White Paper
www.insightengines.com [email protected]
ROI of CSI
Return on Investment of Plain English Search and
the Insight Engines Cyber Security Investigator for
Splunk (CSI)
Executive Summary
The ability for users to interact with machine data via plain English search, as opposed to
proprietary or complex query languages, unlocks the value of machine data and enables a
wide range of benefits which drive a significant Return On Investment (ROI). This white
paper details the ROI of plain English search.
This paper has been created by Insight Engines which has developed the Cyber Security
Investigator for Splunk (CSI). CSI allows users to interact with machine data in Splunk via
plain English search.
Plain English Search, Insight Engines, and Cyber
Security Investigator (CSI)
Insight Engines develops software which enables organizations to unlock the value of
machine data so it becomes accessible and actionable to anyone in an organization, from
an analyst to an executive. Its unique and powerful technology enables plain English, or
natural language, search queries, such as "show me vulnerable systems with failed
updates," against machine data, thus eliminating the need to learn and use proprietary or
complex query languages. Insight Engines’ flagship product is Insight Engines Cyber
Security Investigator for Splunk (CSI), which allows cybersecurity professionals to run plain
English searches on data in Splunk and return answers and visualizations in real-time. The
result is cybersecurity teams can quickly detect, investigate, and visualize cyberthreats.
Insight Engines’ plain English search is driven by natural language processing technology
that is much more than keyword lookups from a dictionary. It is a parser that examines the
search query in real time to understand meaning, intent, and context. In seconds, it then
produces highly efficient queries, accurate results, and powerful visualizations.
The top row in the image is of an example plain English query against machine data with CSI. Below it is the
same query written via a proprietary search language, in this case the Splunk Search Processing Language, or
SPL. The plain English search is orders of magnitude simpler and of course can be run by anyone in an
organization.
The ROI of CSI
The ROI detail in this paper is supported by multiple customers of CSI, including a Fortune
500 customer who did a detailed, internal ROI study on CSI. Per the image to the right, this
customer saw aggregate cost savings of 40%, or $922,000, and CSI paid for itself within
three months. Their ROI is detailed further in the paper. See a recording of this customer
talking about the value they derived from CSI, including the 3-month payback, at:
insightengines.com/product.
The six main benefits of CSI and plain English search lead to a strong ROI via CSI
enhancing existing people, processes, and products.
Benefit 1 - Faster threat detection and remediation lead
to lowered breach costs
The advanced, or unknown, cyber threats of today get in undetected using social
engineering and custom malware. Once in, these threats move fast to steal legitimate
credentials, move laterally, and then locate and exfiltrate confidential data. They evade
detection from signature-based and traditional security products. The resulting data loss
from the breach results in a significant cost due to customers taking their business
elsewhere, customer lawsuits, fines due to non-compliance, and more. The image below
from the Ponemon Institute 2016 Cost of Data Breach Study shows how the average
breach costs an organization $4 million, or $158 per compromised record.
With the plain English search enabled by CSI, security teams can quickly leverage their
machine data to detect, investigate, and remediate cyber threats. We see customers often
writing 10x or more searches in a given time period with CSI versus proprietary search
languages. These teams are no longer slowed down by having to figure out how to write
complex queries to ask questions of their data. And this speed is paramount because a
threat needs to be neutralized before it has time to spread or locate and exfiltrate sensitive
data.
Furthermore, with CSI, security teams can ask a wider range of questions to detect and
investigate the latest advanced threats. These teams can creatively defend against these
new attacks by proactively asking questions relevant to the current threat landscape. This
may include using plain English to quickly correlate new sources of machine data against
evolving sources of threat intelligence.
Analysts can also easily share and iterate collectively on plain English queries, in order to
augment and expand existing rules-based detection as part of an effective, adaptive
response. These teams can easily save their queries and visualizations in CSI, and update
them as needed, to help cast a wider net of detection to identify a greater range of future
threats that might emerge.
The net result of CSI is that security posture is increased as these teams can better detect,
investigate, and respond to advanced threats that otherwise would have evaded detection
and resulted in data loss.
A conservative assumption is that CSI can improve the security posture of an organization
to the point where the chance of a data breach is reduced by at least 10%. So if the average
cost of a breach is $4M, this 10% means a cost reduction of $400,000 from using CSI and
is part of the overall CSI ROI.
Benefit 2 - Anyone in the organization can get insights
from machine data; data democratization
Without CSI, a limited number of people in an organization can use machine data platforms
and get insight from the underlying data. These people tend to be highly-specialized and
technical resources familiar with proprietary and complex search languages.
With CSI anyone in the organization, whether an executive, an IT Security Manager, a Tier-1
analyst in a Security Operations Center (SOC), or a compliance analyst, can access and
query the machine data via plain English search as data is democratized. Technical skills
are no longer needed to get value from machine data. Later in this document we discuss a
real-world scenario where this was proven out with non-technical resources at the Fortune
500 customer.
A key benefit of everyone querying the machine data is that it leads to a stronger security
posture with more searches being run to detect and investigate threats, or to identify areas
of non-compliance with cybersecurity regulations. Non-security people also often think
outside the box and come up with creative queries that security professionals might not
have traditionally thought of, thus increasing the odds of threat detection.
Benefit 3 - Lower labor costs as non-security experts
can be used for security
A hard ROI of plain English search and how it democratizes machine data is that labor
costs are significantly lowered because lower-cost, non-cybersecurity personnel can be
used for lower-level cyber threat detection and investigations.
As is familiar to any cybersecurity professional, and is illustrated in the infographic below
from ISACA, there has been an acute global cybersecurity skills shortage for years. This
has driven up the cost of hiring skilled security professionals to high levels.
With CSI, an organization can hire non-security resources or cybersecurity novices and
they can quickly start adding value on day one. This is because CSI and its plain English
interface enable anyone to search and visualize machine data.
A real-world example of this comes from the Fortune 500 customer of CSI referred to
earlier in the paper. With CSI, this customer was able to bring physical security guards,
lower-cost personnel who normally carry flashlights and look at video camera footage, into
the SOC to help detect and investigate cyber threats. Within a few hours, these physical
security guards were able to leverage their “out of the box” thinking to run plain English
searches against machine data in Splunk via CSI to detect and investigate threats with
skill comparable to that of existing Tier 1 SOC analysts. The physical security guards also quickly
came up with several new searches, or use cases, to identify cyber threats. As a result, the
organization in aggregate saved over 40%, or $922,000, from using the lower-cost
resources in the SOC, plus increased their security posture.
Benefit 4 - Lowered costs from less reliance on finding
and training experts on proprietary search languages
Proprietary search languages are typically required to search and visualize the data in
machine data platforms. These languages, including SPL or SQL, are usually complex and
esoteric, and experts in these languages are costly and hard to find, train, and retain. Often
an organization has to spend months and significant money training these experts to get to
at least a level of semi-proficiency, only to see them eventually leave and go elsewhere for
more money or because they move to a different role in the organization. This problem is
exacerbated in the government/public sector where technical professionals are often lost to
higher paying roles in the private sector or they rotate to different departments.
Note the problem here somewhat mirrors the prior section. It is hard to find experts in
either cybersecurity or proprietary search languages; trying to find experts in both is
substantially harder, and when located they command very high salaries.
With CSI and plain English search, there is less reliance on these search language experts
as anyone can query the data. Also, the impact of these experts turning over is minimized,
as new hires can still access and get value from machine data via plain English search.
Additionally, training time decreases with CSI as it shows users the raw proprietary search
language generated by a plain English search. Newbies can view this to learn the
proprietary search language. Even experts in writing searches in the proprietary search
language benefit from this raw detail because they can use it as a shortcut to create
complex searches and to check the accuracy of their queries. A real-world example of this
comes from the Fortune 500 customer of CSI referred to earlier in the paper where they
realized an 80% reduction in Splunk training costs from CSI as their initial annual training
budget of $145k dropped to approximately $30k.
A different, large customer in the healthcare space likewise saw how CSI facilitated training
and shortened the learning curve by providing the raw search queries.
With CSI, ROI comes from spending significantly less money on recruiting and training
high-cost, specialized proprietary search language experts. As the large healthcare
organization using CSI put it:
Benefit 5 - Improved productivity of advanced
cybersecurity analysts
Without the plain English search enabled by CSI, significant time of advanced cybersecurity
analysts is spent writing searches in a proprietary search language like SPL, and this cuts
into time that these analysts should be spending on their core mission of detecting and
defeating cyber threats. These advanced cybersecurity analysts also spend considerable
time creating searches for their more junior colleagues. Some cybersecurity analysts spend
a majority of their day writing these proprietary search queries.
With CSI, this skilled, high-cost security talent now can spend more time detecting and
defeating cyber threats to protect the organization, as the queries run by CSI give results in
seconds and not hours. Advanced cybersecurity analysts are able to generate their own
queries quickly, and no longer need to write queries for junior colleagues who instead turn
to CSI to search on their own.
The ROI here is a combination of better utilization of high-cost cybersecurity analysts as
well as a stronger security posture. A real-world example of this comes from the Fortune
500 customer of CSI referred to earlier in the paper where they realized a 40% increase in
SOC analyst productivity. This productivity estimate was based both on the increased
ticket volume the analysts were able to handle, and how the analysts were able to resolve
difficult cases much faster than before.
Benefit 6 - Better ROI on the investment in existing
cybersecurity products
Organizations typically purchase dozens of expensive point security products to protect the
organization. Typically, these products are layered at the network and endpoint for
perceived defense in depth and are from vendors like Palo Alto Networks, FireEye,
Symantec, McAfee, and Cisco. The full value of these products is typically not realized
because, as mentioned in a prior section, advanced threats typically are “unknown threats”
and evade detection from point security products, so alerts are often not raised of their
presence. Often the only way to detect these advanced threats is to be able to correlate
across “harmless” events and also security alerts from multiple products to connect the
dots. And to investigate these threats, events going back weeks or months are often
required, given that advanced threats often are in an organization for months before they get
detected.
For event correlation and long-term event logging, organizations often purchase an
expensive machine data platform, such as Splunk, and use it as a SIEM, or a single
product to log and retain events from all point security and “non-security” products to
improve their chances of connecting the dots to detect and investigate anomalous behavior
or alerts that might be an advanced cyber threat.
The problem with machine data platforms, as mentioned previously, is that proprietary
search languages are an obstacle to accessing machine data in a platform/SIEM like
Splunk, because only a handful of people in an organization are usually proficient with the
proprietary search language. So when CSI and plain English search make the data in a
machine data platform/SIEM accessible and usable to everyone in the organization, CSI
improves the usefulness and ROI of the SIEM and of all the other point security products that
feed into it. The full value of all these costly point security products gets closer to being
realized.
Conclusion and Next Steps
In conclusion, the ability for users to interact with machine data via plain English search, as
opposed to proprietary or complex query languages, unlocks the value of machine data
and enables a wide range of benefits which in turn drive a significant ROI, including a
stronger security posture, better utilization of existing or low-cost/non-technical personnel,
and getting more value out of existing cybersecurity products. Real-world evidence comes from
the Fortune 500 customer that saw CSI enable aggregate cost savings of 40%, or $922,000,
and pay for itself within three months.
If you are interested in learning more about plain English search or the Insight Engines
Cyber Security Investigator for Splunk, please contact [email protected] to speak
with a representative, or visit our web site at insightengines.com to see a demo and learn
more.
ABOUT INSIGHT ENGINES
Insight Engines’ software enables organizations to unlock the value of machine data so it becomes accessible and actionable to anyone in an organization, from an analyst to an executive. Its unique and powerful technology leverages natural language, or “plain English”, search queries against machine data, thus eliminating the need to learn and use complex search languages. www.insightengines.com [email protected]
© 2018 Insight Engines, Inc. All rights reserved. All product and company names are trademarks or registered trademarks of
their respective holders. Use of them does not imply any affiliation with or endorsement by them.