Enterprises Spend $16M on Detect & Respond
February 08, 2018
of an independent global survey have uncovered the surging
hidden costs of reactive, detection-based security intended to
protect the organization. The initial, upfront licensing and
deployment investment in security-detection tools like
anti-virus is dwarfed by the cost of human skills and effort to
manage and assess the millions of alerts and false-positive
threat intelligence generated. The research, based on a survey
of 500 CISOs from global enterprises, is part of a wider report:
The Hidden Costs of Detect-to-Protect.
Key findings include:
• The average annual cost to maintain detect-to-protect endpoint security is $16,714,186, per enterprise
• Organizations invest $345,300 per year on detect-to-protect security tools, but this cost is minimal compared to the hidden
• Labor costs are soaring as a direct result of detection-based technology failures:
  ◦ SOC teams receive over 1M alerts every year, but 75 percent are false positives
  ◦ SOC teams spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching
• Altogether, that’s 417,148 hours per year, resulting in an annual labor cost of $16,368,8862, per enterprise
“Detection requires a patient zero – someone must get owned and
then protection begins. Yet, because of this, rebuilds are
unavoidable; false positives balloon; triage becomes more
complex and emergency patching is increasingly disruptive,” said
Gregory Webb, CEO, Bromium. “It’s no surprise that 63 percent of
the CISOs we surveyed said they’re worried about alert fatigue.
Our customers tell us their SOC teams are drowning in alerts,
many of which are false positives, and they are spending
millions to address them.
“Meanwhile, advanced malware is still getting through because
cyber criminals are focusing on the weak spots like email
attachments, phishing links and downloads. This is why
organizations must consider the total cost of ownership when
making security investments, rather than just following the
The research shows that organizations are investing in multiple
security layers to defend against hackers, including: Advanced
Threat Detection (annual spend $159,220); next-generation and
traditional anti-virus (annual spend $44,200); whitelisting and
blacklisting ($29,540 annual spend), and detonation environments
($112,340 annual spend). However, these technologies are
dependent on detection first, and therefore are fundamentally
flawed and only stop the known.
Organizations expect the associated upfront costs for a security
stack; however, as the research shows, the total cost of
ownership is much higher than expected. During evaluations, CISOs
need to be asking questions that uncover the hidden costs, such
are most of the attacks happening?
• Are advanced threats getting through current defenses?
• Is employee productivity negatively impacted by current
• How many alerts are being generated? Of those, how many are
• Is it likely that machines will still get compromised and need to be rebuilt?
“Application isolation provides the last line of defense in the
new security stack and is the only way to tame the spiralling
labor costs that result from detection-based solutions,” Webb
concludes. “Application isolation allows malware to fully
execute, because the application is hardware isolated, so the
threat has nowhere to go and nothing to steal. This eliminates
reimaging and rebuilds, as machines do not get owned. It also
significantly reduces false positives, as SOC teams are only
alerted to real threats. Emergency patching is not needed, as
the applications are already protected in an isolated container.
Triage time is drastically reduced because SOC teams can analyze
the full kill chain.”
For more information about Bromium and to view the infographic
and report, please click here.
The research was conducted by researchers at Vanson Bourne. The
sample consisted of 500 CISOs from large enterprises sized from
1,000 to 5,000+ employees, across the USA (200), UK (200) and