Return on investment, or ROI, is a financial method of measuring profitability. A big challenge in the security industry is measuring ROI. Not because it doesn’t exist, but because traditional ROI models do not apply. The primary goal of any security investment is not to generate increased revenue like most other business investments, but is to safeguard information and defend against multiple threats.
The ROI of security in terms of mitigating risk and avoiding the costs and reputational damage of a data breach is well documented. However, with so much focus on justifying security budgets to senior management, it is easy to neglect a strategy for ensuring that the returns from every cyber-specific investment are optimised.
The value is in the data
Determining ROI for any cybersecurity investment is a challenging proposition—but value can come in many forms. Purchasing and deploying technology, for example, is just the first step in deriving the maximum ROI when curating a successful cybersecurity programme.
One of the most overlooked benefits of cybersecurity tools, whether a firewall, endpoint detection and response (EDR), or security information and event management (SIEM), is actually one of the biggest: the data these tools generate over time. Analysing the information gathered by your cybersecurity tools can be highly effective in enabling the data-driven insights that reduce cybersecurity challenges across the business, while also increasing operational efficiency. Yet organisations often fail to take advantage of this wealth of information.
This data can be leveraged in a number of ways. However, any effort to improve cybersecurity ROI will be dependent on having the right processes and people in place. Here are three key ways organisations can harvest their data to derive maximum value from their cybersecurity technology investments.
#1 Talent and skillset
Having skilled employees with the right technical capabilities, as well as deep know-how of security best practices, will go a long way towards getting the most out of a cybersecurity investment.
However, to harvest real value, these employees will need to demonstrate an ‘outside the box’ mentality. This is because they will need to analyse the data output generated by enterprise-wide security tools, and look for clues that will help in threat hunting. They should also be exploring where it is possible to extend these tools to bridge other gaps in the environment from a security and compliance perspective, which in turn will optimise the initial investment.
Turning to a managed service provider with in-depth knowledge of the technology solution in question could be an option for organisations where these skills are not readily available in house. In this situation, however, be sure to carefully evaluate and agree on the service-level agreement, as well as the metrics and reporting that will demonstrate ROI.
#2 Analysing data trends
There is only so much that static signatures and rules can do when it comes to analysing data trends.
One option is to use machine learning to evaluate how data trends over time. This enables security teams to better orchestrate their various tools and controls, and to streamline common analytical tasks such as regression, prediction and classification. Before purchasing machine learning technologies, however, organisations should first research any potential limitations and evaluate which data sources will deliver the most benefit and value.
Additionally, simply feeding data logs into analytics tools that can spot unusual user, workflow or network behaviours—including insider threats—will go a long way in helping keen-eyed teams to sniff out what’s normal and abnormal in their environments.
#3 Review logs to uncover malicious activity
By exporting logs to a central location, like SIEM software, enterprise security teams are better able to manage and decipher vast amounts of data, enabling them to more quickly identify suspicious events and track down any potential threat activity.
The key to developing highly effective threat hunting signatures tailored to a specific environment is gathering detailed information on the behaviours, goals and methods of cyber-adversaries. Defining rules and signatures over the data to trigger alarms is therefore vital, as is ensuring an appropriate workflow is in place for the analyst team when it comes to triaging the resulting alerts.
From a threat hunting perspective, rules that generate a lot of data are highly beneficial: they give analysts the material to establish a baseline of normal activity, which in turn is what allows teams to develop hunting signatures tuned to their environment.
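To make the points in #2 and #3 concrete, here is an added example (not code from the article or from Digital Guardian) that builds a per-user baseline from a window of centralised authentication logs and then applies both a static rule and baseline-deviation checks to new events. The log lines, usernames and addresses are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample SSH auth log lines: a "known good" training window and new events.
BASELINE_LOGS = """\
2024-03-01T09:02:11 sshd: Accepted password for alice from 10.0.1.20
2024-03-01T09:15:43 sshd: Accepted password for bob from 10.0.1.31
2024-03-02T08:58:02 sshd: Accepted password for alice from 10.0.1.20
2024-03-02T10:04:19 sshd: Accepted password for bob from 10.0.1.31
""".splitlines()

NEW_LOGS = """\
2024-03-04T09:05:00 sshd: Accepted password for alice from 10.0.1.20
2024-03-04T03:12:41 sshd: Accepted password for bob from 203.0.113.7
2024-03-04T03:13:02 sshd: Failed password for bob from 203.0.113.7
2024-03-04T03:13:05 sshd: Failed password for bob from 203.0.113.7
2024-03-04T03:13:09 sshd: Failed password for bob from 203.0.113.7
""".splitlines()

LINE_RE = re.compile(r"^(\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")

def parse(line):
    """Turn one log line into an event dict; unparseable lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ok": outcome == "Accepted", "user": user, "src": src}

def build_baseline(lines):
    """Per-user set of source IPs and login hours seen in the training window."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ev in filter(None, map(parse, lines)):
        if ev["ok"]:
            base[ev["user"]]["srcs"].add(ev["src"])
            base[ev["user"]]["hours"].add(ev["ts"].hour)
    return base

def hunt(lines, baseline, fail_threshold=3):
    """Static rule (burst of failed logins) plus deviations from the per-user baseline."""
    alerts, failures = [], defaultdict(int)
    for ev in filter(None, map(parse, lines)):
        if not ev["ok"]:
            failures[(ev["user"], ev["src"])] += 1
            if failures[(ev["user"], ev["src"])] == fail_threshold:
                alerts.append(("failed-login-burst", ev["user"], ev["src"]))
            continue
        known = baseline.get(ev["user"])  # .get() does not create a new baseline entry
        if known and ev["src"] not in known["srcs"]:
            alerts.append(("new-source-ip", ev["user"], ev["src"]))
        if known and ev["ts"].hour not in known["hours"]:
            alerts.append(("unusual-hour", ev["user"], ev["src"]))
    return alerts
```

In practice the baseline window would be weeks of SIEM data rather than four lines, and each alert type would map to a triage step in the analyst workflow.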
Data centric and proactive
Taking a data-centric approach to security and analysing the intelligence generated by your cybersecurity tools will ultimately enable you to rethink priorities and better understand what delivers protection and ROI. In addition, organisations, and threat hunters in particular, should always take a proactive approach to cybersecurity rather than waiting for alarms to trigger or for malicious activity to occur.
Tim Bandos, Vice President, Digital Guardian