The KPIs of Detection Engineering
Quantify, measure, and mature your detection engineering efforts to new heights. Close threat detection gaps and increase team productivity over time with evidence-based results.
Metrics That Matter
Measure Your SOC Maturity
Many security teams today are mapping their detection coverage to MITRE and that is something that Anvilogic is well positioned to help you do.
Our platform takes it beyond just detection and technique coverage and can also help you assess your SOC operations to provide you with a baseline maturity score, from the first day you connect your environment into the platform.
Your personalized maturity score is based on the threat landscape identified specifically for your organization, and is determined by the infrastructure, region, and industry you operate in.
The maturity score is continuously assessed across the feeds you connect to the platform, the detections aligned to TTP coverage, and the productivity of the operations performed against the Events of Interest observed on the platform.
The Devil is in the Data Feeds
Effective detection engineering relies on how teams process and utilize their engineered data feeds to create high-quality detections and keep their organizations out of the headlines.
Your feed score is determined by the effectiveness of your data logging practices, compared against the necessary feeds for detecting all TTPs.
It is also what we at Anvilogic rely on to assess the quality and maturity of a program, and to show a leader or CISO true improvement over time.
This process helps identify potential cost savings by eliminating redundant data feeds, ensures that all necessary feeds are being logged, evaluates whether current feeds adequately support existing detections, and identifies any additional feeds that are required.
MITRE Chess Not Bingo
While MITRE ATT&CK is a valuable framework for categorizing adversary tactics and an essential component of detection engineering, it's often misapplied as a superficial solution for mapping detections and creating coverage maps.
This misuse can lead to oversimplification, where organizations claim broad coverage without delving into the necessary details to ensure comprehensive and effective security measures. It's not about whether you do MITRE but how you do it.
We understand that true value is realized by how organizations align MITRE with their detections. That's why all detections are mapped against MITRE to determine technique coverage so you can accurately represent SOC detection performance while also measuring how well all the detections are correlated to detect threat patterns.
You can also measure your team's productivity by looking at Triage Dwell Time, Alert to Analyst Ratios, Triage Percentage, Hunt Percentage, and more, allowing you to see your detection engineering progress and make data-driven decisions for future budgeting and resource planning.
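As an added example (not Anvilogic's scoring code, and using an assumed, simplified model), the Python below computes the kinds of figures the feed-score and MITRE-coverage sections above describe, plus two of the productivity metrics named here: technique coverage against a priority list, feed gaps, redundant feeds, triage dwell time and alert-to-analyst ratio. The detection names, feeds, priority techniques and triage records are constructed, and the metric definitions are assumptions.

```python
"""Illustrative detection-engineering KPIs over constructed sample data.
Added example with an assumed, simplified scoring model; not Anvilogic's own code."""
from datetime import datetime
from statistics import mean

# Constructed inventory: detection and feed names are hypothetical; the ATT&CK
# technique IDs are real IDs used only as labels for the coverage arithmetic.
DETECTIONS = [
    {"name": "psexec_lateral_movement", "techniques": {"T1021.002"},
     "feeds": {"windows_security", "sysmon"}},
    {"name": "lsass_memory_access", "techniques": {"T1003.001"}, "feeds": {"sysmon", "edr"}},
    {"name": "dns_tunneling", "techniques": {"T1071.004"}, "feeds": {"dns"}},
]
PRIORITY_TECHNIQUES = {"T1021.002", "T1003.001", "T1071.004", "T1059.001"}  # assumed threat profile
CONNECTED_FEEDS = {"windows_security", "sysmon", "dns", "proxy"}
ALERTS = [  # constructed triage records: when an alert fired and when an analyst picked it up
    {"created_at": datetime(2024, 5, 1, 10, 0), "triaged_at": datetime(2024, 5, 1, 10, 15)},
    {"created_at": datetime(2024, 5, 1, 11, 0), "triaged_at": datetime(2024, 5, 1, 11, 45)},
]

def technique_coverage(detections, priority):
    """Share of prioritised techniques hit by at least one detection, plus the gaps."""
    covered = set().union(*(d["techniques"] for d in detections)) & priority
    return len(covered) / len(priority), sorted(priority - covered)

def feed_gaps(detections, connected):
    """Detections that cannot fire fully because a required feed is not being logged."""
    return {d["name"]: sorted(d["feeds"] - connected)
            for d in detections if d["feeds"] - connected}

def redundant_feeds(detections, connected):
    """Connected feeds no detection consumes: candidates for cost savings."""
    return sorted(connected - set().union(*(d["feeds"] for d in detections)))

def triage_dwell_minutes(alerts):
    """Mean minutes from alert creation to analyst pickup (assumed definition)."""
    return mean((a["triaged_at"] - a["created_at"]).total_seconds() / 60 for a in alerts)

def kpi_report(detections=DETECTIONS, priority=PRIORITY_TECHNIQUES,
               connected=CONNECTED_FEEDS, alerts=ALERTS, analysts=2):
    """Bundle the scores a detection-engineering lead would track over time."""
    score, uncovered = technique_coverage(detections, priority)
    return {"technique_coverage": score, "uncovered_techniques": uncovered,
            "feed_gaps": feed_gaps(detections, connected),
            "redundant_feeds": redundant_feeds(detections, connected),
            "triage_dwell_minutes": triage_dwell_minutes(alerts),
            "alert_to_analyst_ratio": len(alerts) / analysts}  # assumed definition
```

Run `kpi_report()` on a real inventory by replacing the constructed lists with exports from your detection repository and SIEM; the uncovered-technique and feed-gap lists are the items a quarterly review would act on.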
Stop Playing MITRE ATT&CK Bingo
How security leaders get ATT&CK wrong and what you can do about it