impact of the threat, and consolidates redundant or related security events into a single ‘conclusion’ and gives security operations analysts all the information, context, guidance and tools they need to investigate, contain and remediate the attack. As such, the new thinking of ADR enables new metrics that drive results, that impact not only security posture but also the bottom line of the business, as detailed below.
Cost per incident (CPI)
CPI can be measured as (the time per incident) x (average hourly rate for a Tier One analyst). To get a baseline, run that formula through your IR playbook for each phase of a response: from detection, to the decision to escalate and investigate, to response determination, to response and remediation execution. Then run it again with an ADR platform in place in a Proof of Concept (POC) or even as a table-top exercise. A further extension of this metric involves the empowerment of Tier One and Tier Two analysts. When Tier One and Tier Two analysts are empowered with an ADR platform to perform or augment the work of a Tier Three analyst (a very scarce resource!), then substantial effectiveness savings can be quantified.

Cost per workflow
Review, investigation and response workflows are both personnel- and technology-dependent. Automation reduces personnel and technology dependencies. Reducing technology dependencies decreases personnel maintenance requirements. Thus, automation impacts personnel cost, technology cost and maintenance cost. Leaders will see that entire steps of their workflows can be reduced or eliminated completely, delivering massive acceleration, huge savings and massive efficiency boosts as teams can focus on the validation of real incidents rather than wasting time on a wild goose chase.

Roland Daccache, Senior Regional Sales Engineer MENA, Fidelis Cybersecurity
Automatic detection vs manual detection
Establish a baseline for determining the ratio of detections your security stack produces vs the combined number of human detections you receive. To figure out the human detections, determine the number of staff detections (e.g. an employee recognises that their machine is malfunctioning, or an IT Admin recognises that a system is performing in unusual ways) plus the number of external detections (e.g. the number of times you get a call from the authorities or IT Admins) plus the number of detections your security operations staff create by manually synthesising data from your security stack and Security Information and Event Management (SIEM). This will give you a sense of the efficiency of your current system. With ADR you can expect the ratio to tilt substantially toward the automation side of the equation, which means substantially better security operations efficiency.
Percent investigation vs volume
Determine what is slipping through the cracks. By measuring investigations versus alert volume, you can get a sense for what might be slipping through the cracks and creating risk. With the ADR system you should expect to see a shrinking gap and massive improvement. For example, if an organisation is typically performing three investigations for every 100 alerts (3/100 or 3%) and then implements an ADR which sees a 10% alert-to-conclusion rate and an additional two investigations (5/10 or 50%), that can yield a massive 1,500% increase to security operations effectiveness.
Ratio of investigation to response
This metric shows how many items that were investigated lead to a response workflow going through to completion. The ratio indicates where security operations teams may be wasting time. If an investigation is started and then abandoned due to lack of context, insight or actionable intelligence, then time and resources are not only wasted, but the result is a huge opportunity cost in lost time and loss of focus on threats and attacks that are actionable. Organisations that implement an ADR platform should expect to see a convergence of ‘investigations-to-response’ since more investigations are against validated conclusions rather than merely suspected attacks.
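The metrics above (cost per incident, automatic vs manual detection, percent investigation vs volume, investigation-to-response, and decision time) can be computed from an ordinary SOC ticket export. The following is an added example, not code from the article or from Fidelis; the `Alert` record shape and the two constructed measurement periods are assumptions, built to reproduce the article's worked figures (3 investigations per 100 alerts before ADR; a 10% alert-to-conclusion rate and 5 investigations after), which gives a change of about +1,567% in investigation rate, the figure the article rounds to 1,500%.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Alert:
    """One row of a constructed SOC ticket export (not real data)."""
    source: str            # "stack" = security tooling; "human" = staff, external call or manual SIEM work
    concluded: bool        # ADR consolidated it into a validated conclusion
    investigated: bool     # an analyst opened an investigation
    responded: bool        # the response workflow ran to completion
    decision_minutes: int  # detection-to-decision time; 0 if no decision was ever made


def soc_metrics(alerts, hours_per_incident, hourly_rate):
    """Return the article's metrics for one measurement period."""
    stack = sum(a.source == "stack" for a in alerts)
    human = sum(a.source == "human" for a in alerts)
    concluded = [a for a in alerts if a.concluded]
    investigated = [a for a in alerts if a.investigated]
    responded = [a for a in investigated if a.responded]
    decisions = [a.decision_minutes for a in alerts if a.decision_minutes > 0]
    # Before ADR every raw alert is an investigation candidate; once ADR consolidates
    # alerts into conclusions, the article measures investigations against conclusions.
    candidates = concluded if concluded else alerts
    return {
        "cost_per_incident": hours_per_incident * hourly_rate,
        "alert_to_conclusion": len(concluded) / len(alerts),
        "auto_vs_manual": stack / human if human else float("inf"),
        "investigation_rate": len(investigated) / len(candidates),
        "investigation_to_response": len(responded) / len(investigated) if investigated else 0.0,
        "mean_decision_minutes": mean(decisions) if decisions else 0.0,
    }


def relative_change_pct(before, after):
    """Percentage change of a rate between two periods (3% -> 50% gives about +1,567%)."""
    return (after - before) / before * 100


def build(n, human, concluded, investigated, responded, decision_minutes):
    # Constructed helper: the first rows of the period carry the given flags.
    return [Alert(source="human" if i < human else "stack",
                  concluded=i < concluded,
                  investigated=i < investigated,
                  responded=i < responded,
                  decision_minutes=decision_minutes if i < investigated else 0)
            for i in range(n)]


# Constructed periods (assumed values): 100 alerts each, before and after an ADR POC.
BEFORE = build(100, human=20, concluded=0, investigated=3, responded=1, decision_minutes=240)
AFTER = build(100, human=5, concluded=10, investigated=5, responded=4, decision_minutes=45)
```

Run `soc_metrics(BEFORE, 4, 50)` and `soc_metrics(AFTER, 1, 50)` side by side to get the before/after table; the same function works on a real ticket export once its rows are mapped onto `Alert`.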
Rate of validation
This metric measures the time it takes to make a decision. Analysis paralysis and security operations uncertainty increase dwell time and risk the spread of an attack. It also takes time away from investigating and responding to other attacks or compromises that may be happening at the same time. By measuring the decision rate both before and after implementing an