Much ink has been spilled over the challenges associated with proving the value of investments in cybersecurity. Among the threads of discourse has been the debate over whether a term such as “ROI” (return on investment) is even appropriate when talking about infosec spending, since traditionally ROI refers to a return—ideally positive—of greater value than what the original investment was. When a company spends money and resources on security, and they enjoy a trouble-free period of time, there’s an ambiguity to proving the value of the expenditures. Did the products of the security investment prevent actual attacks? Or did no one happen to try to attack them during the time period in question? Certainly one could point to the run-of-the-mill background-noise probes and scans that any routable IP address faces, and count these as attacks repelled. But the really costly and dangerous techniques are much harder to detect. A quiet period of time could mean that there were no attacks, or it could mean that an intrusion already underway is successfully stealthy.
One or more confirmed and successfully-repelled attacks of a sophisticated nature can make the value of the security spend much more apparent. But any security pro would be hard-pressed to wish for such occasions because they are high-stress events that seem to occur with depressing regularity late on Friday afternoons. But even when such events do occur, and the security controls and procedures save the day, is this truly a “return on investment,” or is it better categorized as an appropriate value for the expenditure?
It’s not likely that the whole world will ever come to a consensus on which way to put it, but the good news is that there are, in fact, meaningful ways to quantify the wins associated with various security implementations. And so we introduce a study that we commissioned with Enterprise Strategy Group (ESG), an IT analysis and market research firm with extensive experience in the field. We at DomainTools take pride, of course, when we hear success stories from our customers. But these anecdotes don’t really tell us much about the actual business or monetary wins connected to the investments; they are qualitative, not quantitative. This is where ESG came in: we asked them to speak to DomainTools customers and employ a proven methodology to model net gains. Their analysis was endorsed by the customers and is what you’ll find in the pages of the study.
We asked ESG to look at two categories of DomainTools customers: end users (SOC personnel, and other practitioners on the front lines of infosec and brand protection), and OEMs (original equipment manufacturers)—firms who have embedded DomainTools technologies in their own offerings to strengthen and differentiate them in a crowded marketplace.
We won’t recapitulate the whole study here, but a couple of spotlights are worth examining—one from the end-user perspective and one from the world of the OEM.
Finding More Badness, Faster
It’s not controversial to say that when it comes to detecting emerging threats, time is of the essence. ESG asked survey respondents a few questions about how they spent their time and how their use of DomainTools affected that. One of the questions had to do with the rapidity of detection, and what these practitioners reported jibes with our perspective on the Internet—namely that quick detection matters, and that detecting malicious domains before they do harm (which is what lands them on those blocklists) is valuable for SOC teams.
Standing Out From the Crowd
A growing number of security products in the market today use DomainTools data as important inputs into their rules engines and other technologies. The utility of DNS, Whois, and related data points, as well as risk scoring, is evident; but when a company is looking to incorporate those kinds of data into their own products, it is often tempting to consider building the functionality in-house. After all, these are primarily OSINT (open source intelligence) data. But once engineers start to more fully understand the complexities involved in developing these capabilities, many of them opt to OEM the data from DomainTools rather than attempting to build it themselves. This lets them get compelling products to market much faster, and differentiate themselves from competitors.
Conclusion
We hope the analysis is helpful to you, especially if, like many in the field, you face constraints and appropriately incisive questions about your expenditures. The models provided by ESG may be helpful to you in quantifying your own wins (with DomainTools, and/or with other security products and services you consume). We invite you to read the study, and if you have feedback or questions, don’t hesitate to reach out!
