Measuring the ROI of Better Threat Defense: A Healthcare Study

In the absence of hard figures, improved threat detection can be difficult to sell to executive management, especially when competing with mandated projects and buzzword-rich initiatives.

We’ve created a program that helps CISOs influence and drive urgency through quantifiable business outcomes that speak to organizational goals. Here’s an example of how this worked for a hospital as they tried to improve their detection rates. You can extrapolate to your business, or contact us to customize this process. Our value management office calculated these numbers based on this company’s estimates, modelled against a baseline derived from industry statistics and peer organizations.

Like many companies, this hospital was not keeping up with Indicator of Compromise (IoC) data. In this case, they were investigating only about one-third of IoCs. That’s not unusual: In research of relatively sophisticated security operations centers, McAfee research found that on average 1 in 4 alerts are not triaged. What’s the cost of not evaluating these IoCs? Here’s the math.

Statistics that influence costs:

  • Percent of IoCs that lead to an actual compromise                                5%
  • Percent of successful threats that are major incidents                         .01%
  • Average cost of a major incident (Source: Ponemon)                          $5.8 million
  • Average cost of a minor incident                                                              $397
  • Average annual growth in security threats and events                          30%

This hospital’s calculation:

  • Average number of IoCs received per day                                                 50
  • Number of IoCs addressed with current resources                                 18
  • Gap of unaddressed IoCs                                                                              32
  • Number of IoCs addressed daily after McAfee ESM deployed             144
  • Savings from avoided cost                                                               $574K per year

I know most of you are burning to ask why the hospital would want to overprovision their ability to address IoCs. Like many health care providers, this hospital is growing, pursuing mergers and acquisitions. While managing increasing volumes of events, they are looking to improve detection of targeted threats and ransomware. Additionally, they know that their patient data represents particularly lucrative targets for cybercriminals. So the additional capacity provides them breathing room to accommodate more signals and respond to more sophisticated threats.

McAfee Enterprise Security Manager (ESM), McAfee’s SIEM solution, can ingest IoCs and other threat intelligence via standard interfaces, as well as data from hundreds of systems. This hospital wanted to validate data from specific devices, including (XYZ applications/sensors). ESM can collect events from these devices, and then use dynamic content packs to flag data exfiltration, database monitoring, HIPAA compliance, and other risks to prioritize alerts. It can also automatically consume and report historical and real-time hits from third-party threat intelligence and IoCs from targeted malware and ransomware. With the advent of threat intelligence from industry organizations such as the National Health Intelligence Sharing and Analysis Center (NH-ISAC), as well as use of McAfee Advanced Threat Defense to reveal malicious artifacts within malware, the hospital will be able to filter alerts against high fidelity data sources to better detect attacks.

IoC evaluation wasn’t the hospital’s only reason to buy a SIEM, but at $574K x 3 years = $1.72 M, the cost avoidance was greater than their entire investment in ESM and other McAfee products.

If you’d like to learn more about this program, email vmo@mcafee.com, and visit mcafee.com for examples of successful SIEM deployments in health care, public sector, financial services, and more.