Security Operations Efficiency dashboard

  • Release version: Xanadu
  • Updated August 1, 2024
  • 8 minutes to read

    Security operations center (SOC) managers can view overall efficiency metrics and measure the individual performance of the SOC team members in the organization.

    The SOC manager can use the Performance Analytics dashboard to improve efficiency and develop a picture of how the SOC is performing in both general and specific areas over time.

    Analyst Efficiency tab

    Performance Analytics SOC Efficiency dashboard: Analyst Efficiency tab

    Click any of the indicators to drill down for further details. For example, click the indicator in the Average security incidents worked per analyst section.

    Analyst Efficiency: Overview

    The graph shows that the number of open security incidents has increased from 0 in March to over 40 in May. Notice the data displayed in the header:
    • Trend indicator: Shows the change in number of open incidents in the latest time period for which the data has been collected. This chart shows data for the period March 2019 to May 2019 and the number of open incidents has increased by 19 in the month of May. Analyst efficiency is better if the number of open incidents has decreased over a period of time.
    • No. of scores: The period for which the data has been collected (March to May 2019).
    • Sum: The number of new open incidents for the period between March and May.
    • Change: The number of new open incidents between March and April.
    • Average: The average number of open incidents per analyst for the selected period.
    Table 1. Analyst Efficiency tab

    Average security incidents worked per analyst
      Average number of open security incidents per analyst for the specified period. The formula used is [[Number of open security incidents / By month AVG +]] / [[Number of Security Agents]]

    Closed security incidents per analyst
      The total number of incidents closed by each analyst in the selected category in the specified period. The formula used is [[Number of closed security incidents > Security Incident Category = <category_name> / By month SUM +]] / [[Number of Security Agents / By month AVG +]]

    Average security incident resolution
      The average time taken by each analyst to close security incidents in the specified period. The formula used to show the result in days is ([[Summed duration of closed security incidents > Security Incident Category = <category_name> / By month AVG +]] / [[Number of closed security incidents > Security Incident Category = <category_name> / By month AVG +]]) / 24

    Average security incident age
      The average number of days for which security incidents remain open for each analyst. The formula used to show the result in days is ([[Summed age of open security incidents > Security Incident Category = <category_name> / By month AVG +]] / [[Number of open security incidents > Security Incident Category = <category_name> / By month AVG +]]) / 24

    Security incident backlog analysis
      The total number of open security incidents in the specified period. Select an option from the Breakdown list to view the backlog for each analyst, security group, priority, and so on. You can also compare the number of open security incidents between two selected months.

    Closed security incident analysis
      The total number of security incidents that were closed in the specified period. Select an option from the Breakdown list to view the count for each analyst, security group, priority, and so on. You can also compare the number of security incidents that were closed between two selected months.

    Security incident age
      The average number of days for which security incidents remain open in the specified period. Select an option from the Breakdown list to view the security incident age for each analyst, security group, priority, and so on. The formula used to show the result in days is ([[Summed age of open security incidents > Security Incident Category = <category_name> > Security Assignment Group = <group_name> / By month AVG +]] / [[Number of open security incidents > Security Incident Category = <category_name> > Security Assignment Group = <group_name> / By month AVG +]]) / 24

    Security incident resolution time
      The average number of days taken to resolve security incidents during the specified period. Select an option from the Breakdown list to view the security incident resolution time for each analyst, security group, priority, and so on. The formula used to show the result in days is ([[Summed duration of closed security incidents > Security Incident Category = Malicious code activity > Security Assigned To = John Ashby / By month AVG +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity > Security Assigned To = John Ashby / By month AVG +]]) / 24

    Detection and Response Effectiveness tab

    Performance Analytics SOC Efficiency dashboard: Detection and Response Effectiveness tab

    Table 2. Detection and Response Effectiveness tab

    True positive incidents
      Percentage of true positive security incidents in the selected category for the specified period. The formula used is (1 - ([[Number of false positive security incidents > Security Incident Category = Malicious code activity / By month SUM +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity / By month SUM +]])) * 100

    False positive critical incidents
      Percentage of false positive critical security incidents in the selected category for the specified period. The formula used is ([[Number of false positive security incidents > Security Incident Risk Score = Critical Risk > Security Incident Category = Malicious code activity / By month SUM +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity / By month SUM +]]) * 100

      Note: Any security incident where the Closed code is Invalid vulnerability or False positive is treated as a false positive incident.

    Mean false positive risk score
      Average monthly risk score of closed security incidents that were identified as false positive incidents. A lower risk score indicates that the security analysts spent less time analyzing false positive incidents. The formula used is ([[Number of false positive security incidents > Security Incident Risk Score = Critical Risk > Security Incident Category = Malicious code activity / By month SUM +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity / By month SUM +]]) * 100

    False positive security incident duration
      Average number of days that the security analysts spent investigating false positive incidents. The formula used is ([[Summed duration of false positive security incidents]] / [[Number of false positive security incidents]]) / 24

    Security incident source effectiveness
      Percentage of true positive security incidents identified by a specific source for the specified period. The source can be email, network activity, customer support, and so on. This data helps measure the effectiveness of the security incident source. The formula used is (1 - ([[Number of false positive security incidents > Security Incident Category = Malicious code activity > Security Incident Source = IDS/IPS / By month SUM +]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity > Security Incident Source = IDS/IPS / By month SUM +]])) * 100

    Security incident source volume analysis
      Number of closed security incidents for the current month for each security incident source. You can also compare the number of security incidents for each source type between two selected months.

    Security incident backlog analysis
      The total number of open security incidents in the specified period and the average number of days for which the incidents remain open. You can also compare the number of open security incidents between two selected months. The formula used to calculate the average backlog period is ([[Summed age of open security incidents > Security Incident Category = Malicious code activity]] / [[Number of open security incidents > Security Incident Category = Malicious code activity]]) / 24

    Closed security incident analysis
      The total number of closed security incidents in the specified period and the average resolution time for these incidents. The formula used to calculate the average resolution time is ([[Summed duration of closed security incidents > Security Incident Category = Malicious code activity]] / [[Number of closed security incidents > Security Incident Category = Malicious code activity]]) / 24

    Incident Risk Score Analysis tab

    Performance Analytics dashboard: Incident Risk Score Analysis tab

    Table 3. Incident Risk Score Analysis tab

    Total risk exposure analysis
      Total number of open incidents in each risk category (low, moderate, and critical) in the specified period. You can also compare the number of incidents in the different risk categories between two months.

    Normalized security analyst work by risk score
      The total risk score for each security analyst for the specified period. This is calculated based on the number of true positive security incidents that the security analyst closed. The formula used is [[Summed Risk Score of Closed Security Incidents > Security Incident Category = Malicious code activity > Security Assigned To = SI Admin / By month SUM +]] - [[Summed Risk Score of False Positive Security Incidents > Security Incident Category = Malicious code activity > Security Assigned To = SI Admin / By month SUM +]]

    Security analyst work by mean risk score
      The average risk score for each security analyst for the specified period. The formula used is [[Summed Risk Score of Closed Security Incidents > Security Incident Category = Malicious code activity > Security Assigned To = SI Admin / By month AVG +]] - [[Summed Risk Score of False Positive Security Incidents > Security Incident Category = Malicious code activity > Security Assigned To = SI Admin / By month AVG +]]
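    As an added worked example (not code from ServiceNow or from this page), the Python below recomputes the Table 2 and Table 3 indicators over a constructed set of closed incidents: it applies the Note's false positive rule (Closed code of Invalid vulnerability or False positive), then derives true positive %, source effectiveness, false positive duration in days, and normalized analyst work by risk score. The Incident record shape, the analyst and source names, and the sample values are assumptions; durations are assumed to be in hours, which is why the formulas divide by 24.

```python
from dataclasses import dataclass

# Closed codes the dashboard treats as a false positive (Note under Table 2).
FALSE_POSITIVE_CLOSED_CODES = {"Invalid vulnerability", "False positive"}

@dataclass
class Incident:
    """Constructed record shape, not the ServiceNow table schema (assumption)."""
    assigned_to: str
    source: str
    risk_score: int
    closed_code: str
    duration_hours: float  # open-to-close time in hours; the dashboard divides by 24

def is_false_positive(inc: Incident) -> bool:
    return inc.closed_code in FALSE_POSITIVE_CLOSED_CODES

def true_positive_pct(closed: list) -> float:
    """True positive incidents: (1 - FP / closed) * 100; 0.0 when nothing closed."""
    fp = sum(1 for i in closed if is_false_positive(i))
    return (1 - fp / len(closed)) * 100 if closed else 0.0

def fp_duration_days(closed: list) -> float:
    """False positive incident duration: summed FP hours / FP count / 24."""
    fps = [i for i in closed if is_false_positive(i)]
    return sum(i.duration_hours for i in fps) / len(fps) / 24 if fps else 0.0

def source_effectiveness(closed: list, source: str) -> float:
    """Security incident source effectiveness: true positive % for one source."""
    return true_positive_pct([i for i in closed if i.source == source])

def normalized_work_by_risk(closed: list, analyst: str) -> int:
    """Normalized security analyst work by risk score (Table 3):
    summed risk score of the analyst's closed incidents minus the risk score of their FPs."""
    mine = [i for i in closed if i.assigned_to == analyst]
    fp_risk = sum(i.risk_score for i in mine if is_false_positive(i))
    return sum(i.risk_score for i in mine) - fp_risk

# Constructed closed incidents for one month (not real data).
CLOSED = [
    Incident("alice", "IDS/IPS", 80, "Resolved", 24),
    Incident("alice", "IDS/IPS", 90, "False positive", 12),
    Incident("bob", "Email", 30, "Resolved", 48),
    Incident("bob", "Email", 50, "Invalid vulnerability", 6),
    Incident("alice", "Email", 60, "Resolved", 36),
    Incident("bob", "IDS/IPS", 85, "False positive", 18),
]
```

    With this sample, half of the closed incidents are false positives, so the overall true positive rate is 50%, while the IDS/IPS source scores lower (two of its three incidents were false positives) than the Email source.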

    Security Incident Stage Analysis tab

    Performance Analytics SOC dashboard: Security Incident Stage Analysis tab

    You can see the number of open incidents on a specific day and the stage (analysis, draft, contain, eradicate, recover, or review) of these incidents. For each stage, you can view the average age, affected CIs, response tasks, and so on. Click a link to view additional details or the breakdown of these incidents.