Ron Gula's (ex-Tenable CEO) fireside chat at the NYC Infosec Meetup got serious when he questioned whether to optimize security team efficacy vs. efficiency. This dovetailed beautifully with our tech talk right before. When we explain visual playbooks, people quickly see how they cut MTTR, which in turn gets at both efficacy and efficiency. This has led us to think about what KPIs to focus on, so I ended up presenting a different take: focus on reliability... and an actionable KPI around that, playbook coverage.
Image: Leo sharing visual playbook best practices
A key property of a visual playbook is it enables, for the investigations in the category the playbook was defined for, starting every investigation with a computer-assisted run through of best practices. Think tasks like data gathering, correlation, and inspection. Analogous to code coverage for software, we've started thinking about playbook coverage for incidents: what percent of investigations were covered by visual playbooks, or some complementary technique like orchestration? Playbook coverage measures how prepared IR is in practice. Making the KPI actionable, it provides a clear target for what to cover by the next report. In contrast, MTTR requires more thinking and interpretation.
To see more on this, go to the final slides @ https://www.slideshare.net/lmeyerov/graphistry-nyc-infosec-meetup-increasing-investigation-leverage-with-graph-tech-visual-analysis-playbooks .