Over the last few years, the issue of corporate cyber security has gone high profile and accordingly, budgets allotted to combating malicious infiltrators have grown exponentially. According to Gartner, in 2016 security spending was set to grow 7.9 percent, and the typical 1000-employee company is spending approximately $15 million attempting to keep their enterprise safe. With a significant chunk of that spend directed to Threat Intelligence feeds. Yet in the rush to gather as much intelligence as possible, many organizations lack the structure to translate this data into actionable intelligence and measurable improvement in security. At the same time, CISOs are increasingly under the gun to prove ROI from current and future security investments.
ROI challenge isn’t isolated to Threat Intelligence
It’s pretty clear enterprise security teams have poured money into Threat Intelligence in recent years with lackluster results. Largely driven by the inability to triangulate external threats to their own environment in real time. Yet Threat Intelligence is just one symptom of the ROI challenge within the broader issue. The fact is when thinking about how to maximize the ROI of Threat Intelligence spend, it can’t be addressed in isolation.
Threat Intelligence – One Facet of Effective Security Operations & Orchestration
As stand-alone data Threat Intelligence feeds are of nominal value. The key is integration and context. Humans must contextualize alerts, threat intelligence and other security data into a threat storyline as the basis for effective response. Integrating Threat Intelligence into a comprehensive security operations platform is table-stakes to navigate the full scope of security operations and incident response from the initial alert through remediation.
For example, consider the relationship of Threat Intelligence and Automation -- utilizing automation security teams can now use incoming threat intel as a trigger to search/operationalize incoming threats and match it against any existing security investments. By normalizing threat intelligence with all other security data and expanding case context one can help make Threat Intelligence much more actionable by allowing you to identify threats relevant to your organization. Imagine a threat actor is targeting your industry and is known to be exploiting a vulnerability in one of your external hosts. Automated, real-time integration to existing alerts provides the needed context to prioritize accordingly and set the stage for remediation.
With the right integration and context we can begin to ask the broader question on how do we drive and measure ROI across the entire security infrastructure.
Even with the right structure how do we measure ROI?
By definition, it’s challenging to prove the worth of security investments because they aren't really about returns - there is no actual monetary gain. The gain is achieved by preventing loss and by driving productivity with limited analysts, both of which are much harder to quantify than gain that comes in the form of dollars and cents.
But proving the difficult-to-pin-down ROI of your current and future investments is critical, and to do that the right metrics must be in place. While there is no standard model with which to assess risk vs. investments, there are some pretty clear metrics security leaders should look to as they seek to drive productivity from their security operations:
Viewing the complete spectrum of your SOC as one holistic unit where all events and intelligence are interrelated will help your team:
- Reduce the number of alerts (including duplicate alerts) that come in and consume valuable analyst time. By weeding out false positives and repeated alerts, analysts can concentrate on remediating real incidents.
- Increase the percent of alerts that are investigated. With fewer alerts being created, analysts can tackle a greater percentage of alerts, leading to fewer casualties.
- Decrease investigation time. With proper tools and context analysts can intensify their efforts on high yield incidents, accelerating response and recovery time.
- Increase analyst caseload capacity. Clustering of alerts, reduction in cases, enriched context, and eliminating the need to jump from screen to screen drives productivity and enables analysts to work more efficiently, negating the need to add manpower.
- Drive down mean time from threat to remediation. When all the above factors come together, the bottom line is that mean time from threat to mitigation drops from days to minutes. If you have to prove your ROI, there can be no more compelling proof than that.
The average breach costs businesses north of $10M, which makes the status quo no longer tenable. Given the stakes, security leaders recognize the importance of driving analyst productivity. The analyst is more important than ever, and must be armed with the right tools to respond to next generation threats. Threat Intelligence is one important facet of those tools but can’t be viewed in a silo.