Advanced threats have security teams under pressure to dramatically improve detection and response times, yet defenders have only a limited number of new strategies and workflows they can use to proactively hunt for threats. Investing in new tools can help, but the pursuit of big returns comes with potentially high cost and risk.
To help organizations evaluate the potential return on investment from security technology, ExtraHop recently commissioned Forrester Consulting to conduct a Total Economic Impact™ Study of our cloud-based network detection and response solution (NDR), Reveal(x) 360.
As part of the study, Forrester interviewed Reveal(x) 360 customers, then aggregated quantitative and qualitative data on Reveal(x) 360 costs, benefits and risks from those interviews and other research sources to create a composite organization. From there, Forrester built a financial model representing the costs, risks and benefits incurred by adopting the technology; that model is the basis of the study.
The result is a thoroughly constructed, independently vetted, and unbiased look into the actual economic impact of a particular technology to help security leaders make informed purchasing decisions. In the case of ExtraHop Reveal(x) 360, Forrester determined that customers realized 193% ROI over three years.
Forrester TEI studies are useful tools for organizations that need an accessible and unbiased way to evaluate the risk of new technology solutions, and Forrester has been using the TEI methodology for over two decades.
How to Evaluate ROI with Forrester Data
To offer a realistic assessment of potential value, the ExtraHop Reveal(x) 360 customers represented in the Forrester TEI study were diverse, spanning large enterprises across several industries. Because security technology ROI depends on a variety of factors, including integration, end-user adoption, training, and organization size, the actual ROI a company receives will vary, but IT leaders can use Forrester TEI as a framework to assess ROI and risk prior to adoption.
To help organizations gauge potential ROI, we'll break down Forrester's assessment in two key areas of cybersecurity: threat detection and remediation, and tool consolidation.
Assessing Potential NDR ROI
Threat Detection and Resolution
To estimate ROI, start by cataloging the toolsets your organization currently uses for network security and performance. Many organizations rely on a combination of perimeter solutions like firewalls and intrusion detection systems (IDS), agent-based detection from endpoint detection and response (EDR), log-based security information and event management (SIEM) systems, and basic packet capture (PCAP) tools for network visibility.
One commonly reported challenge associated with using all of these tools is too much data without context. This slows detection and response times, which can be extremely costly and adds risk. To assign a dollar value to response times for current toolsets, Forrester considers how many threats an organization detects and resolves, the time it takes, and the average hourly wage of IT staff.
To break down the math further, the Forrester TEI study assumes that the composite organization detects 40 threats per month; larger organizations or highly targeted industries such as healthcare may see higher numbers. To get your own estimate of current costs, multiply the average number of threats per month by the average hours it takes to detect a threat, add the threats multiplied by the average hours it takes to remediate one, then factor in IT staffing costs. This gives a simple formula:
([Threats x Detection Time] + [Threats x Remediation Time]) x Hourly Rate = Current Cost
According to the TEI study, an organization saves 2.5 hours on detection and 7 hours on remediation per threat after adopting Reveal(x) 360. Subtract those assumed hours from your current per-threat averages and re-run the formula; the difference between the two results is your estimated cost savings.
We should note, this calculation doesn't factor in false positives. The Forrester TEI study addresses this as a common issue, quoting one ExtraHop customer as saying, "We used to get thousands of alerts per day with no context, and we couldn't even dig through them all because there were so many. And of the ones we did look at, a lot of them were false positives. We're now getting closer to 150 alerts per day, and these are more targeted, so we can detect an issue faster and take action."
False positives are a huge waste of time and resources. For organizations considering NDR, we recommend counting the false alerts your current tools produce, multiplying by the time it takes to triage each one and by the average hourly rate for a security analyst, to get a sense of pre-adoption costs. Compare that figure against the false-positive volume you expect from the NDR solution under evaluation.
Tool Consolidation
The second way security teams see returns from NDR, and ExtraHop Reveal(x) 360 specifically, is in tool consolidation. Organizations interviewed by Forrester have used this strategy to realize six- and seven-figure savings. According to one IT leader, "we were able to decommission a few homegrown solutions and some network analytics sensors. We're also looking to retire some tools our operations team uses for visibility over the next year. This could lead to savings in the millions."
Among the tool sets commonly used in a network security strategy, some are arguably essential. SIEM and EDR, for example, are considered part of the SOC visibility triad along with NDR, and all three can be integrated as part of a best-in-class XDR strategy, so they are not candidates for retirement.
To assess the value of tool consolidation, the math is straightforward: subtract the annual expense of the tools you can decommission from the annual cost of NDR adoption to get the net cost of the new tool. That said, the full set of tools that can be retired may not be known until after adoption. To offer a sense of how others have streamlined their tech stack, it helps to understand the two most commonly decommissioned tools:
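The detection-and-remediation formula above, the false-positive cost described with it, and the tool-consolidation subtraction can be combined into one model. The following is an added example, not code from ExtraHop or from the Forrester study; every input figure in it is a constructed placeholder except the 40 threats per month and the 2.5-hour and 7-hour per-threat savings the page quotes from the study. It clamps per-threat hours at zero so that an organization already faster than the study's assumed savings is not credited with negative time, and it leaves the post-adoption false-positive volume as an input you must estimate yourself.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class SocProfile:
    """Per-month workload figures for one organization (all constructed placeholders)."""
    threats_per_month: float
    detect_hours: float            # average hours to detect one threat
    remediate_hours: float         # average hours to remediate one threat
    hourly_rate: float             # loaded hourly cost of an analyst, in dollars
    false_positives_per_month: float = 0.0
    fp_triage_hours: float = 0.0   # average hours spent per false alert


def monthly_response_cost(p: SocProfile) -> float:
    """([Threats x Detection Time] + [Threats x Remediation Time]) x Hourly Rate."""
    hours = p.threats_per_month * p.detect_hours + p.threats_per_month * p.remediate_hours
    return hours * p.hourly_rate


def monthly_false_positive_cost(p: SocProfile) -> float:
    """False alerts x triage hours per alert x hourly rate (the term the page's formula omits)."""
    return p.false_positives_per_month * p.fp_triage_hours * p.hourly_rate


def after_adoption(p: SocProfile, detect_saved: float = 2.5, remediate_saved: float = 7.0,
                   false_positives_after: Optional[float] = None) -> SocProfile:
    """Apply the study's assumed per-threat hour savings to a current profile.

    Savings are clamped at zero: if you already detect in under 2.5 hours the
    model must not produce negative time. The post-adoption false-positive
    volume is your own estimate (default: unchanged).
    """
    return replace(
        p,
        detect_hours=max(0.0, p.detect_hours - detect_saved),
        remediate_hours=max(0.0, p.remediate_hours - remediate_saved),
        false_positives_per_month=(p.false_positives_per_month
                                   if false_positives_after is None else false_positives_after),
    )


def annual_roi_estimate(current: SocProfile, after: SocProfile,
                        ndr_annual_cost: float, decommissioned_annual_cost: float) -> dict:
    """Combine response-time savings, false-positive savings and tool consolidation."""
    response_savings = 12 * (monthly_response_cost(current) - monthly_response_cost(after))
    fp_savings = 12 * (monthly_false_positive_cost(current) - monthly_false_positive_cost(after))
    net_tool_cost = ndr_annual_cost - decommissioned_annual_cost   # NDR cost minus retired tools
    return {
        "response_savings": response_savings,
        "false_positive_savings": fp_savings,
        "net_tool_cost": net_tool_cost,
        "net_annual_benefit": response_savings + fp_savings - net_tool_cost,
    }


def example() -> dict:
    """Constructed inputs; only the 40 threats/month figure comes from the study."""
    current = SocProfile(threats_per_month=40, detect_hours=6.0, remediate_hours=12.0,
                         hourly_rate=75.0, false_positives_per_month=600, fp_triage_hours=0.25)
    future = after_adoption(current, false_positives_after=150)
    return annual_roi_estimate(current, future, ndr_annual_cost=200_000,
                               decommissioned_annual_cost=120_000)


if __name__ == "__main__":
    for name, value in example().items():
        print(f"{name:>24}: ${value:,.0f}")
```

Replace the placeholder figures in `example()` with your own ticket data and contract prices; the hourly rate should be a fully loaded cost, not base salary, or the model will understate both current cost and savings.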
Packet Capture (PCAP)
PCAP provides raw, detailed network data that is essential for visibility. It is a hard-to-evade source of truth, which is why many organizations use PCAP tools to store and analyze this rich dataset. In addition, PCAP data aids compliance with HIPAA and Executive Order 14028, among others.
PCAP on its own is extremely detailed, which means security teams have a vast amount of data to wade through during investigation or forensics. Not all NDR solutions work from real-time, line-rate packet data, but those that do (like ExtraHop) can replace standalone PCAP tools, provided their packet retention meets your forensic and compliance requirements. Packet data from NDR gives security teams the context they need to detect threats and lets them pinpoint the root cause down to the packet level in a few clicks.
Intrusion Detection Systems (IDS)
IDS has been around in some form or another since the 1990s. Traditionally it uses signature-based detections to spot intrusions using known patterns. Among industry compliance standards, IDS is mentioned specifically in PCI DSS, making it another security staple.
However, IDS is a notorious source of false positives. In addition, its reliance on signature-based detection alone limits its capabilities and makes it easy for attackers to evade. In contrast, NDR can combine behavior-based and rules-based detections to spot more threats with greater accuracy. This supports compliance, reduces SecOps workloads, and can remove the need for legacy intrusion detection platforms, provided the NDR's detection coverage satisfies the same compliance requirements the IDS was meeting.
A support analyst interviewed by Forrester explained how NDR allowed them to retire their legacy IDS solution: "We were able to consolidate tooling. Particularly, we were able to get rid of our IDS/IPS [intrusion detection system/intrusion prevention system] solution once implementing our ExtraHop solution because it wasn't able to do as much for us as ExtraHop can in terms of pinpointing network and security issues."
Other Quantifiable and Unquantifiable Benefits
NDR as a Shared IT Resource
While NDR is primarily considered a security tool, the Forrester TEI study also addresses the benefits for the broader IT organization, including in resolving network performance and downtime. As a source of potential costs, Forrester's downtime calculations factor in remediation time, the number of end-users affected, and even lost revenue.
Beyond the quantified downtime savings, Forrester identified "Expanding usage to different teams" as a key unquantified benefit. By sharing the tool across security, compliance, and network optimization teams, NDR customers see more value from a single investment. According to Forrester, these benefits extend into improved communication and even leadership decision-making.
One director of security explained the benefits of data sharing to Forrester: "Having a tool where we can all communicate has been key. If I see a threat, I am now able to communicate not only with the people who will be fixing it but also with management to say, 'This is my proof, this is what we're going after, this is what we're trying to lock down.' Reveal(x) 360 has been great for security maturity."
Visibility to Stop More Breaches
The largest unquantified benefit, in our view, is reduced breach risk through network visibility. By extending coverage to cloud workloads, encrypted protocols, and all connected devices, NDR adopters improve security hygiene and reduce their risk of a breach. As one technical director interviewed for the study explained, "The Reveal(x) 360 platform gathers a lot of information for us instantly. And with the ability to put our behavioral models and our intelligence models directly into the system and customize the risk scores that the system produces, we can much more quickly respond to things that we see as a greater degree of risk than without it. This definitely reduced the deeper and more collateral damage that could occur and probably saves us millions."