A recent report from the SANS Institute found that 71% of organisations do not regularly measure incident response performance, process and effectiveness, let alone keep metrics for them. Without metrics there is no objective way to determine progress. Enter Automated Detection & Response (ADR).

A unified ADR platform provides its own broad visibility across networks and endpoints, uses a variety of different but coordinated techniques to detect threats at any stage of the attack lifecycle, automatically correlates and validates the impact of the threat, consolidates redundant or related security events into a single “conclusion”, and gives security operations analysts all the information, context, guidance and tools they need to investigate, contain and remediate the attack.

The new thinking of ADR enables new metrics that drive results, that impact not only security posture, but also the bottom line of the business, as detailed below.

Cost per incident (CPI)

CPI can be measured as (the time per incident) x (average hourly rate for a Tier 1 analyst). To get a baseline, run that formula through your IR playbook for each phase of a response: detection, the decision to escalate, investigation, response determination, and the execution of response and remediation. Then run it again with an ADR platform in place, in a POC or even as a table-top exercise. When Tier 1 and 2 analysts are empowered with an ADR platform to perform or augment the work of a Tier 3 analyst, substantial effectiveness savings can be quantified.

Cost per workflow

Automation reduces personnel and technology dependencies. Reducing technology dependencies decreases personnel maintenance requirements. Thus, automation impacts personnel cost, technology cost, and maintenance cost.

Automatic detection vs manual detection

Establish a baseline for determining the ratio of detections your security stack produces vs the combined number of human detections you receive. This will give you a sense of the efficiency of your current system. With ADR you can expect the ratio to tilt substantially toward the automation side of the equation which means substantially better efficiency.

Percent investigation vs volume

By measuring investigations versus alert volume, you can get a sense for what might be slipping through the cracks and creating risk. With the ADR system you should expect to see a shrinking gap and massive improvement.

Ratio of investigation to response

The ratio indicates where security operations teams may be wasting time. If an investigation is started and then abandoned due to lack of context, insight or actionable intelligence, then time and resources are not only wasted, but the result is a huge opportunity cost in lost time and loss of focus on threats and attacks that are actionable. Organisations that implement an ADR platform should expect to see a convergence of “investigations-to-response” since more investigations are against validated conclusions rather than merely suspected attacks.

Rate of validation

This metric measures the time it takes to make a decision. Analysis paralysis and security operations uncertainty increase dwell time and risk the spread of an attack. They also take time away from investigating and responding to other attacks or compromises that may be happening at the same time. By measuring the decision rate both before and after implementing an ADR platform, the security operations team is able to demonstrate agility and increased response capacity without adding scarce people resources.

Remediation response vs reimage

This metric measures business disruption. Disrupted business means substantially higher cost from delays, lost productivity or even liability to third parties. The more surgical and remote responses that are enabled by the ADR platform, the fewer “big hammer” fixes of reimaging an end-user’s endpoint have to happen. That means less business disruption and inconvenience for employees. Business disruption can be quantified based on the staff role, affected device role and length of time for a response. Taking someone’s laptop for a day to reimage it is an inconvenience. Taking down a payment processing server is a substantial disruption – even when hot backups and clustered failovers are part of the solution.
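The before-and-after comparison the article describes for CPI, automatic vs manual detection, investigation vs volume, investigation to response and rate of validation can be scripted over a set of alert records. The following is an added example written for this page; it is not code from the article or from Fidelis. The analyst hourly rates, the phase names used as dictionary keys and both alert data sets are constructed placeholders, and `summarize`/`compare` are hypothetical helper names.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional

# Hourly analyst rates per tier: constructed placeholder figures, not taken from the article.
HOURLY_RATE = {1: 40.0, 2: 65.0, 3: 110.0}

# Phases of the IR playbook named in the article, from detection through response execution.
PHASES = ("detection", "escalation", "investigation", "response")


@dataclass
class Alert:
    alert_id: str
    source: str                                 # "automated" (security stack) or "human" (user/third-party report)
    investigated: bool = False
    responded: bool = False
    decision_minutes: Optional[float] = None    # alert-to-validated-decision time; None if never decided
    phase_minutes: dict = field(default_factory=dict)  # analyst minutes spent per playbook phase
    tier: int = 1                               # tier of the analyst who did the work


def cost_per_incident(alert: Alert) -> dict:
    """CPI broken out per phase: (minutes / 60) x hourly rate of the handling tier."""
    rate = HOURLY_RATE[alert.tier]
    return {p: alert.phase_minutes.get(p, 0.0) / 60 * rate for p in PHASES}


def total_cpi(alert: Alert) -> float:
    return sum(cost_per_incident(alert).values())


def _ratio(num: int, den: int) -> Optional[float]:
    """Return None instead of dividing by zero when a denominator class is empty for the period."""
    return None if den == 0 else num / den


def summarize(alerts: list) -> dict:
    """The article's metrics computed over the alerts handled in one period."""
    automated = sum(a.source == "automated" for a in alerts)
    human = sum(a.source == "human" for a in alerts)
    investigated = [a for a in alerts if a.investigated]
    responded = [a for a in investigated if a.responded]
    decided = [a.decision_minutes for a in alerts if a.decision_minutes is not None]
    return {
        "automation_ratio": _ratio(automated, human),                       # automatic vs manual detection
        "investigation_rate": _ratio(len(investigated), len(alerts)),       # percent investigated vs volume
        "investigation_to_response": _ratio(len(responded), len(investigated)),
        "mean_decision_minutes": mean(decided) if decided else None,        # rate of validation
        "mean_cpi": mean(total_cpi(a) for a in investigated) if investigated else None,
    }


def compare(baseline: list, with_adr: list) -> dict:
    """Side-by-side (before, after) for each metric, as the article suggests doing around a POC."""
    before, after = summarize(baseline), summarize(with_adr)
    return {k: (before[k], after[k]) for k in before}


# Constructed sample data: one period handled manually, one with an ADR platform in place.
BASELINE = [
    Alert("B-1", "automated", True, True, 240, {"detection": 30, "escalation": 45, "investigation": 180, "response": 90}, 3),
    Alert("B-2", "human", True, False, None, {"detection": 60, "escalation": 30, "investigation": 120}, 2),
    Alert("B-3", "automated"),            # never investigated: the gap the "investigation vs volume" metric exposes
    Alert("B-4", "human", True, True, 360, {"detection": 20, "escalation": 60, "investigation": 240, "response": 120}, 3),
]
WITH_ADR = [
    Alert("A-1", "automated", True, True, 20, {"detection": 5, "escalation": 10, "investigation": 40, "response": 30}, 1),
    Alert("A-2", "automated", True, True, 30, {"detection": 5, "escalation": 10, "investigation": 60, "response": 45}, 2),
    Alert("A-3", "automated", True, True, 15, {"detection": 5, "escalation": 5, "investigation": 30, "response": 20}, 1),
    Alert("A-4", "human", True, True, 35, {"detection": 10, "escalation": 10, "investigation": 50, "response": 30}, 1),
]

if __name__ == "__main__":
    for metric, (before, after) in compare(BASELINE, WITH_ADR).items():
        print(f"{metric:28s} before={before!r:>20} after={after!r}")
```

Each metric returns `None` when its denominator class is empty (no human-reported alerts, no investigations), so an empty or one-sided period does not crash the report; plot the tuple pairs per week to show the convergence of investigations to responses the article predicts.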

The ADR approach thinks differently about security operations. ADR is based on a purpose-built platform designed to deliver validated conclusions about attacks, intrusions and compromises at any stage of the attack lifecycle, while also automating the response to those attacks. This transformation enables new metrics that impact the organisation's business and bottom line. Each of these metrics points to the potential and necessity of adopting an ADR approach and making it the cornerstone of your cybersecurity strategy in 2018 and beyond.

About the author: Roland Daccache is senior regional sales engineer, MENA at Fidelis Cybersecurity

© 2017 ITP Business Publishing Ltd. All Rights Reserved. Provided by SyndiGate Media Inc. (Syndigate.info).