Intelligent Tech Channels Issue 16 | Page 38

INTELLIGENT ENTERPRISE SECURITY

Security metrics using Automated Detection and Response

CISOs can enhance and expand their operational security metrics by using ADR, writes Roland Daccache at Fidelis Cybersecurity.

CISOs have become leaders in their businesses rather than just experts in their departments. They need to educate their peers on the scope, scale, severity and solutions for cybersecurity and how emerging threats affect each aspect of the business; elevate the cybersecurity discussion out of the trenches of speeds, feeds and fingerprints; and finally report on evolving metrics that impact the bottom line of the business, to facilitate rapid decision making by the rest of their executive peers.

A recent report from the SANS Institute found that 71% of organisations do not have regular metrics for, or even measure, incident response performance, process and effectiveness. Without metrics there is no objective way to determine progress.

Enter Automated Detection and Response, ADR. A unified ADR platform provides its own broad and unique visibility across networks and endpoints, uses a variety of different but coordinated techniques to detect threats at any stage of the attack lifecycle, automatically correlates and validates the impact of the threat, consolidates redundant or related security events into a single conclusion, and gives security operations analysts all the information, context, guidance and tools they need to investigate, contain and remediate the attack. As such, the new thinking of ADR enables new metrics that drive results, which impact not only security posture but also the bottom line of the business, as detailed below.

Cost per incident, CPI

CPI can be measured as [the time per incident] x [average hourly rate for a Tier 1 analyst].

To get a baseline, run that formula through your IR playbook for each phase of a response: from detection, decision to escalation and investigation, to response determination, to response and remediation execution. Then run it again with an ADR platform in place, in a proof of concept or even as a table-top exercise.

A further extension of this metric involves the empowerment of Tier 1 and Tier 2 analysts. When Tier 1 and 2 analysts are empowered with an ADR platform to perform or augment the work of a Tier 3 analyst, substantial effectiveness savings can be quantified.

Cost per workflow

Review, investigation and response workflows are both personnel- and technology-dependent. Automation reduces personnel and technology dependencies, and reducing technology dependencies decreases personnel maintenance requirements. Thus, automation impacts personnel cost, technology cost and maintenance cost. Leaders will see that entire steps of their workflows can be reduced or eliminated completely, delivering massive acceleration, huge savings and massive efficiency boosts, as teams can focus on the validation of real incidents rather than wasting time on a wild goose chase.

Roland Daccache, Senior Regional Sales Engineer MENA, Fidelis Cybersecurity.

Automatic versus manual detection

Establish a baseline for determining the ratio of detections your security stack produces versus the combined number of human detections you receive. To figure out the human detections, determine the number of staff detections (for example, an employee recognises that their machine is malfunctioning, or an IT admin recognises that a system is performing in unusual ways), plus the number of external detections (for example, the number of times you get a call from the IT administration), plus the number of detections your security operations staff create by manually synthesising data from your security stack and Security Event and Incident Management.

This will give you a sense of the efficiency of your current system. With ADR you can expect the ratio to tilt substantially toward the automation side of the equation, which means substantially better security operations efficiency.

Investigation versus volume

Determine what is slipping through the cracks. By measuring investigations versus alert volume, you can get a sense for what might be slipping through the cracks and creating risk. With the ADR system you should expect to see a shrinking gap and
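The four metrics the article describes (cost per incident across the IR playbook phases, its per-phase baseline, the automated-versus-human detection ratio, and investigations versus alert volume) can be computed from plain incident records. The script below is an added example, not code from Fidelis Cybersecurity or the article's author; the phase names follow the playbook phases named above, the two incident sets (a "baseline" run and an "ADR" run) and the hourly rate are constructed for illustration, and the report and comparison functions are this example's own design.

```python
"""Compute the article's ADR security-operations metrics over incident records.

Added example (not the article's or vendor's code). Phase names follow the
article's IR playbook phases; all incident data and the hourly rate below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Response phases from the IR playbook, in order.
PHASES = ("detection", "decision_escalation", "investigation",
          "response_determination", "response_remediation")

# The article's three human detection sources: staff, external, and SOC staff
# manually synthesising data from the security stack and SIEM.
HUMAN_SOURCES = {"staff", "external", "analyst_manual"}


@dataclass
class Incident:
    ident: str
    source: str                    # "automated" or one of HUMAN_SOURCES
    phase_hours: Dict[str, float]  # analyst hours spent in each phase
    investigated: bool = True      # False if the alert was never investigated


def cost_per_incident(inc: Incident, hourly_rate: float) -> float:
    """CPI = [time per incident] x [average hourly rate for a Tier 1 analyst]."""
    total_hours = sum(inc.phase_hours.get(p, 0.0) for p in PHASES)
    return round(total_hours * hourly_rate, 2)


def average_cpi(incidents: List[Incident], hourly_rate: float) -> float:
    """Average CPI over incidents that were actually worked (investigated)."""
    worked = [i for i in incidents if i.investigated]
    if not worked:
        return 0.0
    return round(sum(cost_per_incident(i, hourly_rate) for i in worked) / len(worked), 2)


def phase_baseline(incidents: List[Incident]) -> Dict[str, float]:
    """Average hours per playbook phase: the per-phase baseline the article asks for."""
    worked = [i for i in incidents if i.investigated]
    if not worked:
        return {p: 0.0 for p in PHASES}
    return {p: round(sum(i.phase_hours.get(p, 0.0) for i in worked) / len(worked), 2)
            for p in PHASES}


def detection_ratio(incidents: List[Incident]) -> float:
    """Automated detections divided by combined human detections (inf if none human)."""
    automated = sum(1 for i in incidents if i.source == "automated")
    human = sum(1 for i in incidents if i.source in HUMAN_SOURCES)
    return float("inf") if human == 0 else round(automated / human, 2)


def investigation_gap(incidents: List[Incident]) -> Dict[str, float]:
    """Investigations versus alert volume: the uninvestigated remainder is the risk gap."""
    total = len(incidents)
    investigated = sum(1 for i in incidents if i.investigated)
    return {"alerts": total, "investigated": investigated,
            "uninvestigated": total - investigated,
            "coverage": round(investigated / total, 2) if total else 0.0}


def compare_runs(baseline: List[Incident], adr: List[Incident], hourly_rate: float) -> Dict[str, float]:
    """Side-by-side summary of a baseline run and an ADR proof-of-concept run."""
    base_cpi, adr_cpi = average_cpi(baseline, hourly_rate), average_cpi(adr, hourly_rate)
    saving_pct = round((base_cpi - adr_cpi) / base_cpi * 100, 1) if base_cpi else 0.0
    return {"baseline_cpi": base_cpi, "adr_cpi": adr_cpi, "cpi_saving_pct": saving_pct,
            "baseline_ratio": detection_ratio(baseline), "adr_ratio": detection_ratio(adr),
            "baseline_coverage": investigation_gap(baseline)["coverage"],
            "adr_coverage": investigation_gap(adr)["coverage"]}


def _hours(*vals: float) -> Dict[str, float]:
    return dict(zip(PHASES, vals))


# Constructed sample data: a manual baseline run and the same team with ADR in place.
BASELINE = [
    Incident("b1", "automated", _hours(0.5, 1.0, 4.0, 1.0, 2.0)),
    Incident("b2", "staff", _hours(0.25, 1.5, 6.0, 1.25, 3.0)),
    Incident("b3", "analyst_manual", _hours(2.0, 1.0, 5.0, 1.0, 2.0)),
    Incident("b4", "external", _hours(0.5, 0.5, 3.0, 0.5, 1.5)),
    Incident("b5", "automated", {"detection": 0.1}, investigated=False),  # fell through the cracks
]
ADR_RUN = [
    Incident("a1", "automated", _hours(0.1, 0.25, 1.0, 0.25, 0.9)),
    Incident("a2", "automated", _hours(0.1, 0.25, 1.5, 0.25, 0.9)),
    Incident("a3", "automated", _hours(0.1, 0.25, 2.0, 0.25, 0.9)),
    Incident("a4", "staff", _hours(0.5, 0.25, 1.5, 0.25, 1.0)),
    Incident("a5", "automated", _hours(0.1, 0.25, 1.0, 0.25, 0.4)),
]
TIER1_HOURLY_RATE = 50.0  # constructed average Tier 1 analyst rate

if __name__ == "__main__":
    for key, value in compare_runs(BASELINE, ADR_RUN, TIER1_HOURLY_RATE).items():
        print(f"{key:>18}: {value}")
    print("baseline phase hours:", phase_baseline(BASELINE))
    print("ADR phase hours:     ", phase_baseline(ADR_RUN))
```

Running it prints the baseline and ADR figures side by side; in a real exercise the phase hours come from timing each playbook phase during the proof of concept or table-top run, and the detection source is recorded when the alert is opened.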