Cyber security ROI: how to use data insights to improve controls and protections
23 May 2019
Tim Bandos, Vice President of Cyber Security, Digital Guardian reveals 3 ways to extract maximum value from your security-intelligence system investments.
Measuring ROI in the cyber security arena is a big challenge, because the primary goal of any security investment is to safeguard information and defend against multiple threats. Since security programmes don’t generate increased revenue, traditional ROI models don’t apply. But that doesn’t mean that ROI doesn’t exist.
Much has been written around evaluating the ROI of security solutions in relation to risk avoidance and the potential reputational damage and costs associated with a data breach.
But with so much effort and energy focused on justifying security budgets to senior management, it can be all too easy to neglect initiating a strategy to ensure that the returns from every cyber-specific investment can be optimised.
Capturing value – the answer is in the data
When it comes to developing a successful cyber security programme, purchasing and deploying technology is just the first step in deriving maximum value from your investment. As we’ve already seen, determining the ROI for any cyber security investment is a challenging proposition—but value can come in many forms.
One of the biggest and often most overlooked benefits of cyber security tools is contained in the data these can generate over time. Analysing this information can prove highly effective for enabling the data-driven insights that make it possible to reduce cyber security problems across the enterprise, while increasing organisational quality and operational efficiency.
Regardless of the type of solution purchased—firewall, endpoint detection and response (EDR), or SIEM (security information and event management)—organisations often fail to take advantage of the wealth of information, held deep in logs, that goes well beyond the default ‘set it and forget it’ mentality.
Cyber adversaries can be adept at evading these tools from a blocking perspective, but there’s every chance they’ll leave behind tiny bits of data behind—breadcrumbs—that can help facilitate a deeper investigation into the unknown.
There are several ways organisations can leverage this data to get the most from their investment, regardless of the solution. However, any effort to improve cyber security ROI will be dependent on having the right processes and people in place.
Let’s explore three options for maximising the value derived from cyber security technology investments.
Also of interest: Verizon breach report: senior executives are main targets!
1) Hire the right talent, with the right skills
Doing more with cyber security investments depends on having skilled personnel with the appropriate technical capabilities required to run solutions and a deep know how of security best practices.
But that’s not all. To harvest real value, these personnel will need to analyse the data output generated by enterprise-wide security tools, looking for the clues that will aid threat hunting.
Plus, they’ll need to demonstrate a ‘thinking outside the box’ mentality that means they’ll seek to optimise investments by exploring whether it’s possible to extend these tools to bridge other gaps in the environment from a security and compliance perspective.
If the right talent isn’t available in-house, then consider contracting a managed services provider with inherent knowledge of the technology solution in question.
However, if you go this route, it will be important to carefully evaluate the service-level agreement and the metrics and reporting that will be used to demonstrate how value or ROI from the product has been achieved.
Also of interest: The role of the threat hunter: what is it and why it matters
2) Monitor long term data trends
Static signatures and rules can only do so much. However, feeding data logs into analytics tools that can spot unusual user, workflow or network behaviours—including insider threats—will help keen-eyed teams to sniff out what’s normal and abnormal in their environments.
Similarly, using machine learning to evaluate how data trends over time will enable security teams to better orchestrate various tools and controls, as well as streamlining common tasks like regression, prediction and classification.
Before purchasing machine learning technologies, organisations should do their due diligence, researching any potential limitations and evaluating which data sources will deliver maximum benefit and value.
Harnessing the power of machine learning and behavioural analytics can transform how security teams handle large amounts of data, but careful scrutiny will be required to ensure the solution selected exactly fits organisational needs.
Also of interest: It’s time to kill the VPN
3) Review logs to uncover malicious activity
Exporting logs to a central location, such as security information and event management (SIEM) software, will enable enterprise security teams to juggle and interpret vast amounts of data so that they can identify suspicious events and track down any potential threat activity.
Gathering detailed information on the behaviours, goals and methods of cyber adversaries is the key to developing highly effective threat hunting signatures that are tailored for your specific environment.
For that reason, organisations will need to carefully define rules and signatures within the data to trigger alarms, ensuring an appropriate workflow is in place within the analyst team when it comes to triaging alarms.
Utilising rules that generate lots of data, from a threat hunting perspective, is highly beneficial as it enables teams to develop the hunting signatures that require analysts to generate baseline configurations.
Also of interest: Cyber-security is dead: Long live digital security
Always adopt a proactive approach
The goal for any organisation should be to optimise its cyber security investments, because security is not only a competitive advantage—it’s also a brand differentiator.
To maximise security postures across the enterprise, threat hunters should always take a proactive approach—as opposed to waiting for alarms to trigger or for malicious activity to come to you.
Taking a data-centric approach to security and analysing intelligence generated by your cyber security tools will ultimately enable you to rethink priorities, and better understand what delivers protection and ROI.