High Return on Investment, Low Return on Investment SecOps
Return on Investment for Various SecOps Modes of Operation
A key element missed by ‘Likelihood x Impact’ style risk management is that it does not reflect the Return on Investment (ROI) of the SOC or security operations. Despite the wishes of popular risk management frameworks, return is only realized when something goes wrong. Serious events do happen, and when they do they irrevocably demonstrate whether you are a high impact team or not.
It's easy to say executives don't care about information security, and in a way they don't. They care about profit: profit from taking your products and services to market and selling them. It might be obvious to say that the amount of profit is directly related to the amount of value produced or destroyed across everything that goes into the production of these goods and services, but this is where SecOps and its components start from. A serious compromise can cause a huge loss in value (cf. Maersk, Travelex, MediSecure, KNP). Too large an investment in the SOC can also cause a loss in value.
It's easy to understand why some execs simply aim for a percentage of the operations budget to be spent on security and call it a day. One might imagine they feel cheated investing all this money for no return when everything is going right; one would absolutely feel cheated to find they invested all that money for little return when things did not go as planned.
How do we maximize the ROI here, and realize security as the profit center it is?
Considering the incident response lifecycle and vulnerability management in particular, the following are a few modes that SecOps can operate across.
Most modes have a point of diminishing returns, so a mixed strategy is a good option. Often teams will be working in a few of them at once, and the mix would be expected to change over time as operations mature. The last note here is that we (always) assume operational excellence; if teams aren't able to execute for whatever reason, that's a different issue to address. There's no return without investment, but the existence of investment doesn't by itself create return.
Sensible Baseline Configuration
In the top left corner we have sensible baseline configurations. Activities here include setting up firewalls to block traffic by default, allowlisting applications, installing some kind of EDR, applying least privilege, keeping applications updated and so on. They have great return for relatively little investment. At some stage the exceptions will mount up and the effort will increase. For instance, handling the first 80% of the ASD Essential 8 with some gentle guidance is within reach for almost everybody. That last 20% can take more resources than everything else combined.
Handling Business as Usual
If we consider the distribution of return on investment for each alert, for each CVE that gets reported, and for each unreported vuln that is discovered, the Business As Usual (BAU) ones make up the majority.
The first ROI challenge with this mode of operation comes from compressing serious events into too few buckets. The minor alerts become the focus; they develop fine gradients along the escalation path and complex assessments. Then suddenly a serious alert comes along and the playbooks leave only "wake up the CISO and run at the server cabinet with an axe".
One justification for this type of approach is it shows readiness for when catastrophe does strike. It certainly can, but there is no guarantee.
We know security incidents follow a heavy tailed distribution because if an incident is serious it is very easy for it to get much worse. A Gaussian type distribution would instead say there is no statistical relationship between an event already being serious and it becoming more serious; it would be equally likely to become less serious.
With the vast difference in scale, it is like learning how to run all of Costco or Arizona Iced Tea by considering how the corner store operates. Unless it's a focus from the start, handling 30 or even 300 machines will not have anywhere near the same process or familiarity right when you need it most.
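To make the heavy tail point concrete, here is an added simulation (not part of the original post) that compares the mean excess E[X - u | X > u], the average amount by which an incident overshoots a severity u once it has already passed u, under a constructed Pareto severity model and a constructed Gaussian one. The shape, mean and threshold values are assumptions chosen for illustration, not figures from the post.

```python
import random
from statistics import mean

# Constructed, illustrative severity models (assumed values, not from the post):
#   heavy tail: Pareto with shape 2.5, scale 1 (mean 1.67, finite variance)
#   light tail: Gaussian with mean 3, sd 1, clipped at zero
PARETO_SHAPE = 2.5
GAUSS_MEAN, GAUSS_SD = 3.0, 1.0
THRESHOLDS = (4.0, 5.0, 6.0)   # "already serious" cut-offs, in the same severity units


def mean_excess(samples, threshold):
    """E[X - u | X > u]: how much worse an incident gets, on average,
    given that it has already passed severity u."""
    excess = [x - threshold for x in samples if x > threshold]
    return mean(excess) if excess else 0.0


def simulate(n=400_000, seed=7):
    """Return {'pareto': {u: e(u)}, 'gauss': {u: e(u)}} for each threshold."""
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    heavy = [rng.paretovariate(PARETO_SHAPE) for _ in range(n)]
    light = [max(0.0, rng.gauss(GAUSS_MEAN, GAUSS_SD)) for _ in range(n)]
    return {
        "pareto": {u: mean_excess(heavy, u) for u in THRESHOLDS},
        "gauss": {u: mean_excess(light, u) for u in THRESHOLDS},
    }


def tail_grows(excess_by_threshold):
    """True when a worse starting point predicts a worse ending point,
    i.e. the mean excess increases with the threshold (heavy tail).
    For the Pareto model the theoretical value is u / (shape - 1), so it
    grows with u; for the Gaussian it shrinks towards zero."""
    values = [excess_by_threshold[u] for u in THRESHOLDS]
    return all(a < b for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    for model, series in simulate().items():
        print(model, {u: round(e, 2) for u, e in series.items()},
              "mean excess grows with severity" if tail_grows(series)
              else "mean excess shrinks with severity")
```

The Pareto series is the "serious incidents get worse" shape the post describes; the Gaussian series is the shape that would justify sizing the process around the BAU bulk.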
Meeting Compliance Obligations
Compliance obligations can loom large, particularly in the early stages of the business, and rightly so. In many cases operations cannot continue without them. Sarbanes-Oxley, SOC 2, NIST, HIPAA, GDPR and so on are important. What they also can be is a huge value sink. Teams handling compliance needs can balloon in size without seeing appreciable return on investment. Outside of allowing operations to continue they do not provide any kind of return or guarantee that incidents will be less impactful; the certifying body usually won't step in to help. In this way they provide great return on investment, to a point.
Preparing for Catastrophe
It is unlikely that operations can suddenly boost productivity by 20%. What is assured, though, is that eventually you, and most likely your competitors, are going to be hit by a huge event that becomes an incident. Take Log4j for instance: in one world it had teams scrambling, pulling resources away from SecOps and other value generating activities, engineers pulled off dreaming up new features, a lot of late nights and teleconference bridges with dozens of people on them, only to find no evidence of compromise and that patching was timely. In another world the team, the company, was prepared for wide reaching vulnerabilities, compiled a report on the key aspects, rolled out the update and ran the same validation process they do every week. To be in one of these worlds rather than the other provides a real edge over the competition. In an industry where the margins might be slim, this might be all the assurance the board needs to know their money was well spent while their competitors struggle. Not losing 20% of productivity while everyone around you does is a larger return on investment than a 20% gain.
Product Differentiation
In a developed market products are going to look more or less the same. Similar features, same great taste, comparable reliability. In some cases components for entire industries are sourced from only a few key suppliers. What can set a product apart from another here is trust.
The consumer's belief that the brand behind a product will act as a steward of their data, transparently and in their best interest, while the other brand will ship a product full of unpatched vulnerabilities, leak their data, and see their personal details and credit card information for sale online, or worse. "No evidence of data exfiltration", "No material impact", "Vulnerability has mitigating controls" and the like need to be believed by the people making the purchases, the people signing up for subscriptions. How could they not switch to a competitor otherwise? Being able to be clear and transparent about capability and stewardship, and to act in line with your stated values when others around you are not, is a dream scenario for any board.
Terminal Presentation
Risk is often thought of in the future tense: what could happen. Using backwards induction, starting at the end and working backwards, is more powerful. Imagine you are in front of the United States Congress or a magistrate, or perhaps facing a gigantic class action. Here you want to be able to say, "We did everything we could, we considered the standards, we asked the experts if there was anything else we should consider, and they said no. That's why we did what we did." How much would this have been worth to a certain large social media org some years ago? They could have saved billions by having their ducks in a row, for their brand and for the reputation of everyone involved. Going back one day before, how much investment would it take for a different outcome, or at a personal level to save yourself millions of memes where you're perceived to drink water unflatteringly? Not much, certainly not billions. In this sense the return on investment is immense; how could any board or executive refuse?
With apologies to Mikko Hyppönen, SecOps is not only invisible when we're doing our job right; we're invisible when we're doing it poorly too. Something big happening tells us which bucket we're in.