ROI of CSI – Part 4

Posted by Grant Wernick on January 9, 2018

Blog Series:

The Return on Investment (ROI) of plain English search and the Insight Engines Cyber Security Investigator for Splunk (CSI)

This is part four of a four-part blog series covering the six main benefits of CSI that drive a strong ROI. See part one here, part two here, and part three here. To see a white paper on the ROI of CSI click here.

Part Four

Benefit 6 – Better ROI on the investment in existing cybersecurity products and Splunk

Organizations typically purchase dozens of expensive point security products to protect the organization. Typically, these products are layered at the network and endpoint for perceived defense in depth and are from vendors like Palo Alto Networks, FireEye, Symantec, McAfee, and Cisco. The full value of these products is typically not realized because advanced threats typically are “unknown threats” and evade detection from point security products so alerts are often not raised of their presence. Often times the only way to detect these advanced threats is to be able correlate across “harmless” events and also security alerts from multiple products to connect the dots. And to investigate these threats, often times events going back weeks or months are required given advanced threats often are in an organization for months before they get detected.

For event correlation and long-term event logging, organizations often purchase an expensive machine data platform, such as Splunk, and use it as a SIEM, or a single product to log and retain events from all point security and “non-security” products to improve their chances of connecting the dots to detect and investigate anomalous behavior or alerts that might be an advanced cyber threat.

The problem with machine data platforms is that proprietary search languages are an obstacle to accessing machine data in a platform/SIEM like Splunk because only a handful of people in an organization usually are proficient with the proprietary search language. So when CSI and plain English search makes the data in a machine data platform/SIEM accessible and usable to everyone in the organization, CSI improves the usefulness and ROI of the SIEM and all the other point security products that feed into it. The full value of all these costly point security products gets closer to being realized.


Conclusion and Next Steps
In conclusion, the ability for users to interact with machine data via plain English search, as opposed to proprietary or complex query languages, unlocks the value of machine data and enables a wide range of benefits which in turn drive a significant ROI, including a stronger security posture, better utilization of existing or low-cost/non-technical personnel, and getting more value out of existing cybersecurity products and Splunk. Real world evidence is the Fortune 500 customer previously mentioned in this blog series who saw CSI enable aggregate cost savings of 40%, or $922,000, and pay for itself within three months.

If you are interested in learning more about plain English search or the Insight Engines Cyber Security Investigator for Splunk (CSI), please see a short demo here, visit our web site at, or contact to speak with a representative.