the cybersecurity capacity problem: is automation hype or the only hope?


Upload: nathan-burke

Post on 12-Apr-2017


TRANSCRIPT

Page 1: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?

Intelligent Security Automation hexadite.com

March 10, 2017

The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?

Prepared for

Page 2: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Session Overview

• Healthy Disrespect for Marketing

• The Cybersecurity Capacity Problem

• Is Security Automation the Answer?

• What Real CISOs Think

Page 3: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Page 4: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Security Automation: The Next Big Thing!

Are the Scary Robots Taking Our Jobs?

Will Automation Save the Rainforests? Maybe.

Page 5: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


The Cybersecurity Capacity Problem

Page 6: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Cybersecurity has a capacity problem.

Page 7: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


The Cybersecurity Capacity Problem

58% of companies get more than 5,000 alerts per month.

Alerts per month (share of companies surveyed):
< 500: 5%
500 – 1,000: 10%
1,001 – 5,000: 27%
5,001 – 10,000: 28%
10,001 – 15,000: 21%
15,000+: 9%

Too Many Alerts

All told, the ESG data indicates that cybersecurity professionals are struggling to keep up with security alert volume and are doing their best to identify, prioritize and address the most critical of the lot. This makes it fairly easy for cyber adversaries to hide stealthy attacks, circumvent security controls and fly under the radar through a pervasive security alert storm.

Page 8: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


A full 80% of organizations receiving 500 or more severe/critical alerts per day currently investigate fewer than 1% of them.

Page 9: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Prioritization is just a conscious decision about what you’re willing to ignore.

Page 10: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


If you could investigate every alert from every detection system, wouldn’t you?

Page 11: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?

The Cybersecurity Capacity Problem

One cyber analyst can handle roughly 10 alerts per day, working one alert at a time.

Too Few Resources

Page 12: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Page 13: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


What is Security Automation?

Page 14: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


3 Approaches

Workflow Tools
WHAT THEY DO: Gather data, tell people what they should do next
DIFFERENCE: You still need people to perform the investigation and remediation actions

Orchestration Tools
WHAT THEY DO: Connect your existing tools together
DIFFERENCE: They connect for the sake of connection

Scripting Tools
WHAT THEY DO: Perform actions based on code you write
DIFFERENCE: You still have to write, maintain and update the code

Page 15: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?

What is Security Automation?

Security automation is the active process of:
1. Mimicking the ideal steps a human would take to investigate a cyber threat
2. Determining whether the threat requires action
3. Performing necessary remediation actions
4. Deciding what additional investigations should be next

Page 16: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Page 17: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


What Should You Automate?

Page 18: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


IR Spending Stats

Page 19: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Automation Results

Page 20: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Inputs: 450, 2, $162,000, 8

Based on your inputs, you spend $324,000 annually to investigate 4% of your alerts. You are paying $80.36 for every investigated alert.

With More Analysts
If you were to investigate 100% of your alerts without automation, you would need 57 cyber analysts to manually investigate your alerts.
COST ANNUALLY FOR 57 ANALYSTS: $9,112,500.00
COST PER INVESTIGATED ALERT: $55.48

With Automation
Using automation, you'll be able to investigate 100% of the alerts you receive from detection systems, using 5% of the cost of hiring 57 analysts.
ANNUAL AUTOMATION COST: $455,625.00
ANNUAL STAFF COST: $324,000.00
COST PER INVESTIGATED ALERT: $4.75
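The calculator slide above gives its results without showing the model behind them. The following is an added example, not the deck's or Hexadite's tool: it rebuilds the model so the assumptions are visible. The four inputs are unlabeled on the slide; reading them as alerts per day, analysts on staff, annual cost per analyst and alerts one analyst investigates per day, and dividing by 252 working days for the current team but 365 calendar days for the two 100%-coverage options, reproduces every figure on the slide. Those readings and day counts are inferences, not something the slide states. The second function recomputes the two 100%-coverage per-alert costs on a single day basis, which is the check a practitioner should run before quoting the per-alert comparison.

```python
# Added example, not the deck's own calculator. The slide shows four
# unlabeled inputs (450, 2, $162,000, 8); here they are read as alerts per
# day, analysts on staff, fully loaded cost per analyst per year, and alerts
# one analyst investigates per day. That reading and the two day counts
# below are inferences chosen because they reproduce the slide's figures.
import math

WORK_DAYS = 252         # inferred: the current team's per-alert cost divides by working days
CALENDAR_DAYS = 365     # inferred: the 100%-coverage per-alert costs divide by calendar days
AUTOMATION_PERCENT = 5  # stated on the slide: automation priced at 5% of the full payroll


def capacity_model(alerts_per_day, analysts, cost_per_analyst, alerts_per_analyst_day):
    """Return the slide's figures, unrounded, keyed by the label they appear under."""
    staff_cost = analysts * cost_per_analyst
    investigated_per_day = min(analysts * alerts_per_analyst_day, alerts_per_day)
    coverage_pct = 100 * investigated_per_day / alerts_per_day

    # Fractional headcount is kept for costing; the slide rounds it up only for display.
    analysts_needed = alerts_per_day / alerts_per_analyst_day
    full_staff_cost = analysts_needed * cost_per_analyst
    automation_cost = full_staff_cost * AUTOMATION_PERCENT / 100

    return {
        "annual_staff_cost": staff_cost,
        "coverage_pct": coverage_pct,
        "cost_per_alert_now": staff_cost / (investigated_per_day * WORK_DAYS),
        "analysts_needed_display": math.ceil(analysts_needed),
        "cost_for_full_staff": full_staff_cost,
        "cost_per_alert_full_staff": full_staff_cost / (alerts_per_day * CALENDAR_DAYS),
        "annual_automation_cost": automation_cost,
        "cost_per_alert_automation": (automation_cost + staff_cost) / (alerts_per_day * CALENDAR_DAYS),
    }


def same_basis(alerts_per_day, analysts, cost_per_analyst, alerts_per_analyst_day, days=WORK_DAYS):
    """Recompute the two 100%-coverage per-alert costs on one shared day basis.

    In this linear model the all-analyst option costs exactly what each analyst
    already costs per alert: the per-alert price is a property of the analyst,
    not of the headcount, so a lower figure can only come from a basis change.
    """
    m = capacity_model(alerts_per_day, analysts, cost_per_analyst, alerts_per_analyst_day)
    volume = alerts_per_day * days
    return {
        "cost_per_alert_full_staff": m["cost_for_full_staff"] / volume,
        "cost_per_alert_automation": (m["annual_automation_cost"] + m["annual_staff_cost"]) / volume,
    }


if __name__ == "__main__":
    figures = capacity_model(450, 2, 162_000, 8)
    for label, value in figures.items():
        print(f"{label:28s} {value:,.2f}")
    print("same day basis:", same_basis(450, 2, 162_000, 8))
```

Run with the slide's inputs, `capacity_model` returns the slide's figures ($324,000 and 4%, $80.36, 57 analysts costing $9,112,500, $55.48, $455,625 and $4.75). `same_basis` shows that on 252 working days the 57-analyst option costs the same $80.36 per alert as today and automation comes to about $6.88 per alert, so the automation case still holds, but the $80.36-to-$55.48 step on the slide is a change of denominator, not a saving.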

Page 21: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Page 22: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


5 Prerequisites to Trust Automation

In order to trust security automation, it must be:
1. Repeatable
2. Auditable
3. Reversible
4. Interruptible - Kill Switch
5. Able to Learn/Adapt
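What those five properties look like in a playbook runner, as an added example rather than anything from the deck or from Hexadite's product: each action carries its own inverse (reversible), every decision is appended to an audit log keyed by sequence number rather than wall-clock time so two runs of the same input produce identical trails (repeatable, auditable), and a kill switch is checked before every step, with a partial run undone in reverse order instead of being left half-applied (interruptible). The fifth property is only prepared for: the runner tallies outcomes per action, which is the feedback an adaptive policy would consume, but no adaptation logic is implemented here. The "host", its two actions and the hash value are constructed for the demo.

```python
# Added illustration of the deck's five prerequisites, not Hexadite code.
# The "host" is a constructed dict and the actions only mutate it, so the
# block runs offline; the hash value is a labelled placeholder, not an IoC.
from dataclasses import dataclass, field
from threading import Event
from typing import Callable, Dict, List

SAMPLE_HASH = "placeholder-sha256-not-a-real-indicator"  # constructed value


@dataclass
class Action:
    """A remediation step paired with its inverse, so any run can be undone (reversible)."""
    name: str
    apply: Callable[[dict], None]
    revert: Callable[[dict], None]


@dataclass
class Runner:
    kill_switch: Event = field(default_factory=Event)                  # interruptible
    audit_log: List[dict] = field(default_factory=list)                # auditable
    outcomes: Dict[str, Dict[str, int]] = field(default_factory=dict)  # feedback for learn/adapt

    def _record(self, alert_id: str, step: int, action: str, result: str) -> None:
        # Append-only, one entry per decision. Sequence numbers rather than
        # wall-clock time keep two runs of the same input comparable (repeatable).
        self.audit_log.append({"alert": alert_id, "seq": step, "action": action, "result": result})
        self.outcomes.setdefault(action, {}).setdefault(result, 0)
        self.outcomes[action][result] += 1

    def run(self, alert_id: str, playbook: List[Action], host: dict) -> str:
        """Apply the playbook to host; return 'completed' or 'rolled_back'."""
        done: List[Action] = []
        for step, action in enumerate(playbook, start=1):
            # Checked before every step: an operator can stop a run between actions,
            # and whatever was already applied is undone rather than left in place.
            if self.kill_switch.is_set():
                self._record(alert_id, step, action.name, "skipped:kill_switch")
                self._rollback(alert_id, step, done, host)
                return "rolled_back"
            try:
                action.apply(host)
            except Exception as exc:  # a failing step also triggers rollback
                self._record(alert_id, step, action.name, f"failed:{type(exc).__name__}")
                self._rollback(alert_id, step, done, host)
                return "rolled_back"
            done.append(action)
            self._record(alert_id, step, action.name, "applied")
        return "completed"

    def _rollback(self, alert_id: str, step: int, done: List[Action], host: dict) -> None:
        # Undo in reverse order so each revert sees the state its apply left behind.
        for action in reversed(done):
            action.revert(host)
            self._record(alert_id, step, action.name, "reverted")


# Constructed sample actions against the dict "host".
def isolate(host): host["isolated"] = True
def unisolate(host): host["isolated"] = False
def block_hash(host): host["blocked"].add(SAMPLE_HASH)
def unblock_hash(host): host["blocked"].discard(SAMPLE_HASH)

PLAYBOOK = [Action("isolate_host", isolate, unisolate),
            Action("block_hash", block_hash, unblock_hash)]


def fresh_host() -> dict:
    return {"isolated": False, "blocked": set()}


def demo_completed():
    runner, host = Runner(), fresh_host()
    return runner.run("alert-1", PLAYBOOK, host), host, runner.audit_log


def demo_kill_switch():
    """Operator throws the switch during step 1: step 2 must not run and step 1 is undone."""
    runner, host = Runner(), fresh_host()

    def isolate_then_stop(h):
        isolate(h)
        runner.kill_switch.set()

    playbook = [Action("isolate_host", isolate_then_stop, unisolate), PLAYBOOK[1]]
    return runner.run("alert-2", playbook, host), host, runner.audit_log


def demo_repeatable() -> bool:
    """Same alert, same playbook, same starting state: the audit trails are identical."""
    a, b = Runner(), Runner()
    a.run("alert-3", PLAYBOOK, fresh_host())
    b.run("alert-3", PLAYBOOK, fresh_host())
    return a.audit_log == b.audit_log


if __name__ == "__main__":
    for entry in demo_kill_switch()[2]:
        print(entry)
```

The kill-switch demo leaves the host exactly as it found it and an audit trail of applied, skipped:kill_switch, reverted, which is the record a reviewer needs to see both that the run was stopped and that it was cleaned up. In a real deployment the inverse of each action has to be tested as carefully as the action itself, since an irreversible step (deleting a file, wiping a mailbox) silently breaks the third prerequisite.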

Page 23: The Cybersecurity Capacity Problem: Is Automation Hype or the Only Hope?


Thank You!

Nathan Burke: [email protected]