Performance summary of cyber detection against executed attack simulations. The dashboard data is based on all attack simulations carried out by your company.
This sketch cannot currently be displayed in exports
Hint: You can use the switch in the right top corner to exclude or include archived campaigns from those statistics
Hint: In each section, the slider at the top right allows you to switch the presentation of the results between absolute value and percentage.
Main KPI (section 1)
The first line presents the main indicators:
Total number of campaigns (regardless of their status)
Total number of simulations within those campaigns
Total number of executed events
Number of qualified events, i.e. those for which the detection status has been provided (therefore different from Undefined)
Number of events with an Alerted status
Campaigns statistics (section 2)
Cybersecurity score
This overall score is the average of the scores obtained for all the events in all the campaigns, whatever their status. It measures the detection rate of attack simulations carried out by BlackNoise.
BlackNoise rates each event according to 2 criteria:
The efficiency of the detection: The more effective it is, the higher the score (an "Alerted" event earns more points than a "Logged" event, which itself earns more points than an "Undetected" event). The score is also higher if it concerns a High severity event than a Low severity event, supporting the need to detect the most characteristic malicious actions.
The more information there is on the context of the detection, the higher the score
The complete score calculation formula is indicated in the legend of the graph by clicking on the "i" information button.
Score evolution
This is the evolution of the score for your campaigns.
You can select which campaigns to include in the graph and modify the time frame considered for this visualization.
Campaign targets
This table shows the types of Information System targeted by the campaigns.
This sketch cannot currently be displayed in exports
Detection efficiency (section 3)
Status synthesis
This graph shows the distribution of simulated attacks according to the 4 BlackNoise statuses:
Unqualified: Status assigned by default, no information on the detection of the event is given.
Undetected: The event is missed, the attack simulation is not detected (no logs, no alert).
Logged: The security tools created a technical trace (a log) corresponding to a simulated attack. But no alert was triggered and no reaction was taken. To be valid, Logged proofs must at least indicate: the source, the destination, the date and time and if possible the type of action recorded.
Alerted: The security tools identified the simulated attack. An alert or a notification was issued on one of these tools. To be valid, Alerted detection proofs must at least indicate: the source, the destination, the date & time and the type of threat identified. If applicable, the type of remediation made by the security teams can also be specified in the “reaction” section.
Mean time to detect (MTTD)
The Mean Time to Detect (MTTD) is the average time between the execution of a simulated BlackNoise attack and the alert by a security equipment. This KPI is calculated for events with the Alerted status and only if the dates and times of detection are provided. This overall MTTD is the average of the TTDs for all the events that meet these criteria in all campaigns.
Detection per severity
This graph shows the distribution of attacks detected (events with Alerted status) according to severity level.
High: An event whose detection is deemed to be of high priority due to the nature of the simulated attack being executed and/or the intended targets
Low: Event whose detection is judged to be less important compared to other attack simulations performed
Sources for Alerted & Logged events
This table lists the sources (equipment, tools, solutions) used to detect the simulated attacks.
This indicator helps quickly identify the most effective detection sources and those that are under-exploited. Under-exploited sources may indicate that the tools or services are not useful, or their configuration is inappropriate (e.g., no access to required technical data, incorrect settings, disabled functionalities, etc.).
Reaction efficiency (section 4)
Status synthesis
This graph shows the distribution of simulated attacks according to the reaction status:
Reacted: At least one action taken (response strategy) has been delared on the event after its detection.
Ignored: No reaction has been provided after the detection of the event.
Mean time to react (MTTR)
The Mean Time To Reaction (MTTR) is the average time between the alert by a security equipment and the application of the response strategy (reaction). This KPI is calculated for events with the Alerted status, detection dates & times and the dates and times of reaction. This overall MTTR is the average of the TTRs for all the events that meet these criteria in all campaigns.
Reaction per severity
This graph shows the distribution of attacks reacted (events with a reaction provided) according to severity level.
High: An event whose detection is deemed to be of high priority due to the nature of the simulated attack being executed and/or the intended targets
Low: Event whose detection is judged to be less important compared to other attack simulations performed
Reaction strategy
This graph shows the distribution of actions taken (response strategy) to deal with events that have been the subject of an alert. An event can have several reactions.
This sketch cannot currently be displayed in exports
Detection Compliance based on BlackNoise Simplified Kill Chain (section 5)
Distribution of the executed events according to a simplified decomposition of the Kill Chain in 3 major phases defined by the BlackNoise team. These 3 phases include the following MITRE ATT&CK Tactics: