The value of cybersecurity solutions is uniquely difficult to quantify.
As with any risk-reduction investment, the ideal outcome is we simply avoid the outcome we’re defending against. But then how can we understand the value of our security strategy?
Even if we can identify attempted compromises that are thwarted, it’s still challenging to scope out the potential impacts we were able to avert. Was the initial access detected by a managed detection and response (MDR) solution a prelude to a minor headache or a system-wide disaster? Was the phishing email our employees noticed a simple password-scraping campaign or the initial reconnaissance of an advanced threat actor?
For defenders, these questions are impossible to answer. And given many organizations’ privacy about their security strategies and incidents, public information is also restricted. But incident responders have a different perspective.
In this blog post we’ll briefly touch the likelihood of serious cybersecurity incidents based on our experience as an incident responder, and then cover the risk reduction—from incident avoidance to impact mitigation—that we see delivered by managed detection and response (MDR) and incident response preparedness solutions, so that you can understand how security operations can reduce the risk of ransomware, and other serious cyber incidents.
We’ll not only cover the mechanism by which we see these solutions reduce risk, but also work to benchmark the cumulative risk reduction they deliver. There’s a range of analyst estimates out there on this amount, including studies which show a 49% (IBM, 2022) risk reduction from MDR, but in this essay I’ll leverage my years of experience and the full breadth of modern security operations to explain how a comprehensive program can reduce total risk by over 90%.
The Base Rate of Risk
To appreciate the value of a risk reduction, it’s first necessary to quantify the magnitude of the underlying risk. A 90%-plus reduction in risk is impressive—but for a negligible risk, it may not be very important. On the other hand, a 90% reduction in a serious risk is an extremely valuable outcome.
Of course, quantifying cybersecurity risk poses its own challenges. Unlike many other risk domains, cybersecurity risk is subject to systemic swings—meaning that the threat to every organization can change in unison. For example, few analysts anticipated the 2022 Russian invasion of Ukraine, let alone the following reduction in private-sector ransomware attacks.
Furthermore, cybersecurity risk is adversarial, meaning that attackers will evolve their practices unexpectedly to take advantage of newly discovered vulnerabilities or attack strategies. But with those caveats in mind, we can make some general observations.
First, cyber attackers target organizations widely; according to Forrester any organization faces an approximately 60% annual risk of being targeted. But fewer organizations will end up experiencing a serious attack. Research from IBM suggests that the annual risk of a data breach has risen over the past decade to about 15%; the Association of Certified Anti-Money Laundering Specialists puts the annual odds of ransomware a bit lower, at about 9%. Business email compromise (BEC) attacks, which tend to have more limited technological impacts but are still expensive, are more common with an annualized risk of 20% or higher.
Of course, these numbers might shift without warning. And any individual organization faces risks specific to its own circumstances. Though few, if any, can avoid the risk of a cyber incident altogether. But given that IBM found the average cost of a data breach in 2023 was $4.45 million dollars, we can see that cyber attacks represent a serious threat to the business.
In fact, depending on their methodology, analyst reports may significantly underestimate the total cost of a breach, since some reports focus on narrower technical cost categories while ignoring loss of valuation, lost future revenues, and other business impacts.
In general, a holistic analysis arguably should show breach costs quite a bit higher than technical-only estimates.
How Security Operations Can Help Reduce Risk
As the leader of an incident response team, with a decade of experience in the industry, I’ve encountered a wide cross-section of organizations that have experienced security breaches. For me, and my team, each of these breaches is just another day in the trenches. But for the individuals we work with, the breach we’re tackling is the single worst day of their professional lives.
My team is good at what we do, and we’re proud of it too. But you don’t want to find yourself needing to call on us. And with the insights below, maybe you won’t have to.
When we respond to and resolve cyber incidents, we’re able to glean a great deal of information about how the attack might have been prevented. One thing we gain from hard experience: a catalogue of defender best practices, many of which fall under security operations.
Security Operations Incident Avoidance Best Practices
Detection and Response
The first major security operations area to consider is detection and response activities, an umbrella category that includes data collection across attack surfaces and IT systems to both identify attacks in progress and enhance security on an ongoing basis. These practices, when effectively implemented, can drive a 90% overall reduction in incident risk, based on our observations. Practices include:
1. Network detection
In incident response, we see many attacks that could have been stopped in their tracks if detected early through suspicious network traffic, MFA fatigue attempts, exploitation of known bad passwords, or other key network signatures.
2. Agent deployment
The network isn’t the only attack surface where visibility is valuable. Many of the incidents we handle involve the execution of malicious code on the endpoint, a spot where timely detection, containment, and response could have made a difference. In a comprehensive detection and response practice, agent visibility represents a key component of total detections—about 30%, based on our data.
Of course, by the time malicious code is attempting to execute on the endpoint, there’s going to be some amount of response required, but endpoint agents can make the difference between a minor headache and a serious disaster.
3. Security posture guidance
Detection and response solutions can also drive security guidance, including everything from best practices to configurations of other security tools. Such insights can complement and enhance every other security practice.
Vulnerability Management
The next major security operations area that can reduce the likelihood of a cyber incident is vulnerability scanning. Our Arctic Wolf Incident Response research shows that 72% of cases we take on have exploited a known vulnerability for initial compromise. Scanning for these vulnerabilities and implementing a patching cadence to repair the most serious ones can dramatically reduce these incidents.
Of course, what fraction of such incidents can be eliminated through vulnerability management depends on how the program is implemented and the risks it’s seeking to address. In addition, the topline number may vary from organization to organization.
Awareness and Training
It’s not just systems that need to be tuned and protected. Staff require the same investment. Awareness and training programs can build a culture of security, reducing the likelihood that human error will offer an initial foothold to attackers—something we found happened in 28% of cases. Again, identifying what fraction of those 28% of incidents can be eliminated through awareness investments is a complex, case-by-case analysis.
Incident Response Preparedness
There’s one more key practice to keep in mind: preparing for incident response. Organizations that haven’t done any incident response planning are typically caught by surprise in the event of an actual attack. Nobody knows who to call or what to do. This cedes vital ground to the attackers, who have been granted precious hours to run amok, encrypting systems, stealing data, and wreaking other havoc.
With an incident response plan, including backup and restoration strategy, and an emergency team identified in advance, this chaos can be avoided, giving the defenders and responders like me an advantage.
Each of the security practices we discussed above is valuable on its own, and I’d recommend any one of them to an organization hoping not to spend a very stressful day—or week—on the phone with an incident response team. But it’s when these practices are combined through a unified security operations solution we assert it’s possible to achieve dramatic reductions in overall risk.
Based on the cases we’ve seen, organizations that have effectively implemented MDR are typically seeing a 90% reduction in cumulative risk of a serious cyber incident such as ransomware.
And MDR isn’t the end, either. Moving from MDR to a comprehensive security operations approach, including vulnerability management, security awareness training, and more could push that 90% higher and higher, towards 99% and above. That’s the transformative power of depth defense. Attackers rely on a chain of successful operations to disrupt the businesses they target. If defenders can stop just one of those dominoes from falling, they are positioned to protect their organizations from all the disastrous consequences that follow.
