Measuring the success of a detection
Measuring success is a key part of any organization, and an operational function like a SOC is no different. I've run SOC environments in a few different ways; the primary model is a 60/40 split of analyst time between alert triage and project work. Project work can be anything from creating detections and runbooks to assisting with an audit or ingesting new log sources, and the split naturally shifts while incidents are in progress. Regardless, finding the right way to measure is key to determining success for both your SOC and its detections.
Requirement-setting
The project aspect is straightforward: a project is either completed or it is not. For that, I run quarterly sprints in which projects are broken down using behaviour-driven development (BDD) language, specifically the format used by Cucumber, an open source tool that helps write test cases as plain-language steps (Given, When, Then) that non-technical stakeholders can read and that define what "done" means. An example of a ticket would be as follows:
“I’d like to ingest Microsoft...
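As an added illustration (not the ticket from the page, which is cut off above), here is how a log-source onboarding request can be written as a Cucumber feature so that both the ingestion and the detection it enables have measurable acceptance criteria. The log source, rule name, field names and time windows are hypothetical:

```gherkin
# Added example, not the page's own ticket. Source name, rule name, fields and thresholds are hypothetical.
Feature: Ingest ExampleVPN authentication logs
  As a SOC analyst
  I want ExampleVPN authentication logs in the SIEM
  So that I can detect brute-force logins against the VPN

  Background:
    Given the ExampleVPN log forwarder is configured to send to the SIEM collector

  Scenario: Events are parsed into normalised fields
    When a sample ExampleVPN authentication event is sent to the collector
    Then the event is searchable in the SIEM within 5 minutes
    And the fields "src_ip", "user" and "auth_result" are populated

  Scenario: Detection fires on a brute-force pattern
    Given the rule "VPN brute force - 10 failures in 5 minutes" is enabled
    When 10 failed logins for the same user are sent within 5 minutes
    Then an alert for that rule appears in the case management queue
    And the alert links to the runbook "VPN brute force triage"

  Scenario: Detection stays quiet on ordinary traffic
    Given the rule "VPN brute force - 10 failures in 5 minutes" is enabled
    When 3 failed logins followed by a successful login are sent within 5 minutes
    Then no alert for that rule is raised
```

Each scenario is one acceptance test the ticket is judged against at the end of the sprint; pairing a positive scenario with a negative one makes "the detection works" a yes/no question rather than a matter of opinion, and the runbook link turns the documentation requirement into something that can be checked too.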