INTELLIGENT ENTERPRISE SECURITY
massive improvement. For example, suppose an organisation typically performs 3 investigations for every 100 alerts, which is 3/100 or 3%. If it then implements an ADR platform that achieves a 10% alert-to-conclusion rate and prompts an additional 2 investigations, the ratio becomes 5/10 or 50%, which can yield a massive 1,500% increase in security operations effectiveness.
Investigation versus response
This metric shows how many investigated items lead to a response workflow that runs to completion. The ratio indicates where security operations teams may be wasting time. If an investigation is started and then abandoned for lack of context, insight or actionable intelligence, time and resources are not only wasted: the result is a huge opportunity cost in lost time and lost focus on threats and attacks that are actionable.
Organisations that implement an ADR platform should expect to see a convergence of investigations-to-response, since more investigations are against validated conclusions rather than merely suspected attacks.
Rate of validation
This metric measures the time it takes to make a decision. Analysis paralysis and security operations uncertainty increase dwell time and risk the spread of an attack. They also take time away from investigating and responding to other attacks or compromises that may be happening at the same time.
By measuring the decision rate both before and after implementing an ADR platform, the security operations team is able to demonstrate agility and increased response capacity without adding scarce people resources.
Response versus reimage
This metric measures business disruption. Disrupted business means substantially higher costs from delays, lost productivity or even liability to third parties. The more surgical and remote responses the ADR platform enables, the fewer big-hammer fixes, such as reimaging an end-user's endpoint, have to happen. That means less business disruption and inconvenience for employees.
Business disruption can be quantified based on the staff role, the affected device role and the length of time for a response. Taking someone's laptop for a day to reimage it is an inconvenience. Taking down a payment processing server is a substantial disruption, even when hot backups and clustered failovers are part of the solution.
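As an added example (not code from the source or from any ADR vendor), the four ratios above computed over a constructed set of alert records; the Alert fields and the sample() builder are assumptions, and the BEFORE/AFTER sets reproduce the 3%-to-50% investigation rate worked through earlier:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    """One alert's lifecycle. Field names are assumptions made for this example."""
    raised: datetime
    concluded: Optional[datetime] = None  # validated conclusion reached (None = never)
    investigated: bool = False
    response_completed: bool = False
    reimaged: bool = False

def sample(n_alerts, n_concluded, n_investigated, n_responded, n_reimaged, decide_minutes):
    """Build a constructed alert set with the given outcome counts (not real telemetry)."""
    t0, alerts = datetime(2018, 1, 1), []
    for i in range(n_alerts):
        a = Alert(raised=t0 + timedelta(minutes=i), investigated=i < n_investigated,
                  response_completed=i < n_responded, reimaged=i < n_reimaged)
        if i < n_concluded:
            a.concluded = a.raised + timedelta(minutes=decide_minutes)
        alerts.append(a)
    return alerts

def investigation_rate(alerts):
    """Investigations per validated conclusion (per raw alert when nothing is validated)."""
    denom = sum(a.concluded is not None for a in alerts) or len(alerts)
    return sum(a.investigated for a in alerts) / denom

def investigation_to_response(alerts):
    """Share of started investigations whose response workflow ran to completion."""
    started = [a for a in alerts if a.investigated]
    return sum(a.response_completed for a in started) / len(started)

def mean_decision_minutes(alerts):
    """Rate of validation: mean minutes from alert to validated conclusion."""
    waits = [(a.concluded - a.raised).total_seconds() / 60 for a in alerts if a.concluded]
    return sum(waits) / len(waits) if waits else float("inf")  # never decided: unbounded dwell

def reimage_share(alerts):
    """Response versus reimage: share of completed responses that needed a reimage."""
    responded = [a for a in alerts if a.response_completed]
    return sum(a.reimaged for a in responded) / len(responded)

def pct_improvement(before, after):
    return (after - before) / before * 100  # 3% -> 50% investigation rate is a 1,567% rise

BEFORE = sample(100, 0, 3, 1, 1, 0)    # pre-ADR: 3 of 100 alerts investigated, none validated
AFTER = sample(100, 10, 5, 5, 1, 45)   # with ADR: 10 conclusions, 5 investigated, 1 reimage
```

The exact rise from 3% to 50% is about 1,567%, which the text rounds to 1,500%.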
The ADR approach thinks differently about security operations. ADR is based on a purpose-built platform designed to deliver validated conclusions about attacks, intrusions and compromises at any stage of the attack lifecycle while also automating the response capability to those attacks.
This transformation enables new metrics that impact the organisation's business and bottom line. Each of these metrics points to the potential and necessity of adopting an ADR approach and making it the cornerstone of a cybersecurity strategy in 2018 and beyond.