12 Measuring Success
This chapter covers
- The importance of measuring and reporting success
- Defining what success means in the context of threat hunting
- Identifying and discussing the areas to measure success
- Identifying and describing important threat hunting metrics
- How to report and communicate success to different stakeholders
- How to communicate the discoveries and with whom
Until now, our primary focus has been on conducting threat hunting operations: uncovering threats, conducting incident investigations, and collaborating with other teams to request information or share our findings.
In this chapter, we pause to consider governance and answer essential questions:
- Did our work add value to the business?
- How can we evaluate that value?
- Are there things that we should have done better?
- How can we improve the threat hunting practice?
In this chapter, we define success in the context of threat hunting and provide guidance on how to measure it. We outline methods for establishing and extracting essential measurements to calculate key-value metrics. In addition, we provide valuable insights into good practices for reporting and communicating threat hunting performance to different roles within the organization.
We conduct a threat hunting expedition (yes, another one) to illustrate the value of threat hunting in protecting the business and how reporting success goes beyond just reporting on key-value metrics.