Don’t Be an Asymptote! Understanding the Cost of Delayed Threat Response

Figure 1 – Example of an asymptote of a function that approaches infinity on the y-axis.

It should be the unwritten rule of cybersecurity: don’t make an asymptote of yourself or your team. As you may recall from high school math, an asymptote is a line that the graph of a function approaches but never reaches; as the curve nears a vertical asymptote, the function’s value shoots off toward infinity. In threat response, the cost of a delay can behave the same way, draining the corporate wallet at an ever-accelerating pace. For those of you who miss Algebra II, Figure 1 shows what we’re talking about.

How can cybersecurity get asymptotic? (Just to bring in a little SAT prep and AP English while we’re at it.) The problem stems from the growing business impact of an unchecked threat. As the model in the table below shows, each day that threat response is delayed pulls in new people and new costs, and the cumulative total climbs faster and faster.

| Day | Security Team | Senior IT Leadership | Executive Leadership | Legal | Public Relations | Outside Security Consultants | Settlements and Fines | Reputation Damage | Cumulative Total Cost |
|---|---|---|---|---|---|---|---|---|---|
| 1 | $50 | | | | | | | | $50 |
| 2 | $500 | | | | | | | | $550 |
| 3 | $1,000 | $2,500 | | | | | | | $4,050 |
| 4 | $5,000 | $5,000 | $5,000 | $5,000 | | | | | $24,050 |
| 5 | $5,000 | $5,000 | $5,000 | $5,000 | $5,000 | | | | $49,050 |
| 6 | $5,000 | $5,000 | $5,000 | $5,000 | $5,000 | $10,000 | | | $84,050 |
| 7 | $5,000 | $5,000 | $5,000 | $5,000 | $5,000 | $10,000 | | | $119,050 |
| 8 | $5,000 | $5,000 | $5,000 | $25,000 | $20,000 | $10,000 | | | $189,050 |
| 9 | $5,000 | $5,000 | $5,000 | $25,000 | $20,000 | $10,000 | | | $259,050 |
| 10+ | $5,000 | $5,000 | $5,000 | $20,000 | $100,000 | $10,000 | $1,000,000 | $1,000,000 | $2,404,050 |

Daily costs are in US dollars per day; the last column is the running total of all earlier days plus the current day. (The day-10 cumulative total is the arithmetic sum of the row values shown.)

How Threat Handling Costs Can Grow Quickly

The model shown in the table is a highly simplified example; what matters are the pattern and the trend, which are realistic. Threats generally don’t get cheaper the longer they go unnoticed or ignored. A malicious intrusion caught immediately might cost next to nothing to fix. If the intrusion turns into a breach, the security team has to start devoting many person-hours to figuring out what happened, what has been affected and how to make it go away.

If the problem starts to affect the business itself, for example by slowing down or corrupting critical systems, senior business leadership has to get involved. Everyone’s time is valuable: when the CEO is focused on a security breach, that is time not spent growing the company. More people, including expensive outsiders such as attorneys, PR firms and security consultants, may be pulled in if the threat metastasizes into a true disaster. What started as a simple threat can end up triggering multi-million dollar fines and settlements as well as reputation damage. Figure 2 plots the cumulative cost column from the table. As you can see, it’s asymptotic.

Figure 2 – Cumulative cost of a delayed threat response over a 10-day period (For illustrative purposes only.)

Speeding up Threat Response

Advances in security operations management and automation have made it possible to speed up both detecting and responding to a threat. Known as “automated incident response and security orchestration” tools, they give security teams an integrated collection of processes and tools working in concert to automate otherwise tedious and time-consuming security management tasks.

Security orchestration relies on standards-based software and open application programming interfaces (APIs) to interconnect security systems broadly and easily. Using open standards and RESTful APIs, the security team can quickly connect its SIEM, IDS, endpoint agents, threat-intelligence feeds and other security tools to the automated incident management portal and its orchestration capabilities.

An automated incident response and security orchestration solution lets the security team model its alert response processes and then automate them. The tool can triage and enrich alarms, open and close tickets, update rule sets, notify key stakeholders by email and so on, drastically cutting the manual effort of responding to each threat. The result is that the team can assess 100% of alerts as they arrive. By contrast, most teams can examine fewer than 30% of the threats they see and can only triage the rest.1 An alert waved through in that rough triage can later turn into a costly incident.
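To make the triage-and-enrich loop described above concrete, here is an added example (not Swimlane’s code, and not an implementation of any Swimlane API) of the logic such a playbook runs for every incoming alert: enrich the alert from a threat-intelligence feed and an asset inventory, score it, and then act through connectors that stand in for the REST calls an orchestration platform would make to a ticketing system, mail and a firewall. The intel entries, asset tiers, alert records, scoring weights and thresholds are all constructed for the example.

```python
"""Illustrative alert-triage playbook (constructed example, not vendor code).

Every alert goes through the same four steps an orchestration tool automates:
enrich -> score -> decide -> act. Because the loop is automatic, 100% of the
alerts are assessed rather than a subset picked by a tired analyst.
"""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (verdict, confidence 0-100).
# Addresses are from the RFC 5737 documentation ranges.
THREAT_INTEL = {
    "198.51.100.23": ("malicious", 90),
    "203.0.113.7": ("suspicious", 55),
}

# Constructed asset inventory (what a CMDB lookup would return): host -> tier.
ASSETS = {
    "db-prod-01": "critical",
    "ws-1234": "standard",
    "lab-vm-07": "low",
}

TIER_WEIGHT = {"critical": 40, "standard": 20, "low": 5, "unknown": 20}


@dataclass
class Alert:
    alert_id: str
    source: str        # detection system that raised it (SIEM, IDS, EDR ...)
    host: str
    indicator: str     # IP observed in the event
    rule: str
    enrichment: dict = field(default_factory=dict)
    score: int = 0
    action: str = ""


class Connectors:
    """Stand-in for the REST integrations (ticketing, mail, firewall).

    Records each call instead of making it, so the example runs offline; a
    real platform would issue HTTP requests to each product's API here.
    """

    def __init__(self):
        self.calls = []

    def create_ticket(self, alert, priority):
        self.calls.append(("ticketing.create", alert.alert_id, priority))

    def close_alert(self, alert, note):
        self.calls.append(("siem.close", alert.alert_id, note))

    def notify(self, recipients, alert):
        self.calls.append(("email.send", alert.alert_id, tuple(recipients)))

    def block_indicator(self, indicator):
        # "update rule sets": push the indicator to a blocklist rule.
        self.calls.append(("firewall.block", indicator))


def enrich(alert):
    """Attach the threat-intel verdict and asset criticality to the alert."""
    verdict, confidence = THREAT_INTEL.get(alert.indicator, ("unknown", 0))
    alert.enrichment = {
        "ti_verdict": verdict,
        "ti_confidence": confidence,
        "asset_tier": ASSETS.get(alert.host, "unknown"),
    }
    return alert


def score(alert):
    """0-100 risk score: 60% from intel confidence, plus an asset-tier bump."""
    intel_part = alert.enrichment["ti_confidence"] * 6 // 10   # integer math
    alert.score = min(100, intel_part + TIER_WEIGHT[alert.enrichment["asset_tier"]])
    return alert


def decide(alert, connectors):
    """Pick the response for the score and drive the connectors accordingly."""
    if alert.score >= 80:
        alert.action = "escalate"
        connectors.create_ticket(alert, "P1")
        connectors.notify(["soc-lead@example.com", "ciso@example.com"], alert)
        connectors.block_indicator(alert.indicator)
    elif alert.score >= 40:
        alert.action = "ticket"
        connectors.create_ticket(alert, "P3")
    else:
        alert.action = "auto-close"
        connectors.close_alert(alert, "no intel match, low-value asset")
    return alert


def run_playbook(alerts, connectors=None):
    """Run every alert through the loop; return alerts, a tally and the calls made."""
    if connectors is None:
        connectors = Connectors()
    processed = [decide(score(enrich(a)), connectors) for a in alerts]
    summary = {"assessed": len(processed)}
    for a in processed:
        summary[a.action] = summary.get(a.action, 0) + 1
    return processed, summary, connectors


# Constructed sample alerts, as they might arrive from three different sources.
SAMPLE_ALERTS = [
    Alert("A-1001", "ids", "db-prod-01", "198.51.100.23", "outbound C2 beacon"),
    Alert("A-1002", "siem", "ws-1234", "203.0.113.7", "multiple failed logins"),
    Alert("A-1003", "edr", "lab-vm-07", "192.0.2.44", "unsigned binary executed"),
]

if __name__ == "__main__":
    processed, summary, conn = run_playbook(SAMPLE_ALERTS)
    for a in processed:
        print(a.alert_id, a.enrichment["ti_verdict"], a.score, a.action)
    print(summary)
    for call in conn.calls:
        print(call)
```

Running the script shows the point of the passage: all three alerts are assessed, but only the one that matches high-confidence intel on a critical asset escalates, the medium one becomes a routine ticket, and the noise is closed with a recorded reason instead of sitting in a queue for a week.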

The Swimlane Solution

Swimlane offers an automated incident response and security orchestration solution that centralizes security operations activities. It manages and automates the response to security alerts and incidents identified by existing monitoring and detection systems, using security orchestration to replace slow, manual threat response with machine-speed decision making and remediation.

Swimlane tracks all enterprise security tasks, providing centralized access to cases, reports, dashboards and metrics for individuals and teams. It standardizes response and notification processes to mitigate risk, speed resolution and streamline communications. Its automation uses vendor APIs and Software Defined Security (SDSec) methods to respond rapidly and stop attacks earlier in the kill chain.

Working with Swimlane, the security team can speed up its threat response and increase the percentage of threats it examines. Both improvements cut down on the risk of a costly delayed response.

To arrange for a demo of the Swimlane solution or to speak with one of our security architects to see if security orchestration would be helpful to your organization, please contact us at 1.844.SWIMLANE or email us.

1. The State of Malware Detection & Prevention, Ponemon Institute, LLC
