
5 Trend Reports Every SOC Should Track

By Walker Banerd • Incident-Response, Industry-Specialization, Security-Orchestration-Automation-Response

By tracking specific metrics over time, trend reporting can establish a historical view of threats encountered, quantify SOC performance, and support smarter, more agile, and more data-driven incident response.

Analyzing these reports can act as an early warning system to help identify threats and bottlenecks before they become, or exacerbate, a major incident. Trend reports also make it easier to validate claims about threats and make the case for investments in new tools or processes. Having a strong set of trend reports will result in a more complete understanding of the problems your SOC is facing.

While virtually any metric can be tracked over time to produce a trend report, in this article we’ve identified five that will be beneficial for SOCs of any industry and level of operational maturity.

Trend Report 1: Incident Categories
Why it’s important: Tracking the levels of different incident categories gives a SOC manager a baseline knowledge of the types of incidents managed by the SOC, and therefore what security processes should be highest priority.

It also gives the security team the ability to correlate changes in detected incident types with other changes in the organization. For example, has a new digitization project or the implementation of new detection tools led to an increase in the detection of certain incidents?

Trend Report 2: Root Causes
Why it’s important: When an incident occurs, you need to know what vulnerabilities were exploited, but also what deeper issues caused the vulnerabilities to begin with. For example, if a JBoss server wasn’t patched properly, why not? Was it a technology problem? Did the responsible individual not carry out, or validate, the work? Was there even a process in place for patching at all?

The same can be said for a non-compliance incident: finding out the root cause of a HIPAA violation is the best way to ensure it doesn’t happen again.

Tracking trends across the root causes of incidents helps you identify the issues that are systemic, not just one-off occurrences. With good trend data, incident responders can develop a roadmap for future prevention efforts based on remediating the underlying causes rather than the individual vulnerabilities they produce. Without the data to perform root cause analysis, security teams are just playing “whack-a-mole”—trying to stop incidents one-by-one as they pop up.

Trend Report 3: Recurring Incidents
Why it’s important: Tracking recurring incidents is a good way to assess your SOC’s effectiveness. A high number of recurring incidents is not a good sign, and suggests that root causes are being left unaddressed (as described in the previous section). Define “recurring” precisely before you count it, for example the same incident type on the same asset or user within a set window, so the number reflects unresolved causes rather than a category that is simply busy. Depending on its type, a recurring incident could also be a good candidate for an automated incident response process. Using past response actions and industry best practices as guides, you can use D3 to quickly create an automated playbook that will mimic the response actions of your best investigators.

Trend Report 4: Mean Time to Respond (MTTR)
Why it’s important: MTTR is one of the key metrics for any security team, especially when it can be broken out by incident category so that changes can be correlated precisely. Tracking MTTR over time gives you a clear picture of how adding automation, hiring new employees, or making other changes is affecting your response times. This data also lets you create benchmarks, goals, and alerts for when expectations aren’t being met. Two practical points: fix the start and end of the clock (for example, alert creation to containment) and apply them consistently, because a trend built from inconsistently timed incidents says nothing; and track the median alongside the mean, since a single long-running incident can move the mean enough to look like a regression when typical response times have not changed.
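As an added example (not code from the original article or from D3’s product), the following Python computes the per-category MTTR report described above from a constructed set of closed incidents, reports mean and median side by side, breaks one category out month by month, and flags categories that breach a hypothetical benchmark table. The incident records, category names and benchmark values are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample of closed incidents (not real SOC data). Each record
# carries the category, the time the alert was raised ("detected") and the
# time the incident was contained ("contained"); both timestamps are assumed
# to come from the ticketing system so every incident is measured the same way.
INCIDENTS = [
    {"id": "INC-1", "category": "phishing", "detected": "2019-01-03T09:00:00", "contained": "2019-01-03T09:45:00"},
    {"id": "INC-2", "category": "phishing", "detected": "2019-01-10T14:00:00", "contained": "2019-01-10T14:30:00"},
    {"id": "INC-3", "category": "phishing", "detected": "2019-02-04T08:00:00", "contained": "2019-02-04T08:20:00"},
    {"id": "INC-4", "category": "phishing", "detected": "2019-02-12T11:00:00", "contained": "2019-02-12T11:25:00"},
    {"id": "INC-5", "category": "malware",  "detected": "2019-01-07T10:00:00", "contained": "2019-01-07T12:00:00"},
    {"id": "INC-6", "category": "malware",  "detected": "2019-01-21T16:00:00", "contained": "2019-01-21T17:30:00"},
    # One incident that ran for a full day; it dominates the malware mean.
    {"id": "INC-7", "category": "malware",  "detected": "2019-02-05T09:00:00", "contained": "2019-02-06T09:00:00"},
    {"id": "INC-8", "category": "malware",  "detected": "2019-02-19T13:00:00", "contained": "2019-02-19T14:00:00"},
]


def minutes_to_contain(incident):
    """Response time in minutes: detection timestamp to containment timestamp."""
    start = datetime.fromisoformat(incident["detected"])
    end = datetime.fromisoformat(incident["contained"])
    return (end - start).total_seconds() / 60


def mttr_by_category(incidents):
    """Mean and median response time per incident category."""
    samples = defaultdict(list)
    for inc in incidents:
        samples[inc["category"]].append(minutes_to_contain(inc))
    return {
        cat: {"count": len(v), "mean": mean(v), "median": median(v)}
        for cat, v in samples.items()
    }


def monthly_trend(incidents, category):
    """Month-by-month mean and median for one category, oldest month first."""
    samples = defaultdict(list)
    for inc in incidents:
        if inc["category"] == category:
            samples[inc["detected"][:7]].append(minutes_to_contain(inc))
    return {
        month: {"count": len(v), "mean": mean(v), "median": median(v)}
        for month, v in sorted(samples.items())
    }


def benchmark_breaches(incidents, targets, statistic="median"):
    """Categories whose chosen statistic exceeds the target (in minutes).

    targets is a hypothetical {category: max_minutes} benchmark table.
    """
    stats = mttr_by_category(incidents)
    return sorted(
        cat for cat, s in stats.items()
        if cat in targets and s[statistic] > targets[cat]
    )


if __name__ == "__main__":
    targets = {"phishing": 60, "malware": 120}  # hypothetical benchmarks
    for cat, s in mttr_by_category(INCIDENTS).items():
        print(f"{cat:9s} n={s['count']} mean={s['mean']:.1f} min  median={s['median']:.1f} min")
    for month, s in monthly_trend(INCIDENTS, "malware").items():
        print(f"malware {month}: mean={s['mean']:.1f}  median={s['median']:.1f}")
    print("breaches by mean:  ", benchmark_breaches(INCIDENTS, targets, "mean"))
    print("breaches by median:", benchmark_breaches(INCIDENTS, targets, "median"))
```

Run as a script, the malware category breaches its benchmark on the mean but not on the median: the single day-long incident accounts for the whole difference, which is exactly the case where an alert fired on the mean alone would send someone chasing a regression that typical response times do not show.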

Trend Report 5: Sources of False Positives
Why it’s important: False positives are one of the biggest time-wasters in most SOCs, so reducing them should be among any security manager’s top priorities. A SOC cannot run efficiently while its analysts spend much of their time closing alerts that turn out to be benign, which is why an incident response platform that reduces false positives matters. Widespread shortages of skilled security analysts and tightening budgets only increase the urgency of this task.

By tracking the source systems that generate your security alerts and recording which alerts are ultimately determined to be genuine incidents, you can create a picture of system accuracy over time. Compute the rate per source, and ideally per rule, over closed alerts only, so that alerts still under investigation don’t distort the denominator. This will give you the ability to see how well you are tuning your systems. For example, if your IDS is continually producing false positive alerts, does changing your detection rules result in a noticeable drop, or does the issue lie elsewhere?
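As an added example (not code from the original article or from D3’s product), here is the source-accuracy report described above in Python, run over a constructed alert log. Source names, rule names and analyst dispositions are placeholders; the log is built so that an IDS rule is tuned between January and February, while an identity source is left alone, which is the “did the rule change help, or is the problem elsewhere?” comparison the paragraph describes.

```python
from collections import Counter

# Constructed alert log (not real data): (month, source system, rule, analyst
# disposition). "tp" = confirmed incident, "fp" = false positive, "open" = not
# yet dispositioned. Source and rule names are placeholders.
ALERTS = (
    [("2019-01", "ids", "port-scan", "fp")] * 6
    + [("2019-01", "ids", "c2-beacon", "tp"), ("2019-01", "ids", "c2-beacon", "fp")]
    # February: the port-scan rule is assumed to have been tuned to ignore the
    # authorised vulnerability scanner, so its noise drops.
    + [("2019-02", "ids", "port-scan", "fp")]
    + [("2019-02", "ids", "c2-beacon", "tp")] * 2
    + [("2019-02", "ids", "c2-beacon", "fp"), ("2019-02", "ids", "c2-beacon", "open")]
    + [("2019-01", "edr", "ransomware-behaviour", "tp")] * 2
    + [("2019-01", "edr", "ransomware-behaviour", "fp")]
    + [("2019-02", "edr", "ransomware-behaviour", "tp"), ("2019-02", "edr", "ransomware-behaviour", "fp")]
    # The identity source was not tuned; its precision should stay flat.
    + [("2019-01", "iam", "impossible-travel", "tp")]
    + [("2019-01", "iam", "impossible-travel", "fp")] * 3
    + [("2019-02", "iam", "impossible-travel", "tp")]
    + [("2019-02", "iam", "impossible-travel", "fp")] * 3
)


def closed_alerts(alerts):
    """Only dispositioned alerts count; open ones would distort the denominator."""
    return [a for a in alerts if a[3] in ("tp", "fp")]


def precision_by_source(alerts):
    """Share of each source's closed alerts that were confirmed incidents."""
    totals, confirmed = Counter(), Counter()
    for _, source, _, verdict in closed_alerts(alerts):
        totals[source] += 1
        confirmed[source] += verdict == "tp"
    return {
        s: {"alerts": totals[s], "true_positives": confirmed[s], "precision": confirmed[s] / totals[s]}
        for s in totals
    }


def monthly_precision(alerts, source):
    """Precision of one source per month, oldest first: the trend line."""
    totals, confirmed = Counter(), Counter()
    for month, src, _, verdict in closed_alerts(alerts):
        if src == source:
            totals[month] += 1
            confirmed[month] += verdict == "tp"
    return {m: confirmed[m] / totals[m] for m in sorted(totals)}


def false_positive_rules(alerts, source, month=None):
    """Rules of one source ranked by false-positive count (optionally for one
    month), so tuning effort goes to the rule that actually generates the noise."""
    fps = Counter(
        rule for m, src, rule, verdict in alerts
        if src == source and verdict == "fp" and (month is None or m == month)
    )
    return sorted(fps.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for src, s in precision_by_source(ALERTS).items():
        print(f"{src}: {s['true_positives']}/{s['alerts']} confirmed, precision {s['precision']:.2f}")
    print("ids by month:", monthly_precision(ALERTS, "ids"))
    print("iam by month:", monthly_precision(ALERTS, "iam"))
    print("noisiest ids rules, January:", false_positive_rules(ALERTS, "ids", "2019-01"))
```

The per-source number on its own (IDS and IAM both at 25% over the period) hides the difference between them; the monthly series shows the IDS improving after its rule change while IAM stays flat, and the per-rule ranking shows that one IDS rule produced nearly all of the January noise, which is where the tuning effort should have gone in the first place.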

These are just a few of the many ways you can use trend reporting to improve your cybersecurity. To learn more about how D3’s reporting features fit into its comprehensive security operations solution, schedule a one-on-one demo with one of our product experts today.



Originally published at d3security.com on January 14, 2019.

23 thoughts on “5 Trend Reports Every SOC Should Track”

  1. When I initially left a comment I appear to have clicked the -Notify me when new comments are added- checkbox and now whenever a comment is added I get four emails with the same comment. Is there a means you are able to remove me from that service? Cheers.

  2. Next time I read a blog, hopefully it doesn’t disappoint me just as much as this particular one. I mean, I know it was my choice to read, nonetheless I genuinely believed you’d have something helpful to talk about. All I hear is a bunch of complaining about something that you could fix if you were not too busy searching for attention.

  3. Your style is really unique compared to other people I’ve read stuff from. Thank you for posting when you’ve got the opportunity, Guess I’ll just bookmark this blog.

  4. The next time I read a blog, hopefully it does not fail me just as much as this particular one. I mean, yes, it was my choice to read through, however I genuinely believed you would have something helpful to say. All I hear is a bunch of complaining about something you could fix if you were not too busy seeking attention.

  5. I truly love your website. Excellent colors & theme. Did you create this web site yourself? Please reply back as I’m trying to create my own personal site and want to learn where you got this from or exactly what the theme is called. Kudos!

  6. An impressive share! I’ve just forwarded this onto a colleague who has been doing a little homework on this. And he in fact bought me dinner because I stumbled upon it for him… lol. So let me reword this… Thanks for the meal!! But yeah, thanks for spending time to talk about this matter here on your blog.
