The third conversation in the Party Crashers series opened with a challenge: time how long it takes you to review your logs, pick an IP address from last week, and connect the IP address to a name.

Based on an informal show of hands, 15% of those in the conversation were in a place to participate. Take a few moments now to time yourself working through the challenge.

Once the challenge was complete, we asked how long it took (for the 15%), and how long those who didn't get a chance to test it out thought it would take. More than 50% reported the ability to complete the challenge in less than 5 minutes.

How does that compare to your experience?

What the challenge revealed, for many, is that our expectations of how many steps something takes and how quickly we can complete a task do not always match what we actually do.
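
An added example, not from the original conversation, of the challenge carried out over logs: resolve an IP address to a host through DHCP leases, then to an account through logon events. The log formats, hostnames, and account names are constructed for illustration, and the example assumes both sources share a clock.

```python
from datetime import datetime
# Constructed sample data: lease start, lease end, IP, MAC, hostname.
DHCP_LEASES = """\
2024-03-04T08:01:00 2024-03-04T18:00:00 10.0.5.23 aa:bb:cc:00:00:01 LT-0142
2024-03-05T07:45:00 2024-03-05T17:30:00 10.0.5.23 aa:bb:cc:00:00:02 LT-0977
"""
# Constructed sample data: timestamp, hostname, account, action.
AUTH_EVENTS = """\
2024-03-04T08:03:10 LT-0142 jsmith logon
2024-03-04T12:30:00 LT-0142 jsmith logoff
2024-03-04T13:05:00 LT-0142 svc-backup logon
2024-03-05T07:50:00 LT-0977 mgarcia logon
"""

def parse_leases(text):
    """Return (start, end, ip, hostname) tuples from the lease log."""
    rows = []
    for line in text.splitlines():
        start, end, ip, _mac, host = line.split()
        rows.append((datetime.fromisoformat(start), datetime.fromisoformat(end), ip, host))
    return rows

def parse_auth(text):
    """Return (timestamp, hostname, account, action) tuples in time order."""
    rows = []
    for line in text.splitlines():
        ts, host, user, action = line.split()
        rows.append((datetime.fromisoformat(ts), host, user, action))
    return sorted(rows)

def ip_to_name(ip, when, leases, events):
    """Resolve an IP at a point in time to (hostname, account); None marks a gap."""
    when = datetime.fromisoformat(when)
    # Step 1: which host held the IP at that moment? Leases get reassigned.
    host = next((h for s, e, i, h in leases if i == ip and s <= when <= e), None)
    if host is None:
        return None, None
    # Step 2: replay logon/logoff events on that host up to the moment.
    user = None
    for ts, h, u, action in events:
        if h != host or ts > when:
            continue
        if action == "logon":
            user = u
        elif u == user:
            user = None
    return host, user

LEASES, EVENTS = parse_leases(DHCP_LEASES), parse_auth(AUTH_EVENTS)
```

The same IP address resolves to different people on different days, and to nobody at all during a logging gap, which is why the timestamp matters as much as the address.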

The highlights from the conversation distill down to three key points:

  • Place more budget and focus on detection and response
  • Automate as much as possible, in the right way
  • Tell a better story to get the support -- and funding -- necessary to make the changes

The key to detection: focus on signal, focus on credentials


As the world warms to the idea that breaches happen, the response is what defines success. The key to the right response isn't just detection - it's detection with confidence. The context to guide action.
How satisfied are you with your current ability to respond?
We shared some insights in the discussion about how the overwhelming majority of people are discontent with their current response time. Right now, incident detection and response just take too much time.
Perhaps that correlates to the current spend. According to Gartner:
“by 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches — up from less than 10% in 2014.”
For some in the discussion, even 10% of budget allocated to detection and response would be a step in the right direction. For many, then, this means spending 90% of the available budget on roughly a third of the program (if prevention, detection, and response are equal).
In making the argument to increase funding for detection and response, place an emphasis on detecting compromised credentials. Here's why it pays off:

  • Determine priorities: associating actions -- good, bad, and otherwise -- to actual people presents the insights necessary to make informed decisions and align security with the right priorities
  • Establish patterns in context: capturing the blend of information necessary to detect and act on compromised credentials reveals patterns and provides context that benefits the business and security
  • Cut through jargon: actual insights into how people do their jobs allows security to move past the jargon and connect with others about their needs and how security can best support them

Want more resources? Automate (the right way).


Automation, done right, allows the team to improve capabilities and get more done without necessarily adding headcount. The key to getting it right is to clearly understand the current processes. Then determine the ideal processes and outcomes. Build the automation for the better program rather than for the current efforts.
What is the value of your time?
Use the value of your time to help guide priorities for automation. As a basic measure, remove the last three digits from your salary and divide by two to calculate the value of an hour of your time. If you make $50,000 annually, then 50 / 2 = $25/hour.
When documenting the steps of the process, consider how long it takes -- and how many times the process is used. That provides a rough estimate of the cost of the program. Weighed against the value of the outcome, that estimate helps determine where to place focus.
Focus on automating solutions that improve and speed up the process. Instead of focusing only on the process, take steps to improve the results. Start with the areas of highest priority, and work to reduce the cost while increasing productivity.
Guide the process by asking a few key questions:

  • Does it speed up the process -- not just the process, but the results?
  • Are you gaining new insights?
  • What level of confidence do you have? Is confidence increasing?

When automation works for you, it reduces the current workload for the entire team. That allows a focus on areas of higher importance -- while guiding better actions for response.

The key to funding: tell a better story

Bringing the spend on detection into balance and building better automation often requires the right budget. Broader than a line-item on a spreadsheet, it means finding and making the case for additional funding.

That starts by considering the metrics you capture and share. During the conversation, we asked people what they focused on in their programs.

Note: the blocked number is 4%

As pointed out in the discussion, “The trick seems to me to be to tie metrics that are important to me to metrics that are important to the budgeting staff.”

Someone else noted that often, “making the case for more budget is a bit like waiting for the horse to run out of the barn, then point at the open door.”

The simplest guidance for measuring what matters is to understand what is important to the business. Ultimately, focusing on compromised credentials yields that information. In the meantime, consider how to use the current tools and opportunities to paint a picture other people understand and embrace.

When asked about the process to get more funding, we found most people struggle, while a few are working in environments where they make compelling cases and get the funding they desire. 

The key is the story.

The opportunity of detecting compromised credentials is telling a story that the business understands. It's the ability to go ask if someone (usually by name) is working from a remote, but non-typical location. Asking if Joe is working from Costa Rica works as a benefit -- especially if Joe isn't.

When crafting and distilling the story, map the outcome to the business benefit. It changes the level of service you provide, and how you demonstrate it.

One suggestion during the last discussion was to “hire a writer to help you apply for a better budget.” A solid idea.

Make the case to make the change

As the series continues, we're going to look at the skills needed and steps necessary to build a successful monitoring solution. Like the challenge issued here - the way it seems and the way it is are not always in alignment.

The real lesson of this discussion, though, is that the opportunity to implement a better solution is built on the ability to automate and make the case for funding. Use the guidance of the entire suite of content - conversation - column to get started on the program that brings you results.