The ROI of Threat Intelligence Making A Clear and Quantifiable Business Case


Page 1: The ROI of Threat Intelligence · use IntSights TIP to pull in and enrich all of your threat feeds and IOCs, and conduct investigations right from the TIP dashboard in one consolidated


EXECUTIVE SUMMARY

This document guides security decision-makers through the often painstaking process of obtaining the budget and executive buy-in needed to bring in an external threat intelligence and protection solution. Given the complexity of today's security technology ecosystem and the long list of priorities competing for security teams' attention, crafting the right business justification matters more than ever.

Gone are the days when budget owners approved new tools on capability alone. Security leaders must constantly balance the business's priority of growing revenue against the operational investment needed to keep the organization protected and threat actors at bay. Successful CISOs learn to articulate the benefits both as they relate to the business and as the concrete technical and tactical improvements they bring to security operations.

Unlike generic threat feeds that offer minimal business context, external threat intelligence (ETI) is focused on your organization's own digital footprint and the threat activity associated with it. As a result, ETI returns tangible value to the business and to your security team, with actionable insight and security automation to neutralize the threats outside the perimeter that put your organization at risk.

Start by outlining the high-level benefits that ETI brings to three core security value pillars: operational, tactical, and strategic. Operational benefits improve the speed and efficiency of security analysts' day-to-day work; tactical benefits take the form of risk reduction through more effective threat prevention, detection, and resolution; strategic benefits let CISOs forecast and report the organization's cyber risk exposure to key executives and the board with more confidence.


The Quantifiable Value Drivers

CISOs too often pigeonhole threat intelligence as a strategic nicety compared with other security technology purchases (e.g., NGFWs). That is a mistake. With the right capabilities in place, threat intelligence is one of the best tools in a CISO's arsenal, whether to calculate and justify security costs or to cut cyber risk exposure through faster threat detection and response.

Either way, security leaders need an array of technical and financial metrics to convince budget decision-makers of the clear, immediate need for threat intelligence. The most effective business cases share similar traits, with the value drivers of threat intelligence broken down into seven key areas (see Figure 1):

1. Efficiency gains in security operations (SecOps). Operational value has two main components: 1) time recovered, measured in full-time employee (FTE) hours, and 2) expanded coverage or scope within the same FTE hours (doing more in the same amount of time). For example, Cisco's 2019 CISO Benchmark Study found that SOC teams investigate only about 51% of the alerts they receive, and only 24% of those investigated turn out to be legitimate.1 External threat intelligence targets both numbers: more relevant alerts, and less analyst time spent reviewing them.

2. Reduced risk exposure from data breaches and regulatory fines. Threat intelligence reduces the likelihood that an organization suffers a major breach or a regulatory fine. For example, in 2019 the UK Information Commissioner's Office announced its intention to fine British Airways and Marriott under GDPR (£183m and £99m proposed, respectively) over breaches of customer data. In both cases, external threat intelligence could have helped to: a) prevent or contain the incident by detecting attacker activity before exploitation, during the planning phase, or before the stolen data was widely distributed; and b) demonstrate a commitment to security (which regulators often cite when reducing penalties), so that once compromised data is detected it is dealt with as quickly as possible.

1 Source: https://www.cisco.com/c/en/us/products/security/security-reports.html.

3. Stemmed financial losses with better MTTR. The longer a cyberattack goes undetected, the greater its financial impact, which is why mean-time-to-remediate (MTTR) matters both for SecOps efficiency and for limiting losses. For example, in November 2016 thousands of Tesco Bank accounts were compromised, leading to customer losses of about £2.5m, and in 2018 the FCA fined the bank £16.4m for the incident, a penalty that would have exceeded £33.5m without the discounts for early settlement and cooperation.2 Much of that could have been avoided: had the bank actively monitored dark web forums, it would have seen cybercriminals discussing the vulnerability two months before the targeted attack.3 Weighed against the roughly £35m at stake, the monitoring pays for itself.

4. Optimized and integrated security stack. TI-driven orchestration and automation is a cornerstone of the value proposition for security teams. In the SIEM, TI adds external context to network telemetry and log data; NGFWs, mail gateways, and EDR can block known-malicious indicators of compromise (IOCs) in real time; matching compromised-credential findings against Active Directory lets you force resets on exposed accounts as soon as they surface. Integrated into the rest of the security stack, threat intelligence amplifies the value of the tools you already own. The practical caveat is hygiene: every indicator needs a confidence score, an age or expiry, and an allow-list for shared infrastructure, or automated blocking will cause the outages it is meant to prevent.

5. Saved time from threat-related business disruptions. When a cyberattack hits, a large share of the security and IT teams join the response, which pulls them off their other assignments until the event is resolved. With threat intelligence, this loss of staff productivity shrinks, both because fewer FTEs are pulled into each incident and because fewer incidents occur each year.

6. Domain-specific benefits: cyberespionage, insider threat, vulnerability management, etc. Some of the ROI of TI depends on the use-cases you choose. If your organization treats its intellectual property (IP) as a competitive advantage, then rapid detection and recovery of IP leaked or offered for sale online becomes a key TI ROI metric. For example, at a large pharmaceutical manufacturer, IntSights discovered several insiders attempting to sell patents on the dark web before one of its pending biotech acquisitions was finalized. TI offers value in each use-case, so select yours carefully with the relevant KPIs in mind.

2 Source: https://www.theregister.co.uk/2018/10/01/fca_fines_tesco_bank_164m_for_2016_security_breach/
3 Source: https://www.ft.com/content/ec81f30a-a82b-11e6-8b69-02899e8bd9d1

7. The benefits, technical and financial, of an all-in-one solution suite. In addition to IntSights Threat Command™, which delivers targeted ETI, alerting, and one-click remediation, you also get the IntSights TIP. Rather than purchasing disconnected TI tools, use the IntSights TIP to pull in and enrich all of your threat feeds and IOCs, and conduct investigations from the TIP dashboard in one consolidated platform. This all-in-one approach brings economies of scale and avoids the time spent evaluating and integrating additional TI purchases.
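The integration point in value driver 4 is where the "optimized security stack" KPIs in Figure 1 are actually earned, and where careless automation does damage. The following is an added example, not IntSights code and not a vendor feed format: it takes a constructed IOC feed (CSV column names are assumptions), applies confidence, age and allow-list rules before anything is pushed to a blocking control, and enriches constructed proxy log lines with the feed's context so an analyst sees why a hit matters. The clock is fixed to 2019-10-01 so the run is reproducible.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed IOC feed. Column names are an assumption for this example, not a vendor export.
FEED_CSV = """indicator,type,confidence,first_seen,source,context
203.0.113.7,ipv4,90,2019-09-20,dark-web-forum,C2 for a campaign targeting retailers
198.51.100.20,ipv4,40,2019-06-01,open-feed,mass scanner (low confidence)
login-dbathletica.example,domain,95,2019-09-28,phishing-monitor,typosquat of the company login page
cdn.example.net,domain,85,2019-09-25,open-feed,shared CDN host seen serving a malware stage
"""

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_host> <dst_ip> <proxy_action>".
PROXY_LOG = """2019-10-01T09:12:03Z 10.1.4.22 login-dbathletica.example 203.0.113.7 ALLOW
2019-10-01T09:15:44Z 10.1.4.23 www.example.org 93.184.216.34 ALLOW
2019-10-01T09:20:11Z 10.1.7.9 cdn.example.net 198.51.100.77 ALLOW
2019-10-01T09:25:00Z 10.1.4.22 updates.example.org 198.51.100.20 ALLOW
"""

NOW = datetime(2019, 10, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
MAX_IOC_AGE = timedelta(days=60)                   # stale indicators alert but never block
MIN_BLOCK_CONFIDENCE = 80                          # below this, alert only
ALLOWLIST = {"cdn.example.net"}                    # shared infrastructure: blocking it breaks the business


@dataclass(frozen=True)
class Ioc:
    value: str
    kind: str
    confidence: int
    first_seen: datetime
    source: str
    context: str


def load_feed(text: str) -> list[Ioc]:
    """Parse the feed and normalise indicator case so matching is exact-string."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append(Ioc(
            value=row["indicator"].strip().lower(),
            kind=row["type"],
            confidence=int(row["confidence"]),
            first_seen=datetime.strptime(row["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc),
            source=row["source"],
            context=row["context"],
        ))
    return rows


def disposition(ioc: Ioc) -> str:
    """'block' only for fresh, high-confidence, non-allowlisted indicators; otherwise 'alert'."""
    if ioc.value in ALLOWLIST:
        return "alert"
    if ioc.confidence < MIN_BLOCK_CONFIDENCE:
        return "alert"
    if NOW - ioc.first_seen > MAX_IOC_AGE:
        return "alert"
    return "block"


def build_blocklist(iocs: list[Ioc]) -> list[str]:
    """The subset safe to push to an NGFW, mail gateway or EDR deny-list."""
    return sorted(i.value for i in iocs if disposition(i) == "block")


def match_proxy_log(iocs: list[Ioc], log_text: str) -> list[dict]:
    """Enrich every proxy line that touched a known indicator with the feed's context."""
    index = {i.value: i for i in iocs}
    hits = []
    for line in log_text.splitlines():
        ts, src, host, dst_ip, action = line.split()
        for candidate in (host.lower(), dst_ip):
            ioc = index.get(candidate)
            if ioc is None:
                continue
            hits.append({
                "ts": ts, "src": src, "indicator": ioc.value, "kind": ioc.kind,
                "confidence": ioc.confidence, "source": ioc.source, "context": ioc.context,
                "disposition": disposition(ioc), "proxy_action": action,
            })
    return hits


def hosts_to_triage(hits: list[dict]) -> list[str]:
    """Internal hosts that reached a block-grade indicator which the proxy still allowed."""
    return sorted({h["src"] for h in hits if h["disposition"] == "block" and h["proxy_action"] == "ALLOW"})


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    print("blocklist:", build_blocklist(feed))
    hits = match_proxy_log(feed, PROXY_LOG)
    for h in hits:
        print(f"{h['disposition'].upper():5s} {h['src']} -> {h['indicator']} "
              f"(confidence {h['confidence']}, {h['source']}): {h['context']}")
    print("hosts to triage:", hosts_to_triage(hits))
```

The shared CDN host and the low-confidence scanner still surface as alerts with their feed context, so an analyst can decide, but they never reach the blocklist; the KPI "IOCs proactively blocked" should count only the indicators that pass the disposition check, not the raw feed size.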

Figure 1: Sample Metrics For External Threat Intelligence

SecOps efficiency gains (improved speed, scope and productivity of SecOps and analysts)
    Operational KPIs: ↑ % events investigated; ↑ % relevant events reviewed; ↓ mean-time-to-detect (MTTD)
    Business KPIs: ↑ # current FTE hrs recovered; ↑ # new/future FTE hrs averted

Risk reduction (lower probability of successful cyber events)
    Operational KPIs: ↓ # triggered security incidents; ↓ # audit findings and reviews; ↓ # account resets or escalations
    Business KPIs: ↓ # cyber-related loss events; ↓ $ fines and penalties (number and size); ↓ $ incident response costs

Minimized impact exposure (reduction in the consequences and costs of successful cyber events)
    Operational KPIs: ↓ MTTR internal (proxies, gateways, firewalls, etc.); ↓ MTTR external (takedowns, data recovery); ↓ % account resets (size and scope)
    Business KPIs: ↓ $ losses due to cyber events; ↓ # fines and penalties; ↓ $ incident response costs

Optimized security stack (improved security technology and data from TI integrations)
    Operational KPIs: ↑ # IOCs proactively blocked by NGFW, mail gateway, or EDR; ↑ % enriched SIEM data and analytics
    Business KPIs: ↑ # FTE hrs recovered; ↓ $ costs saved from other technology investments

Business outage savings (improved user productivity from fewer cyber-related outages)
    Operational KPIs: ↓ # cyber-related events causing business disruption; ↓ % scope and duration of business disruption from remaining events
    Business KPIs: ↑ # FTE hrs recovered due to fewer and shorter events; ↑ $ productivity gains from other affected business units

Domain-specific benefits (additional ROI from specific use-cases)
    Operational KPIs: ↓ time to detect insider threats; ↑ % relevant and TI-prioritized CVEs
    Business KPIs: ↑ $ protected asset value-at-risk (VaR); ↓ $ vulnerability management spend (efficiency gains)

All-in-one ETI solution advantages (advantages of a unified external threat intelligence product suite)
    Operational KPIs: ↑ % threat data quality from data processing and enrichment; seamless investigations, threat hunting, and pivoting
    Business KPIs: ↑ # FTE productivity gains, reduced dashboard fatigue; ↓ $ bundle savings (two TI tools in one solution suite); ↓ shortened payback period


Retail Case Study: Calculating The ROI Of External Threat Intelligence

ROI calculations can be as intricate and precise as you want. For our purposes we will skip the sophisticated financial modeling and stick to the basics. At its core, the ROI case has three components: costs, benefits, and risks. In each area, list your known values first, then your expected values as a point estimate or a range.

There are several standard ROI calculation methods (e.g., net present value (NPV) and internal rate of return), but while valuable they are unnecessary here. This is especially true given the predominantly software-as-a-service (SaaS) delivery of external threat intelligence, which skews toward quick, turnkey implementation, subscription licensing, and light maintenance and support fees.

Given these factors, we can keep the calculations relatively high-level and still be reasonably confident they hold for future years, setting aside externalities and changes in the environment.

Figure 2: Company Attributes

Company name (fictional): DB Athletica
Industry: Retail
Annual revenue: $5 billion
Employees: 20,000
SecOps team size: 150 FTEs
Security FTE salary: $120,000 per year (about $58 per hour)
Non-security FTE salary: $55,000 per year (about $26.50 per hour)

Figure 3: Assumptions

Probability of a cyber loss event of any size in the next 24 months: 29.6% [4]
Estimated records lost in a minor cyber event, based on company size: 5,500
Estimated records lost in a major data breach, based on company size: 55,000
Per-record cost of a data breach, excluding detection and escalation costs (about 30% of the average, already counted in the SecOps rows): $105 = $150 x 0.70 [5]
Probability that a major breach incurs added regulatory costs under newly established laws and regulations (e.g., GDPR, CCPA): 25%
Additional projected legal and regulatory penalties for a major breach: 2% of annual revenue ($100,000,000), adjusted for uncertainty by 45% and amortized over 5 years, i.e. $100,000,000 x 0.55 / 5 = $11,000,000
Strategic IP and asset value-at-risk (VaR), amortized over 5 years: $10,000,000

Figure 4: Costs

IntSights External Threat Protection Suite with 3k assets + TIP + integrations + takedowns: $275,000
Regular, weekly security users: 5
Hours per week in the IntSights Suite: 3
Total security FTE hours in the IntSights Suite, annually: 780 (5 users x 3 hrs x 52 weeks)
SecOps FTE cost for the IntSights Suite, annually: 0.40 FTE, or $48,000
Subtotal costs: $323,000

4 Source: https://ibm.com/security/data-breach
5 Source: Ibid.

Figure 5: Expected Operational Outcomes (Pre-IntSights → With IntSights)

Average qualified security incidents each year: 25,000 → 21,500
Percentage of tier 1 security incidents: 93% → 91.5%
Percentage of tier 2 security incidents: 7% → 8.5%
Average FTE hours to detect and remediate a tier 1 incident: 2 hrs → 1.85 hrs
Average FTE hours to detect and remediate a tier 2 incident: 75 hrs → 73 hrs
Probability cyberespionage was the main objective and succeeded: 25% [6] → 20%
Probability attacks leveraged phishing techniques: 32% [7] → 10%
Probability attacks leveraged compromised credentials: 29% [8] → 12%
Total probability of a cyber loss event: 29.6% → 17.5%, the reduction being attributed to:
    IntSights phishing monitoring: 0.065 = 0.296 x (0.32 - 0.10)
    IntSights credential monitoring: 0.056 = 0.296 x (0.29 - 0.10)
Probability of a major breach, scaled by 0.17 to reflect the lower likelihood of a severe breach: 5% (0.296 x 0.17) → 3% (0.175 x 0.17)
Non-security FTE productivity loss due to cyber-related outages: 1.75 hrs per year → 0.75 hrs per year
Security FTE users' time saved with the all-in-one ETP suite (Threat Command™ and integrated TIP): n/a → 195 hrs per year

Figure 6: Benefits (Pre-IntSights / With IntSights / $ Benefit)

Annual incident management costs (tier 1), by FTE salary: $2,697,000 / $2,111,128 / $585,872
Annual incident management costs (tier 2), by FTE salary: $7,612,500 / $7,727,050 / ($114,500)
VaR from cyberespionage with stolen strategic IP or assets: $2,750,000 / $2,200,000 / $550,000
Business risk of a minor data breach: $170,940 / $101,062 / $69,878
Business risk of a major data breach: $288,750 / $173,250 / $115,500
Legal and regulatory risk of a major data breach: $137,500 / $82,500 / $55,000
Business disruption costs due to unplanned outages, by non-security FTE salary: $857,938 / $367,688 / $490,250
Productivity gains with the IntSights all-in-one ETP Suite: $0 / ($11,540) / $11,540
Subtotal benefits: $1,763,540

6 Source: Verizon DBIR, 2019. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf.
7 Ibid.
8 Ibid.

Figure 7: Final ROI

Costs: $323,000
Benefits: $1,763,540
Risk adjustment: 15% haircut on benefits ($1,763,540 x 0.85 = $1,499,009)
Final ROI: $1,176,009 ($1,499,009 - $323,000)

Bring ETI Metrics To Life With Harder-To-Quantify Benefits

Numbers alone are not enough to win over your executive team, especially when conversations are couched in technical jargon, as is often the case in information security. Fortunately, external threat intelligence also provides qualitative context in spades. For instance, you can weave in intuitive graphical reporting and visuals to bring to life recent threats detected on the dark web, phishing sites, or rogue mobile apps. Either way, you need contextual elements that connect with your business peers, such as:

1. Improved physical safety against extortion and kidnapping. Executive or otherwise, you cannot rightly put a price on anyone's safety and well-being. Yet these jarring scenarios do arise, and while not an everyday occurrence for our clients (thankfully), they come up more often than you might expect. For example, our executive threat intelligence prevented a kidnapping attempt on a high-profile executive of one of our clients who was due to travel in South America. We discovered chatter on anonymous cybercriminal forums coordinating the planned kidnapping. Fortunately, the trip was still a week away, and the client made alternative travel plans.

2. Strategic use of intelligence on threat actor groups, TTPs, and other threat trends. Don’t overlook one of the longstanding uses of threat intelligence: security strategy and resource planning. Understanding your adversaries will help you identify your weak spots and likely high-value targets and entry points.

3. Mitigated brand and reputational risk. The consequences of a tarnished image, and the financial risks that come with it, will always get executives' attention. CISOs can detail the ways cyber events inflict real reputational wounds: higher customer churn, thinner margins from discounts offered to retain unhappy clients, and even a higher cost of capital through increased financing costs and interest rates. Deloitte, for instance, estimated that 49% of one US health insurer's $1.68b in losses over a five-year period came from devalued contract premiums and a further 26% from lost customers.9

Take The Next Step: Roll Out ETI Use-Cases In Phases If you’re still having trouble obtaining budget, consider rolling out external threat intelligence capabilities over time. Select the one or two threat scenarios that you’re most concerned about (e.g., rogue mobile apps, phishing threats, or compromised credentials). Once you successfully deploy one use-case, you can demonstrate the value it’s bringing to the organization and use that as evidence to roll out the next one.

9 Source: https://www2.deloitte.com/us/en/pages/risk/articles/hidden-business-impact-of-cyberattack.html

About IntSights

IntSights is redefining cyber security with the industry's first and only enterprise threat management platform that transforms tailored threat intelligence into automated security operations. Our ground-breaking data-mining algorithms and unique machine learning capabilities continuously monitor an enterprise's external digital profile across the surface, deep and dark web, categorize and analyze tens of thousands of threats, and automate the risk remediation lifecycle, streamlining workflows, maximizing resources and securing business operations. This has made IntSights one of the fastest growing cyber security companies in the world. IntSights has offices in Tel Aviv, Amsterdam, New York, Tokyo, Singapore and Dallas and is backed by Glilot Capital Partners, Blumberg Capital, Blackstone, Tola Capital and Wipro Ventures.

To learn more, visit: https://intsights.com/.

IntSights Cyber Intelligence Ltd. Copyright © All Rights Reserved 2019