In the last few weeks I have been hearing more and more prospects and customers ask about our response service-level agreement (SLA), and, to be honest, it’s great and about time! Security operators, incident responders, or security analysts should all have an easy way to evaluate their work. And what’s better than well-defined key performance indicators (KPIs)?
When we meet prospects, some of the things we ask them are "What’s your mean time to detect?", "What’s your mean time to investigate?", and "What’s your mean time to respond and mean time to repair?", and the most common response is: “What? We don't formally track our time … we think it's X minutes/hours.”
The next question we would usually ask is, "So how do you know that you are doing a good job?", "How do you know that you are improving/progressing from time to time?"
Answers we would get to these questions are:
Usually, the last question would be, "Have you heard about the "golden hour"?". The answer was usually “Yes”.
In case you’re not familiar with the term, “golden hour” originated from hospitals. From Wikipedia: "The golden hour, also known as golden time, refers to the period of time following a traumatic injury during which there is the highest likelihood that prompt medical and surgical treatment will prevent death". The term was used in the early 2010s to express how important it is to respond to/repair a cybersecurity threat in the first hour.
Fast forward to today's world: the term “golden hour” was deemed a buzzword and vendors have stopped using it. The concept was not lost, though; it’s just called something else. Nothing really changed, based on our perception, and it should. I think we should learn from our past, so we can progress: although the concept of the golden hour is great for medicine, it’s time to re-evaluate how it’s used in cybersecurity
In some of the attacks we’ve seen in the last few years (WannaCry, Petya, Bad Rabbit, etc.), the "golden hour" concept just doesn't hold. On top of malware threats that spread quickly, we have seen more and more attackers using automation (we provide some examples in this blog).
We should go back to basics: we need to do our best to prevent attacks from happening in the first place. And just because it's fun I’ll now provide you with one analogy from the software development world:
Figure 1 Source: https://deepsource.io Link
I'm sure you get the point (shift-left). ;)
If you really like to secure your organization, I would recommend the following (divided into three categories)
One last recommendation is to define a set of KPIs and to monitor your efficiency and progress. You can start with the following:
I hope you found this blog interesting and worth your time. Use the comments to give feedback and share your thoughts on KPIs that you use in your organization. (Hint: We might have another blog in the oven on the "Top six security KPIs organizations should track".)
Examples of attackers using automation. https://blog.radware.com/security/botnets/2019/01/attackers-are-leveraging-automation/
https://www.securityweek.com/how-machine-learning-will-help-attackers
https://www.bankinfosecurity.com/lazy-hacking-attack-automation-continues-to-increase-a-11152
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.