Measuring the ROI of Better Threat Defense: A Healthcare Study

This blog was written by Barbara Kay.

In the absence of hard figures, improved threat detection can be difficult to sell to executive management, especially when competing with mandated projects and buzzword-rich initiatives.

We’ve created a program that helps CISOs influence and drive urgency through quantifiable business outcomes that speak to organizational goals. Here’s an example of how this worked for a hospital as they tried to improve their detection rates. You can extrapolate to your business, or contact us to customize this process. Our value management office calculated these numbers based on this company’s estimates, modelled against a baseline derived from industry statistics and peer organizations.

Like many companies, this hospital was not keeping up with Indicator of Compromise (IoC) data. In this case, they were investigating only about one-third of IoCs. That's not unusual: in a study of relatively sophisticated security operations centers, McAfee found that on average 1 in 4 alerts are not triaged. What's the cost of not evaluating these IoCs? Here's the math.

Statistics that influence costs:

  • Percent of IoCs that lead to an actual compromise: 5%
  • Percent of successful threats that are major incidents: .01%
  • Average cost of a major incident (Source: Ponemon): $5.8 million
  • Average cost of a minor incident: $397
  • Average annual growth in security threats and events: 30%

This hospital’s calculation:

  • Average number of IoCs received per day: 50
  • Number of IoCs addressed with current resources: 18
  • Gap of unaddressed IoCs: 32
  • Number of IoCs addressed daily after McAfee ESM deployed: 144
  • Savings from avoided cost: $574K per year

I know most of you are burning to ask why the hospital would want to overprovision their ability to address IoCs. Like many health care providers, this hospital is growing, pursuing mergers and acquisitions. While managing increasing volumes of events, they are looking to improve detection of targeted threats and ransomware. Additionally, they know that their patient data represents a particularly lucrative target for cybercriminals. So the additional capacity provides them breathing room to accommodate more signals and respond to more sophisticated threats.

McAfee Enterprise Security Manager (ESM), McAfee’s SIEM solution, can ingest IoCs and other threat intelligence via standard interfaces, as well as data from hundreds of systems. This hospital wanted to validate data from specific devices, including (XYZ applications/sensors). ESM can collect events from these devices, and then use dynamic content packs to flag data exfiltration, database monitoring, HIPAA compliance, and other risks to prioritize alerts. It can also automatically consume and report historical and real-time hits from third-party threat intelligence and IoCs from targeted malware and ransomware. With the advent of threat intelligence from industry organizations such as the National Health Intelligence Sharing and Analysis Center (NH-ISAC), as well as use of McAfee Advanced Threat Defense to reveal malicious artifacts within malware, the hospital will be able to filter alerts against high fidelity data sources to better detect attacks.

IoC evaluation wasn’t the hospital’s only reason to buy a SIEM, but at $574K x 3 years = $1.72 M, the cost avoidance was greater than their entire investment in ESM and other McAfee products.

If you’d like to learn more about this program, email vmo@mcafee.com, and visit mcafee.com for examples of successful SIEM deployments in health care, public sector, financial services, and more.
