Key Performance Metrics
Wiki > Key Performance Metrics
| KPI | Metric Category | KPI Definition/Reasons for measurement. | Board | Executive Management | Middle Management | Operational Management | |
| Source of Incidents Created | Security Incidents | Defines the sources of incident detection or reporting e.g Phone, DNS, Proxy and DHCP | |||||
| Time Duration between Event Detected and Incident Record Created | Security Incidents | Time between when the event was detected in SIEM and when the Incident record was created | |||||
| Time Duration between Incident Acknowledgement and Incident Containment | Security Incidents | The time between Incident Acknowledgement and its containment. | |||||
| Time duration between event detected and incident contained | Security Incidents | This is the overall circle from Event detection to Incident Containment. Incident Resolution Time. Average time for resolving an incident grouped into categories | |||||
| Incident False Positive % | Security Incidents | Displays the percentage of incidents recorded that were identified as False Positives later on | |||||
| Incident % handled purely at L1 | Security Incidents | The percentage of incidents handled at L1. It could be said to be First Time Resolution Rate. Costs is low if this is sorted at L1 level. Target for this metric is usually >= 80%. | |||||
| Incident % Escalated from L1 to L2 | Security Incidents | The percentage of incidents escalated from L1 to L2 within the SOC distributed by week. | |||||
| Incident % Escalated from L2 to L3 | Security Incidents | The percentage of incidents escalated from L2 to L3 within the SOC distributed by week. | |||||
| Incidents Created & Closed | Security Incidents | Counts of Incidents Created & Closed over time (typically per week) | |||||
| Incident Status Count | Security Incidents | Total Incident Count by Status. It is the Incident Count based on following Status: New, Assigned, In Progress, Escalated, Returned to Level 1, Remediation Requested, Remediation in Progress, Remediation in Completed, Resolved. | |||||
| Incident Count by Subsidiary | Security Incidents | Distribution of Incidents laid out by subsidiary on weekly basis. | |||||
| No. of Total Investigation by Subsidiary | Security Incidents | No. of Total Investigation by subsidiary | |||||
| No. of Total Breaches by Subsidiary | Security Incidents | No. of Total Breaches by subsidiary | |||||
| Number of Breaches by Status | Security Incidents | Number of Breaches by Status | |||||
| Number of Breaches by Time | Security Incidents | Number of Breaches by Time | |||||
| Number of Incidents by Time | Security Incidents | Number of Incidents by Time | |||||
| Number of Investigations by Time | Security Incidents | Number of Investigations by Time | |||||
| Incident count by source operating system | Security Incidents | Incident count by source operating system | |||||
| Number of Incidents by Priority | Security Incidents | Number of Incidents by Priority: P1, P2, P3 and P4. Gives a snapshot of where we are at per time | |||||
| Number of Investigations by Priority | Security Incidents | Number of Incident Investigations by Priority: P1, P2, P3 and P4. Gives us a count of Incidents found versus Incidents being investigated | |||||
| Incidents by Confirmation | Security Incidents | Incidents by Confirmation: Confirmed, Suspected and False Positive | |||||
| Number of Incidents by Status | Security Incidents | Number of Incidents by Status | |||||
| Number of Investigations by Status | Security Incidents | Number of Investigations by Status | |||||
| New Incidents by Week | Weekly Security Trends | New Incidents by Week. Gives a count of New Incidents by week for comparison on how many we get over time | |||||
| Incident Trend by Status – Weekly | Weekly Security Trends | Weekly Incident Trend by Status: New, Assigned, In Progress, Escalated, Returned to Level 1, Remediation Requested, Remediation in Progress, Remediation in Completed, Resolved. Gives a summary of Incidents by Status for weekly comparisons | |||||
| Incident Trend by Priority – Weekly | Weekly Security Trends | Weekly Incident Trend by Priority: P1, P2, P3 and P4 | |||||
| Weekly Average time to escalate | Weekly Security Trends | Weekly Average time to escalate incidents | |||||
| Weekly Average time to close | Weekly Security Trends | Weekly Average time to close incidents | |||||
| Weekly trend of false positives | Weekly Security Trends | Weekly trend of false positives | |||||
| Lessons learned • most valuable mistake • conversion rate | Weekly Security Trends | Lessons learned • most valuable mistake • conversion rate | |||||
| Intelligence types • value by volume • value by severity | Weekly Security Trends | Intelligence types • value by volume • value by severity | |||||
| Count of Use Case usage (how often each use case is executed) | Accuracy of Rules | Count of Use Case usage (how often each use case is executed) | |||||
| Use Case kills | Accuracy of Rules | Use Case kills | |||||
| Use Case false positives | Accuracy of Rules | Use Case false positives | |||||
| Control Efficacy | Accuracy of Rules | The efficacy of the detection based on the invocation of the Content rules. Display top 10 content rules triggered for the Subsidiary – few samples below: ■ Resulting Alert Classification ■ Resulting Alert Category ■ Assets targeted | |||||
| Incidents distribution by Threat Category • Social: Phishing • Malware: Unknown • Malware: C2 • Hacking: Footprinting • Hacking: Brute force • Hacking: Abuse of Functionality | Threat Metrics | Insights into the subsidiary incident profile for the last week/month distributed by the assigned Incident Categories (Malware, C2, etc.) including incident prioritization (P1, P2, etc.) | |||||
| Incidents by Attack Vector | Threat Metrics | Incidents by Attack Vector | |||||
| Incidents by Target types | Threat Metrics | Incidents by Target types | |||||
| Attacker objective | Threat Metrics | Attacker objective | |||||
| Tactics, Tech. & Procedures | Threat Metrics | Tactics, Tech. & Procedures | |||||
| Incidents by Business | Business & Breach Metrics | Incidents by Business | |||||
| Incidents by Facility | Business & Breach Metrics | Incidents by Facility | |||||
| Incidents by Asset Criticality | Business & Breach Metrics | Incidents by Asset Criticality | |||||
| Incidents by Business Impact | Business & Breach Metrics | Incidents by Business Impact | |||||
| Breach by Business Impact | Business & Breach Metrics | Breach by Business Impact | |||||
| Breach Notification Status | Business & Breach Metrics | Breach Notification Status | |||||
| Breach Task Status | Business & Breach Metrics | Breach Task Status | |||||
| Types of Data Breached | Business & Breach Metrics | Types of Data Breached | |||||
| Actors: Origin | VERIS Based | Defines the geographic distribution of the attack/incident e.g. China, Russia etc | |||||
| Actors: Motive (is this measurable?) | VERIS Based | Defines the motive behind the attack/Incident e.g. Fun, Fear, Grudge etc. | |||||
| Actions: Vector | VERIS Based | Defines the vector of the attack/incident as per the VERIS classification e.g. Email, IM, Direct Install, Remote Injection etc. | |||||
| Actions: Malware | VERIS Based | Defines the distribution of the variety of malware used as per the VERIS classification of the incident e.g. RAT, Dropper, DoS, adware etc. | |||||
| Actions: Hacking | VERIS Based | Defines the distribution of the type of hacking attack used as per the VERIS classification e.g. LDAP, XSS, Cache etc. | |||||
| Asset: Management | VERIS Based | Defines the distribution of the asset management (asset managed by which part of the business or a third party) as per the VERIS classification of the incident. | |||||
| Attributes (Variety) | VERIS Based | Defines the distribution of the incidents by the platform per the VERIS classification e.g. Iphone, Win7, Win2008 etc. | |||||
| Kill Chain | VERIS Based | Attack penetration by Cyber Kill Chain (delivery, exploit, install, C2, Exfil). A kill chain is a systematic process to target and engage an adversary to create desired effects. It Basically tells us at what stage we capture an attack. The stages are: Recon>Weaponization>Delivery>Exploitation>Installation>Command & Control (C2)>Actions on Objectives | |||||
| Incident Queue by Analyst ID | Analyst Workload | Insight into the workload of Analysts to help SOC capacity planning. E.g. Incidents handled by all L1/L2 Analysts | |||||
| Incident Queue by All Analysts | Analyst Workload | Incidents handled by All Analysts based on Incident Status: New, Assigned, In Progress, Escalated, Returned to Level 1, Remediation Requested, Remediation in Progress, Remediation in Completed, Resolved. | |||||
| Analyst incident Count sent back | Analyst Workload | Analyst incident Count sent back | |||||
| Overhead costs per analyst and incident | Analyst Workload | Overhead costs per analyst and incident | |||||
| Average Time to Acknowledge | Triage | Depicts the average time to acknowledge a task in one hour intervals over the previous 24 hour reporting period with incident priority categorization. | |||||
| Average Time to Close | Triage | Depicts the average time to close a task in one hour intervals over the previous 24 hour reporting period with incident priority categorization. | |||||
| Closure Rate | Triage | Depicts the task closure rate in one hour intervals over the previous 24 hour period with incident priority categorization. | |||||
| Incident Rate | Triage | Depicts the incident rate in one hour intervals over the previous 24 hour reporting period with incident priority categorization. | |||||
| Last Modified Tasks | Triage | Depicts the most recently modified task entries with incident priority categorization. | |||||
| Longest Open Tasks | Triage | Depicts the tasks that have been open for the longest amount of time with incident priority categorization. | |||||
| Longest Unacknowledged Tasks | Triage | Depicts the tasks that have been unacknowledged for the longest amount of time with incident priority categorization. | |||||
| Open Tasks by Owner | Triage | Depicts the number of open tasks for each unique owner contained in the Task Triage database with incident priority categorization. | |||||
| Open Tasks by Priority | Triage | Depicts the percentage of open tasks by priority level with incident priority categorization. | |||||
| Tasks by Priority and Owner | Triage | Depicts the number of open items by priority for a specified user with incident priority categorization. | |||||
| Top 10 Source Addresses of Alarms | Incidents (Correlated Sources) | Displays the top 10 source addresses of intrusion detection alarms. | |||||
| Top 10 Alarms | Incidents (Correlated Sources) | Displays the top 10 alarms by signature ID that have been generated. | |||||
| Top 10 Destinations of Alarms | Incidents (Correlated Sources) | Displays the top 10 destination IP addresses that have been targeted for attack. | |||||
| Top 10 Requested URL/FTP Destinations | Incidents (Correlated Sources) | Displays the top 10 URL or FTP destinations requested by internal users. | |||||
| Top 20 Bandwidth Ports | Incidents (Correlated Sources) | Displays the 20 ports with the most bandwidth usage. | |||||
| Top 20 Bandwidth Users | Incidents (Correlated Sources) | Displays the top 20 bandwidth users. | |||||
| Top 20 Connections by Address | Incidents (Correlated Sources) | Displays the top 20 users of connections. | |||||
| Top 20 Connections by Port | Incidents (Correlated Sources) | Displays the 20 ports with the most connections. | |||||
| Top 20 Denied Inbound by Address | Incidents (Correlated Sources) | Displays the top 20 foreign addresses that were denied inbound access. | |||||
| Top 20 Denied Inbound by Port | Incidents (Correlated Sources) | Displays the 20 ports with the most denied connections. | |||||
| Top 20 Denied Outbound by Address | Incidents (Correlated Sources) | Displays the top 20 local addresses that were denied outbound access. | |||||
| Return-on-Investment | Future Metrics | This will be valid when the operational metrics are tied back to the Risk Profile and Business Impact Analysis provided by RSA Archer SecOps. It can help quantify how much potential cost saving has been made for both time and monetary terms due to mitigated incidents and/or timely response. | |||||
| Compliance Posture | Future Metrics | RSA Archer SecOps can be capitalized to measure and report against the mandatory compliance requirements, however this will require further analysis and a wider stakeholder discussions to measure its viability and implementation. | |||||
| Vulnerability Profile | Future Metrics | Vulnerability profile can be reported against as the corresponding details are gradually shared by the subsidiary. Common reporting areas are: | |||||
| Vulnerability Profile: Least Recently Scanned | Future Metrics | Lists assets in order of the longest duration since last scan. | |||||
| Vulnerability Profile: Most Vulnerable Assets by Business Rating | Future Metrics | Lists the assets in order of business rating and the aggregate vulnerability severity score. | |||||
| Vulnerability Profile: Most Vulnerable Assets by Count | Future Metrics | Lists the assets in order of the number of vulnerabilities associated with an asset. | |||||
| Vulnerability Profile: Most Vulnerable Assets by Severity | Future Metrics | Lists the assets in order of the aggregate vulnerability severity score. | |||||
| Vulnerability Profile: Vulnerability by Severities | Future Metrics | Depicts the detected vulnerabilities as a percentage of the total organized by severity value. | |||||
| Number of implemented Preventive Measures/Rules | ITIL KPIs Information Security Management | Number of preventive security measures which were implemented in response to identified security threats | |||||
| Implementation Duration | ITIL KPIs Information Security Management | Duration from the identification of a security threat to the implementation of a suitable counter measure | |||||
| Number of major Security Incidents | ITIL KPIs Information Security Management | Number of identified security incidents, classified by severity category | |||||
| Number of Security-related Service Downtimes | ITIL KPIs Information Security Management | Number of security incidents causing service interruption or reduced availability | |||||
| Number of Security Tests | ITIL KPIs Information Security Management | Number of security tests and trainings carried out | |||||
| Number of identified Shortcomings during Security Tests | ITIL KPIs Information Security Management | Number of identified shortcomings in security mechanisms which were identified during tests | |||||
| Total Number of RFCs raised | ITIL KPIs Change Management | Number of major changes assessed by the CAB (Change Advisory Board) | |||||
| Percentage for each Change Category | ITIL KPIs Change Management | Shows Routine, Standard, Expedited and Emergency change percentages | |||||
| Number of successful changes | ITIL KPIs Change Management | Number of successful changes | |||||
| Number of changes backed out | ITIL KPIs Change Management | Number of changes backed out | |||||
| Number of failed changes | ITIL KPIs Change Management | Number of failed changes | |||||
| Number of CAB Meetings | ITIL KPIs Change Management | Number of CAB (Change Advisory Board) meetings | |||||
| Time for Change Approval/ Rejection | ITIL KPIs Change Management | Average time from registering an RFC with Change Management until a decision on the RFC is reached (i.e. until it is either approved or rejected) | |||||
| Change Acceptance Rate | ITIL KPIs Change Management | Number of accepted vs. rejected RFCs | |||||
| Number of Emergency Changes | ITIL KPIs Change Management | Number of Emergency Changes assessed by the ECAB (Emergency Change Advisory Board) | |||||
| Number of Problems | ITIL KPIs Problem Management | Number of Problems registered by Problem Management grouped into categories | |||||
| Problem Resolution Time | ITIL KPIs Problem Management | Average time for resolving Problems grouped into categories | |||||
| Number of unresolved Problem | ITIL KPIs Problem Management | Number of Problems where the underlying root cause is not known at a particular time | |||||
| Number of Incidents per Known Problem | ITIL KPIs Problem Management | Number of reported Incidents linked to the same Problem after problem identification | |||||
| Time until Problem Identification | ITIL KPIs Problem Management | Average time between first occurance of an Incident and identification of the underlying root cause | |||||
| Problem Resolution Effort | ITIL KPIs Problem Management | Average work effort for resolving Problems grouped into categories |
Category: Reporting Templates