You don’t need a Ph.D. in cybersecurity to recognize the importance of security analytics. Security analytics uses data analysis – often aided by machine learning – to detect security threats and measure the effectiveness of security operations.
But what may be challenging to determine, especially if you’re not a cybersecurity expert, is what to analyze to improve security outcomes for your organization. This article discusses five of the most crucial security analytics to track.
As you’ll see, some of these analytics assist with threat detection, which is one component of effective security operations. Others deal with assessing the effectiveness of your security operations processes to help you detect inefficiencies or risks within your approach to security management.
Mean time to detect
Mean time to detect, also known as MTTD, is a standard metric for IT operations teams, who use it to assess how quickly, on average, they can identify specific issues.
MTTD is particularly necessary for security analytics. Indeed, it’s arguably even more critical in this context, given that many organizations struggle to detect cybersecurity breaches. Threat actors use increasingly stealthy tactics to hide their malicious intent, chaining together several seemingly “normal” actions so that they blend in with legitimate activity.
Plus, the longer it takes you to find out that there’s a breach in your environment, the more damage the attack will likely cause: an undetected incident tends to escalate and affect more applications and data until you detect it and isolate the affected resources.
For all these reasons, you should comprehensively assess how long it takes your team to detect cybersecurity incidents and aim to improve that metric continuously.
Mean time to resolve
Detection is only the first step in resolving security incidents. That’s why the mean time to resolve (MTTR) is an equally important security analytics metric to measure.
MTTR reflects how efficiently and effectively your security operations team works when a breach occurs. By tracking this metric, you can assess how much efficiency you gain when you implement changes to your security operations strategy, such as adopting a new tool or making organizational changes to your security response team. MTTR is also useful for assessing how rapidly your team can resolve different security incidents, like DDoS attacks, ransomware attacks, and data leaks.
Mean time to contain
In between security incident detection and resolution comes containment. Containment is the process of isolating compromised resources once you’ve detected a breach to prevent further damage.
In some respects, mean time to contain, or MTTC, is even more important than MTTR. The overall cost of an incident depends partly on how quickly you can contain it.
For that reason, you should track MTTC alongside MTTD and MTTR. If you find that you detect incidents quickly but take a long time to contain them after that, it’s a sign that you need to invest a bit more in containment strategies.
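To make the three timing metrics concrete, here is an added example (not code from the original article) that computes MTTD, MTTC and MTTR in hours from a constructed set of incident records, overall and per incident type, and skips still-open incidents for the metrics they cannot yet contribute to rather than counting them as zero. The record layout and field names are assumptions for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data). Timestamps are ISO-8601 UTC.
# "contained" and "resolved" are None while the incident is still being worked.
INCIDENTS = [
    {"id": "INC-1", "type": "ransomware", "occurred": "2024-03-01T02:00:00",
     "detected": "2024-03-01T14:00:00", "contained": "2024-03-01T16:00:00",
     "resolved": "2024-03-03T14:00:00"},
    {"id": "INC-2", "type": "ddos", "occurred": "2024-03-05T09:00:00",
     "detected": "2024-03-05T09:10:00", "contained": "2024-03-05T09:40:00",
     "resolved": "2024-03-05T11:10:00"},
    {"id": "INC-3", "type": "ransomware", "occurred": "2024-03-10T00:00:00",
     "detected": "2024-03-11T00:00:00", "contained": "2024-03-11T06:00:00",
     "resolved": None},  # open: counts toward MTTD and MTTC only
]

def _hours(start, end):
    """Elapsed hours between two ISO timestamps, or None if either is missing."""
    if not start or not end:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def response_metrics(incidents, incident_type=None):
    """Return {"count", "mttd", "mttc", "mttr"} in hours for the given incidents.
    MTTD = detected - occurred, MTTC = contained - detected, MTTR = resolved - detected.
    A metric is None when no incident in the set has the timestamps it needs."""
    selected = [i for i in incidents if incident_type in (None, i["type"])]
    spans = {
        "mttd": [_hours(i["occurred"], i["detected"]) for i in selected],
        "mttc": [_hours(i["detected"], i["contained"]) for i in selected],
        "mttr": [_hours(i["detected"], i["resolved"]) for i in selected],
    }
    result = {"count": len(selected)}
    for name, values in spans.items():
        known = [v for v in values if v is not None]
        result[name] = round(mean(known), 2) if known else None
    return result

def metrics_by_type(incidents):
    """Break the metrics down per incident type, as the article suggests."""
    return {t: response_metrics(incidents, t) for t in sorted({i["type"] for i in incidents})}

if __name__ == "__main__":
    print("all:", response_metrics(INCIDENTS))
    for t, m in metrics_by_type(INCIDENTS).items():
        print(f"{t}: {m}")
```

A large gap between MTTD and MTTC for a given incident type is exactly the signal the text describes: detection is working, but containment is where the next investment belongs.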
Unidentified devices on internal networks
Today’s networks are very fluid. Endpoints come and go continuously, and most networks lack a firm perimeter because they constantly connect to remote cloud infrastructure, off-site devices over VPNs, and so on. Ultimately, this means that it’s impossible to draw black-and-white distinctions between which devices should and shouldn’t exist on your network.
However, you can and should systematically track how many unidentified devices exist on your network. Unidentified devices are devices whose origins and purposes are unknown.
In many cases, unidentified devices are benign. They could be new VMs that an engineer spun up or a mobile device that a worker brought on-site as part of a BYOD policy.
Still, the number of unidentified devices on your network should generally follow a consistent pattern. Suppose you detect a sudden spike in unknown devices. In that case, it could be a sign of risk, like the unauthorized creation of new endpoints by employees who are not adhering to your company’s IT governance rules, or (worse yet) efforts by attackers to bring malicious devices into the environment to escalate a breach.
Access control metrics
Access control roles and policies for modern IT environments are complex. Different parts of your environment (like a public cloud on the one hand and on-premises servers and workstations on the other) typically use different access control systems and require different types of settings.
There is no simple way to track access control configurations or positively identify a risk. For that, you’ll need comprehensive and detailed access control management techniques, like cloud security posture management (CSPM) and cloud infrastructure entitlements management (CIEM).
Nonetheless, even the most basic security analytics strategy can track metrics like the number of users and roles within access control configurations. You can also measure how rapidly access control policies change. Fluctuations from the norm for both metrics could be a sign of a security issue.
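Both the unidentified-device count and the access-control metrics above come down to the same check: compare today’s value with a recent baseline and flag a sudden departure from it. The following added example (not from the original article) does that with a rolling mean-plus-k-sigma threshold over constructed daily counts of unknown devices and of access-policy changes; the window size, k and the minimum sigma are assumed tuning values.

```python
from statistics import mean, pstdev

# Constructed daily counts for illustration (not real telemetry).
UNKNOWN_DEVICES_PER_DAY = [4, 5, 3, 6, 4, 5, 4, 19, 5]
POLICY_CHANGES_PER_DAY = [2, 1, 3, 2, 2, 1, 2, 3, 14]

def flag_spikes(counts, window=7, k=3.0, min_sigma=1.0):
    """Return (day_index, value, baseline_mean, threshold) for every day whose
    count exceeds mean + k * sigma of the preceding `window` days.
    Only earlier days form the baseline, so a spike cannot inflate its own
    threshold; min_sigma stops a perfectly flat baseline from flagging noise."""
    flagged = []
    for i in range(window, len(counts)):
        base = counts[i - window:i]
        mu = mean(base)
        sigma = max(pstdev(base), min_sigma)
        threshold = mu + k * sigma
        if counts[i] > threshold:
            flagged.append((i, counts[i], round(mu, 2), round(threshold, 2)))
    return flagged

def anomaly_report(series):
    """Run the check over several named metrics and return {name: flagged_days}.
    A spike in unknown devices suggests unauthorised or rogue endpoints; a
    spike in policy changes suggests misconfiguration or privilege tampering."""
    return {name: flag_spikes(counts) for name, counts in series.items()}

if __name__ == "__main__":
    report = anomaly_report({"unknown_devices": UNKNOWN_DEVICES_PER_DAY,
                             "policy_changes": POLICY_CHANGES_PER_DAY})
    for name, hits in report.items():
        for day, value, mu, thr in hits:
            print(f"{name}: day {day} = {value} (baseline {mu}, threshold {thr})")
```

In practice the same routine can be pointed at any count your inventory or IAM tooling exports daily, such as the number of users or roles in a given access-control system.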
The security analytics described above represent only the most basic metrics you should consider tracking to optimize security operations. There are dozens of others – like mean time to patch, data transfer rates, and network port exposures, to name just a few – that can add critical context to security operations.
But if you’re devising a basic security analytics strategy, start with the core essentials, like MTTD, MTTR, MTTC, unidentified device tracking, and access control metrics.