Query.AI
Measuring and Optimizing Enterprise Security Search Costs
Pages
15
Time to read
18 mins
Publication
Language
English
This white paper examines the challenges and costs of enterprise security searches, focusing on a metric it calls Analysts' Searches per Investigation (ASPI). It describes how the growing number of security consoles and data sources that an analyst must work across raises operational costs and introduces inefficiencies into investigations. The paper walks through the typical investigation workflow: an initial search, followed by a series of pivots on entities of interest that the analyst must repeat across separate platforms. It then introduces a formula for calculating ASPI from the number of entity pivots, the number of consoles and data sources involved, and the percentage of relevant investigation paths that analysts actually follow. By measuring and reducing ASPI, organizations can potentially shorten mean time to respond (MTTR) and achieve significant savings in licensing and infrastructure costs. The document is intended for security professionals seeking to improve data access and reduce the cost of cybersecurity investigations.