The Fault in Our Metrics: Rethinking How We Measure Detection & Response
Learn how to transform your security metrics from raw data to actionable insights. Discover frameworks for measuring detection & response effectiveness while avoiding common pitfalls.
- Focus on measuring what you can control rather than raw quantities: filter out built-in/automated time and focus on controllable metrics
- Organize metrics in a pyramid structure:
  - Top: Business impact/cost reduction
  - Middle: Coverage and effectiveness
  - Bottom: Operational metrics
- Use the SAVR framework to evaluate metrics:
  - Streamlined (efficiency/automation)
  - Awareness (threat intel/visibility)
  - Vigilance (detection capabilities)
  - Readiness (response capabilities)
- Prioritize detection development by identifying the top 5 threats based on:
  - External threat intelligence
  - Industry-specific threats
  - Environment and attack surface
  - Cost/impact to business
- Avoid common metrics mistakes:
  - Losing sight of business goals
  - Measuring uncontrollable quantities
  - Pursuing 100% coverage without value
  - Not adjusting metrics for different audiences
  - Focusing on “why” instead of “how”
- Compare metrics relatively rather than focusing on absolute numbers
- Regularly review and expire metrics that are no longer relevant or valuable
- Balance speed metrics with quality/effectiveness measurements
- Consider the cost to generate metrics vs their business value
- Tie metrics back to maturity model capabilities and organizational risks