
How TruSTAR Uses MTTD and MTTR as North Star Metrics

The north star metrics for Data-Centric Security Automation are the minimization of MTTD (Mean Time to Detection) and MTTR (Mean Time to Resolution). At TruSTAR, we view this as a constrained optimization problem and see optimizing intelligence coverage and coverage quality as the two most important ways to achieve that goal.

To get a better understanding of what these concepts mean, how they relate to each other, and how intelligence management solutions can help, see our blog: Toward MTTD & MTTR as North Star Metrics.

Where We Are Today

For the Detection Use Case, our customers leverage TruSTAR to collect, prepare and prioritize indicators from across their external threat intel sources along with their historical events, and connect that into their lighthouse detection tools. Because the data from these sources is managed in Enclaves, our customers gain much-needed visibility into how different intelligence sources are performing in terms of coverage. Here are some examples of key metrics:

| Metric | Insight | Metric Impact |
| --- | --- | --- |
| What are the different types of indicators your intel sources are focused on? | Source Suitability, Impact on Coverage | MTTD & MTTR |
| How many high priority indicators are each of your intel sources creating? | Impact on Coverage | MTTD |
| How much of an overlap exists between the sources you subscribe to? | Impact on Coverage | MTTD |
| How varying are their opinions on the indicators that overlap between them? | False Positives | MTTR |

Some example graphs are presented here for illustrative purposes.

Indicator Types by Source

Visibility into the types of indicators that are predominant in your external threat intel sources is the first step toward optimizing coverage to advance Data-Centric Security Automation.

Source Coverage by Indicator Type

Naturally, you want to make sure you have strong alignment between your threat intel sources and the detection and response tools as destinations. File hashes, bitcoin addresses and malware names may be valuable for some tools and workflows, while IPs and URLs may be more relevant for others.

Sources by Priority Score

You’ll also want to see which of your sources are providing strong opinions or labels, in the form of scores, for your currently unlabeled data.

In the above three graphs, you can see that Facebook ThreatExchange has an outsized number of email addresses with high maliciousness scores. This can help align FBTX with certain use cases, such as triaging suspicious emails reported to the Security Operations Center.

Where We’re Going Tomorrow

While this baseline level of visibility is critical, it’s only the beginning. In the coming months, we’ll be making more investments and releasing more features designed to help customers optimize their Coverage to reduce MTTD and MTTR.

  • With visibility into which indicator types matter most, we can match our customers with the intel sources that fit their needs best - even sources outside of the customers’ current subscribed sources.
  • With feedback from detection and response tools, our customers will see the false positive rate from each intel provider - and TruSTAR will recommend tuning and weighting strategies to minimize noise, FPs and therefore, MTTR.
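The four coverage metrics in the table above (indicator types per source, high-priority counts, overlap between sources, and score disagreement on the overlap), plus the per-provider false positive rate and weighting described in the bullets, can all be computed from a flat list of scored indicators and a list of verdicts fed back from detection tools. The script below is an added example written for this post; it is not TruSTAR platform code and does not use the TruSTAR API. The feed names, indicator values, scores, the 80-point high-priority threshold and the feedback verdicts are all constructed for illustration.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample feed data: (source, indicator_type, value, score 0-100).
# Feed names, values and scores are made up; RFC 5737 / .test ranges are used.
INDICATORS = [
    ("FeedA", "ip", "198.51.100.7", 90),
    ("FeedA", "ip", "203.0.113.9", 40),
    ("FeedA", "url", "http://example.test/login", 75),
    ("FeedA", "email", "alice@example.test", 20),
    ("FeedB", "ip", "198.51.100.7", 85),
    ("FeedB", "ip", "203.0.113.9", 95),
    ("FeedB", "md5", "d41d8cd98f00b204e9800998ecf8427e", 60),
    ("FeedC", "email", "bob@example.test", 92),
    ("FeedC", "email", "alice@example.test", 88),
    ("FeedC", "url", "http://example.test/login", 30),
]

# Constructed verdicts returned by detection/response tools after an alert
# fired on the indicator: "tp" = confirmed malicious, "fp" = false positive.
FEEDBACK = [
    ("ip", "198.51.100.7", "tp"),
    ("ip", "203.0.113.9", "fp"),
    ("url", "http://example.test/login", "tp"),
    ("email", "alice@example.test", "tp"),
]

HIGH_PRIORITY = 80  # assumed score cut-off for "high priority"


def _by_source(indicators):
    """Group to {source: {(type, value): score}} so set operations are easy."""
    grouped = defaultdict(dict)
    for source, itype, value, score in indicators:
        grouped[source][(itype, value)] = score
    return grouped


def indicator_types_by_source(indicators=INDICATORS):
    """Row 1 of the table: which indicator types each source focuses on."""
    counts = defaultdict(Counter)
    for source, itype, _value, _score in indicators:
        counts[source][itype] += 1
    return dict(counts)


def high_priority_by_source(indicators=INDICATORS, threshold=HIGH_PRIORITY):
    """Row 2 of the table: high-priority indicators contributed per source."""
    sources = sorted({row[0] for row in indicators})
    counts = Counter(s for s, _t, _v, score in indicators if score >= threshold)
    return {s: counts[s] for s in sources}


def high_priority_by_type(itype, indicators=INDICATORS, threshold=HIGH_PRIORITY):
    """Which source supplies the most high-priority indicators of one type
    (the FBTX / email-triage alignment question from the graphs section)."""
    return Counter(s for s, t, _v, score in indicators
                   if t == itype and score >= threshold)


def pairwise_overlap(indicators=INDICATORS):
    """Row 3 of the table: shared indicator count and Jaccard similarity per pair."""
    grouped = _by_source(indicators)
    result = {}
    for a, b in combinations(sorted(grouped), 2):
        shared = grouped[a].keys() & grouped[b].keys()
        union = grouped[a].keys() | grouped[b].keys()
        result[(a, b)] = (len(shared), round(len(shared) / len(union), 3))
    return result


def score_disagreement(indicators=INDICATORS):
    """Row 4 of the table: mean absolute score gap on indicators two sources share.
    None means the pair shares nothing, so there is no opinion to compare."""
    grouped = _by_source(indicators)
    result = {}
    for a, b in combinations(sorted(grouped), 2):
        shared = grouped[a].keys() & grouped[b].keys()
        if not shared:
            result[(a, b)] = None
            continue
        diffs = [abs(grouped[a][k] - grouped[b][k]) for k in shared]
        result[(a, b)] = round(sum(diffs) / len(diffs), 1)
    return result


def false_positive_rate_by_source(indicators=INDICATORS, feedback=FEEDBACK):
    """FP rate per provider over the indicators that received a verdict, and a
    simple weight (1 - FP rate) a consumer could apply to that provider's scores."""
    verdicts = {(t, v): verdict for t, v, verdict in feedback}
    grouped = _by_source(indicators)
    result = {}
    for source, items in sorted(grouped.items()):
        judged = [verdicts[k] for k in items if k in verdicts]
        fp_rate = judged.count("fp") / len(judged) if judged else None
        weight = None if fp_rate is None else round(1 - fp_rate, 3)
        result[source] = (len(judged), fp_rate, weight)
    return result


if __name__ == "__main__":
    print("types by source:", indicator_types_by_source())
    print("high priority by source:", high_priority_by_source())
    print("best email source:", high_priority_by_type("email").most_common(1))
    print("overlap:", pairwise_overlap())
    print("disagreement:", score_disagreement())
    print("fp rate / weight:", false_positive_rate_by_source())
```

On the constructed data, FeedC supplies both high-priority email addresses, FeedA and FeedB share two IPs but disagree by an average of 30 points on them, and FeedB's feedback-adjusted weight is the lowest because half of its judged indicators came back as false positives. The same functions run unchanged over a larger export as long as each row carries a source, a type, a value and a score.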

As our customers adopt a Data-Centric Security Automation approach and integrate more of their detection and response tools, TruSTAR will return increasing signal on how to leverage existing sources, reduce redundancies and recommend new sources to expand Coverage in a way that optimizes your investments in intelligence.

For more information on how TruSTAR’s Intelligence Management Platform can help your organization reduce MTTD and MTTR, reach out to us at info@trustar.co.
