The Fault in Our Metrics: Rethinking How We Measure Detection & Response

Learn how to transform your security metrics from raw data to actionable insights. Discover frameworks for measuring detection & response effectiveness while avoiding common pitfalls.

Key takeaways
  • Focus on measuring what you can control rather than raw quantities: filter out built-in/automated time and focus on controllable metrics
  • Organize metrics in a pyramid structure:
    • Top: Business impact/cost reduction
    • Middle: Coverage and effectiveness
    • Bottom: Operational metrics
  • Use the SAVR framework to evaluate metrics:
    • Streamlined (efficiency/automation)
    • Awareness (threat intel/visibility)
    • Vigilance (detection capabilities)
    • Readiness (response capabilities)
  • Prioritize detection development by identifying the top 5 threats based on:
    • External threat intelligence
    • Industry-specific threats
    • Environment and attack surface
    • Cost/impact to the business
  • Avoid common metrics mistakes:
    • Losing sight of business goals
    • Measuring uncontrollable quantities
    • Pursuing 100% coverage without value
    • Not adjusting metrics for different audiences
    • Focusing on “why” instead of “how”
  • Compare metrics relatively rather than focusing on absolute numbers
  • Regularly review and expire metrics that are no longer relevant or valuable
  • Balance speed metrics with quality/effectiveness measurements
  • Consider the cost to generate metrics vs. their business value
  • Tie metrics back to maturity model capabilities and organizational risks
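The first and the "compare relatively" takeaways, as an added illustration that is not from the talk or its author: a small Python model that splits each incident's timeline into built-in pipeline time (ingestion lag, detection run interval) and analyst-controlled time, then compares two reporting periods as a percentage change. All timestamps and lag values are constructed sample data; the field names are an assumed, simplified alert life cycle.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    """Timestamps along one alert's life cycle (constructed sample data)."""
    event: datetime         # malicious activity occurred on the host
    ingested: datetime      # log arrived in the SIEM: pipeline lag, not analyst-controlled
    alerted: datetime       # detection rule fired: scheduled run interval, not analyst-controlled
    acknowledged: datetime  # analyst picked the alert up: controllable
    contained: datetime     # response action completed: controllable


def raw_mttr(incidents):
    """Naive mean time to respond in minutes: event to containment, automated time included."""
    return mean((i.contained - i.event).total_seconds() for i in incidents) / 60


def controllable_mttr(incidents):
    """Mean time to respond in minutes counting only the intervals the SOC controls
    (alert -> acknowledge -> contain). Ingestion lag and the detection interval are
    built-in time and are filtered out."""
    return mean((i.contained - i.alerted).total_seconds() for i in incidents) / 60


def relative_change(previous, current):
    """Period-over-period change as a signed percentage (negative = improvement)."""
    return (current - previous) / previous * 100


def compare_periods(previous, current):
    """Report both views side by side so a slower pipeline is not mistaken for slower analysts."""
    return {
        "raw_change_pct": relative_change(raw_mttr(previous), raw_mttr(current)),
        "controllable_change_pct": relative_change(controllable_mttr(previous), controllable_mttr(current)),
    }


def make_incident(start, ingest_min, detect_min, ack_min, contain_min):
    """Build one constructed incident from the lag (in minutes) of each stage."""
    t1 = start + timedelta(minutes=ingest_min)
    t2 = t1 + timedelta(minutes=detect_min)
    t3 = t2 + timedelta(minutes=ack_min)
    return Incident(start, t1, t2, t3, t3 + timedelta(minutes=contain_min))


BASE = datetime(2024, 1, 1, 9, 0)
# Period 1: 20 min ingestion lag, 15 min detection interval, 10 min to acknowledge, 30 min to contain.
PERIOD_1 = [make_incident(BASE + timedelta(days=d), 20, 15, 10, 30) for d in range(3)]
# Period 2: pipeline got slower (40 min ingestion) while analysts got faster (5 min ack, 20 min contain).
PERIOD_2 = [make_incident(BASE + timedelta(days=90 + d), 40, 15, 5, 20) for d in range(3)]
```

Run on the constructed data, the raw figure shows response getting worse while the controllable figure shows the team improving; only the second number is one the SOC can act on.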