The Fault in Our Metrics: Rethinking How We Measure Detection & Response

Focus on measuring what you can control rather than raw quantities - filter out built-in/automated time and focus on controllable metrics

Organize metrics in a pyramid structure:

• Top: Business impact/cost reduction
• Middle: Coverage and effectiveness
• Bottom: Operational metrics

Use the SAVR framework to evaluate metrics:

• Streamlined (efficiency/automation)
• Awareness (threat intel/visibility)
• Vigilance (detection capabilities)
• Readiness (response capabilities)

Prioritize detection development by identifying top 5 threats based on:

• External threat intelligence
• Industry-specific threats
• Environment and attack surface
• Cost/impact to business

Avoid common metrics mistakes:

• Losing sight of business goals
• Measuring uncontrollable quantities
• Pursuing 100% coverage without value
• Not adjusting metrics for different audiences
• Focusing on “why” instead of “how”

Compare metrics relatively rather than focusing on absolute numbers

Regularly review and expire metrics that are no longer relevant or valuable

Balance speed metrics with quality/effectiveness measurements

Consider the cost to generate metrics vs their business value

Tie metrics back to maturity model capabilities and organizational risks