Case Study: The Business Justification for zvelo’s Cyber Threat Intelligence Feeds
This case study features the results of an in-depth cost analysis and business justification performed by one of zvelo's clients on leveraging zvelo's cyber threat intelligence instead of pursuing in-house threat ingestion and curation. The bottom-line result demonstrated significant cost savings that aligned with the projected financial expectations, as well as measurable improvements to their threat detection capabilities.
Client Profile
The Client provides SASE (Secure Access Service Edge) cybersecurity services targeting enterprises, healthcare organizations, and state and local governments.
Market Challenges
The Client was under pressure to grow its business and continue to provide compelling, competitive SASE offerings while closely managing operating expenses and margins, as the window for accessing capital markets began to close and new, larger competitors brought products into the Client's target markets with aggressive pricing to capture market share. Faced with these challenges, the Client had to re-evaluate what was core and strategic to its business in order to align with a strategy focused on higher-margin revenue growth. The Client's investors demanded that investment be concentrated on core competencies, which forced the Client to examine each of its activities, including its investment in threat intelligence ingestion and curation.
Business Challenges
The Client approached zvelo when faced with a decision on whether to continue investing in an in-house approach to curating cyber threat intelligence from a combination of OSINT and other commercial feeds. The Client had partially implemented a plan to build a team of several dozen staff performing threat ingestion, curation, AI-based modeling, and data labeling, and to build the hosting infrastructure necessary to support those activities. It was at that point that economic realities forced a revisit of the business assumptions. Facing an urgent need to manage costs, the Client reached out to zvelo to evaluate zvelo's cyber threat intelligence feeds.
Solution Requirements
The Client had a number of business requirements that had to be met – from both a financial and technical perspective.
Client’s Financial Requirements:
From the financial standpoint, the list of solution requirements was short: reduce operational costs without sacrificing any solution capabilities, since a loss of capability would further erode profit margins.
Threat Intelligence Cost Analysis
zvelo worked closely with the Client's executive team to understand the cost breakdown of the current solution and discover where zvelo's threat intelligence feeds could lower operational costs. The costs for the Client to procure, store, and curate threat intelligence feeds amounted to an annual investment of just over $1.6 million USD and were projected to increase by at least 30% annually just to cover the necessary staffing increases.
Despite operating with a lean team, the Client was spending well over a million US dollars per year on full-time staff. From the rising cost of living to the high demand for scarce IT and cybersecurity talent, maintaining even the minimum staffing level became a key driver of rising costs and eroding profits. As noted above, this team was projected to grow to over two dozen individuals when fully staffed. The table below offers an overview of the annual salary costs for a lean threat team.
Projected Threat Intelligence Cost Benefit Analysis
After determining the current and projected costs and comparing them with zveloCTI pricing, the Client was able to identify immediate and significant cost savings. With the savings provided by the zveloCTI offering, the Client was able to retain a number of its current staff and redeploy them in a way that most effectively leveraged the zveloCTI data. The table below represents just the largest budget allocations and shows a projection of costs when leveraging zvelo to replace in-house ingested and curated threat intelligence data while still retaining 50% of current staff. Even while retaining half of the current staff, the Client would see significant cost savings:
- 58% Cost Reduction to Procure Threat Intelligence
- 83% Cost Reduction for Infrastructure
- 50% Cost Reduction for Staffing Requirements
- Overall Projected Direct Cost Savings of $860,600 USD Annually
With the financial side of the house satisfied with the potential cost savings, the CISO was engaged in the discussions to ensure that the cost reduction measures would not negatively impact the Client's SASE offerings or its ability to protect customers from threats.
Technical Requirements:
From the technical standpoint, the Client required threat intelligence that met or exceeded their current data for the following attributes:
- Global threat detection and coverage, with the ability to detect threats originating from any geographic location
- Minimal false positives
- Faster threat detection
- Rich metadata to support incident research and response
- Simple APIs for accessing and ingesting detections and intelligence
- As a bonus, the ability to detect threats and attacks that they could not detect previously, which the Client called unique or "uplift" detections
Technical Evaluation Testing Criteria
The Client’s evaluation criteria were very much in line with what zvelo sees from its prospective clients seeking to weigh existing threat detection solutions against zvelo’s threat intelligence feeds. The Client evaluated both of zvelo’s threat feeds — PhishBlocklist and the Malicious Detailed Detection Feed — against key performance metrics to quantify the results. The key areas of performance were as follows:
- Percent overlap/coverage compared with their existing phishing and malicious detection feeds
- Percent of lift/increase in coverage due to unique detections above what their current feeds provide
- False positive rates for phishing and malicious detection
- Detection Speed
- Richness of threat intel metadata — Brands, detection timestamps, active/inactive status, threat type, threat family, O/S targeted, and more
The Results of the Technical Evaluation
Overlap – 100% coverage. zvelo's threat intelligence feeds detected 100% of the threats covered by the Client's existing phishing and malicious threat detection feeds.
Lift from Unique Detections – The Client saw a 38% uplift in unique phishing threats detected and a 27% uplift in unique malicious threats detected.
False Positive Rate (FP) – The FP rate for phishing and malicious threat detection from zvelo was less than 1%. Measured against the Client's current false positive rate, the reduction to less than 1% was estimated to save about 230 analyst hours per month, which translates directly into an additional annual cost savings of about $116,000.
Detection Speed – zvelo's threat detection feeds proved faster for over 57% of the detections where coverage overlapped; the existing feeds were faster only ~8% of the time.
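The evaluation criteria listed above and the results reported for them can be reproduced with a small scoring harness. The following is an added example, not zvelo's or the Client's tooling: it takes two feeds of detections (the incumbent and the candidate), a set of indicators independently verified as benign, and the metadata fields the buyer requires, and computes overlap, uplift, false-positive rate, a detection-speed comparison and metadata completeness. The feed contents, the reserved `.test` indicators, the five-minute tie tolerance for detection speed and the choice of metadata fields are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Detection:
    """One feed entry: the indicator as published, when the feed first flagged it,
    and whatever enrichment the feed attached (brand, status, threat family, ...)."""
    indicator: str
    first_seen: datetime
    metadata: dict = field(default_factory=dict)


def normalize(indicator: str) -> str:
    """Canonicalize an indicator so the same host or URL from two feeds compares
    equal: lower-case, strip the scheme and any trailing slash."""
    s = indicator.strip().lower()
    for scheme in ("http://", "https://"):
        if s.startswith(scheme):
            s = s[len(scheme):]
    return s.rstrip("/")


def evaluate(existing, candidate, known_benign, fields, tolerance=timedelta(minutes=5)):
    """Score a candidate feed against the incumbent feed.
    overlap: % of incumbent indicators the candidate also flags.
    lift: % of additional real threats the candidate adds, relative to the incumbent's
          size (hits on the verified-benign list are excluded from lift).
    fp_rate: % of candidate indicators that are on the verified-benign list.
    faster/slower/tie: among overlapping indicators, who flagged first; timestamps
          within `tolerance` of each other count as a tie.
    metadata_completeness: % of (indicator x field) cells that are populated."""
    ex = {normalize(d.indicator): d for d in existing}
    ca = {normalize(d.indicator): d for d in candidate}
    benign = {normalize(i) for i in known_benign}

    overlap = ex.keys() & ca.keys()
    false_pos = ca.keys() & benign
    unique = (ca.keys() - ex.keys()) - benign

    faster = slower = tie = 0
    for k in overlap:
        lead = ex[k].first_seen - ca[k].first_seen  # positive: candidate flagged it first
        if lead > tolerance:
            faster += 1
        elif lead < -tolerance:
            slower += 1
        else:
            tie += 1

    populated = sum(1 for d in ca.values() for f in fields if d.metadata.get(f))

    def pct(num, den):
        return round(100.0 * num / den, 1) if den else 0.0

    return {
        "overlap_pct": pct(len(overlap), len(ex)),
        "lift_pct": pct(len(unique), len(ex)),
        "fp_rate_pct": pct(len(false_pos), len(ca)),
        "faster_pct": pct(faster, len(overlap)),
        "slower_pct": pct(slower, len(overlap)),
        "tie_pct": pct(tie, len(overlap)),
        "metadata_completeness_pct": pct(populated, len(ca) * len(fields)),
        "unique_detections": sorted(unique),
        "false_positives": sorted(false_pos),
    }


# Constructed sample data (not real feed contents). T0 is an arbitrary epoch.
T0 = datetime(2024, 1, 1)
H = timedelta(hours=1)

EXISTING_FEED = [  # the incumbent feed; scheme, case and trailing slash vary
    Detection("http://login-example-bank.test/", T0 + 2 * H),
    Detection("evil.test", T0 + 1 * H),
    Detection("malware-cdn.test/payload.bin", T0 + 3 * H),
    Detection("phish-portal.test", T0),
    Detection("dropper.test", T0 + 5 * H),
]

CANDIDATE_FEED = [  # the feed under evaluation, with enrichment attached
    Detection("login-example-bank.test", T0 + 1 * H,
              {"brand": "ExampleBank", "status": "active", "threat_family": "credential-phish"}),
    Detection("EVIL.test", T0 + 1 * H + timedelta(minutes=2),  # within tolerance: a tie
              {"status": "active", "threat_family": "loader"}),
    Detection("malware-cdn.test/payload.bin", T0 + 4 * H,      # incumbent was faster
              {"status": "active", "threat_family": "downloader"}),
    Detection("phish-portal.test", T0 - timedelta(minutes=30),
              {"brand": "ExampleMail", "status": "inactive", "threat_family": "credential-phish"}),
    Detection("dropper.test", T0 + 2 * H,
              {"status": "active", "threat_family": "dropper"}),
    Detection("new-phish.test", T0 + 1 * H,                    # unique detection (uplift)
              {"brand": "ExampleBank", "status": "active", "threat_family": "credential-phish"}),
    Detection("fresh-c2.test", T0 + 2 * H,                     # unique detection (uplift)
              {"status": "active", "threat_family": "c2"}),
    Detection("cdn.example-legit.test", T0 + 3 * H,            # verified benign: a false positive
              {"status": "active"}),
]

KNOWN_BENIGN = ["https://cdn.example-legit.test/"]  # analyst-verified allowlist (constructed)
FIELDS = ("brand", "status", "threat_family")       # the enrichment the buyer requires


def run_example():
    return evaluate(EXISTING_FEED, CANDIDATE_FEED, KNOWN_BENIGN, FIELDS)


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name:>26}: {value}")
```

Two design points matter when running this against real feeds. Overlap is only meaningful after indicator normalization; without it, `http://evil.test/` and `EVIL.test` count as a miss and overlap is understated. And the false-positive rate needs a ground truth that neither feed produced (an analyst-verified allowlist, as here), which is exactly the analyst time the case study prices at 230 hours per month; lift is computed net of those verified false positives so that noisy uniques do not inflate it.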
The Winning Solution
Having satisfied the Client's requirements on both the financial and technical aspects of the solution, the results delivered by zvelo's threat intelligence feeds were unmatched by any of the Client's alternative options. Having identified zvelo as the best solution, the Client's final deliberations required intense scrutiny of the projected cost savings that would fund its growth strategy. In the end, the Client settled on the model that retained 50% of its current staffing. With the reduced strain on the in-house threat team, the Client was able to reallocate much of the remaining team's talent to other areas that would further position it for growth as the cybersecurity market continues to consolidate. In the short term, the Client saw significant cost savings that aligned with the projected expectations, as well as measurable improvements to its threat detection capabilities. In the long term, the Client anticipates that the cumulative cost savings over the next two years, combined with the overall improvement of its threat detection services, will allow it to continue investing in the business to meet evolving market demands and remain profitable for years to come.