Hello. How can we help you?

Key Metrics – MTTD,MTTA & MTTR

Mean Time to Detect (MTTD)

Mean Time to Detect (MTTD) is the average time taken to identify a security incident by generating a signal or alert after the raw log event is ingested. In DNIF, Time to Detect (TTD) is calculated for each signal as the difference between the time the signal is created and the ingestion time of the earliest raw log event that contributed to generating the signal. MTTD is then determined by summing all TTDs across signals and dividing this total by the number of signals.

MTTD helps in the following:

  1. Early Threat Identification: MTTD allows security teams to assess how quickly they can identify potential security incidents. A lower MTTD means quicker detection, reducing the time attackers have to cause damage.
  2. Reducing Incident Impact: Faster incident detection leads to quicker responses, which can limit the scope of damage, data loss, or disruption. A low MTTD minimizes the window for attackers to exploit vulnerabilities.
  3. Improving Security Posture: MTTD is a key metric in continuous improvement processes. Tracking it over time helps organizations refine detection mechanisms, rules, and policies in their SIEM system to reduce detection times further.
  4. Compliance and Reporting: Many industries have regulations requiring that incidents be detected and reported within a certain timeframe. MTTD ensures that organizations comply with these requirements by providing a measurable way to track detection speed.

Note: The Time to Detect (TTD) will be calculated daily at midnight for each region. TTD values will be calculated for signals generated on or after the feature release date.

MTTA – Mean Time to Acknowledge

Mean Time to Acknowledge (MTTA) is the average time it takes to acknowledge a security alert after it has been generated. In DNIF, the Time to Acknowledge (TTA) is calculated for each case as the time difference between the creation of the case and the generation of the earliest signal within that case. If a new, older signal is added, the TTA is recalculated to reflect the time of the oldest signal. MTTA is determined by adding up all the TTAs across cases and dividing by the total number of cases.

MTTA helps in the following:

  1. Responsiveness Tracking: MTTA helps monitor how quickly the security team responds to alerts, indicating the effectiveness of alert handling and initial response. A shorter MTTA suggests that potential threats are being acted upon quickly, reducing the window of exposure.
  2. Incident Prioritization: By tracking MTTA, teams can identify whether alerts are being acknowledged in a timely manner and whether the most critical incidents are getting the attention they need first.
  3. Early Intervention: A fast acknowledgment time means that the security team is quickly aware of potential threats, allowing for early-stage containment before incidents escalate into major security breaches.
  4. Process Optimization: High MTTA values can reveal inefficiencies in alerting workflows or indicate alert fatigue. This helps teams identify areas for process improvement, such as better alert prioritization or automation.
  5. Resource Management: MTTA offers insight into whether the security team is properly staffed or equipped to handle the volume of alerts. Longer acknowledgment times might indicate the need for more resources or automation tools to assist with triage.
MTTR – Mean Time to Resolve

Mean Time to Resolve (MTTR) is the average time taken to fully resolve a security incident, starting from when it’s acknowledged. In DNIF, Time to Resolve (TTR) is calculated for each case by measuring the time difference between when the case was created and when it was closed. If the case is reopened, the TTR is updated based on the new closure time. If a case status is changed to On-Hold, the TTR calculation is paused. It resumes when the case status is changed to In-Progress. MTTR is determined by adding up all the TTRs across cases and dividing the total by the number of cases. 

MTTR helps in the following:

  1. Incident Response Efficiency: MTTR provides insights into how quickly your security team can address and mitigate threats. A lower MTTR means quicker resolution of incidents, reducing potential damage.
  2. Evaluating Security Effectiveness: By tracking MTTR, organizations can evaluate the efficiency of their incident response processes, tools, and workflows, helping identify areas for improvement.
  3. Minimizing Downtime: Faster resolution times ensure that disruptions to business operations or IT services caused by security incidents are kept to a minimum.
  4. Resource Planning: Monitoring MTTR helps in allocating the right resources, such as staffing or automation tools, to speed up the resolution process.

Note: TTA and TTR values will be calculated on cases that have been created on or after the feature release date.