White Paper

www.insightengines.com [email protected]

ROI of CSI

Return on Investment of Plain English Search and the Insight Engines Cyber Security Investigator for Splunk (CSI)


Executive Summary

The ability for users to interact with machine data via plain English search, as opposed to proprietary or complex query languages, unlocks the value of machine data and enables a wide range of benefits which drive a significant Return On Investment (ROI). This white paper details the ROI of plain English search.

This paper has been created by Insight Engines, which has developed the Cyber Security Investigator for Splunk (CSI). CSI allows users to interact with machine data in Splunk via plain English search.

Plain English Search, Insight Engines, and Cyber Security Investigator (CSI)

Insight Engines develops software which enables organizations to unlock the value of machine data so it becomes accessible and actionable to anyone in an organization, from an analyst to an executive. Its unique and powerful technology enables plain English, or natural language, search queries, such as "show me vulnerable systems with failed updates," against machine data, thus eliminating the need to learn and use proprietary or complex query languages. Insight Engines’ flagship product is Insight Engines Cyber Security Investigator for Splunk (CSI), which allows cybersecurity professionals to run plain English searches on data in Splunk and return answers and visualizations in real time. The result is that cybersecurity teams can quickly detect, investigate, and visualize cyberthreats.

Insight Engines’ plain English search is driven by natural language processing technology that is much more than keyword lookups from a dictionary. It is a real-time parser that examines the search query to understand meaning, intent and context. In seconds, it then produces highly efficient queries, accurate results, and powerful visualizations.


The top row in the image shows an example plain English query against machine data with CSI. Below it is the same query written in a proprietary search language, in this case the Splunk Search Processing Language, or SPL. The plain English search is orders of magnitude simpler and of course can be run by anyone in an organization.

The ROI of CSI

The ROI detail in this paper is supported by multiple customers of CSI, including a Fortune 500 customer who did a detailed, internal ROI study on CSI. Per the image to the right, this customer saw aggregate cost savings of 40%, or $922,000, and CSI paid for itself within three months. Their ROI is detailed further in the paper. See a recording of this customer talking about the value they derived from CSI, including the 3-month payback, at: insightengines.com/product.

The six main benefits of CSI and plain English search lead to a strong ROI via CSI enhancing existing people, processes, and products.


Benefit 1 - Faster threat detection and remediation lead to lowered breach costs

The advanced, or unknown, cyber threats of today get in undetected using social engineering and custom malware. Once in, these threats move fast to steal legitimate credentials, move laterally, and then locate and exfiltrate confidential data. They evade detection by signature-based and traditional security products. The data lost in such a breach carries a significant cost, due to customers taking their business elsewhere, customer lawsuits, fines for non-compliance, and more. The image below, from the Ponemon Institute 2016 Cost of Data Breach Study, shows that the average breach costs an organization $4 million, or $158 per compromised record.

With the plain English search enabled by CSI, security teams can quickly leverage their machine data to detect, investigate, and remediate cyber threats. We see customers often writing 10x or more searches in a given time period with CSI versus proprietary search languages. These teams are no longer slowed down by having to figure out how to write complex queries to ask questions of their data. And this speed is paramount because a threat needs to be neutralized before it has time to spread or locate and exfiltrate sensitive data.

Furthermore, with CSI, security teams can ask a wider range of questions to detect and investigate the latest advanced threats. These teams can creatively defend against these new attacks by proactively asking questions relevant to the current threat landscape. This may include using plain English to quickly correlate new sources of machine data against evolving sources of threat intelligence.


Analysts can also easily share and iterate collectively on plain English queries, in order to augment and expand existing rules-based detection as part of an effective, adaptive response. These teams can easily save their queries and visualizations in CSI, and update them as needed, to help cast a wider net of detection to identify a greater range of future threats that might emerge.

The net result of CSI is that security posture is increased as these teams can better detect, investigate, and respond to advanced threats that otherwise would have evaded detection and resulted in data loss.

A conservative assumption is that CSI can improve the security posture of an organization to the point where the chance of a data breach is reduced by at least 10%. So if the average cost of a breach is $4M, this 10% means a cost reduction of $400,000 from using CSI, which is part of the overall CSI ROI.

Benefit 2 - Anyone in the organization can get insights from machine data; data democratization

Without CSI, a limited number of people in an organization can use machine data platforms and get insight from the underlying data. These people tend to be highly specialized and technical resources familiar with proprietary and complex search languages.

With CSI anyone in the organization, whether an executive, an IT Security Manager, a Tier-1 analyst in a Security Operations Center (SOC), or a compliance analyst, can access and query the machine data via plain English search as data is democratized. Technical skills are no longer needed to get value from machine data. Further in this document we discuss a real-world scenario where this was proven out with non-technical resources at the Fortune 500 customer.

A key benefit of everyone querying the machine data is that it leads to a stronger security posture, with more searches being run to detect and investigate threats, or to identify areas of non-compliance with cybersecurity regulations. And non-security people often think outside the box and come up with creative queries that security professionals might not have traditionally thought of, thus increasing the odds of threat detection.


Benefit 3 - Lower labor costs as non-security experts can be used for security

A hard ROI of plain English search and how it democratizes machine data is that labor costs are significantly lowered because lower-cost, non-cybersecurity personnel can be used for lower-level cyber threat detection and investigations.

As is familiar to any cybersecurity professional, and is illustrated in the infographic below from ISACA, there has been an acute global cybersecurity skills shortage for years. This has driven up the cost of hiring skilled security professionals to high levels.

[Infographic from ISACA on the cybersecurity skills shortage. Sources cited in the image: 2015 Cost of Data Breach Study: Global Analysis (IBM and Ponemon Institute, May 2015); ISACA 2015 APT Study (October 2015); ISACA 2015 IT Risk/Reward Barometer, Member Study (September 2015) and Consumer Study (September 2015); The Future of Cybercrime & Security: Financial and Corporate Threats & Migration (Juniper Research, May 2015); UK House of Lords Digital Skills Committee; State of Cybersecurity: Implications for 2015 (ISACA and RSA Conference, April 2015); Burning Glass Job Market Intelligence: Cybersecurity Jobs 2015; Securing Our Future: Closing the Cyber Talent Gap (Raytheon and NCSA, October 2015). Note: "employees" refers to data security professionals at organizations that potentially have access to PII.]


With CSI, an organization can hire non-security resources or cybersecurity novices, and they can quickly start adding value on day one. This is because CSI and its plain English interface enable anyone to search and visualize machine data.

A real-world example of this comes from the Fortune 500 customer of CSI referred to earlier in the paper. With CSI, this customer was able to bring physical security guards, lower-cost personnel who normally carry flashlights and look at video camera footage, into the SOC to help detect and investigate cyber threats. Within a few hours, these physical security guards were able to leverage their “out of the box” thinking to run plain English searches against machine data in Splunk via CSI to detect and investigate threats with comparable skill to existing Tier 1 SOC analysts. The physical security guards also quickly came up with several new searches, or use cases, to identify cyber threats. As a result, the organization in aggregate saved over 40%, or $922,000, from using the lower-cost resources in the SOC, plus increased their security posture.

Benefit 4 - Lowered costs from less reliance on finding and training experts on proprietary search languages

Proprietary search languages are typically required to search and visualize the data in machine data platforms. These languages, including SPL or SQL, are usually complex and esoteric, and experts in these languages are costly and hard to find, train, and retain. Often an organization has to spend months and significant money training these experts to get to at least a level of semi-proficiency, only to see them eventually leave and go elsewhere for more money or because they move to a different role in the organization. This problem is exacerbated in the government/public sector, where technical professionals are often lost to higher-paying roles in the private sector or they rotate to different departments.

Note the problem here somewhat mirrors the prior section. It is hard to find experts in either cybersecurity or proprietary search languages; trying to find experts in both is substantially harder, and when located they command very high salaries.

With CSI and plain English search, there is less reliance on these search language experts as anyone can query the data. Also, the impact of these experts turning over is minimized, as new hires can still access and get value from machine data via plain English search.


Additionally, training time decreases with CSI as it shows users the raw proprietary search language generated by a plain English search. Newbies can view this to learn the proprietary search language. Even experts in writing searches in the proprietary search language benefit from this raw detail because they can use it as a shortcut to create complex searches and to check the accuracy of their queries. A real-world example of this comes from the Fortune 500 customer of CSI referred to earlier in the paper, where they realized an 80% reduction in Splunk training costs from CSI as their initial annual training budget of $145k dropped to approximately $30k.

A different, large customer in the healthcare space likewise saw how CSI facilitated training and shortened the learning curve by providing the raw search queries.

With CSI, ROI comes from spending significantly less money on recruiting and training high-cost, specialized proprietary search language experts. As the large healthcare organization using CSI put it:

Benefit 5 - Improved productivity of advanced cybersecurity analysts

Without the plain English search enabled by CSI, significant time of advanced cybersecurity analysts is spent writing searches in a proprietary search language like SPL, and this cuts into time that these analysts should be spending on their core mission of detecting and defeating cyber threats. These advanced cybersecurity analysts also spend considerable time creating searches for their more junior colleagues. Some cybersecurity analysts spend a majority of their day writing these proprietary search queries.

With CSI, this skilled, high-cost security talent now can spend more time detecting and defeating cyber threats to protect the organization, as the queries run by CSI give results in seconds and not hours. Advanced cybersecurity analysts are able to generate their own queries quickly, and no longer need to write queries for junior colleagues, who instead turn to CSI to search on their own.


The ROI here is a combination of better utilization of high-cost cybersecurity analysts as well as a stronger security posture. A real-world example of this comes from the Fortune 500 customer of CSI referred to earlier in the paper, where they realized a 40% increase in SOC analyst productivity. This productivity estimate was based both on the increased ticket volume the analysts were able to handle, and on how the analysts were able to resolve difficult cases much faster than before.

Benefit 6 - Better ROI on the investment in existing cybersecurity products

Organizations typically purchase dozens of expensive point security products to protect the organization. Typically, these products are layered at the network and endpoint for perceived defense in depth and are from vendors like Palo Alto Networks, FireEye, Symantec, McAfee, and Cisco. The full value of these products is typically not realized because, as mentioned in a prior section, advanced threats typically are “unknown threats” and evade detection by point security products, so alerts of their presence are often not raised. Oftentimes the only way to detect these advanced threats is to be able to correlate across “harmless” events and also security alerts from multiple products to connect the dots. And to investigate these threats, events going back weeks or months are often required, given that advanced threats are often in an organization for months before they get detected.

For event correlation and long-term event logging, organizations often purchase an expensive machine data platform, such as Splunk, and use it as a SIEM, or a single product to log and retain events from all point security and “non-security” products to improve their chances of connecting the dots to detect and investigate anomalous behavior or alerts that might be an advanced cyber threat.

The problem with machine data platforms, as mentioned previously, is that proprietary search languages are an obstacle to accessing machine data in a platform/SIEM like Splunk because only a handful of people in an organization usually are proficient with the proprietary search language. So when CSI and plain English search makes the data in a machine data platform/SIEM accessible and usable to everyone in the organization, CSI improves the usefulness and ROI of the SIEM and all the other point security products that feed into it. The full value of all these costly point security products gets closer to being realized.

ABOUT INSIGHT ENGINES

Insight Engines’ software enables organizations to unlock the value of machine data so it becomes accessible and actionable to anyone in an organization, from an analyst to an executive. Its unique and powerful technology leverages natural language, or “plain English”, search queries against machine data, thus eliminating the need to learn and use complex search languages. www.insightengines.com [email protected]

© 2018 Insight Engines, Inc. All rights reserved. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Conclusion and Next Steps

In conclusion, the ability for users to interact with machine data via plain English search, as opposed to proprietary or complex query languages, unlocks the value of machine data and enables a wide range of benefits which in turn drive a significant ROI, including a stronger security posture, better utilization of existing or low-cost/non-technical personnel, and getting more value out of existing cybersecurity products. Real-world evidence comes from the Fortune 500 customer who saw CSI enable aggregate cost savings of 40%, or $922,000, and pay for itself within three months.

If you are interested in learning more about plain English search or the Insight Engines Cyber Security Investigator for Splunk, please contact [email protected] to speak with a representative, or visit our web site at insightengines.com to see a demo and learn more.