Amid the increase in the volume and sophistication of cyber-attacks and the deepening cybersecurity skills shortage, many enterprises are turning to managed security service providers (MSSPs) for access to state-of-the-art Security Operations Centres (SOCs) and the cybersecurity expertise they lack in-house.
In principle, a SOC provides a holistic view of all security-related information and is equipped with the tools, expertise and methodologies to detect and respond to cyber threats effectively. In practice, an enterprise needs relevant and actionable key performance indicators (KPIs) to verify that the SOC is actually delivering on these promises.
A good starting point in developing these KPIs is to identify and prioritise the organisation's security operations goals, and then to define indicators that measure how well each goal is being met. Some examples of cybersecurity KPIs include:
It is important to track the number of reported security incidents and to classify them, distinguishing major incidents that could have a large financial impact on the organisation from minor ones that may be the reconnaissance preamble to a full-fledged attack. The trend matters as much as the count: a rise may reflect more attacks, or simply better detection coverage, so the figure should be read together with the SOC's detection coverage before action is taken to improve the organisation's cybersecurity profile.
A SOC should be able to identify and report the number of systems with known, unpatched vulnerabilities, and to drive the patching and update process so that those vulnerabilities are closed before threat actors exploit them. Tracking the time taken to patch, and not just the count of vulnerable systems, shows whether the backlog is actually shrinking.
Time is of the essence when dealing with a cybersecurity threat. Many advanced persistent threats operate stealthily and may remain hidden within the enterprise network for months while carrying out malicious activity, so it is important to monitor the Mean Time to Detect (MTTD) and the Mean Time to Respond (MTTR) and to work on driving both down, minimising the fallout from a breach. Because a single long-dwell intrusion can dominate an average, the median or a percentile should be reported alongside the mean.
The longer a former employee’s credentials remain active, the higher the risk of information being leaked and systems being compromised, especially if the employee left on bad terms. Measuring the time between an employee’s departure and the revocation of their access gauges how closely IT works with the human resources department to ensure that access rights are cancelled immediately.
“Super users” are a prime target for attackers because their credentials are, so to speak, the keys to the kingdom. It is therefore important to track and manage the number of accounts with administrative rights, and to remove those rights wherever they are not genuinely required.
Over the course of a project, enterprises often grant vendors or business partners access to their systems and networks. Such access should be reviewed regularly: who has been granted it, at what level of privilege, and whether critical enterprise systems are involved, so that access no longer needed is revoked. An up-to-date record of third-party access also speeds up mitigation if a partner’s systems are compromised, because the enterprise immediately knows which of its own systems are exposed.
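As an added illustration, not part of the original article, the following Python computes several of the KPIs above from constructed records: incident counts by severity, MTTD and MTTR with the median reported alongside the mean, the deprovisioning lag for departed employees, the number of enabled administrative accounts, and partner access grants that are past their agreed expiry. The record layouts, field names, dates and usernames are all assumptions made for the example; a real SOC would pull these from its ticketing system, directory and HR feed.

```python
"""SOC KPI calculations over constructed sample records.

Added example, not code from the original article. All record formats
(field names, severities, the HR leaver feed, the third-party grants)
are assumptions made for illustration.
"""
from datetime import date, datetime
from statistics import mean, median

# Constructed incident records (UTC, ISO 8601). "began" is the first known
# malicious activity, "detected" when the SOC raised the incident and
# "contained" when the threat was neutralised. INC-5 models a long-dwell
# intrusion of the kind the article warns about.
INCIDENTS = [
    {"id": "INC-1", "severity": "low", "began": "2024-03-01T08:00:00",
     "detected": "2024-03-01T08:20:00", "contained": "2024-03-01T10:00:00"},
    {"id": "INC-2", "severity": "low", "began": "2024-03-02T12:00:00",
     "detected": "2024-03-02T12:30:00", "contained": "2024-03-02T14:30:00"},
    {"id": "INC-3", "severity": "medium", "began": "2024-03-05T09:00:00",
     "detected": "2024-03-05T09:45:00", "contained": "2024-03-05T13:45:00"},
    {"id": "INC-4", "severity": "medium", "began": "2024-03-10T22:00:00",
     "detected": "2024-03-10T23:00:00", "contained": "2024-03-11T01:00:00"},
    {"id": "INC-5", "severity": "critical", "began": "2023-12-01T00:00:00",
     "detected": "2024-03-15T00:00:00", "contained": "2024-03-20T00:00:00"},
]

# Constructed directory export: account state plus whether it holds admin rights.
ACCOUNTS = {
    "alice": {"enabled": False, "disabled_on": "2024-03-01", "admin": False},
    "bob":   {"enabled": True,  "disabled_on": None,         "admin": True},
    "carol": {"enabled": True,  "disabled_on": None,         "admin": True},
    "dave":  {"enabled": True,  "disabled_on": None,         "admin": False},
}

# Constructed HR leaver feed: who left and on what date.
LEAVERS = [{"user": "alice", "left": "2024-03-01"},
           {"user": "bob", "left": "2024-03-10"}]

# Constructed third-party access grants, each with an agreed expiry date.
THIRD_PARTY_GRANTS = [
    {"partner": "vendor-x", "system": "erp", "expires": "2024-02-28"},
    {"partner": "vendor-y", "system": "wiki", "expires": "2024-06-30"},
]


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def incident_counts(incidents):
    """KPI: number of incidents, broken down by severity."""
    counts = {}
    for inc in incidents:
        counts[inc["severity"]] = counts.get(inc["severity"], 0) + 1
    return counts


def detection_response_times(incidents):
    """KPI: MTTD (began -> detected) and MTTR (detected -> contained), in hours.

    The median is returned next to the mean because one long-dwell intrusion
    dominates the mean and hides how quickly typical incidents are handled.
    """
    ttd = [_hours(i["began"], i["detected"]) for i in incidents]
    ttr = [_hours(i["detected"], i["contained"]) for i in incidents]
    return {"mttd_mean": mean(ttd), "mttd_median": median(ttd),
            "mttr_mean": mean(ttr), "mttr_median": median(ttr)}


def leaver_deprovisioning(leavers, accounts, as_of: str):
    """KPI: per leaver, days the account stayed active after departure.

    Accounts still enabled are measured up to `as_of` and flagged as orphaned.
    """
    today = date.fromisoformat(as_of)
    results = {}
    for leaver in leavers:
        acct = accounts[leaver["user"]]
        left = date.fromisoformat(leaver["left"])
        end = today if acct["enabled"] else date.fromisoformat(acct["disabled_on"])
        results[leaver["user"]] = {"days_active_after_leaving": (end - left).days,
                                   "orphaned": acct["enabled"]}
    return results


def privileged_accounts(accounts):
    """KPI: enabled accounts that hold administrator rights."""
    return sorted(u for u, a in accounts.items() if a["enabled"] and a["admin"])


def expired_third_party_access(grants, as_of: str):
    """KPI: partner access grants that are past their agreed expiry but still exist."""
    today = date.fromisoformat(as_of)
    return [g for g in grants if date.fromisoformat(g["expires"]) < today]


if __name__ == "__main__":
    today = "2024-03-20"
    print(incident_counts(INCIDENTS))
    print({k: round(v, 2) for k, v in detection_response_times(INCIDENTS).items()})
    print(leaver_deprovisioning(LEAVERS, ACCOUNTS, today))
    print(privileged_accounts(ACCOUNTS))
    print(expired_third_party_access(THIRD_PARTY_GRANTS, today))
```

On the constructed data the mean time to detect is over 500 hours while the median is 45 minutes: the single long-dwell intrusion accounts for almost all of the mean, which is why a SOC report that shows only averages can hide both how well routine incidents are handled and how badly one intrusion went. The same run shows an account that has stayed enabled for ten days after its owner left, two enabled administrator accounts and one partner grant that should have lapsed, each of which is a KPI a SOC should be reporting to the enterprise.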
While these are some of the more important indicators, the KPIs for a SOC will vary with the needs and priorities of the enterprise. Even organisations without a SOC benefit from setting KPIs for their internal security plans as they scale their security infrastructure or outsource operations to a managed security services provider.
As the cybersecurity landscape evolves, KPIs must evolve with it to remain relevant. Ultimately, the indicators have to provide information that is relevant and actionable, so that the enterprise can put in place the right measures to strengthen its overall security posture.