Number of tuned detection rules
  – Number (and severity) of alarms by business unit
  – Detection source for alarms
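The SOC metrics listed above are easy to name but only useful once they are actually computed from the SOC's own records in a repeatable way. The following is an added example, not code from the SCYTHE deck: it derives each of the listed metrics from two constructed record sets (an alarm queue with triage time, and a detection-engineering work log). The field names and the record layout are assumptions; a real SOC would feed this from its ticketing or SIEM export. It also adds one derived figure the list does not mention, the share of analyst hours going to detection engineering rather than alarm handling, because that ratio is the kind of "story" a stakeholder can act on.

```python
"""Compute the example SOC metrics from constructed alarm and work-log records.

Added example. The record layout and field names are assumptions, not any
vendor's schema; swap in your own ticketing/SIEM export with the same fields.
"""
from collections import Counter, defaultdict

# Constructed sample alarms: business unit, severity, detection source,
# the rule that fired, and analyst minutes spent triaging the alarm.
ALARMS = [
    {"id": 1, "business_unit": "Finance", "severity": "high", "source": "EDR", "rule": "R-101", "triage_minutes": 45},
    {"id": 2, "business_unit": "Finance", "severity": "low", "source": "SIEM", "rule": "R-102", "triage_minutes": 10},
    {"id": 3, "business_unit": "Engineering", "severity": "medium", "source": "EDR", "rule": "R-101", "triage_minutes": 30},
    {"id": 4, "business_unit": "Engineering", "severity": "high", "source": "NDR", "rule": "R-103", "triage_minutes": 90},
    {"id": 5, "business_unit": "Sales", "severity": "low", "source": "SIEM", "rule": "R-102", "triage_minutes": 5},
]

# Constructed detection-engineering work log: which rule was touched, whether
# it was newly created or tuned, where the change came from, and the minutes spent.
ENGINEERING_LOG = [
    {"rule": "R-103", "action": "created", "origin": "threat hunt", "minutes": 240},
    {"rule": "R-104", "action": "created", "origin": "CTI report", "minutes": 180},
    {"rule": "R-101", "action": "tuned", "origin": "false positive review", "minutes": 60},
    {"rule": "R-102", "action": "tuned", "origin": "false positive review", "minutes": 30},
]


def person_hours(records, field):
    """Sum the minutes stored in `field` across records and return hours."""
    return round(sum(r[field] for r in records) / 60, 2)


def alarms_by_business_unit(alarms):
    """Alarm count per business unit, broken down by severity."""
    counts = defaultdict(Counter)
    for alarm in alarms:
        counts[alarm["business_unit"]][alarm["severity"]] += 1
    return {bu: dict(sev) for bu, sev in counts.items()}


def alarms_by_source(alarms):
    """Alarm count per detection source (EDR, SIEM, NDR, ...)."""
    return dict(Counter(alarm["source"] for alarm in alarms))


def rules_by_action(log, action):
    """Rules that were `created` or `tuned`, mapped to the source of the change."""
    return {entry["rule"]: entry["origin"] for entry in log if entry["action"] == action}


def soc_metrics(alarms=ALARMS, log=ENGINEERING_LOG):
    """Assemble the example SOC metrics into one report dictionary."""
    triage_hours = person_hours(alarms, "triage_minutes")
    engineering_hours = person_hours(log, "minutes")
    total = triage_hours + engineering_hours
    return {
        "hours_working_alarms": triage_hours,
        "hours_engineering_detections": engineering_hours,
        # Derived figure: fraction of analyst time spent improving detections
        # rather than reacting to alarms (0.0 when there is no recorded time).
        "engineering_share_of_hours": round(engineering_hours / total, 2) if total else 0.0,
        "new_rules": rules_by_action(log, "created"),
        "tuned_rules": rules_by_action(log, "tuned"),
        "alarms_by_business_unit": alarms_by_business_unit(alarms),
        "alarms_by_source": alarms_by_source(alarms),
    }


if __name__ == "__main__":
    for name, value in soc_metrics().items():
        print(f"{name}: {value}")
```

Each function returns plain dictionaries so the same report can be rendered differently for different audiences: a CISO may only want the hours split and the per-business-unit severity counts, while the detection team cares about which rules were created or tuned and why.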