Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system? - CompTIA CySA+ CS0-003

Question

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

Answers

  • A. Mean Time to Detect (MTTD) (correct)
  • Number of exploits by tactic
  • Alert volume
  • Quantity of intrusion attempts
Explanation

Correct Answer: A. Mean Time to Detect (MTTD)

  • SIEM systems are used to monitor and analyze security events in real time, and their primary purpose is often to help organizations detect security incidents quickly.
  • SOAR systems automate and orchestrate the response to these incidents. If your organization has invested in SIEM and SOAR, focusing on Mean Time to Detect (MTTD) makes sense because it measures how long it takes from when an incident starts to when it is first detected. This metric is critical for evaluating the effectiveness of your SIEM system in detecting security breaches, as well as the overall security posture of the organization.
  • Having a low MTTD helps the organization mitigate risks sooner, reduce damage, and respond faster.

Why the Other Options Are Incorrect:

Number of exploits by tactic

  • While the number of exploits by tactic (often mapped to a framework such as MITRE ATT&CK) is important for understanding the tactics, techniques, and procedures (TTPs) being used by attackers, it's more of an outcome-based metric than a proactive, real-time indicator of system performance.
  • This metric doesn't directly tell you how effective your SIEM or SOAR systems are at detecting incidents. It’s more relevant after detection has occurred to analyze the nature of the attacks.

Alert volume

  • Alert volume represents the number of alerts generated by the SIEM system. While it can indicate how active your monitoring systems are, it doesn’t reflect how efficient the detection process is or how fast incidents are being detected. In fact, a high alert volume can overwhelm security teams, leading to alert fatigue, which might dilute the focus on real threats.
  • Therefore, alert volume doesn’t provide a true measure of detection effectiveness like MTTD does. In addition, alert volume might require additional processing or filtering to assess relevance.

Quantity of intrusion attempts

  • The quantity of intrusion attempts tells you how many times attackers have tried to breach your network. However, it doesn’t give you insights into how quickly those attempts are detected (which is the main concern with SIEM and SOAR systems).
  • While this metric can be useful for understanding the volume of threats, it's not focused on the detection process or the response efficiency that SIEM and SOAR are meant to address.
