MTTA - Mean Time to Acknowledge
Mean Time to Acknowledge (MTTA) is the average time between a security alert being generated and its being acknowledged. In DNIF, acknowledgment corresponds to case creation: the Time to Acknowledge (TTA) of a case is the time difference between the generation of the earliest signal in that case and the creation of the case. If a signal older than the current earliest one is later added to the case, the TTA is recalculated from that older signal's time, so a single late-attached old signal lengthens the case's TTA and pulls MTTA up. MTTA is the sum of the TTAs of all cases divided by the number of cases.
MTTA helps in the following:
- Responsiveness Tracking: MTTA helps monitor how quickly the security team responds to alerts, indicating the effectiveness of alert handling and initial response. A shorter MTTA suggests that potential threats are being acted upon quickly, reducing the window of exposure.
- Incident Prioritization: By tracking MTTA, teams can identify whether alerts are being acknowledged in a timely manner and whether the most critical incidents are getting the attention they need first.
- Early Intervention: A fast acknowledgment time means that the security team is quickly aware of potential threats, allowing for early-stage containment before incidents escalate into major security breaches.
- Process Optimization: High MTTA values can reveal inefficiencies in alerting workflows or indicate alert fatigue. This helps teams identify areas for process improvement, such as better alert prioritization or automation.
- Resource Management: MTTA offers insight into whether the security team is properly staffed or equipped to handle the volume of alerts. Longer acknowledgment times might indicate the need for more resources or automation tools to assist with triage.
MTTR - Mean Time to Resolve
Mean Time to Resolve (MTTR) is the average time taken to fully resolve a security incident, measured from the point of acknowledgment. In DNIF, the Time to Resolve (TTR) of a case is the time difference between the creation of the case and its closure. If the case is reopened, the TTR is updated to reflect the new closure time. If the case status is changed to On-Hold, the TTR clock is paused; it resumes when the status is changed back to In-Progress, so time spent on hold does not count toward TTR. MTTR is the sum of the TTRs of all cases divided by the number of cases (a case that has never been closed has no TTR yet).
MTTR helps in the following:
- Incident Response Efficiency: MTTR provides insights into how quickly your security team can address and mitigate threats. A lower MTTR means quicker resolution of incidents, reducing potential damage.
- Evaluating Security Effectiveness: By tracking MTTR, organizations can evaluate the efficiency of their incident response processes, tools, and workflows, helping identify areas for improvement.
- Minimizing Downtime: Faster resolution times ensure that disruptions to business operations or IT services caused by security incidents are kept to a minimum.
- Resource Planning: Monitoring MTTR helps in allocating the right resources, such as staffing or automation tools, to speed up the resolution process.
Note: TTA and TTR values are calculated only for cases created on or after the date the feature was released; cases created before that date have no TTA or TTR and do not contribute to MTTA or MTTR.
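The following is an added worked example, not DNIF's own code, that implements the TTA and TTR rules described in the MTTA and MTTR sections above: TTA measured from the oldest signal in a case to case creation and recalculated when an older signal is attached, TTR measured from case creation to the latest closure with On-Hold intervals excluded, and the means taken across cases. The status names (On-Hold, In-Progress, Closed, Reopened), the event representation and the sample cases are constructed for this example. One assumption the page does not settle is spelled out in the code: when a case is reopened, the time between the earlier closure and the reopening is counted, because the page says the TTR is updated to the new closure time; open cases are excluded from the MTTR denominator because they have no TTR yet.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Status names follow the page; the event tuple format is an assumption for this example.
ON_HOLD, IN_PROGRESS, CLOSED, REOPENED = "On-Hold", "In-Progress", "Closed", "Reopened"


@dataclass
class Case:
    case_id: str
    created: datetime                       # case creation = acknowledgment point
    signals: List[datetime] = field(default_factory=list)            # signal generation times
    events: List[Tuple[datetime, str]] = field(default_factory=list)  # status transitions

    def add_signal(self, generated_at: datetime) -> None:
        # Attaching a signal older than the current earliest one raises the TTA,
        # because TTA always reflects the oldest signal in the case.
        self.signals.append(generated_at)


def time_to_acknowledge(case: Case) -> Optional[timedelta]:
    """TTA = case creation time minus the earliest signal in the case."""
    if not case.signals:
        return None
    return case.created - min(case.signals)


def time_to_resolve(case: Case) -> Optional[timedelta]:
    """TTR = creation -> latest closure, with On-Hold intervals excluded.

    Returns None while the case has never been closed. After a reopen the clock
    keeps running, so the next closure yields a larger TTR (assumption: the
    closed-to-reopen gap counts, as TTR is measured to the new closure time).
    """
    elapsed = timedelta(0)      # time accumulated while the clock was running
    clock_start = case.created  # start of the current running interval
    running = True
    ttr_at_close = None
    for ts, status in sorted(case.events):
        if status == ON_HOLD and running:
            elapsed += ts - clock_start
            running = False
        elif status == IN_PROGRESS and not running:
            clock_start = ts
            running = True
        elif status == CLOSED:
            # snapshot without stopping the clock, so a later reopen just extends it
            ttr_at_close = elapsed + ((ts - clock_start) if running else timedelta(0))
        # REOPENED needs no action: the clock is already running (or still on hold)
    return ttr_at_close


def _mean(values: Iterable[Optional[timedelta]]) -> Optional[timedelta]:
    present = [v for v in values if v is not None]
    if not present:
        return None
    return sum(present, timedelta(0)) / len(present)


def mean_time_to_acknowledge(cases: List[Case]) -> Optional[timedelta]:
    return _mean(time_to_acknowledge(c) for c in cases)


def mean_time_to_resolve(cases: List[Case]) -> Optional[timedelta]:
    # Only cases that have been closed at least once contribute (assumption).
    return _mean(time_to_resolve(c) for c in cases)


def build_sample_cases() -> List[Case]:
    """Constructed sample data covering hold, reopen, late old signal and open case."""
    d = lambda h, m: datetime(2024, 1, 1, h, m)  # noqa: E731 (compact timestamps)
    # Case A: two signals, created 30 min after the oldest; held for 1 h; closed,
    # reopened and closed again -> TTA 30 min, TTR 3 h wall clock minus 1 h hold = 2 h.
    a = Case("A", created=d(8, 30), signals=[d(8, 0), d(8, 20)],
             events=[(d(9, 0), ON_HOLD), (d(10, 0), IN_PROGRESS), (d(10, 30), CLOSED),
                     (d(11, 0), REOPENED), (d(11, 30), CLOSED)])
    # Case B: created 10 min after its only signal, then an older signal is attached,
    # which recalculates TTA from 10 min to 40 min; closed 10 min after creation.
    b = Case("B", created=d(9, 0), signals=[d(8, 50)], events=[(d(9, 10), CLOSED)])
    b.add_signal(d(8, 20))
    # Case C: acknowledged 20 min after its signal and still open -> no TTR yet.
    c = Case("C", created=d(12, 0), signals=[d(11, 40)])
    return [a, b, c]


if __name__ == "__main__":
    cases = build_sample_cases()
    for case in cases:
        print(case.case_id, "TTA:", time_to_acknowledge(case), "TTR:", time_to_resolve(case))
    print("MTTA:", mean_time_to_acknowledge(cases))  # 0:30:00
    print("MTTR:", mean_time_to_resolve(cases))      # 1:05:00
```

Feeding real DNIF case exports into this would only require mapping each case's signal timestamps and status history onto the `Case` fields; the per-case functions are the part worth checking against the product's reported values, since any disagreement on hold or reopen handling shows up there before it is averaged away.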