During a quarterly lessons-learned meeting, the incident-response team notes that, on average, six hours elapsed between the moment malware first executed on several endpoint hosts and the moment the SOC issued its initial detection alert. Which key performance indicator (KPI) should the team record to track this gap over time?
The metric that captures the average duration between the occurrence of an adverse event (such as the first indicator of compromise) and its discovery by security monitoring is Mean time to detect (MTTD). Tracking MTTD shows how quickly the organization recognizes incidents; a lower value indicates better detection capability. The related metrics, mean time to respond, mean time to recover, and mean time to remediate, all start their clock after detection and therefore measure different phases of the incident-response lifecycle.