Retired colonel and ReliaQuest CISO John Burger frequently says, “If you’re not measuring, you’re not operating.” You need to measure to understand and improve security operations. Metrics allow you to report on security program outcomes, benchmark against your peers and industry, and identify next steps to mature your security operations program. This blog provides three actionable steps for security teams to achieve desired metric outcomes efficiently, without significant time or resource investment.

1. What to Do If Your MTTR Is Flat or Rising

One of the most frequently cited and most useful cybersecurity metrics is mean time to resolve (MTTR). MTTR assesses how well a security operations team responds to incidents. A downward slope on the MTTR trendline indicates that your threat response is improving, and threat dwell time is shrinking.

It is worth noting that MTTR can have different definitions across the industry. ReliaQuest defines MTTR as the time to resolve an incident, measured from the start of an incident to the time a customer closes it. Others in the industry, however, may define MTTR as the time to respond, measured from the initial incident to when a customer is notified of its escalation, even if the issue is not yet resolved. Comparing MTTR across the industry can be problematic given varying definitions.

Actions to Improve MTTR

A consistently prompt response to threats is a team effort. Discussing among your team and with your provider may uncover process changes that can improve communications and accelerate response. One tool ReliaQuest customers have used to improve those communications is a security operations mobile app that allows you to take action on the go – quickly evaluating an alert, closing out common alerts, and knowing when you need to crack open a laptop to do some deeper analysis. Many ReliaQuest customers find value in using the GreyMatter Mobile App, which was launched in May 2023. The top 20 GreyMatter Mobile App adopters have seen an average decline of 36% in MTTR once they start using the app.    


GreyMatter Mobile App

Figure 1: GreyMatter Mobile App  

2. If Automation and Playbook Utilization Is Low

Automation across threat detection, investigation, and response workflows can act as a force multiplier for security teams. Automating repetitive work enables your team to overcome “high-time, low-brain” activities and focus on more important projects or priorities. While automation can be applied throughout the detection, investigation, and response (DIR) lifecycle, it is particularly impactful in threat response.

Action to Impact Playbook Utilization

A quick action your team can take is to locate high-fidelity alerts and automate response. Automating response actions provides several benefits:

  • Improved threat response
  • Reduced threat dwell time
  • Less repetitive work
  • Reduced errors that can crop up in manual response (no fat fingering).

When you can consistently identify true-positive alerts, it presents the opportunity to automate response actions. Based on an alert trigger, your security operations platform can usually take automated action through your existing tools, such as EDR, network security, identity (IAM/SSO), and email security tools. While there are many use cases suitable for automation, one that frequently generates high-fidelity alerts is phishing. Based on a phishing alert, you can take actions to mitigate the threat, such as block an email address or domain, ban a hash, reset a password, and so forth (see Figure 2). The result is that you automatically prevent additional users from visiting a phishing site, disallow additional emails from the same source, and revoke any compromised credentials.

Figure 2: GreyMatter Automated Response Plays for Phishing image

Figure 2: GreyMatter Automated Response Plays for Phishing 

3. If You Are Uncertain About Your Detection Coverage

Having comprehensive visibility across an attack surface is an essential element for maintaining a strong cybersecurity posture. Visibility empowers organizations to detect, mitigate, and respond to threats effectively and efficiently. You can’t monitor what you can’t see, and you can’t detect threats that slip through protective layers without adequate visibility.

To enhance visibility across the cybersecurity attack surface, organizations can leverage this framework to identify potential vulnerabilities in their environment. This comprehensive view of the organization’s security posture allows for prioritizing security measures, mitigating risks, and proactively addressing blind spots in their systems.

Aligning business risks with MITRE tactics, techniques, and procedures (TTPs) helps organizations understand their posture relative to those risks (see Figure 3). For example, ransomware might be a top risk for the business given the cost of remediation and regulatory fines. Measuring the coverage of those MITRE TTPs would clearly identify opportunities to reduce risk.

Action to Improve Threat Detection Coverage

Evaluate your significant visibility gaps using MITRE ATT&CK coverage mapping and examine how to fill those gaps. For example, if you have significant gaps in coverage for techniques related to Initial Access, you need to expand your detections, and possibly your logging, as it relates to authentication activity. However, there may be a cost-benefit tradeoff that you will need to consider: Detection coverage is only as good as the visibility you have to support those detections. Increased visibility can require more logging and data ingestion, and data ingestion may come with a cost. 


Figure 3: GreyMatter Security Model Index summary of MITRE ATT&CK Coverage image

Figure 3: GreyMatter Security Model Index summary of MITRE ATT&CK Coverage 


Metrics can provide valuable insights, enabling security leaders to make data-driven decisions, prioritize actions, and drive continuous improvement. This blog highlighted three pieces of “low-hanging fruit” that you can immediately pluck to make a quick impact. Your environment is unique, and your “low-hanging fruit” may be different. Taking these actions can get you on your way towards improving your security operations maturity and aligning metric trendlines in the right direction.

Learn More

No matter where you are in your security operations journey, ReliaQuest can help guide you in the right direction. To learn about how GreyMatter and metrics available in the GreyMatter Security Model Index can help you overcome security challenges and improve performance, reach out to schedule a demo.