loss of focus on threats and attacks that are actionable. Organisations that implement an ADR platform should expect to see a convergence of ‘investigations-to-response’, since more investigations are against validated conclusions rather than merely suspected attacks.

Cost per workflow

Review, investigation and response workflows are both personnel- and technology-dependent. Automation reduces personnel and technology dependencies, and reducing technology dependencies decreases personnel maintenance requirements. Thus, automation impacts personnel cost, technology cost and maintenance cost. Leaders will see that entire steps of their workflows can be reduced or eliminated completely, delivering massive acceleration, huge savings and massive efficiency boosts, as teams can focus on the validation of real incidents rather than wasting time on a wild goose chase.
Automatic detection vs manual detection

Establish a baseline for determining the ratio of detections your security stack produces vs the combined number of human detections you receive. To figure out the human detections, determine the number of staff detections (e.g. an employee recognises that their machine is malfunctioning, or an IT admin recognises that a system is performing in unusual ways), plus the number of external detections (e.g. the number of times you get a call from the authorities or IT admins), plus the number of detections your security operations staff create by manually synthesising data from your security stack and Security Information and Event Management (SIEM) system. This will give you a sense of the efficiency of your current system. With ADR you can expect the ratio to tilt substantially toward the automation side of the equation, which means substantially better security operations efficiency.
Percent investigation vs volume

Determine what is slipping through the cracks. By measuring investigations versus alert volume, you can get a sense of which alerts are never being investigated and are therefore creating risk. With the ADR system you should expect to see a shrinking gap and massive improvement. For example, if an organisation is typically performing three investigations for every 100 alerts (3/100 or 3%) and then implements an ADR which sees a 10% alert-to-conclusion rate and an additional two investigations (5/10 or 50%), that can yield a massive 1,500% increase to security operations effectiveness.
Roland Daccache, Senior Regional Sales Engineer MENA, Fidelis Cybersecurity

Ratio of investigation to response

This metric shows how many items that were investigated lead to a response workflow going through completion. The ratio indicates where security operations teams may be wasting time. If an investigation is started and then abandoned due to lack of context, insight or actionable intelligence, then time and resources are not only wasted, but the result is a huge opportunity cost in lost time and

Rate of validation
This metric measures the time it takes to make a decision. Analysis paralysis and security operations uncertainty increase dwell time and risk the spread of an attack. They also take time away from investigating and responding to other attacks or compromises that may be happening at the same time. By measuring the decision rate both before and after implementing an ADR platform, the security operations team is able to demonstrate agility and increased response capacity without adding scarce people resources.
Remediation response vs reimage

This metric measures business disruption. Disrupted business means substantially higher cost from delays, lost productivity or even liability to third parties. The more surgical and remote responses that are enabled by the ADR platform, the fewer ‘big hammer’ fixes of reimaging an end-user’s endpoint have to happen. That means less business disruption and inconvenience for employees. Business disruption can be quantified based on the staff role, affected device role and length of time for a response. Taking someone’s laptop for a day to reimage it is an inconvenience. Taking down a payment processing server is a substantial disruption – even when hot backups and clustered failovers are part of the solution.
The ADR approach thinks differently about security operations. ADR is based on a purpose-built platform designed to deliver validated conclusions about attacks, intrusions and compromises at any stage of the attack lifecycle, while also automating the response capability to those attacks. This transformation enables new metrics that impact the organisation’s business and bottom line. Each of these metrics points to the potential and necessity of adopting an ADR approach and making it the cornerstone of your cybersecurity strategy in 2018 and beyond.

INTELLIGENTCIO, www.intelligentcio.com