Executive Summary
Justifying outsourced spend has long been one of the greatest challenges facing cybersecurity teams. Generally viewed as a cost center rather than a critical component of mitigating business risk, cybersecurity teams find themselves in continuous competition for resources with other business units.
Oftentimes, justification for outsourcing is reactively triggered by a security incident, a failed audit or a business-impacting event that gains the attention of executive leadership. Unfortunately, many of these events could have been avoided if not for perpetual underinvestment in cybersecurity. The continuous pressure on under-resourced and overwhelmed cybersecurity teams to secure a growing attack surface while keeping pace with business growth far exceeds the people, process and technology available.
As organizations look to mitigate risk with Managed Detection and Response (MDR) providers, justifying spend without a trigger event is not only difficult to calculate but also increasingly challenging to defend under the scrutiny of budget authorities. While many cybersecurity service providers have created calculators to justify MDR investment, most lack the ability to account for an organization's unique industry, size and threat landscape.
In this brief, we present a model that focuses on the architecture, engineering and construction (AEC) industries. The model enables cybersecurity teams to select inputs applicable to their environment and the data at risk, in relation to their size and propensity for a security event. The resulting output should serve as a defensible risk identification, risk reduction and return on investment scenario that justifies investment in outsourced MDR services.
Architecture, Engineering and Construction (AEC):
Justifying Outsourced Managed Detection and Response
A defensible model for calculating risk mitigation and ROI.
MAKING THE CASE FOR MDR
What You Will Learn
• Probability of AEC security events
• Probability of AEC security events converting to data disclosure
• Cost of AEC data disclosure
• Expected yearly AEC risk
• How to calculate risk mitigation
• How to calculate return on investment
RISK CALCULATION: INPUTS
• Probability of an AEC security event
• Probability of an AEC security event resulting in data disclosure
• Cost per AEC record when disclosed
• Quantity of records at risk
AEC Probability of a Security Event
It is important to acknowledge that not all security events result in data disclosure. In fact, very few do. However, the probability of a security event that bypasses existing security controls is an important factor in calculating yearly risk. While public statistics for AEC security events are available, they are often an inaccurate representation: studies typically combine event data from small, medium and enterprise organizations into a single probability value for all AEC companies, resulting in skewed data and ultimately inaccurate risk calculation.
To determine the yearly probability of a security event contextual to organizational size, eSentire created a propensity model based on 12 months of observed AEC customer data across our Security Operations Centers (SOCs). Using a compounding data model, the chart referenced below represents the probability of at least one event bypassing existing security controls over a 12-month period as a function of the number of locations protected. The model assumes an average number of endpoints, log sources and users at each physical location, and it accounts for remote users.
AEC Probability of a Security Event to Data Disclosure
As stated before, a security event does not typically result in data disclosure. However, for some industries the probability is abnormally high. According to the 2020 Verizon Data Breach Investigations Report, security incidents across AEC organizations convert to data disclosure 67.5 percent of the time. This conversion percentage is among the highest of the measured industries. The statistic reinforces the need for MDR: once an attacker bypasses existing security controls, they accomplish their objective a majority of the time.
Cost of Record Disclosure
Our previous inputs, probability of an event and conversion of an event to data disclosure, are only part of the risk equation. To complete the calculation, we need the cost of a disclosed record and how many records are potentially at risk. Based on the latest Ponemon Cost of a Data Breach report, industrial organizations have a reported per-record cost of $160. We acknowledge that this number is only a guideline, as it combines data across small, medium and large organizations. Security teams are encouraged to adjust this value as they see fit.
Note: In presenting this model, security leaders typically reduce the value by 25 to 50 percent.
Records at Risk
The quantity of records at risk of data disclosure is unique to each organization. For context, a recent Ponemon study of small and medium-sized organizations (under 1,000 employees) indicated that data breaches exposed an average of 10,250 records. While this number serves as a benchmark, values vary widely from organization to organization. Estimating records at risk requires analysis of the location and types of data that attackers will target for financial gain: PII, PHI, blueprints and designs are only a few of the record types that hold value in the underground market.
[Chart: AEC probability of at least one security event over 12 months (0 to 100 percent) by number of locations protected (1 through 10+), from the eSentire propensity model described above.]
RISK CALCULATION: FORMULA
STEP 1: Calculating Probability of an Event and Conversion to Data Disclosure
Leveraging data from the eSentire propensity model and the Verizon DBIR, we can calculate the minimum probability of at least one event converting to data disclosure over a 12-month period for AEC companies. For illustrative purposes, we will simulate a construction company with two locations (36 percent probability of at least one event). The formulas carry 24.5 percent through the remaining steps; note that 36 percent × 67.5 percent rounds to 24.3 percent, so the model's underlying value for two locations sits slightly above 36 percent. The following represents the formula calculation:
STEP 2: Calculating Total Risk Exposure
Now that we have our combined probability of an event and conversion to data disclosure (24.5 percent), we have to calculate the value of the records at risk. Leveraging the Ponemon Cost of a Data Breach study, we know that the average cost per record lost is $160 across organizations of all sizes. Based on numerous conversations with CISOs, this number is often reduced to account for data breach insurance offsets or other factors. For illustrative purposes, we will reduce it by 25 percent to $120 per record. To complete the formula, we also need the quantity of records at risk. This number is entirely contextual to each organization's environment and the data it stores. For illustrative purposes, we will use the small and medium-sized industry average of records exposed in a data breach: 10,250.
Step 3: Calculating Expected Yearly Impact (Risk)
We now multiply the two values to calculate the expected yearly impact that our sample AEC organization must account for on an annual basis.
Note: Expected yearly impact is a critical number that will be used in calculating ROI going forward. An MDR provider's ability to reduce this number (including the cost of the service and other factors covered later) will ultimately determine whether ROI can be achieved and to what degree.
Step 1: 36% (probability of at least one event) × 67.5% (probability of incident converting to data disclosure) = 24.5% (probability of at least one security event converting to data disclosure)
Step 2: $120 (potential cost per record lost) × 10,250 (quantity of records at risk) = $1,230,000 (risk exposure)
Step 3: $1,230,000 (risk exposure) × 24.5% (probability of a security event converting to data disclosure) = $301,350 (expected yearly impact)
ROI CALCULATION: INPUTS
Now that we have calculated expected yearly impact (risk), we need a few more inputs to arrive at our ROI calculation:
• Cost of operationalizing MDR (DIY)
• Cost of the MDR provider's service
• Residual risk that the MDR provider does not cover
Cost of Operationalizing MDR (DIY)
Operationalizing a 24x7x365 Security Operations Center (SOC) is cost-prohibitive for most small and medium-sized organizations. The people, processes and technology, as well as the expertise built over years of hunting advanced attackers, are almost impossible to quantify. For purposes of ROI, we must take into account the additive costs of taking an organization's current approach (typically 9 to 5) to 24x7x365 with full threat hunting operations. Implementing a 24x7x365 SOC that produces the outcomes of an MDR provider can be broken down into security tools, personnel, SOC tools, maintenance and implementation. The table below illustrates per-unit prices for critical SOC components and the resulting yearly cost (excluding one-time implementation) for an AEC company with two locations.
Note: Not all of the $1,997,749 should be used in the calculation. Many organizations already have existing people, processes and technology that can be applied to operationalizing a 24x7x365 SOC. For our purposes going forward, we will estimate that our example organization already has 30 percent of the resources required to reach 24x7x365 operations, reducing the annual in-house SOC cost addition to $1,398,424 (70 percent of $1,997,749).
Component                          Cost per unit                         Quantity   Yearly cost
Security Tools (subtotal $67,000)
  Endpoint forensics               $30                                   200        $6,000
  IDS/IPS                          $10,000                               3          $30,000
  SIEM platform                    $150 per GB/day throughput            5          $9,000
  Vulnerability scanning           $35                                   200        $7,000
  Threat intel feeds               $5,000                                3          $15,000
Personnel (subtotal $1,685,649)
  Core analysts                    $111,633                              9          $1,004,697
  Sec ops manager                  $124,433                              3          $373,299
  Intelligence analysts            $95,875                               1          $95,875
  Network sec engineer             $116,360                              1          $116,360
  Network sec admin                $95,418                               1          $95,418
Sec Ops Tools (subtotal $225,000)
  Tools per analyst                $25,000                               9          $225,000
Operational Expenses
  Implementation and integration   $100 per hour × hours to implement    500        $50,000 (one-time; excluded from the annual total)
  Product maintenance (hardware)   10% of security tools expense         -          $6,700
  Product maintenance (labor)      20% of security tools expense         -          $13,400
Annual 24x7 In-House Costs                                                          $1,997,749
Cost of MDR Provider’s Service
Most security service providers are able to offer MDR at a fraction of DIY costs due to their ability to achieve economies of scale. While the cost of service will vary widely from one provider to another, there is typically a single variable used to calculate the cost of MDR, such as per user, per asset, per node, etc. In this case, we will use per user. Let’s estimate the per user cost annually at $500. Our sample AEC organization with two locations has 150 users.
MDR Service Provider’s Residual Risk
Let's be clear: no MDR provider can reduce risk to zero. No organization catches every single zero-day threat, and on a long enough timeline something will slip through. What we have to determine is the MDR provider's miss rate. Virtually all MDR providers track this rate internally to drive process improvements and measure efficacy; however, none disclose the number. Let's estimate the miss rate at 2 percent. Residual risk is then the miss rate applied to the risk exposure calculated in Step 2 (the formula is shown with the other ROI formulas below). Applying the miss rate to the full $1,230,000 exposure rather than to the $301,350 expected yearly impact is the conservative choice, since it assumes a missed threat results in disclosure of every record at risk.
Putting It All Together: Calculating ROI
Determining ROI requires the inputs calculated in the previous sections:
• Expected yearly impact (risk): $301,350
• Annual DIY cost addition to implement MDR versus existing resources: $1,398,424
• Cost of MDR provider solution: $75,000
• Residual risk of MDR provider solution: $24,600
Using these values, the following formulas determine potential ROI and, using the same values, annual risk reduction:
Yearly MDR price: $500 (cost per user) × 150 (number of users) = $75,000
Residual risk: $1,230,000 (risk exposure) × 2% (miss rate) = $24,600
ROI = (expected yearly impact $301,350 + annual DIY cost addition $1,398,424) / (cost of MDR provider solution $75,000 + residual risk $24,600) = $1,699,774 / $99,600 ≈ 17:1
Risk reduction = 1 − (residual risk $24,600 / expected yearly impact $301,350) ≈ 92% reduction of risk
In Summary:
No methodology for calculating ROI or risk reduction is perfect. A multitude of factors, both long-term and day-to-day, can change the input values and the overall ROI. However, for AEC organizations the rising tide of risk is undeniable, and the sooner the case can be made for the level of protection MDR offers, the sooner risk can be mitigated. It is an unfortunate reality that security teams remain under-resourced while expectations for protecting critical data remain high. This continued imbalance is a recipe for eventual compromise.
Without the ability to present potential risk in a form that resonates with decision makers (cost to the business and operational disruption), AEC organizations will continue to fall prey to a threat landscape that is rapidly evolving to exploit gaps in security controls and processes. The objective of this brief is to guide the creation of a business case that is defensible to budget authorities and based on real-world observed data contextual to your industry, size and risk exposure. If your organization is interested in learning more about building a business case for investment in MDR services, reach out to an eSentire specialist, who can build a customized model for presentation to executives and budget authorities.
About eSentire:
eSentire, Inc., the global leader in Managed Detection and Response (MDR), keeps organizations safe from constantly evolving cyberattacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates and responds in real time to known and unknown threats before they become business-disrupting events. Protecting more than $6 trillion AUM, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.esentire.com and follow @eSentire.