News.Risky.Biz
NCSC Warns Against Ineffective SOC Metrics
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The UK's National Cyber Security Centre (NCSC) has issued a warning regarding the reliance on ineffective metrics to evaluate Security Operations Centers (SOCs). NCSC's CTO, Dave Chismon, stated that common metrics such as 'number of tickets processed' and 'time taken to close a ticket' can lead to careless behavior among SOC teams, incentivizing them to prioritize speed over thorough investigations. This can result in a high volume of false positives and ineffective security measures. Instead, the NCSC recommends focusing on metrics like time-to-detect (TTD) and time-to-respond (TTR) to better assess SOC effectiveness. Chismon emphasized that using no metrics is preferable to using bad ones, as the latter can demoralize staff and lead to a culture of rushing through alerts. The NCSC also advocates for allowing SOC teams to engage in hypothesis-led threat hunting and to study threat actors to enhance their defensive capabilities. The guidance aims to improve the overall effectiveness and morale of SOC teams.
Key Points: • NCSC advises against using ineffective metrics for SOC evaluation. • Common metrics can lead to careless behavior and false positives. • Time-to-detect and time-to-respond are recommended as better metrics.