Why MTTR is Bad for SecOps (Security News, June 2021)
Kerry Matre, senior director at Mandiant, discusses the appropriate metrics to use to measure SOC and analyst performance, and how MTTR leads to bad behavior.
In a SOC, measuring analyst activity with MTTR can drive the wrong behavior.
Even worse than motivating rushed investigations, MTTR can lead analysts to ignore alerts that should otherwise be investigated.
A recent IDC InfoBrief from FireEye, entitled "The Voice of the Analysts: Improving Security Operations Center Processes Through Adapted Technologies," confirmed that analysts do in fact ignore alerts.
If analysts are consistent in their investigations and remediation activities, then MTTR can be used to evaluate the effect of additional automation.
If a new technology is implemented that allows analysts to perform the duties of their job faster, then MTTR can be used to validate and quantify the gains.