Metrics, metrics, everywhere and not a lot of thinking

Someone sent me a personal e-mail asking for guidance on metrics, so I thought I would replicate that here publicly.

Also, Carson Zimmerman will keynote at the SOC Summit in New Orleans in August, 2018 with a talk specifically on metrics. Hopefully you can make it to that event. If you can't make it, you can check out that talk afterward via video.

When starting out, I'd pick 3-5 reported metrics and a couple of service level objectives to start. Too many metrics results in diminished clarity on if you're meeting the objectives of the organization.

Metric

. Time to detection

. Method of Detection

. Time to initiate Response

.  Root cause analysis: Level 1,2,3. 

1 is a measure was available, but wasn't applied

2 is a measure was available, we chose through risk acceptance not to apply and it allowed issue to occur

3 is "zero day" - no measure was available

Service Level Objectives

. Initial notification within 1 hour to system owners of affected systems

. Eradication results in final closure, no need to reopen 100% of time

Online resource, look at Veris, which is the data schema behind the Verizon DBIR:

http://veriscommunity.net/incident-track.html

Look at Pescatore's "briefing the board" info:

https://www.sans.org/summit-archives/file/summit-archive-1496685631.pdf

https://www.sans.org/webcasts/influencing-effectively-communicating-ceos-boards-directors-103927

For a book to read on metrics, the standard reference is Joqaith's Security Metrics:

https://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989

Also look at the Hubbard / Siersen  "how to measure risk" book. Rich gave a talk last year at the SOC summit, but I don't see the talk posted. 

https://www.sans.org/summit-archives/cyber-defense