MTTR and Its Importance in a SOC

In the context of a security operations center (SOC), MTTR, or Mean Time to Remediate, is the average time it takes to remediate or resolve a security incident. It’s an important metric in evaluating the efficiency and effectiveness of a SOC.

Companies can differ in exactly how they define and track MTTR and which response actions they include. Because there is no hard and fast standard, comparing MTTRs across SOCs or managed detection and response (MDR) providers may not be comparing apples to apples. When considering MTTR, it’s useful to know what has been included in the calculation—at what points the time measurement starts and stops.

Blackpoint’s Security Operations Center has an industry-leading MTTR of 27 minutes, with an impressive 7 minute response time for cloud incidents in particular. Blackpoint’s measurement of this MTTR starts when an alert is first generated and ingested into the queue and ends with a partner phone call after threat elimination. In between, there’s a two-phase process.

In the first phase, an MDR analyst receives the alert from SNAP-Defense and conducts initial triage to determine if it is benign activity that can be dismissed, or if the alert needs further action. If further action is necessary, the event is escalated to the senior team.

In the second phase, senior MDR analysts conduct an in-depth and thorough threat hunt and investigation to identify which actions and remediation steps are needed. Depending on the severity of the alert, actions may include calling the involved partner and informing them of the activity, as well as conducting the aggressive, proactive response actions we are best known for. These actions can include isolation, account disablement, or other needed remediation steps to contain and eradicate the threat.

Once the threat has been eliminated, the SOC follows up with the affected partner via phone call and informs them of the protective actions we have taken in their, or their end client’s, environment.

Due to the rapid pace at which threat actors tend to compromise business emails, as well as the high fidelity of Blackpoint’s current Cloud Response detection logic, cloud alerts skip the first phase entirely, instead jumping right into investigation by the senior team. This results in lower MTTR times for cloud attacks versus on-premises attacks.

The SOC’s industry-leading MTTR is impressively low for a few distinct reasons. First, our custom, built-in-house proprietary MDR software is much faster than a traditional SIEM, and with high-fidelity detection logic built on top of it, our analysts get the necessary information and targeted metadata in their hands much faster.

Next, the platform our team uses to triage and investigate these events allows for very fast, in-depth access to all the metadata they need to make the right decisions.

And finally, Blackpoint hires world-class MDR analysts to conduct our human-led threat hunts and investigations to rapidly identify, contain, eradicate, and remediate security incidents.

The SOC continuously seeks ways to continue building efficiencies at every step to lower the overall MTTR. This includes tech efficiencies, detection logic tuning, detection scoring, automation wherever possible, process improvements, and a world-class training program that starts from day one of analysts’ onboarding.

Our SOC team monitors behavior to see attacks as they’re happening, in addition to threat hunting based on events that have already happened—and they take action to eliminate the threats, on the spot. While other SOCs wait for partner approval to take action, the Blackpoint SOC takes a proactive approach, using their expertise to best protect the partner without waiting for permission.

After eliminating the threat, the SOC follows up with a partner phone call, every time, to keep our partners informed about what’s happened.

Blackpoint’s advanced MDR+Remediation technology and our human-powered SOC are why we maintain a low MTTR, giving us the industry’s fastest response and highest efficacy and keeping our MSP partners first in cybersecurity.