Lumu Reports - Use Cases and Scenarios

These are use cases for specific profiles in an organization, showing how each can use the report's data to improve their workflow. Check our documentation to learn more about the content of Lumu Reports.

We will take a look at three vital roles:

CISO - Chief Information Security Officer

Lumu Reports contain data about the cybersecurity state of the organization, which CISOs can use to make informed decisions that improve the company's cybersecurity posture.

The most valuable data in the report for the CISO can be found in the Open Incidents section of the report, more specifically, in the subsections focusing on risk level. 

Risk level is a great tool for CISOs as it informs them of the stage of attacks within the network, and which actions have been taken against them. This, combined with the information provided by the incidents’ labels, will provide a holistic view of the network's cybersecurity state which the CISO can use to make informed strategic decisions. 

Knowing which of the open incidents in your network are being operated on, and having an accurate estimate of how far these attacks have progressed, allows the CISO to prioritize the cybersecurity team's resources toward the adversaries currently affecting the network and to strengthen the organization's posture against relevant threats.

After dealing with active threats, they can use the factual data acquired throughout the process to acquire relevant technologies that further protect the network from common attacks. They can also adjust the organization's cybersecurity policy based on factual data about the threat types affecting the network and the monitored labels, and even design and implement disaster recovery protocols with a very clear picture of a worst-case scenario.

Let’s take a look at a potential scenario: 

  • The CISO receives factual data regarding the risk level of active incidents
  • The CISO finds out that incidents that should have been prioritized based on their risk level are still open and haven’t been picked up by anyone within the organization. These incidents are active threats and should be acted upon.
  • The CISO contacts the SOC Director to engage in a discussion about the situation. It becomes evident that there is an opportunity to enhance the utilization of the cybersecurity team's resources and refine procedures, especially considering the advancements made by some of these incidents within the network. 
  • The CISO provides priorities of operation for the SOC director, and they agree on measurable goals to operate and close high-priority incidents.
  • The CISO stays on top of the operation while checking periodic reports to make sure the procedure is having the intended effect. 
  • The CISO uses this factual data to validate the success of the operation. 

SOC Director

The SOC director leads the team and oversees their goals, training and activities. As such, the most valuable data they can find in the report would be the metrics, specifically the ones in the Security Operation Summary section. These metrics give the SOC director insight into the expediency and efficiency of the team's operation.

For example, they can measure the holdover open incidents from previous periods to know whether the current team composition can handle all the incident load, or if their current assets aren’t being used as effectively as possible. 

They can also look at the number of resolved incidents versus detected incidents and set an incident resolution goal between them for the next period, for instance. 

The average resolution time also tells them how old the incidents resolved during the analyzed period were, which can suggest improvements to practices and procedures that prevent incidents from lingering in the network and advancing to stages where they can harm the organization.

Another important metric is the Mean Time to Response (MTTR), which tells you how fast the team is responding to incidents to start operating them. Manual operation can lead to high values in this indicator, as there is a limit to human capacity to handle such large loads of data; however, this can be severely mitigated by Lumu’s automated out-of-the-box integrations.

These integrations, which are available to Lumu Defender customers, provide SOC directors with an estimate of the number of work hours saved given that automated integrations can respond to incidents faster than any human could. 

Last, but certainly not least, the most important metric, and the one that verifies the team’s effectiveness with the most certainty, is the capacity to operate, as it measures the team’s ability to operate the organization’s cybersecurity. Ideally, you should aim for a high value in this metric, as anything below may imply that the team’s policies, training, practices, or even team composition must be evaluated and adjusted.
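The following is an added example, not Lumu's own code or its official metric definitions: it computes the metrics discussed above (holdover, resolved versus detected, average resolution time, MTTR, capacity to operate) over a constructed set of incident records for one reporting period. The definitions in the code are assumptions made for illustration; Lumu's report may compute them differently.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Incident:
    incident_id: str
    detected: datetime
    first_response: Optional[datetime] = None  # None: nobody has picked it up yet
    resolved: Optional[datetime] = None        # None: still open

def hours(delta):
    return delta.total_seconds() / 3600

def soc_summary(incidents, start, end):
    """Operation metrics for the period [start, end). Definitions are assumptions, not Lumu's."""
    in_period = lambda t: t is not None and start <= t < end
    detected = [i for i in incidents if in_period(i.detected)]
    responded = [i for i in incidents if in_period(i.first_response)]
    resolved = [i for i in incidents if in_period(i.resolved)]
    # Holdover: detected before the period and still open when the period ends
    holdover = [i for i in incidents
                if i.detected < start and (i.resolved is None or i.resolved >= end)]
    # Capacity to operate (assumed definition): share of incidents detected in the
    # period that received a first response at all
    operated = [i for i in detected if i.first_response is not None]
    mean = lambda xs: sum(xs) / len(xs) if xs else None
    return {
        "detected": len(detected),
        "resolved": len(resolved),
        "holdover": len(holdover),
        "mttr_hours": mean([hours(i.first_response - i.detected) for i in responded]),
        "avg_resolution_hours": mean([hours(i.resolved - i.detected) for i in resolved]),
        "capacity_to_operate": len(operated) / len(detected) if detected else None,
    }

# Constructed sample records (not real Lumu data) for a March 2024 reporting period
SAMPLE = [
    Incident("A", datetime(2024, 2, 20, 10), datetime(2024, 2, 20, 12), datetime(2024, 3, 5, 10)),
    Incident("B", datetime(2024, 2, 25, 9)),                 # holdover nobody has picked up
    Incident("C", datetime(2024, 3, 3, 8), datetime(2024, 3, 3, 9, 30), datetime(2024, 3, 4, 8)),
    Incident("D", datetime(2024, 3, 10), datetime(2024, 3, 10, 6)),
    Incident("E", datetime(2024, 3, 20, 12)),                # detected this period, never operated
    Incident("F", datetime(2024, 3, 28), datetime(2024, 3, 28, 0, 30), datetime(2024, 3, 30)),
]

def example_summary():
    return soc_summary(SAMPLE, datetime(2024, 3, 1), datetime(2024, 4, 1))

if __name__ == "__main__":
    for name, value in example_summary().items():
        print(f"{name}: {value}")
```

On this sample the unpicked incidents B and E are exactly what drags the capacity to operate down to 0.75 and leaves one holdover for the next period.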

Let’s take a look at a potential scenario: 

  • Following a discussion with the CISO, the SOC Director endeavors to uncover the underlying causes of operational gaps. These gaps have inadvertently allowed critical incidents to evade detection and propagate within the network.
  • The SOC Director consults the report to look at factual data regarding operation metrics. 
  • Upon reviewing the metrics, the SOC director identifies areas for improvement in crucial indicators like response time and operational capacity. Addressing these aspects enhances the team’s ability to effectively manage threats, safeguarding the organization from potential harm.
  • A high response time can be addressed by improving existing response procedures and assigning SOC agents to provide first response to high-priority incidents. The SOC director must determine which resources will be assigned to this duty and communicate the changes. Another possible solution is to automate first-response procedures, which can be done with Lumu’s out-of-the-box response integrations. Consult the CISO to learn which integrations are available to you, then consult the relevant party within your organization to deploy these integrations.
  • A low capacity to operate may mean different things based on the team’s situation: either the team is not large enough to handle the volume of incidents and the SOC director must add resources to accommodate it, or the team’s resources are not assigned and/or trained optimally to handle the organization’s incident load. The SOC director can use the report’s metrics to determine which scenario applies to the team and make pertinent decisions. In this case, it is determined that the team is large enough but isn’t handling incidents optimally.
  • The SOC director must find out which elements are underperforming and why and take corrective measures, reassign team elements effectively, and set performance goals to determine the success of said changes. 

SOC Analyst 

The report also contains data relevant to those operating the organization’s cybersecurity at a tactical level, namely, the team’s analysts. 

Analysts can benefit greatly from the incident-specific data provided throughout the report, which gives them the insight needed to prioritize and operate individual incidents effectively. The analyst can also access the MITRE framework from the portal’s Incidents view to find effective mitigation strategies and countermeasures against specific threats.

It also provides detailed data regarding affected endpoints that may require special attention and direct intervention lest they become the adversary’s foothold into the network. 

There isn’t a single criterion to determine which incidents should be prioritized; however, Lumu provides all the required information for the analysts to do so. Business relevance is always the first priority, since the organization determines it when setting up their labels, so other data such as the incident’s activity, affected endpoints, and contacts should be considered while keeping the business relevance in mind.

With the data provided by the report, analysts should have a better view of the organization’s cybersecurity landscape allowing them to make correct and timely tactical decisions. 

Let’s take a look at a potential scenario: 

  • The analyst follows the SOC director's guidance, focusing on high-priority incidents selected by considering a blend of business importance, risk assessment, and labels. Leveraging the details presented in the report and the Incidents view, the analyst identifies incidents matching these attributes.
  • The analyst takes ownership of a specific incident to operate on. Thanks to the report and the incident view, the analyst has access to factual data regarding the type of threat affecting the organization. Through the incident view, the analyst navigates to the MITRE ATT&CK Framework’s entry on the threat, which provides effective mitigation measures that can be applied in the organization’s case.
  • One of these effective measures is isolating the affected device. Through the report and incident view, the analyst can find out which endpoints within the organization are being affected by the specific threat; however, the analyst’s authority level is very likely not high enough to isolate the device by themselves.
  • The analyst must request the assistance of the SOC director to address the issue urgently and contact the organization’s IT department to isolate the affected endpoint to contain the threat. 
  • The analyst must carry out any other necessary mitigation and remediation procedures to address the threat and make sure the threat is under control and eliminated, as well as request the assistance of any relevant party within the organization to carry out the required procedures. 
  • Once done, close the incident in the Lumu Portal to inform the rest of the team that the specific incident has been taken care of.
