SOC NOTES
Monitor - Constant monitoring (event, network, alert logs)
Detect - IOCs, patterns.
Analyze - Analyse whether it is an incident; timeline; TTPs.
Respond - Containment, communication with the team, response plan
People - Analysts, responders etc
Process - IR plans, playbooks etc
Tech - SIEM, IDS, EDR etc
Reactive:
Forensics, malware analysis
Incident response
Proactive:
Threat hunting
Threat intelligence
Vulnerability assessments
Pen testing
Types of SOC:
Internal (SOC)
Managed (MSOC) - Outsourced
Hybrid (SOC)
SOC METRICS:
Mean Time to Detect (MTTD)
MTTD measures the average time a SOC team takes to detect an incident or a security breach. A shorter Mean Time to Detect (MTTD) value indicates better performance. It showcases the ability of the SOC team to quickly detect and respond to incidents, minimizing the impact on clients.
Additionally, MTTD helps evaluate the effectiveness of monitoring tools and the efficiency of detection capabilities.
Mean Time to Investigate (MTTI)
MTTI denotes the average time from fault detection until the IT team initiates investigation. It bridges the gap between MTTD (Mean Time to Detect) and the start of MTTR, outlining the initial response phase.
Mean Time to Resolution (MTTR)
MTTR is the metric used to evaluate the average time a SOC team takes to completely resolve an incident once it has been detected. A lower MTTR value indicates that the incident response process is fast and highly effective. Typically, MTTR includes the time it takes to:
Investigate the root cause.
Apply fixes.
Carry out recovery processes.
This metric allows organizations to identify areas where they need to focus, improving their incident response strategy.
Mean Time to Restore Service (MTRS)
MTRS quantifies the average time from fault detection until service is fully restored, emphasizing user-centric recovery time following repair. MTRS differs from MTTR in that MTTR measures repair duration, whereas MTRS encompasses the entire process until service is operational again.
Mean Time Between Failures (MTBF)
MTBF measures how frequently a failure occurs. It represents the average time between one failure and the next, indicating the expected interval before another failure might occur. This metric is versatile, applicable to individual components or entire systems, offering insights into overall system reliability and performance. MTBF, along with MTTR, plays a crucial role in determining system uptime. While MTTR assesses how quickly a system can be restored after a breakdown, a favorable scenario involves decreasing MTTR and increasing MTBF, highlighting minimal downtime and efficient recovery capabilities.
Mean Time Between System Incidents (MTBSI)
MTBSI signifies the average interval between successive incidents, calculated by adding MTBF and MTRS. It provides a comprehensive view of system stability and operational continuity over time.
Mean Time to Attend and Analyze (MTTA&A)
MTTA&A measures the average time taken by SOC teams to respond to and analyze an incident. It starts with detecting an incident and ends when the team acknowledges it and properly analyzes its priority, impact and possible resolution.
Therefore, this metric helps evaluate the efficiency and effectiveness of the team's incident response processes.
MTTA&A begins when an incident is detected or reported. It ends when the incident response team acknowledges, assesses and analyzes the incident to determine its scope, impact and potential remediation actions. This metric is crucial as it reflects the efficiency and effectiveness of the incident response process.
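The metrics above (MTTD, MTTI, MTTR, MTRS, MTBF and MTBSI = MTBF + MTRS) computed over a handful of incident records, as an added example that is not part of the original notes. The incident timestamps are constructed sample data, and MTBF is taken as the up-interval from one restoration to the next failure (the convention the MTBSI sum assumes).

```python
from datetime import datetime
from statistics import mean

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample incidents (not real data). Each record carries the
# timestamps the metrics are defined over: failed (fault occurs), detected
# (monitoring raises it), investigated (analyst starts work), resolved
# (root cause fixed), restored (service fully operational again).
INCIDENTS = [
    {"failed": _t("2024-03-01 08:00"), "detected": _t("2024-03-01 08:30"),
     "investigated": _t("2024-03-01 08:45"), "resolved": _t("2024-03-01 10:30"),
     "restored": _t("2024-03-01 11:00")},
    {"failed": _t("2024-03-03 14:00"), "detected": _t("2024-03-03 14:15"),
     "investigated": _t("2024-03-03 14:45"), "resolved": _t("2024-03-03 16:15"),
     "restored": _t("2024-03-03 16:45")},
    {"failed": _t("2024-03-05 18:00"), "detected": _t("2024-03-05 18:45"),
     "investigated": _t("2024-03-05 19:30"), "resolved": _t("2024-03-05 20:45"),
     "restored": _t("2024-03-05 21:15")},
]

def _hours(delta):
    return delta.total_seconds() / 3600

def soc_metrics(incidents):
    """Return the mean-time metrics from the notes, in hours."""
    ordered = sorted(incidents, key=lambda i: i["failed"])
    for i in ordered:  # sanity check: timestamps must follow the lifecycle order
        if not (i["failed"] <= i["detected"] <= i["investigated"]
                <= i["resolved"] <= i["restored"]):
            raise ValueError("incident timestamps out of order: %r" % i)
    m = {
        "MTTD": mean(_hours(i["detected"] - i["failed"]) for i in ordered),
        "MTTI": mean(_hours(i["investigated"] - i["detected"]) for i in ordered),
        "MTTR": mean(_hours(i["resolved"] - i["detected"]) for i in ordered),
        "MTRS": mean(_hours(i["restored"] - i["detected"]) for i in ordered),
    }
    # MTBF needs at least two incidents. Measured here as uptime from one
    # restoration to the next failure (the ITIL convention assumed by the
    # notes' MTBSI = MTBF + MTRS sum).
    uptimes = [_hours(b["failed"] - a["restored"]) for a, b in zip(ordered, ordered[1:])]
    m["MTBF"] = mean(uptimes) if uptimes else None
    m["MTBSI"] = m["MTBF"] + m["MTRS"] if uptimes else None
    # Uptime fraction implied by MTBF and MTRS (the "system uptime" the notes
    # say MTBF and repair time determine); assumed standard availability ratio.
    m["availability"] = m["MTBF"] / m["MTBSI"] if uptimes else None
    return m
```

Call soc_metrics(INCIDENTS) to get a dict of hours per metric; with a single incident MTBF, MTBSI and availability are None because no interval between failures exists.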