INTELLIGENT ENTERPRISE SECURITY
Security metrics using Automated Detection and Response
CISOs can enhance and expand their operational security metrics by using ADR, writes Roland Daccache at Fidelis Cybersecurity.
CISOs have become leaders in their businesses rather than just experts in their departments. They need to educate their peers on the scope, scale, severity and solutions for cybersecurity and how emerging threats affect each aspect of the business, elevate the cybersecurity discussion out of the trenches of speeds, feeds and fingerprints, and finally report on evolving metrics that impact the bottom line of the business to facilitate rapid decision making by the rest of their executive peers.
A recent report from the SANS Institute found that 71% of organisations do not have regular metrics for, or even measure, incident response performance, process and effectiveness. Without metrics there is no objective way to determine progress.
Enter Automated Detection and Response (ADR). A unified ADR platform provides its own broad and unique visibility across networks and endpoints, uses a variety of different but coordinated techniques to detect threats at any stage of the attack lifecycle, automatically correlates and validates the impact of the threat, consolidates redundant or related security events into a single conclusion, and gives security operations analysts all the information, context, guidance and tools they need to investigate, contain and remediate the attack. As such, the new thinking behind ADR enables new metrics that drive results, metrics that impact not only security posture but also the bottom line of the business, as detailed below.
Cost per incident, CPI
CPI can be measured as [the time per incident] x [average hourly rate for a Tier 1 analyst]. To get a baseline, run that formula through your IR playbook for each phase of a response: detection, the decision to escalate, investigation, response determination, and response and remediation execution.
Then run it again with an ADR platform in place, in a proof of concept or even as a table-top exercise. A further extension of this metric involves the empowerment of Tier 1 and 2 analysts. When Tier 1 and 2 analysts are empowered with an ADR platform to perform or augment the work of a Tier 3 analyst, substantial effectiveness savings can be quantified.
Cost per workflow
Review, investigation and response workflows are both personnel- and technology-dependent. Automation reduces personnel and technology dependencies, and reducing technology dependencies decreases personnel maintenance requirements. Thus, automation impacts personnel cost, technology cost and maintenance cost.
Leaders will see that entire steps of their workflows can be reduced or eliminated completely, delivering massive acceleration, huge savings and massive efficiency boosts, as teams can focus on the validation of real incidents rather than wasting time on a wild goose chase.
Roland Daccache, Senior Regional Sales Engineer MENA, Fidelis Cybersecurity.
Automatic versus manual detection
Establish a baseline for determining the ratio of detections your security stack produces versus the combined number of human detections you receive.
To figure out the human detections, determine the number of staff detections (for example, an employee recognises that their machine is malfunctioning, or an IT admin recognises that a system is performing in unusual ways), plus the number of external detections (for example, the number of times you get a call from the IT administration), plus the number of detections your security operations staff create by manually synthesising data from your security stack and Security Event and Incident Management.
This will give you a sense of the efficiency of your current system. With ADR you can expect the ratio to tilt substantially toward the automation side of the equation, which means substantially better security operations efficiency.
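To make the CPI and automated-versus-human detection metrics above concrete, here is an added Python example (not from the article or from Fidelis): it computes CPI per IR-playbook phase for a constructed baseline and again with ADR in place, and the detection ratio from the three human sources the text lists; the phase names, hourly rate and counts are assumptions.

```python
# Added example, not the article's or Fidelis's code: the two metrics the text
# defines, computed over constructed sample numbers. Phase names follow the IR
# playbook phases listed in the text; timings, rates and counts are invented.

IR_PHASES = ("detection", "escalation_decision", "investigation",
             "response_determination", "response_remediation")


def cost_per_incident(minutes_per_phase, hourly_rate):
    """CPI = [time per incident] x [Tier 1 hourly rate], split per IR phase.

    minutes_per_phase maps each phase in IR_PHASES to analyst minutes spent.
    Returns (total_cost, {phase: cost}) in the currency of hourly_rate.
    """
    missing = set(IR_PHASES) - set(minutes_per_phase)
    if missing:  # a playbook run that skipped a phase would understate CPI
        raise ValueError(f"no timing for phases: {sorted(missing)}")
    per_phase = {p: round(minutes_per_phase[p] / 60 * hourly_rate, 2)
                 for p in IR_PHASES}
    return round(sum(per_phase.values()), 2), per_phase


def detection_ratio(stack_detections, staff, external, manual_synthesis):
    """Automated detections divided by the combined human detections.

    Human detections = staff reports + external notifications + detections
    analysts assembled by hand from security stack and SIEM data.
    """
    human = staff + external + manual_synthesis
    if human == 0:
        return float("inf")  # nothing reached the SOC through a person
    return round(stack_detections / human, 2)


# Constructed baseline (manual SOC) versus the same playbook with ADR in place.
TIER1_RATE = 40.0  # hypothetical hourly rate
BASELINE = dict(zip(IR_PHASES, (30, 20, 120, 45, 90)))  # minutes per phase
WITH_ADR = dict(zip(IR_PHASES, (5, 5, 30, 15, 40)))

if __name__ == "__main__":
    base_total, base_phases = cost_per_incident(BASELINE, TIER1_RATE)
    adr_total, _ = cost_per_incident(WITH_ADR, TIER1_RATE)
    print(f"CPI baseline {base_total}, with ADR {adr_total}")
    print("most expensive baseline phase:", max(base_phases, key=base_phases.get))
    # 120 stack detections against 30 staff + 15 external + 35 hand-built
    print("automated:human detection ratio:", detection_ratio(120, 30, 15, 35))
```

Feed it the timings from your own playbook walk-through and proof of concept in place of the constructed ones to get your two CPI figures side by side.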
Investigation versus volume
Determine what is slipping through the cracks. By measuring investigations versus alert volume, you can get a sense of what might be slipping through the cracks and creating risk. With the ADR system you should expect to see a shrinking gap and
Issue 16
INTELLIGENT TECH CHANNELS