How to Save $1 Million with Targeted Security Automation – MSSP Alert

Posted: September 2, 2022 at 2:18 am

by D3 Security Sep 1, 2022

In previous articles, we've explained how MSSPs can pick the low-hanging fruit of automation and how SOAR can help improve analyst-to-customer ratios. Those articles showed that different levels of automation yield major gains in both profit and quality of service. In this article, we'll illustrate the benefits of targeted automation, which is particularly valuable for small or mid-sized MSSPs, through a hypothetical case study.

In this case study, we'll show how a small MSSP could save as much as $1 million per year with a strategic approach to automation that minimizes overhead and time-to-value.

Let's say our imagined MSSP has seven analysts serving 30 clients, with plans to double their client base as soon as possible. They have an annual revenue of approximately $1.2 million USD.

Their growth has stagnated because their analysts are struggling to keep up with an unending stream of low-fidelity alerts from their clients. Adding new clients wouldn't just mean hiring more analysts; it would also require more administrative work to track billable hours and SLAs.

They don't want to commit to deploying a full SOAR platform because they think it will cost too much and require too much time to implement and maintain. They're swamped enough as it is.

A targeted use of automation is the solution we would prescribe for this MSSP. Given their specific problems, they can focus on alert handling and basic investigation, the processes that have been consuming most of their time.

In addition, they need full multi-tenancy and automation that extends to administrative work, like SLA tracking and reporting. They can't double their capacity if that's going to double their paperwork and administrative time too.

With just two playbooks, they can automate exactly what they need without getting bogged down in an overly complicated project. First, they need an alert-level playbook that integrates with the subset of tools that generate the most alerts in their clients' environments, e.g. EDR, network security, and identity management. This playbook triages every incoming alert by extracting artifacts (e.g. usernames, IPs, and device IDs), checking them against global lists, and deciding whether to dismiss or escalate the alert.
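As an added illustration of the alert-level playbook described above (example code written for this article, not D3 Security's or any product's), here is the triage step in Python: alerts from EDR, network and identity tools are normalized into usernames, IPs and device IDs, checked against a tenant's allow and block lists, and dismissed or escalated. The alert field names, list contents and sample alerts are all constructed for the example.

```python
import ipaddress
import re
# Constructed allow/block lists for one tenant; a multi-tenant MSSP keeps one pair per client.
TENANT_LISTS = {
    "allow": {"user": {"svc_backup"}, "ip": {"10.0.0.0/8"}, "device": {"SCANNER-01"}},
    "block": {"user": {"guest"}, "ip": {"203.0.113.0/24"}, "device": set()},
}
# Alert field names differ per source tool (EDR, network, identity); assumed for the example.
SOURCE_FIELDS = {
    "edr": {"user": "user", "device": "hostname"},
    "network": {"device": "sensor"},
    "identity": {"user": "principal", "device": "device_id"},
}

def extract_artifacts(alert):
    """Return {'user', 'ip', 'device'} -> set of values found in one raw alert."""
    arts = {"user": set(), "ip": set(), "device": set()}
    for kind, field in SOURCE_FIELDS.get(alert["source"], {}).items():
        if alert.get(field):
            arts[kind].add(alert[field])
    # IPs can sit in any field; the regex also matches 999.1.1.1, so keep only values that parse.
    for m in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", " ".join(str(v) for v in alert.values())):
        try:
            arts["ip"].add(str(ipaddress.ip_address(m)))
        except ValueError:
            continue
    return arts

def on_list(kind, value, entries):
    """CIDR-aware membership test for IPs; exact match for users and devices."""
    if kind == "ip":
        return any(ipaddress.ip_address(value) in ipaddress.ip_network(e) for e in entries)
    return value in entries

def triage(alert, lists=TENANT_LISTS):
    """Escalate on any blocklist hit or unvetted artifact; dismiss only when all are known-good."""
    arts = extract_artifacts(alert)
    bad = [v for k, vs in arts.items() for v in vs if on_list(k, v, lists["block"][k])]
    new = [v for k, vs in arts.items() for v in vs if not on_list(k, v, lists["allow"][k])]
    if bad or new:
        reason = f"blocklisted: {bad}" if bad else f"unvetted: {new}"
        return {"action": "escalate", "reason": reason, "artifacts": arts}
    return {"action": "dismiss", "reason": "all artifacts allowlisted", "artifacts": arts}

# Constructed sample alerts, one from each tool category named in the text.
SAMPLE_ALERTS = [
    {"source": "edr", "user": "svc_backup", "hostname": "SCANNER-01", "msg": "scan from 10.1.2.3"},
    {"source": "identity", "principal": "jdoe", "device_id": "LT-4411", "src": "198.51.100.7"},
    {"source": "network", "sensor": "SCANNER-01", "msg": "beacon to 203.0.113.9"},
]
```

Running `triage` over the three sample alerts dismisses the first (every artifact is allowlisted) and escalates the other two, one for an unvetted user and one for a blocklisted IP.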

The second playbook they need is an incident-level playbook to investigate escalated alerts. In this playbook, incidents are enriched with threat intelligence and related incidents are retrieved from the incident database. The results are summarized in an automated report for the analyst, who can then decide to dismiss the incident or notify the client with an automatically generated incident report.

Now let's do some back-of-the-napkin calculations on how much our hypothetical MSSP could save with this type of targeted automation.

We estimate that the alert-level playbook we described would turn a 15-minute process into one that takes just seven seconds, and the incident-level playbook would cut a 45-minute process down to 11 seconds. Even adding in five minutes for the analyst to review the results, that's still a time saving of almost 90% for the second playbook alone.

So, based on these estimates, if the MSSP is ingesting 300 alerts per day, they're saving around 75 hours of labor per day (300 alerts times 15 minutes each) from the alert-level playbook alone. At a conservative estimate of analyst salaries, that's an annual saving of $810,000.

Then, if 10% of those alerts are escalated to incidents, 30 incidents a day go into the second playbook. Based on our estimate, which includes five minutes of manual review for each incident, the MSSP is still saving around 20 hours per day. That's $270,000 in salaries per year.

Between the two playbooks, that's over $1 million in annual savings, just from this targeted use of automation. For our hypothetical MSSP, that means they'll have the capacity to double their client base with minimal increase in headcount or budget.

That's why we think it's not an exaggeration to say that even a small MSSP can save $1 million per year by being strategic in how they use automation. This type of security automation is a game-changer for MSSPs who have previously written off SOAR because they think it will be too expensive or take too long to get up and running.

D3 Security supports MSSPs in every corner of the globe and enables high-value services with our next-generation SOAR platform. D3 Security's SOAR platform supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we're vendor-neutral, so no matter what tools your clients use, our 500+ integrations will meet their needs. Our new offering for MSSPs, D3 Chronos, is a streamlined SOAR package designed to start paying for itself within two weeks while increasing your capacity 10x through automation.

Blog courtesy of D3 Security. Read more D3 Security guest blogs here. Regularly contributed guest blogs are part of MSSP Alert's sponsorship program.
