How to use KPIs effectively in Security Operations Center?

Importance of Smart KPIs in Security Operations Center (SOC)

It is quite a common question- What is the benefit that we offer in return for the investment that has been made? Smart KPIs can only provide the best answer to our existence and path the way forward; let me share my experience on how KPIs have helped me.

Measure Up: Security Operations Center (SOC) effectiveness is an operational parameter to quantify the performance of an SOC team.

SOC Functions can be drawn up based on incident detection, triaging, diagnosis, incident isolation & management, tool/technology administration, use case/policy configuration, vendor management, escalations to next levels, closure of events and persistent threat investigation, and threat intel and hunting.

These functions are performed by a team of security analysts, security leads, incident managers, and delivery managers in a collaborative delivery framework to provide a seamless service to every customer. The success of SOC services depends on how well a customer’s security requirements are understood.

From my experience of handling an SOC, the KPI of SOC should have the following dimensions:

• Measure basic hygiene factors
• Measure the effectiveness of an SOC
• Measure response effectiveness and extent of automation.

Where do we need to start?

First, we need to understand the scope, tools used, interactions involved, and levels managed.

Here is an example of a KPI that ensures basic hygiene of the environment that is being monitored. 

While hygiene is a good starting point, the next stage is to have a KPI that provides insight into the detection capability of our platforms and its effectiveness. The next question is- How to bring in Context to the SOC operations?

The third dimension of KPI allows us to measure the response capability and the automation that we want to bring to the SOC.

From a managed security service provider perspective, value is seen by a customer when the SOC services are effectively protecting his environment from insider/external cyber threats while the core business functions seamlessly. Towards this, KPIs serve as a lever to measure the SOC effectiveness objectively to provide an executive dashboard to assimilate visually.

Conclusion:

In effect, the KPI should embody not only a contractual requirement but the spirit of our service to bring continuous value to the customer. Such effectiveness when measured periodically (monthly), can motivate the team of analysts to imbibe the FB, improve the processes and hence, improve the benchmarks continuously. SOC is all about reducing risk to business operations. KPI is one heck of a way of achieving this.