By tracking specific metrics over time, trend reporting can establish a historical view of threats encountered, quantify SOC performance, and support smarter, more agile, and more data-driven incident response.
Analyzing these reports can act as an early warning system to help identify threats and bottlenecks before they become, or exacerbate, a major incident. Trend reports also make it easier to validate claims about threats and make the case for investments in new tools or processes. Having a strong set of trend reports will result in a more complete understanding of the problems your SOC is facing.
While virtually any metric can be tracked over time to produce a trend report, in this article we’ve identified five that will be beneficial for SOCs of any industry and level of operational maturity.
Trend Report 1: Incident Categories
Why it’s important: Tracking the levels of different incident categories gives a SOC manager a baseline knowledge of the types of incidents managed by the SOC, and therefore what security processes should be highest priority.
It also gives the security team the ability to correlate changes in detected incident types with other changes in the organization. For example, has a new digitization project or the implementation of new detection tools led to an increase in the detection of certain incidents?
Trend Report 2: Root Causes
Why it’s important: When an incident occurs, you need to know what vulnerabilities were exploited, but also what deeper issues caused the vulnerabilities to begin with. For example, if a JBoss server wasn’t patched properly, why not? Was it a technology problem? Did the responsible individual not carry out, or validate, the work? Was there even a process in place for patching at all?
The same applies to a non-compliance incident: finding out the root cause of a HIPAA violation is the best way to ensure it doesn’t happen again.
Tracking trends across the root causes of incidents helps you identify the issues that are systemic, not just one-off occurrences. With good trend data, incident responders can develop a roadmap for future prevention efforts based on remediating underlying vulnerabilities. Without the data to perform root cause analysis, security teams are just playing “whack-a-mole”: trying to stop incidents one-by-one as they pop up.
Trend Report 3: Recurring Incidents
Why it’s important: Tracking recurring incidents is a good way to assess your SOC’s effectiveness. A high number of recurring incidents is not a good sign, and suggests that root causes are being left unaddressed (as described in the previous section). Depending on its type, a recurring incident could also be a good candidate for an automated incident response process. Using past response actions and industry best practices as guides, you can use D3 to quickly create an automated playbook that will mimic the response actions of your best investigators.
Trend Report 4: Mean Time to Respond (MTTR)
Why it’s important: MTTR is one of the key metrics for any security team, especially when it can be tied to specific incident categories for more precise correlations. Tracking MTTR over time gives you a clear picture of how adding automation, hiring new employees, or making other changes affects your response times at the most basic level. Additionally, this data will help you create benchmarks, goals, and alerts for when expectations aren’t being met.
Trend Report 5: Sources of False Positives
Why it’s important: False positives are one of the biggest time-wasters in most SOCs, and so eliminating them should be among any security manager’s top priorities. A SOC simply cannot be efficient without an incident response platform that reduces false positives. Widespread shortages in skilled security analysts and tightening budgets only increase the urgency of this task.
By tracking the source systems that generate your security alerts and recording which alerts are ultimately determined to be genuine incidents, you can create a picture of system accuracy over time. This will give you the ability to see how well you are tuning your systems. For example, if your IDS is continually producing false positive alerts, does changing your detection rules result in a noticeable drop, or does the issue lie elsewhere?
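As an added illustration (not D3’s code), the five reports above can be computed from a set of closed tickets; the constructed sample data, the field names, and the per-incident dedup key used to spot recurrences are all assumptions made here.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of closed SOC tickets (not real data); "key" is an assumed dedup key that a platform would assign so repeats of the same incident can be matched.
FIELDS = ("id", "category", "source", "opened", "closed", "true_positive", "root_cause", "key")
RAW = [
    (1, "phishing", "email-gw", "2024-01-03T09:00", "2024-01-03T11:00", True, "no user training", "phish:payroll-lure"),
    (2, "malware", "edr", "2024-01-10T08:00", "2024-01-10T20:00", True, "unpatched JBoss", "malware:jboss-webshell"),
    (3, "phishing", "email-gw", "2024-01-15T14:00", "2024-01-15T15:00", True, "no user training", "phish:payroll-lure"),
    (4, "malware", "ids", "2024-02-02T10:00", "2024-02-02T10:30", False, None, None),
    (5, "malware", "ids", "2024-02-05T10:00", "2024-02-05T10:15", False, None, None),
    (6, "malware", "edr", "2024-02-11T07:00", "2024-02-12T07:00", True, "unpatched JBoss", "malware:jboss-webshell"),
    (7, "policy", "dlp", "2024-02-20T09:00", "2024-02-20T13:00", True, "no handling procedure", "hipaa:unencrypted-export"),
]
INCIDENTS = [dict(zip(FIELDS, r)) for r in RAW]

def true_positives(incidents):
    return [i for i in incidents if i["true_positive"]]

def category_counts_by_month(incidents):
    """Trend Report 1: confirmed incidents per category, bucketed by the month they were opened."""
    out = defaultdict(Counter)
    for inc in true_positives(incidents):
        out[inc["opened"][:7]][inc["category"]] += 1
    return {month: dict(c) for month, c in out.items()}

def root_cause_counts(incidents):
    """Trend Report 2: root causes ranked by frequency; the top entries are the systemic ones."""
    return Counter(i["root_cause"] for i in true_positives(incidents)).most_common()

def recurring_incidents(incidents, min_occurrences=2):
    """Trend Report 3: dedup keys seen at least min_occurrences times (playbook candidates)."""
    counts = Counter(i["key"] for i in true_positives(incidents))
    return {k: n for k, n in counts.items() if n >= min_occurrences}

def mttr_hours_by_category(incidents):
    """Trend Report 4: mean open-to-close time in hours, per incident category."""
    hours, n = defaultdict(float), Counter()
    for inc in true_positives(incidents):
        delta = datetime.fromisoformat(inc["closed"]) - datetime.fromisoformat(inc["opened"])
        hours[inc["category"]] += delta.total_seconds() / 3600
        n[inc["category"]] += 1
    return {cat: round(hours[cat] / n[cat], 2) for cat in n}

def false_positive_rate_by_source(incidents):
    """Trend Report 5: fraction of each source's alerts that were closed as false positives."""
    total, fp = Counter(), Counter()
    for inc in incidents:
        total[inc["source"]] += 1
        fp[inc["source"]] += not inc["true_positive"]  # bool adds as 0 or 1
    return {src: round(fp[src] / total[src], 2) for src in total}
```

Re-running these functions over each reporting period and keeping the results gives the time series the article describes; a source whose false-positive rate stays near 1.0 after a rule change is the "does the issue lie elsewhere?" case.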
These are just a few of the many ways you can use trend reporting to improve your cybersecurity. To learn more about how D3’s reporting features fit into its comprehensive security operations solution, schedule a one-on-one demo with one of our product experts today.