5.5 Capabilities: Analytics

Updated 1 year ago by TruSTAR

For most organizations, the goal in securing their systems from threats is to detect and resolve threats faster. The Analytics capability in TruSTAR provides two metrics -- Mean Time to Detection (MTTD) and Mean Time to Response (MTTR) -- that are key to analyzing how well your security systems are performing.

This feature will be available later in 2021.
Mean Time to Detection (MTTD) is the average time between when a potential threat enters the network and when it is either prioritized for action or dismissed as not being a viable event. One example is an email containing a URL. The detection time for that event is the total time from when the email enters the organization's network until the URL is judged malicious or safe; MTTD is that time averaged over all triaged events.

Mean Time to Response (MTTR) is the average time between detecting a threat and responding to it. Once a suspicious event has been detected, you need context about it to determine its severity and the nature of your response. In the case of the email with the suspicious URL, you want to see whether the URL has known security issues and, based on that information, take action.

If the primary purpose of security intelligence is to accelerate the automation that detects and responds to threats, then coverage is how you measure the effectiveness of your intelligence sources: specifically, how often those sources match your internal events and how much they help you triage those events.

You can track MTTD and MTTR by correlating internal events with external intelligence feeds and use the results to determine the best way to increase your coverage. The same metrics show how much coverage each intelligence source you subscribe to actually provides, so you can keep or replace sources depending on which ones work best over time.
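As an added example (not code from the TruSTAR product or its documentation), the following script computes MTTD, MTTR and per-source coverage from a constructed set of internal events and intelligence feeds. The event records, the feed names `feed_a` and `feed_b`, the URLs in them and the way unmatched or still-open events are treated are all assumptions made for the illustration; it shows how dismissed events count toward MTTD but not MTTR, how an event still in the queue is excluded rather than counted as zero, and how one feed can have good coverage while another mostly adds noise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    """One internal event, e.g. an inbound email carrying a URL (constructed)."""
    event_id: str
    observable: str                       # the URL seen in the email
    entered: datetime                     # when it entered the network
    triaged: Optional[datetime] = None    # when it was prioritized or dismissed
    verdict: Optional[str] = None         # "malicious" or "benign"
    responded: Optional[datetime] = None  # when the response action completed


def _average(durations: List[timedelta]) -> Optional[timedelta]:
    """Mean of a list of durations; None when there is nothing to average."""
    if not durations:
        return None
    return sum(durations, timedelta()) / len(durations)


def mttd(events: List[Event]) -> Optional[timedelta]:
    """Mean time from network entry to the triage decision (malicious or benign).
    Events not yet triaged are excluded rather than counted as zero."""
    return _average([e.triaged - e.entered for e in events if e.triaged])


def mttr(events: List[Event]) -> Optional[timedelta]:
    """Mean time from triage to completed response, over events judged malicious
    and already responded to. Dismissed events need no response (assumption)."""
    return _average([e.responded - e.triaged for e in events
                     if e.verdict == "malicious" and e.triaged and e.responded])


def coverage(events: List[Event], indicators: Set[str]) -> Dict[str, float]:
    """How well one intelligence source matches internal events:
    'coverage' = share of malicious events whose observable the source knew,
    'noise'    = share of benign events the source would also have flagged."""
    malicious = [e for e in events if e.verdict == "malicious"]
    benign = [e for e in events if e.verdict == "benign"]

    def hits(group: List[Event]) -> int:
        return sum(1 for e in group if e.observable in indicators)

    return {
        "coverage": hits(malicious) / len(malicious) if malicious else 0.0,
        "noise": hits(benign) / len(benign) if benign else 0.0,
    }


def compare_sources(events: List[Event],
                    sources: Dict[str, Set[str]]) -> Dict[str, Dict[str, float]]:
    """Score each subscribed source on its own, plus the union of all of them."""
    scores = {name: coverage(events, inds) for name, inds in sources.items()}
    scores["all sources"] = coverage(events, set().union(*sources.values()))
    return scores


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2021-06-01T{hhmm}:00")


# Constructed sample: four emails with URLs seen on one day (hypothetical data).
SAMPLE_EVENTS = [
    Event("E1", "http://bad.example/login", _t("09:00"), _t("09:30"), "malicious", _t("10:30")),
    Event("E2", "http://vendor.example/invoice.pdf", _t("09:10"), _t("09:20"), "benign"),
    Event("E3", "http://evil.example/payload", _t("11:00"), _t("12:00"), "malicious", _t("12:45")),
    Event("E4", "http://new.example/cv.docx", _t("13:00")),  # still waiting for triage
]

# Constructed sample: indicators published by two hypothetical feeds.
SAMPLE_SOURCES = {
    "feed_a": {"http://bad.example/login", "http://evil.example/payload"},
    "feed_b": {"http://evil.example/payload", "http://vendor.example/invoice.pdf"},
}

if __name__ == "__main__":
    print("MTTD:", mttd(SAMPLE_EVENTS))   # 0:33:20 over the three triaged events
    print("MTTR:", mttr(SAMPLE_EVENTS))   # 0:52:30 over the two malicious events
    for name, score in compare_sources(SAMPLE_EVENTS, SAMPLE_SOURCES).items():
        print(f"{name:12s} coverage={score['coverage']:.0%} noise={score['noise']:.0%}")
```

Run the script as-is to see the metrics for the constructed day. The `noise` figure is the practical counterpart to coverage: `feed_b` matches half the malicious events but also flags the benign invoice, so adding it raises the union's coverage while also raising the share of benign events an automated pipeline would escalate.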

Related Links

For a deeper dive into coverage, MTTD and MTTR, see these TruSTAR blog posts:
