5.5 Capabilities: Analytics
For most organizations, the goal in securing their systems is to detect and resolve threats faster. The Analytics capability in TruSTAR provides two metrics -- Mean Time to Detection (MTTD) and Mean Time to Response (MTTR) -- that are key to measuring how well your security systems are performing. MTTD measures how long a threat is present before it is detected; MTTR measures how long it takes to act on it once it has been detected.
Mean Time to Response (MTTR), also written Mean Time to Resolution, is the average amount of time it takes to respond to a threat once it has been detected. After a suspicious event is detected, you need context about it to determine its severity and the nature of your response. In the case of the email with the suspicious URL, you want to know whether the URL is associated with known security issues and, based on that information, take action.
If the primary purpose of security intelligence is to accelerate automation that detects and responds to threats, then coverage is how you measure the effectiveness of your intelligence sources: specifically, how often those sources match your internal events and help you triage them.
You can track MTTD and MTTR against your internal events and external intelligence feeds to see which changes actually shorten them, and use the same metrics to understand how much coverage each intelligence source you subscribe to is providing. Over time, keep the sources that work and replace those that do not.
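The following is an added illustration, not TruSTAR code, of how the three numbers discussed above are derived from raw data. It computes MTTD and MTTR from per-event timestamps and scores each intelligence source by the fraction of internal events whose indicator that source knows about. The event records, the feed contents, and the field names (`occurred`, `detected`, `resolved`) are constructed for the example and are not TruSTAR's data model.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional, Set

@dataclass
class Event:
    """One internal security event (constructed schema, not TruSTAR's)."""
    event_id: str
    indicator: str                # observable seen internally: URL, hash, IP
    occurred: datetime            # when the malicious activity happened
    detected: datetime            # when a control or analyst flagged it
    resolved: Optional[datetime]  # when response closed it; None if still open

# Constructed sample events: three incidents, one still open.
EVENTS: List[Event] = [
    Event("e1", "http://bad.example/login",
          datetime(2024, 1, 1, 8, 0), datetime(2024, 1, 1, 9, 0), datetime(2024, 1, 1, 11, 0)),
    Event("e2", "44d88612fea8a8f36de82e1278abb02f",
          datetime(2024, 1, 1, 10, 0), datetime(2024, 1, 1, 13, 0), datetime(2024, 1, 1, 19, 0)),
    Event("e3", "203.0.113.7",
          datetime(2024, 1, 2, 0, 0), datetime(2024, 1, 2, 2, 0), None),
]

# Constructed intelligence feeds: source name -> indicators it reports.
FEEDS: Dict[str, Set[str]] = {
    "feed_a": {"http://bad.example/login", "203.0.113.7"},
    "feed_b": {"http://bad.example/login"},
    "feed_c": {"198.51.100.9"},
}

def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600

def mttd(events: List[Event]) -> Optional[float]:
    """Mean hours from the activity occurring to its detection."""
    if not events:
        return None
    return mean(_hours(e.occurred, e.detected) for e in events)

def mttr(events: List[Event]) -> Optional[float]:
    """Mean hours from detection to resolution, over resolved events only.
    Open events are excluded rather than counted as zero, which would
    artificially shrink the number."""
    closed = [e for e in events if e.resolved is not None]
    if not closed:
        return None
    return mean(_hours(e.detected, e.resolved) for e in closed)

def coverage(events: List[Event], feeds: Dict[str, Set[str]]) -> Dict[str, float]:
    """Fraction of internal events whose indicator each source knows about,
    plus 'any_source' for the union of all subscribed feeds."""
    indicators = [e.indicator for e in events]
    if not indicators:
        return {name: 0.0 for name in feeds} | {"any_source": 0.0}
    result = {
        name: sum(i in known for i in indicators) / len(indicators)
        for name, known in feeds.items()
    }
    result["any_source"] = sum(
        any(i in known for known in feeds.values()) for i in indicators
    ) / len(indicators)
    return result

def triage_context(event: Event, feeds: Dict[str, Set[str]]) -> List[str]:
    """Sources that already know this event's indicator: the context an
    analyst wants before deciding on a response."""
    return sorted(name for name, known in feeds.items() if event.indicator in known)

if __name__ == "__main__":
    print(f"MTTD: {mttd(EVENTS):.1f} h")
    print(f"MTTR: {mttr(EVENTS):.1f} h")
    for source, frac in coverage(EVENTS, FEEDS).items():
        print(f"coverage {source}: {frac:.0%}")
    for e in EVENTS:
        print(f"{e.event_id} {e.indicator}: known to {triage_context(e, FEEDS) or 'no source'}")
```

With these constructed inputs, feed_a matches two of the three internal events, feed_b one, and feed_c none, which is the kind of comparison the text suggests when deciding which sources to keep. Note that MTTR is averaged over closed events only; including open events with a zero duration would understate response time.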
For a deeper dive into coverage, MTTD and MTTR, see these TruSTAR blog posts: