Threat Intelligence: A CISO ROI Guide — Prevent Data Breaches

Dan Schoenbaum
5 min read · Apr 5, 2023

Threat Reconnaissance that Saves Your Butt and the Budget

Threat hunting and reconnaissance often seem like another hard-to-explain cybersecurity budget item, especially when talking to business counterparts. As a CISO, you know that having an elite team of threat hunters focused on your external attack surface saves the company from a compromise or attack. External threat hunters have the visibility to monitor threat actor infrastructure, see how it evolves, and shut down any communication going to hackers. You know how important this capability is to safeguard the organization, but how about the rest of the company?

Spoiler alert: over the next five parts of this series, we’re going to explain in simple terms how an elite group of threat hunters using Pure Signal Recon were able to effect a total of $9m in savings. This threat-hunting team supported cybersecurity needs for key business initiatives and helped their company realize a three-year risk reduction savings of $9m.

Half of the $9m in savings can be attributed to avoiding a data breach in the first place, so let’s start our discussion with this biggest area of cost savings and risk reduction: $4.5m of the $9m is attributed to data breach avoidance.

Data Breaches — Proactive Approach for Payback

As a real-world example, we are going to examine the hard dollars that a large multinational retailer saved with their investment in Pure Signal Recon to empower their analysts with unmatched threat hunting and reconnaissance capabilities. This is a company with a mature cybersecurity team that provides cybersecurity defenses to protect a 1m+ workforce, a global corporate organization with an extensive supply chain and ongoing M&A activity.

This write-up is based on the original Forrester Total Economic Impact™ (TEI) study, an independently held private collaboration between our client and Forrester. The goal was to determine the cost savings that could be achieved by using external threat reconnaissance to support a proactive cybersecurity organization in safeguarding company reputation, share value, and careers from cyber risks.

Defining the ROI of Threat Reconnaissance — What Matters Most

With access to the proper tools, threat hunting empowers analysts to act on threats to your organization in real time, instead of the usual reactive responses that drain resources and budget. It opens up a new range of preemptive capabilities that can turn your threat analysts into a powerful layer of proactive cyber defense. When justifying budgets and helping the business understand the importance of your threat-hunting function, consider where it has a direct impact on business outcomes:

  • Stop a data breach from happening with a predictive response to persistent threat actors
  • Reduce the number of tools needed and lower the swivel chair security tax on your analysts
  • Detect impending data breaches via your supply chain and other 3rd parties
  • Address the business risk of new company acquisitions via M&A
  • Remove tedious analyst work with automation so they can focus on strategic cybersecurity initiatives

Predictive Response Pays Off

First, we will focus on the most obvious area where improved threat intelligence pays off: preventing data breaches from happening in the first place. In this real-world scenario, we are profiling a sophisticated cybersecurity team that could already show that they were able to reduce the standard cost of a data breach by more than 75%. As a retail conglomerate and global brand, they are a highly targeted and sought-after “prize” for threat actors. They wanted to close the gap with another 40% reduction in projected costs due to a data breach.

The team had the skills and experience to further close the gap between corporate risk and cost by transitioning from providing reactive cybersecurity to a more proactive response to threats. They knew about Pure Signal Recon and believed it could give them an understanding of threat actor infrastructure to enable the automatic blocking of threats from getting inside. But they were also realists and knew that some threats do get inside no matter what. So they wanted the ability to preemptively stop any information from getting out should a threat enter the network.

“Pure Signal Recon has allowed us to pay more attention to the [bad] actors instead of reading reports about [them]. It has allowed us to create our own intelligence, monitor our stuff better, and react to things much faster.” Lead security analyst

So what did this all add up to? What do these capabilities mean in hard dollars? Pure Signal Recon enabled analysts to act on real-time data from outside their perimeter with the ability to:

  • Trace malicious activity back to the source, map threat actors’ infrastructures, and monitor it for changes
  • Map key threat actors' infrastructures and track their infrastructure changes
  • See a threat actor’s back-end infrastructure beyond the C2s (command and control servers).
  • View the infrastructure that they proxy through to get to C2s to retool their attacks
  • Block C2s being stood up as they are being stood up in real-time

It was further estimated that by investing in Pure Signal Recon they realized a 20% reduction of projected data breach costs within 6 months of deployment. In terms of internal productivity, it also paid back $756K in reduced productivity loss. They estimated a data breach would affect at least 5% of the 100,000 corporate employees within scope of the potential attack, with 3.6 hours of downtime per breach at an average cost of $42 per hour.

Having the ability to actively perform reconnaissance on the bad actors that persistently target your company is a critical part of an effective cybersecurity strategy. When paired with the right tools, opportunities, and mindset, investing in a threat-hunting function pays back dividends toward your budget. To learn more about threat reconnaissance please visit our blog here.

CISO Tools:

To get started on the path towards reducing data breaches and utilizing real-time threat intelligence, request a free copy of the full financial analysis of Threat Reconnaissance here.

Engage directly with our Security Architects and expert practitioners starting here, or visit us to learn more: Team Cymru Website

Dan Schoenbaum

2x CEO, 2x COO. Growth expert, GTM & PLG Expert, marathoner, Former IDF Sniper, and Proud Father.