Measuring SOC effectiveness and defining operational boundaries
Security Operations Centers must demonstrate value to the organization. Metrics provide objective measurements of SOC performance, identify areas for improvement, and justify resource allocation. Without metrics, SOC teams cannot prove effectiveness or advocate for improvements.
Understanding the tier structure is critical: it determines escalation paths and who handles what.
Tier 1 (Alert Analyst): Monitor SIEM dashboards, perform initial alert triage, classify true/false positives, escalate confirmed incidents. Handles roughly 80% of alerts. SLA: respond within 15 minutes for high-priority alerts.
Tier 2 (Incident Responder): Deep investigation of escalated incidents. Perform forensic analysis, correlate across data sources, determine root cause, execute containment. Manages the incident through resolution. Requires 2-3 years of experience.
Tier 3 (Threat Hunter): Proactive hunting for threats that bypass automated detection. Develops custom detection rules, reverse engineers malware, performs threat intelligence analysis. Often holds GCIH, GCFA, or OSCP certifications.
SOC Manager: Oversees operations, manages the team, reports to the CISO. Tracks KPIs (MTTD, MTTR, false positive rate), manages shift schedules, coordinates with other teams. Owns the SOC budget and tooling decisions.
Dwell time is the number of days an attacker remains in the environment before detection. The 2024 industry average is 204 days when the intrusion is discovered by an external party and 73 days when it is discovered by the organization's own SOC. Every day of undetected access gives the attacker more time to move laterally, escalate privileges and stage data for exfiltration, so lowering MTTD directly lowers dwell time.
This topic extends the SOC Operations presentation from Eye House, adding practical metrics tracking for day-to-day operations.
| Metric | Definition | Target | Why It Matters |
|---|---|---|---|
| MTTD (Mean Time to Detect) | Time from a malicious event occurring to an alert being raised on it | < 5 minutes | Faster detection limits damage |
| MTTR (Mean Time to Respond) | Time from detection to an analyst acknowledging the alert and starting work on it | < 30 minutes | Faster response reduces impact |
| MTTC (Mean Time to Contain) | Time from detection to the threat being isolated or stopped | < 1 hour | Containment stops spread |
| Dwell Time | Time from initial compromise to discovery of the intrusion | < 24 hours | Industry average is 200+ days |
Alert Volume: Total alerts generated per day/week/month. Track trends to identify noise.
True Positive Rate: Percentage of alerts that are confirmed incidents. Target: >90%.
False Positive Rate: Percentage of alerts that are noise. A high rate means detection rules need tuning.
Escalation Rate: Percentage of Tier 1 alerts escalated to Tier 2/3. Indicates alert complexity.
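The time-based metrics in the table above and the alert-quality rates just listed are straightforward to compute once a ticketing system records the right timestamps. The following Python is an added example written for this page, not code from the original material: the incident and alert records are constructed sample data, and the field names (first_activity, detected, response_started, contained, disposition, escalated) are assumptions about what a case-management export might contain. It also reports the median dwell time beside the mean, because a single long-dwell intrusion inflates the mean and hides how the typical case is handled.

```python
"""Compute SOC time-based and alert-quality metrics from incident and alert records.

Added example for this page; the records below are constructed sample data, not
real incidents, and the field names are assumptions about how a ticketing system
might expose its timestamps.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import List


@dataclass
class Incident:
    incident_id: str
    first_activity: datetime    # earliest evidence of attacker activity (start of dwell time)
    detected: datetime          # alert fired or hunt finding logged
    response_started: datetime  # analyst acknowledged the alert and began triage
    contained: datetime         # host isolated, account disabled, C2 blocked, etc.


@dataclass
class Alert:
    alert_id: str
    disposition: str  # "true_positive" or "false_positive" after Tier 1 triage
    escalated: bool   # handed to Tier 2/3


_T = datetime.fromisoformat

# Constructed sample data. INC-3 is a long-dwell intrusion found two weeks late,
# included to show how one outlier drags the mean.
INCIDENTS = [
    Incident("INC-1", _T("2024-03-01T08:00:00"), _T("2024-03-01T08:03:00"),
             _T("2024-03-01T08:10:00"), _T("2024-03-01T08:43:00")),
    Incident("INC-2", _T("2024-03-02T22:00:00"), _T("2024-03-03T09:00:00"),
             _T("2024-03-03T09:20:00"), _T("2024-03-03T10:30:00")),
    Incident("INC-3", _T("2024-02-20T12:00:00"), _T("2024-03-05T12:00:00"),
             _T("2024-03-05T13:00:00"), _T("2024-03-05T15:00:00")),
]

# Ten constructed alerts: four true positives, six false positives, three escalated.
ALERTS = [Alert(f"ALR-{i}", "true_positive" if i < 4 else "false_positive", escalated=i < 3)
          for i in range(10)]


def _minutes_between(records, start_attr: str, end_attr: str) -> List[float]:
    """Elapsed minutes between two timestamps on each record; rejects out-of-order data."""
    out = []
    for r in records:
        delta = (getattr(r, end_attr) - getattr(r, start_attr)).total_seconds() / 60
        if delta < 0:
            raise ValueError(f"{r.incident_id}: {end_attr} precedes {start_attr}")
        out.append(delta)
    return out


def mttd_minutes(incidents) -> float:
    """Mean Time to Detect: first malicious activity -> detection."""
    return mean(_minutes_between(incidents, "first_activity", "detected"))


def mttr_minutes(incidents) -> float:
    """Mean Time to Respond: detection -> analyst starts working the incident."""
    return mean(_minutes_between(incidents, "detected", "response_started"))


def mttc_minutes(incidents) -> float:
    """Mean Time to Contain: detection -> threat isolated or stopped."""
    return mean(_minutes_between(incidents, "detected", "contained"))


def dwell_time_days(incidents) -> dict:
    """Mean and median dwell time in days; the median resists a single long-dwell outlier."""
    days = [m / 1440 for m in _minutes_between(incidents, "first_activity", "detected")]
    return {"mean": mean(days), "median": median(days)}


def alert_rates(alerts) -> dict:
    """Alert volume plus true-positive, false-positive and escalation rates (percent)."""
    total = len(alerts)
    tp = sum(a.disposition == "true_positive" for a in alerts)
    fp = sum(a.disposition == "false_positive" for a in alerts)
    esc = sum(a.escalated for a in alerts)
    return {
        "volume": total,
        "true_positive_rate": tp * 100 / total,
        "false_positive_rate": fp * 100 / total,
        "escalation_rate": esc * 100 / total,
    }


if __name__ == "__main__":
    print(f"MTTD {mttd_minutes(INCIDENTS):.1f} min, MTTR {mttr_minutes(INCIDENTS):.1f} min, "
          f"MTTC {mttc_minutes(INCIDENTS):.1f} min")
    print("dwell time (days):", dwell_time_days(INCIDENTS))
    print("alert rates:", alert_rates(ALERTS))
```

On this sample the mean dwell time is about 4.8 days while the median is under half a day: two of three intrusions were caught the same day, and the fortnight-old one dominates the mean. Reporting both figures keeps the outlier visible without letting it misrepresent day-to-day detection performance.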
| Metric | What It Measures |
|---|---|
| Asset Coverage | % of assets with security monitoring |
| Log Coverage | % of critical systems sending logs to SIEM |
| Rule Coverage | % of MITRE ATT&CK techniques with detection rules |
| Network Visibility | % of network segments with traffic analysis |
In scope: Network traffic, endpoint alerts, SIEM events, cloud workloads, email security, vulnerability alerts
Out of scope: Physical security, OT/ICS systems, third-party vendor systems (unless integrated)
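Rule coverage, the share of in-scope ATT&CK techniques with at least one detection rule, is the coverage metric most often inflated by accident. Two details matter: sub-technique tags (T1059.001) should roll up to the parent technique the SOC reports on, and a rule that exists but is disabled must not count. The Python below is an added example for this page, not code from the original material. The technique IDs are real ATT&CK identifiers, but the in-scope list is an illustrative subset rather than a full matrix, and the rules and their tags are constructed.

```python
"""Rule coverage against an in-scope ATT&CK technique list.

Added example for this page. The technique IDs are real ATT&CK identifiers, but the
in-scope list is an illustrative subset and the rules and their tags are constructed.
"""
from typing import Dict, List, Tuple

# Techniques the SOC has decided it must be able to detect (constructed subset).
IN_SCOPE_TECHNIQUES = {"T1003", "T1021", "T1059", "T1078", "T1110", "T1566"}

# Constructed detection rules, each tagged with the techniques or sub-techniques it covers.
RULES: Dict[str, dict] = {
    "encoded-powershell-commandline": {"techniques": ["T1059.001"], "enabled": True},
    "office-spawns-script-host":      {"techniques": ["T1566.001", "T1059"], "enabled": True},
    "lsass-memory-read":              {"techniques": ["T1003.001"], "enabled": True},
    "rdp-logon-from-new-source":      {"techniques": ["T1021.001"], "enabled": True},
    # Exists in the SIEM but is switched off: it must not count toward coverage.
    "impossible-travel-login":        {"techniques": ["T1078"], "enabled": False},
}


def parent_technique(technique_id: str) -> str:
    """T1059.001 -> T1059; coverage is normally reported at the technique level."""
    return technique_id.split(".", 1)[0]


def rule_coverage(in_scope, rules) -> Tuple[float, List[str]]:
    """Percentage of in-scope techniques with an enabled rule, plus the uncovered gaps."""
    covered = {
        parent_technique(t)
        for rule in rules.values() if rule["enabled"]
        for t in rule["techniques"]
    } & in_scope
    pct = len(covered) * 100 / len(in_scope)
    gaps = sorted(in_scope - covered)
    return pct, gaps


if __name__ == "__main__":
    pct, gaps = rule_coverage(IN_SCOPE_TECHNIQUES, RULES)
    print(f"rule coverage: {pct:.1f}%  gaps: {', '.join(gaps)}")
```

Here the disabled T1078 rule leaves Valid Accounts uncovered along with T1110, so coverage is two thirds rather than the five sixths a naive count of rule tags would report. The gap list is the output that actually drives work: it is what Tier 3 uses to prioritise new detections.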
| Tier | Primary Role | Metrics Focus |
|---|---|---|
| Tier 1 (Alert Analyst) | Triage, initial analysis, escalation | Alert volume, escalation rate, MTTD |
| Tier 2 (Incident Responder) | Deep analysis, containment, remediation | MTTR, MTTC, incident resolution rate |
| Tier 3 (Threat Hunter) | Proactive hunting, malware analysis, IR lead | Hunts conducted, IOCs discovered, dwell time reduction |
| SOC Manager | Team leadership, process improvement | Overall SLAs, staff utilization, coverage gaps |
Personal Metrics: Track your own performance - alerts handled, escalation accuracy, average triage time. This data helps in performance reviews and identifies personal areas for improvement.
Incident SLAs by severity, from highest to lowest:
Response: 15 min | Containment: 1 hour | Resolution: 4 hours
Response: 30 min | Containment: 4 hours | Resolution: 24 hours
Response: 1 hour | Containment: 8 hours | Resolution: 72 hours
Response: 4 hours | Containment: 24 hours | Resolution: 1 week
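Turning these SLA rows into a compliance figure needs one rule that is easy to get wrong: an incident that is still open has not breached its containment or resolution SLA until the clock actually runs past the threshold, so open incidents must be measured against the current time rather than skipped or counted as failures. The Python below is an added example for this page, not code from the original material. It uses the four SLA rows above; numbering them severity 1 (most urgent) to 4 is an assumption, since the page does not name the rows, and the incidents and the evaluation time NOW are constructed.

```python
"""Check incidents against per-severity SLAs and report compliance.

Added example for this page. The thresholds are the four SLA rows from the page;
numbering them severity 1 (most urgent) to 4 is an assumption, since the page does
not name the rows. The incidents and the evaluation time are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SLA = {
    1: {"response": timedelta(minutes=15), "containment": timedelta(hours=1),  "resolution": timedelta(hours=4)},
    2: {"response": timedelta(minutes=30), "containment": timedelta(hours=4),  "resolution": timedelta(hours=24)},
    3: {"response": timedelta(hours=1),    "containment": timedelta(hours=8),  "resolution": timedelta(hours=72)},
    4: {"response": timedelta(hours=4),    "containment": timedelta(hours=24), "resolution": timedelta(weeks=1)},
}

STAGES = ("response", "containment", "resolution")


@dataclass
class Incident:
    incident_id: str
    severity: int
    detected: datetime
    response_started: Optional[datetime] = None  # None = stage not yet completed
    contained: Optional[datetime] = None
    resolved: Optional[datetime] = None


_T = datetime.fromisoformat
NOW = _T("2024-03-03T09:00:00")  # constructed evaluation time for still-open incidents

INCIDENTS = [
    # Severity 1, every stage inside SLA.
    Incident("INC-A", 1, _T("2024-03-01T10:00:00"), _T("2024-03-01T10:10:00"),
             _T("2024-03-01T10:50:00"), _T("2024-03-01T13:00:00")),
    # Severity 1, acknowledged after 20 min and contained after 90 min.
    Incident("INC-B", 1, _T("2024-03-01T10:00:00"), _T("2024-03-01T10:20:00"),
             _T("2024-03-01T11:30:00"), _T("2024-03-01T12:00:00")),
    # Severity 3, contained but still open; 48h elapsed is inside the 72h resolution SLA.
    Incident("INC-C", 3, _T("2024-03-01T09:00:00"), _T("2024-03-01T09:45:00"),
             _T("2024-03-01T16:00:00")),
    # Severity 4, acknowledged after 5h and still not contained after 48h.
    Incident("INC-D", 4, _T("2024-03-01T09:00:00"), _T("2024-03-01T14:00:00")),
]


def sla_breaches(inc: Incident, now: datetime) -> List[str]:
    """Stages whose SLA has been exceeded. A stage not yet completed is measured to
    `now`, so an open incident only counts as breached once it is actually late."""
    ends = {"response": inc.response_started, "containment": inc.contained, "resolution": inc.resolved}
    breaches = []
    for stage in STAGES:
        elapsed = (ends[stage] or now) - inc.detected
        if elapsed > SLA[inc.severity][stage]:
            breaches.append(stage)
    return breaches


def compliance_rate(incidents, now: datetime) -> float:
    """Percentage of incidents with no breached stage."""
    clean = sum(not sla_breaches(i, now) for i in incidents)
    return clean * 100 / len(incidents)


def breach_counts(incidents, now: datetime) -> dict:
    """How many incidents breached each stage; points at where the process is slow."""
    counts = {s: 0 for s in STAGES}
    for inc in incidents:
        for s in sla_breaches(inc, now):
            counts[s] += 1
    return counts


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.incident_id, f"sev {inc.severity}", sla_breaches(inc, NOW) or "within SLA")
    print(f"compliance: {compliance_rate(INCIDENTS, NOW):.0f}%  breaches by stage: {breach_counts(INCIDENTS, NOW)}")
```

The per-stage breach counts are usually more useful to a SOC manager than the headline compliance percentage: two late acknowledgements point at staffing or alert routing, while two late containments point at missing automation or approval bottlenecks.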
Test your understanding of SOC metrics and scope. Score 80% or higher to pass.
1. What does MTTD measure?
2. A high false positive rate in SIEM alerts indicates:
3. What is "dwell time" in cybersecurity?
4. Which SOC tier is primarily responsible for proactive threat hunting?
5. What does "coverage" in SOC metrics typically refer to?