Browsed by
Tag: soc

SOC METRICS


Some typical SOC metrics used to demonstrate the SOC's value to business decision makers may include:

- The mean time to detect (TTD) an incident after its occurrence
- The mean time to contain an incident after its detection
- The mean time to mitigate an incident after its containment
- The number of incidents detected, contained, and mitigated
- The percentage of discovered incidents found using the plays in the SOC playbook
- The number of new plays added to the SOC playbook
- The number…


Security Operations Center (SOC) ROLES


The SOC manager should develop a workflow model and implement SOPs for incident handling that guide the analysts through the triage and response procedures. Security analyst tiered responsibilities may include:

Tier 1
- Continuously monitors the alert queue
- Triages security alerts
- Monitors the health of the security sensors and endpoints
- Collects the data and context necessary to initiate Tier 2 work

Tier 2
- Performs deep-dive incident analysis by correlating data from various sources
- Determines if a critical system or data set has been…
