Intelligent Tech Channels Issue 16 | Page 39

INTELLIGENT ENTERPRISE SECURITY massive improvement. For example, if an organisation is typically performing 3 investigations for every 100 alerts, that is 3/100 or 3%, and then implements an ADR which sees a 10% alert-to-conclusion rate and an additional 2 investigations, that is 5/10 or 50%, that can yield a massive 1,500% increase to security operations effectiveness. Investigation versus response This metric shows how many items that were investigated lead to a response workflow going through completion. The ratio indicates where security operations teams may be wasting time. If an investigation is started and then abandoned due to lack of context, insight or actionable intelligence, then time and resources are not only wasted, but the result is a huge opportunity cost in lost time and loss of focus on threats and attacks that are actionable. Organisations that implement an ADR platform should expect to see a convergence of investigations-to-response since more investigations are against validated conclusions rather than merely suspected attacks. Rate of validation This metric measures the time it takes to make a decision. Analysis paralysis and security operations uncertainty increases dwell time and risks the spread of an attack. It also takes time away from investigating and responding to other attacks or compromises that may be happening at the same time. By measuring the decision rate both before and after implementing an ADR platform, the security operations team is able to demonstrate agility and increased response capacity without adding scarce people resources. Response versus reimage This metric measures business disruption. Disrupted business means substantially higher cost from delays, lost productivity or even liability to third parties. The more surgical and remote responses that are enabled by the ADR platform, the fewer big hammer fixes of reimaging an end-user’s endpoint have to happen. That means less business disruption and inconvenience for employees. Business disruption can be quantified based on the staff role, affected device role and length of time for a response. Taking someone’s laptop for a day to reimage it is an inconvenience. Taking down a payment processing server is a substantial disruption, even when hot backups and clustered failovers are part of the solution. The ADR approach thinks differently about security operations. ADR is based on a purpose-built platform designed to deliver validated conclusions about attacks, intrusions and compromises at any stage of the attack lifecycle while also automating the response capability to those attacks. This transformation enables new metrics that impact the organisations’ business and bottom line. Each of these metrics point to the potential and necessity of adopting an ADR approach and making it the cornerstone of a cybersecurity strategy in 2018 and beyond.  39