top of page

How to Measure What Matters in Cloud SecOps

Measurement and continuous improvement are key components of any security operations program. To understand if teams are working effectively, security operations leaders need metrics that help them answer key questions like:

  • What is our cloud telemetry coverage for the TTPs most relevant to our organization (across all our cloud services, accounts, subscriptions, etc.)?

  • How long does it take to investigate a threat?

  • How long does it take to completely resolve an incident?

Given the massive scale and complexity of the cloud (and especially multi-cloud), these metrics can be very difficult to track. Additionally, most traditional cloud security products were designed to track metrics more relevant for DevOps (like vulnerabilities and misconfigurations) than for SOC teams.


When developing our dashboard, we had three major guiding principles:

  • Focus on what matters most first, giving teams the actionable insights they need day-to-day

  • Show trends over time, allowing leaders to easily report on higher-level strategic objectives

  • Allow teams to measure performance against industry standards and accepted benchmarks, to better plan and prioritize action

Our dashboard consolidates executive-level reporting with the day-to-day insights that SecOps teams need, enabling them to act immediately to identify the highest priority issues. And all the metrics in the dashboard are available through APIs, so you can also integrate them into the reporting workflows you use every day.


Get continuous visibility into cloud telemetry coverage

At the top of our dashboard is a customer’s “Readiness Score,” which quantifies how prepared the organization is for a cloud breach in real-time. Calculated automatically based on which telemetry an organization is collecting and mapping it against the MITRE ATT&CK framework, the readiness score gives organizations a continuous understanding of the types of attacks they are ready to defend against and the types of attacks to which they may be blind. To put the score in context, we provide clear benchmarks and averages to enable organizations to understand where they stand in relation to their peers.

The readiness score is a key KPI as a real-time snapshot, but the dashboard also allows teams to track progress over time, and breaks down the score by cloud provider. This allows executives to easily spot weak points: for example, if a merger introduced a new GCP environment to a team focused primarily in AWS and Azure, teams can easily pinpoint the impact on their overall readiness. Alternatively, an executive kicking off a strategic initiative to achieve readiness parity across different cloud providers can easily track progress against that goal for reporting to stakeholders.


Map your MTTR to better understand performance and compare against peers

Gem’s dashboard also provides organizations with a clear view of their mean time to resolve (MTTR) cloud threats. MTTR is a critical metric for any security operations team, as ultimately the speed at which organizations can stop an attack is the key determinant in preventing it from reaching critical assets and minimizing the blast radius.


We track both the mean time to resolve cloud threats (i.e., mean time until an incident has been fully contained) and also the mean time to acknowledge a threat. We calculate Mean Time To Acknowledge as the time it takes for a team member to open the alert for the first time and start investigating.

Both metrics are tracked over time to enable executive-level reporting on wider strategic trends. For example, MTTR that’s above target could indicate domain-specific challenges with triage and investigation in the cloud - we’ve seen clear reductions in MTTR as organizations adopt Gem. MTTA that’s above target could indicate organizational or process challenges that are preventing teams from getting to the most important issues fastest. Once again, we provide clear benchmarks to help you put your results in context.


Deliver the right insights for each stakeholder

A few weeks ago, I was attending an amazing daylong conference in New York City, where we’re based. During a session dedicated to dashboards and metrics, we heard this very memorable quote from one of the CISOs attending: “a CISO has two eyes, and one hundred dashboards.”


This hit close to home as we were preparing for the GA dashboard release, and we understand that teams today have way too many platforms and dashboards to cycle through. This is why we built our dashboard, just like every other component of the platform, with an API-first approach. Every widget is programmatically accessible, allowing teams and CISOs to pull only the data they need and combine it into their existing reporting tools and workflows. This reduces the friction of tracking the team's MTTR or the organization's readiness over time, enabling decision-makers to work with real-time data in a more efficient way and easily integrate it into the reporting systems they use day-to-day.

At Gem, we aim to provide solutions that are not only effective but also align with the real-world needs of SecOps teams. If you’re interested in learning more, feel free to reach out. We’d love to show you ourselves.

Comments


bottom of page