Rapid7 Blog

Patrick Bausemer  



How to Save Half a Day Investigating an IT Security Threat and Millions of Dollars Resolving with UserInsight


During one of our latest webcasts, we polled the audience asking them how many hours, on average, it takes to investigate a security threat. The most common answer…half a day! The second most common answer…a day! That is a very large amount of time considering that the threat has a better chance of being a false positive than an actual problem. In this blog post I will dig a little deeper into this problem, which most of you probably deal with on a regular basis, and talk about a different option that can help save your over-worked and under-funded security team up to half a week of work every month, or a month and a half of work every year, investigating security threats, and millions of dollars resolving them.

The Average Amount of Time it Takes to Resolve a Security Threat Costs You Millions

The 2013 Cost of Cyber Crime Study sponsored by HP revealed that the average cost of resolving cyber-attacks against organizations in the US is $11.56 million…$11,560,000.00! That is a 78% increase since the initial study took place in 2009. What I find interesting, though, is that over the same four-year period the time it takes to actually resolve the vulnerability has also risen, by 130%. The average time to resolution was 32 days in 2013. My calculation shows that, on average, an organization is losing $361,250 a day until the threat is mitigated.

Depending on your company size and the industry you work in, these numbers can vary. But one constant is that the number of successful cyber-attacks against organizations is rising. In 2013 the number of successful cyber-attacks per week rose by 20% compared to 2012 (102 successful attacks per week in 2012 compared to 122 in 2013). So how can we improve? With cyber-attacks more prevalent, you would think technology would help us cut down the time it takes to detect and resolve these problems, right? So why are they rising?
We believe it is because most organizations are not detecting malicious behavior as it occurs, in real time, allowing attackers to burrow deep into our networks undetected. By the time we find out that something is wrong, the damage is usually already done.

The Typical Threat Investigation is a Hassle

Earlier in the blog post I mentioned that the majority of our webcast attendees told us it takes them, on average, half a work day, or 4.5 hours, to investigate a security threat. What takes so long? Let's look at the typical threat investigation process, shall we?

Step 1: Your IPS detects malicious behavior at a certain IP address. Who owns that IP address?
Step 2: Log in to your SIEM to find the host name for the IP address. Well, which user committed the malicious behavior?
Step 3: Log in to your asset management system to find the username. I need more information on the user: what is his name? What office does he work in? How do I contact him?
Step 4: Log in to Active Directory to find out who the user is.
Step 5: Call the user and figure out what happened. Did they fall for the phishing bait? No? Then this is just a false positive. Yes? You need to take action immediately.
Step 6: Try not to be frustrated by the fact that you spent all day investigating a false positive, OR remediate the problem immediately and save your organization money and a potential brand disaster.

With cyber-threats on the rise, shouldn't threat investigation be easier? Shouldn't we also be able to extend our security perimeter to include the cloud services and the mobile devices our employees use, so we can be alerted when mobile malware is detected or even when an ex-employee has just downloaded a large amount of data from Salesforce? Wouldn't it be even better if you could do this in ONE platform?
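The IP-to-host-to-user-to-contact chain in steps 1 to 4 is what an analyst repeats by hand for every alert. The following added Python example (not Rapid7's or UserInsight's code) automates that same pivot against constructed sample data, and also handles the case where the IP had been re-leased to a different machine by the time of the alert, one common reason an IP-only alert turns out to be a false positive. All table contents and hostnames are made up for illustration.

```python
from datetime import datetime

# Constructed sample data standing in for the four systems the post visits by hand:
# the SIEM's DHCP lease records, the asset inventory, and the directory (AD).
DHCP_LEASES = [  # (ip, hostname, lease_start, lease_end) as recorded by the SIEM
    ("10.1.2.3", "LAPTOP-A17", "2014-03-10T08:00:00", "2014-03-10T12:00:00"),
    ("10.1.2.3", "LAPTOP-B42", "2014-03-10T12:30:00", "2014-03-10T18:00:00"),
]
ASSET_OWNER = {"LAPTOP-A17": "jdoe", "LAPTOP-B42": "asmith"}  # asset management
DIRECTORY = {  # directory attributes an analyst would otherwise look up in AD
    "jdoe": {"name": "Jane Doe", "office": "Boston", "phone": "+1-555-0100"},
    "asmith": {"name": "Al Smith", "office": "Austin", "phone": "+1-555-0101"},
}


def host_for_ip(ip, at):
    """Steps 1-2: resolve an IP to a host, but only via a DHCP lease that
    actually covered the alert time; an IP that has moved to another machine
    must not be attributed to the previous holder."""
    t = datetime.fromisoformat(at)
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return host
    return None


def enrich_alert(alert):
    """Collapse steps 2-4 into a single lookup: IP -> host -> user -> contact.
    Returns a dict with None for any hop that could not be resolved."""
    result = {"ip": alert["src_ip"], "host": None, "user": None, "contact": None}
    host = host_for_ip(alert["src_ip"], alert["ts"])
    if host is None:
        # No lease covers the alert time: attribution by IP is unreliable here,
        # so flag it rather than guessing at a user to call.
        result["note"] = "no DHCP lease covers the alert time; IP attribution unreliable"
        return result
    result["host"] = host
    user = ASSET_OWNER.get(host)
    result["user"] = user
    result["contact"] = DIRECTORY.get(user) if user else None
    return result


if __name__ == "__main__":
    # Constructed IPS alert: fires while the IP is leased to LAPTOP-B42.
    print(enrich_alert({"ts": "2014-03-10T13:00:00", "src_ip": "10.1.2.3", "sig": "example"}))
```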
With UserInsight you can do just this: monitor risky behavior in real time, see the user associated with the threat with a couple of quick clicks, and monitor not only your network but your cloud and mobile environments too. You can give UserInsight a try here if this sounds like something you would be interested in.

As cyber-threats increase, we are seeing high demand for security pros in the workforce. Unfortunately, the number of security professionals in the workforce is not rising as quickly as the growth in cyber-attacks. Adding to the stress of your over-worked and under-funded security team is the fact that the majority of tools out there are not built to ease the daily burden of investigating security threats. Security professionals deserve better than this.

Have you been able to try UserInsight? What did you think? If you have not been able to take it for a test drive, you can do so here for free.
