With the increased need to monitor more data sources, respond to security events, and analyze and investigate threats, enterprise security search costs are soaring. An oversized portion of that spend is for  licensing and infrastructure costs associated with consoles to investigate cybersecurity data – SIEMs (Splunk, QRadar, etc), log management platforms (Elastic, Splunk, etc.), and data lakes (Amazon S3, Blob, etc.).

Large enterprises have not just one such console, but multiple. They are often across different cloud accounts, on-prem data centers, functional departments, geographies, and application types, which means these enterprises are not only managing different data subsets in different stores, but also duplicating a significant amount of data. Often, current live data is active in one platform, its historical data is stored in another platform, and its long-term data archived in a third.

During an investigation, analysts are running multiple searches across these platforms, and pivoting to a large number of “sources of truth” such as Active Directory, Cloud Consoles, CMDB, Email Security, Threat Intel, Ticketing, etc. to work on their investigations. (Side note: See Eric Parker’s blog on Why So Many Tabs). This drudgery has an impact on human costs and reduces their value/efficiency. Life is not easy for analysts, burnout rates tell the story, but a reduction in data-driven costs that also yields day-to-day efficiencies makes life easier on everyone.

Exploring Enterprise Security Search Costs

This blog is part 1 of a 4-blog series on Measuring and Optimizing Enterprise Security Search Costs. While KPIs and metrics like MTTR (Mean Time to Respond) exist, we need a more fine-grained way if we want to understand what can be impacted and improved. In this series, we will define the measure “Analysts’ Searches per Investigation” (ASPI), and propose ways to reduce/optimize the number of analyst driven manual searches needed to complete an investigation. 

Optimizing ASPI will not only improve MTTR, reduce human costs, and optimize analyst efficiency, but also lead to significant budgetary savings in the form of licensing and infrastructure costs driven by common cybersecurity data centralization platforms.

Open Federated Search for Security reduces ASPI by an order of magnitude. This comes from its abilities to run parallel searches across all external platforms and automatically run followup queries for relevant entity lookups.

Next up: Measuring “Analysts’ Searches per Investigation” (ASPI)