Getting Security Operations Metrics Right

The GreySpark Analysis Process

  • Ingest Event

    Collect and Tag Data using Customer ID, Location ID, Asset Class, Domain, ...

  • Recognize and Enrich

    Identify Vendors and Event Types, Enrich Events with Organizational Context

  • Normalize

    Deconstruct and Map to Common Information Model (Metadata)

  • Quantify

    Construct Fundamental Data Elements that Characterize Metadata

  • Assess

    Using Fundamentals, Calculate Repeatable, Meaningful and Precise Security Operations Metrics

Cyber Defense Matrix (CDM)

The GreySpark Cyber Defense Matrix (CDM) provides an intuitive and informative visualization of controls (processes and technologies) as they correspond to the NIST CSF operational security functions (Identify, Protect, Detect, Respond, Recover) and to the classes of assets in the environment (Devices, Applications, Networks, Data and Users). This 5x5 matrix serves as a communication tool for controls coverage and, when driven by sensor data, shows the operational status of controls as well as adherence to compliance frameworks.

Controls Coverage

Quick assessment of the cyber security control set against the NIST CSF framework.


The Cyber Defense Matrix Controls Coverage module within GreySpark will help you highlight gaps and identify appropriate ways to close them.

Below is an example of the recommendations provided within the platform. This table highlights gaps and provides recommendations for the cyber security technology and process architecture for a specific organization.



Operations Challenges

Data-driven evidence of controls operation reveals misconfigurations.


The Cyber Defense Matrix Controls Coverage module allows you to see where you have gaps in your operational controls.

Below is an example of recommendations for improving controls operation for a specific organization. The following table highlights areas where, although technologies or processes were indicated as implemented, there is no evidence of operation. You should verify that these are operating as intended and forwarding data to the GreySpark Data Collection Appliance.



Compliance Challenges

Gaps in coverage and operations against compliance frameworks.


The Cyber Defense Matrix Compliance module allows you to see exactly where you have gaps against your compliance framework. Below is an example of the compliance coverage recommendations for a specific organization.

The controls framework indicated for this security operation is the First 5 CIS. The following table lists technologies or processes required for controls framework compliance that are either NOT DEPLOYED or show NO EVIDENCE of operation. For technologies deployed with no evidence of operation, you should verify that these are operating as intended and forwarding data to the GreySpark Data Collection Appliance. For technologies or processes not deployed, you may close the gap by implementing a selection of the technologies listed in the table below.
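To make the three CDM views above (Controls Coverage, Operations and Compliance) concrete, here is an added example, not GreySpark's code: a 5x5 matrix keyed by NIST CSF function and asset class, populated from a declared control inventory and from normalized events, that reports cells with no control, controls declared but without event evidence, and required cells that are NOT DEPLOYED or show NO EVIDENCE. The control names, events and required-cell set are constructed for illustration.

```python
# Added example (not GreySpark's code): a 5x5 Cyber Defense Matrix built from
# declared controls and normalized sensor events. Control names, events and the
# required-cell set are constructed for illustration.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
ASSET_CLASSES = ("Devices", "Applications", "Networks", "Data", "Users")

# Controls the organization declares as implemented, each mapped to a CDM cell.
DECLARED = {"edr": ("Detect", "Devices"), "waf": ("Protect", "Applications"),
            "netflow": ("Detect", "Networks"), "dlp": ("Protect", "Data"),
            "mfa": ("Protect", "Users"), "backup": ("Recover", "Data")}

# Normalized events as they look after Ingest/Recognize/Normalize: each is tagged
# with the control that emitted it. Nothing has arrived from "dlp" or "backup".
EVENTS = [{"source": s, "customer_id": "cust-01"}
          for s in ("edr", "waf", "netflow", "mfa", "edr")]

# Cells in which a hypothetical compliance framework requires an operating control.
REQUIRED = {("Identify", "Devices"), ("Detect", "Devices"),
            ("Protect", "Data"), ("Recover", "Data")}

def build_matrix(declared, events):
    """Map every CDM cell to the controls declared there and those with event evidence."""
    seen = {e["source"] for e in events}
    matrix = {(f, a): {"declared": [], "operating": []}
              for f in FUNCTIONS for a in ASSET_CLASSES}
    for control, cell in declared.items():
        matrix[cell]["declared"].append(control)
        if control in seen:
            matrix[cell]["operating"].append(control)
    return matrix

def coverage_gaps(matrix):
    """Controls Coverage view: cells with no declared control at all."""
    return sorted(cell for cell, v in matrix.items() if not v["declared"])

def operations_gaps(matrix):
    """Operations view: controls declared as implemented but with no event evidence."""
    return sorted(c for v in matrix.values() for c in v["declared"]
                  if c not in v["operating"])

def compliance_gaps(matrix, required):
    """Compliance view: required cells that are NOT DEPLOYED or show NO EVIDENCE."""
    gaps = {}
    for cell in sorted(required):
        if not matrix[cell]["declared"]:
            gaps[cell] = "NOT DEPLOYED"
        elif not matrix[cell]["operating"]:
            gaps[cell] = "NO EVIDENCE"
    return gaps
```

With the constructed data, "dlp" and "backup" show up as operations gaps even though they are declared, which is exactly the case the Operations section says to verify against the data collection path.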



Security Operations Metrics (KRIs)

With controls coverage, operation and compliance assured through the CDM, GreySpark calculates metrics specifically designed to measure aspects of cyber security operations. There are 6 quantitative and 3 qualitative metrics:

Quantitative Metrics


New Threats

How often are we seeing events that have not been seen before? Will I have a remedy ready?


Opportunity Risk

How is the overall severity of events trending? This refers to the opportunity for threats to succeed.


Surface Area

Do I have blind spots? Am I seeing everything I should be? Are there unexpected changes in assets?


Defense Effectiveness

What are my repeat events? Where are they occurring in my defense in depth?


Technical Debt

What is the combined severity, volume and arrival rate of new events? Will I be overwhelmed?


Score History

What do I know about my environment? Do I have enough data to be confident in the metrics?

Qualitative Metrics



How are the metrics distributed among high value assets or those in compliance boundaries?



Which division, line of business or office is contributing most to my risk metrics?



How rapidly are things changing? Do I know what is different from yesterday?


Metrics For The Way You Operate

A key component of generating reliable metrics is to start with an accurate, complete and meaningful data set. GreySpark's process rigorously deconstructs disparate vendor data into a highly structured and well-understood common information model (the fundamental metadata). Along the way, the tagging and enrichment process ensures that these fundamentals remain contextual to the source organization and security operations infrastructure.

These rich and reliable fundamental data are ideally suited for creating any number of custom metrics, and the GreySpark API exposes them for users to consume in third party reporting or analytics applications.
