Security analysts are thoughtful, hardworking, quick-witted, and clever. Their shifts are long, and their expertise deep. But despite their best efforts, SOC analysts’ ability to monitor security alerts is not keeping pace with the mounting volume of cyberattacks, and data breaches are costing global businesses more and more with each passing year.
According to the Ponemon Institute’s 2018 Cost of a Data Breach Study, it takes the typical organization 197 days to identify that its technology environment has been compromised, and the total cost of containing, investigating, and repairing the breach averages $3.86 million, or $148 per lost or stolen record.
Generally speaking, the more quickly a breach is discovered and contained, the lower the overall cost the victim will incur. Incidents that are fully resolved within 30 days cost an average of $1 million less to remediate than those taking more time. Unfortunately, the trend is moving in the wrong direction: it is taking companies longer to identify and contain the data breaches they are confronted with than it did last year.
It’s Time to Change the Status Quo
It is all too common—in fact, it’s the norm with today’s data breaches—for SOC analyst teams to have received multiple alerts about the activity in their environment that resulted in a breach, only to have failed to register those alerts’ true significance. Very likely, the analysts never even saw the alerts, since the alerts didn't match any of their rules. Most network security monitoring programs collect ample telemetry data, but only a minuscule fraction of that data is currently analyzed or reviewed, and even then it is not considered in depth.
Though information security professionals may comfort themselves with the thought that this data they’ve collected will be available for forensic analysis in case of a breach, the dismaying reality is that using endpoint or network monitoring this way does little or nothing to thwart attackers. From the perspective of prevention or detection, it’s utterly ineffective.
As long as we continue in our current approach to this problem, we’re not going to see better results. Decision automation is far more capable of monitoring millions of relevant alerts than human security teams are, and it’s able to accomplish this with the speed, scale, and consistency of software.
Humans cannot process more than 75 to 150 events per analyst-hour, and at that rate they are able to consider only a tiny fragment (far less than one percent) of the total relevant alert volume. By contrast, automated analysis software can examine every event from across an expansive security landscape, and it can do so without experiencing fatigue, becoming biased, or changing jobs.
The numbers below represent the real performance of The Respond Analyst in live customer environments. They seem incredible, but in fact, are verifiable and true. We often quote smaller numbers to our potential customers just to keep people from becoming too incredulous.
For stakeholders accustomed to thinking of security event monitoring from within the limitations of yesterday’s approaches, these performance numbers represent an enormous leap forward. According to the Cost of a Data Breach study, organizations adding artificial intelligence (AI)-driven SOC analysis software to their security stack would see an instant cost reduction of $8.20 per record in the expenses they were likely to experience in case of a data breach. And in network environments across the U.S. and around the globe, The Respond Analyst is adding the equivalent of 13,318 experienced full-time cybersecurity analysts to our customers’ teams.
How many additional analysts would your security operations program need to hire in order to monitor one hundred percent of your relevant security alerts? How many analysts would you need to bring on board to significantly reduce your likelihood of experiencing a breach? The Respond Analyst can provide you the equivalent of this headcount at a fraction of the cost.
If you’re curious about what full coverage would be like in your own network environment, contact us to schedule a demonstration of the Respond Analyst today.
Chris has over 30 years of experience in defensive information security: 14 years in the defense and intelligence community and 17 years in commercial industry. He has designed, built, and managed global security operations centers and incident response teams for eight of the global Fortune 50. As he often says, if you have complaints about today’s security operations model, you can partially blame him. It’s from his first-hand experience in learning the limitations of the man-vs.-data SecOps model that Chris leads product design and strategy for Respond Software.