and validates the impact of the threat, consolidates redundant or related security events into a single 'conclusion', and gives security operations analysts all the information, context, guidance and tools they need to investigate, contain and remediate the attack.
As such, the new thinking of ADR enables new metrics that drive results, metrics that impact not only security posture but also the bottom line of the business, as detailed below.
Cost per incident (CPI)
CPI can be measured as (the time per incident) x (average hourly rate for a Tier One analyst). To get a baseline, run that formula through your IR playbook for each phase of a response: from detection, decision to escalation and investigation, to response determination, to response and remediation execution. Then run it again with an ADR platform in place, in a Proof of Concept (POC) or even as a table-top exercise. A further extension of this metric involves the empowerment of Tier One and Tier Two analysts. When Tier One and Tier Two analysts are empowered with an ADR platform to perform or augment the work of a Tier Three analyst (a very scarce resource!), then substantial effectiveness savings can be quantified.
88
INTELLIGENTCIO
www.intelligentcio.com