Is the cure costlier than the disease?

When I was still an analyst I was part of the mobile workforce, coming into the office maybe once or twice a year. The company-owned laptop I was provided ran 4 different security agents, plus several other agents for various systems management functions (asset, configuration, etc.) and remote access. Since the company had no ability to manage these mobile systems the majority of the time, it enforced some fairly draconian security policies: locking down aspects of the OS, disallowing certain protocols and applications from traversing the network VPN, and configuring the various scan-based security technologies to scan the system on a recurring basis (OK, so maybe these are all reasonable and I felt they were draconian because I suffer from a Nietzsche “super-employee” complex and believe myself to be above the normal security policies of other employees – coincidentally I stopped using the corporate supplied laptop and switched to a Mac).

Here is the kicker: my machine suffered from significant performance problems. Not only did it now take a good 5+ minutes to restart, it was unusable during a scan – which meant I was unable to work several hours a week: no research, no ability to view the security hamster wheels so diligently presented to me by the 500 different security companies vying for placement high and to the right, no IM’ing other analysts to make fun of the latest press release promising total compliance and complete security – nothing. I, along with many others, was essentially dead in the water.

As far as I know (and I know this is a slippery slope) the productivity-impacting anti-malware bloatware never encountered a single instance of digital maliciousness. That doesn’t mean there wasn’t a compromise or incident; it just means that the technology used to detect and prevent such things was irrelevant either way.

I wondered if the cost of securing the device against a security incident, plus the impact on annual productivity, was justified against the cost of dealing with a virus outbreak or other security incident 1-2 times a month. How many of you just rolled your eyes and put me at the top of your most hated blogger list? But seriously, let’s dig into this…

The cost of desktop security for a 5,000-seat environment:

Fully loaded FTE employee salary = $100,000/annual

Initial end-point security license for AV/AS/PFW (assumes you sweet-talked your way down to $10-15 per end-point) = $50,000 – $75,000/annual

Initial license for laptop encryption (assumes a cost of $10 per end-point) = $50,000

Initial license for host-based DLP or device control (assumes a cost of $18 per end-point) = $90,000

Initial license for patch management (assumes a cost of $10 per end-point) = $50,000

Total initial license cost for desktop security at $48 per end-point = $240,000 (and that is just the basic stuff at a pretty nice price point)

Total desktop security management servers (the stuff that runs the stuff – reporting servers, consoles, databases, aggregators, updaters, etc.) at 2 servers per 2,500 devices for each technology = 16-20 servers minimum

Total cost to manage the management servers, at $5,000/annual per server = $80,000 – $100,000

Total FTE costs (assumes 1 per technology) = $400,000

Total cost = $740,000/annual just for desktop security. Of course folks negotiate, and there are different pricing options such as perpetual vs. subscription and aggressive competitive pricing which can command up to 80% discounting for an initial deal, but this is probably pretty close to the pocket.

So a 5,000-seat environment spends around three quarters of a million dollars annually just for desktop security. Now let’s add in productivity loss, which, although very difficult to quantify, I think we can agree probably costs an organization about $250k annually (1 hour per employee per week, which is easily reached by the reboot times alone).

So a million dollars a year – give or take – to secure the desktop, and this doesn’t include the network security or email gateway products one deploys. Seems reasonable, right?

I wonder what the cost of an incident is?

Well, “The Computer Security Institute conducted a survey of 538 computer security practitioners in corporations, government agencies, financial institutions, medical institutions, and universities in the United States. Their results revealed that 85 percent of respondents had detected computer security breaches within a twelve-month period. The 35 percent who listed a financial impact reported $377,828,700 in financial losses. Of these, many cited their Internet connection as the point of attack for hackers.”

Now, before you jump all over me, let me state that I know as well as the next guy that trying to determine financial loss is about as predictable as trying to determine which politician elected to public office, on a platform of morality and decent values, will find themselves in the middle of a Spitzer, Craig, Foley, Clinton-esque sex scandal. That being said, it does make you wonder, doesn’t it: is security as we know it about to end up in the obituary of dead technologies?

16 thoughts on “Is the cure costlier than the disease?”

  1. Amrit, as much as it pains me, I have to admit that you have a good point. Security is going through a time where many companies are spending money w/o really considering the overall cost and it can get very expensive. So they have to decide: do they spend extreme amounts of money or take the risk? A time will come where spending the money loses out and more and more companies take the risk. The security industry will have to adapt just as other industries have. There will be a time of uncertainty and shakeup but it will work itself out. It is pretty sobering to consider just how much we spend on technologies all in the name of doing business better. When you take into consideration the cost of other licenses (OS, apps, etc.), the hardware, infrastructure to support and the IT staff it gets even more shocking. Especially when you probably could do the job the old fashioned way for much, much less. But then you risk losing out because you aren’t keeping up with the competition and therefore are losing business. It’s a catch-22 no matter how you look at it.

  2. Draw the lines differently. Stop letting people pull data out to endpoint systems; make them fully expendable terminals.

  3. Do not allow data to run on the end-points and turn the end-points into dumb, expendable terminals – Hey this is how we used to compute back before the PC.

    Funny, but I think the only way to limit much of the security costs and breaches we experience today is to move back to a dumb terminal model. This can be done with current PC technology by combining sandboxing and virtualization, and then security can focus their efforts on securing critical infrastructure.

  4. The terminal idea makes so much sense in so many ways. I haven’t thought this through, but would that collide with the whole web app, distributed computing trend that is going on? I’m thinking that it would work hand in hand…viewing the browser as a sort of terminal.

  5. A couple of trends that you call out as occurring, such as SaaS and mobile computing, are well suited for a terminal model. I believe, and have something I am about to post, that talks about the browser as the new OS and that security is about the sand-boxing and isolating of the browser. Cool stuff coming in the world of technology.

  6. As the availability of adequate bandwidth WHEREVER you are becomes more and more of a reality, the move to hosted software solutions makes more and more sense.

    Look at, how many companies do you know who DON’T use it? Why not Office applications?

    This will make the amount of data held at the end point negligible and will allow enterprises to start to secure within the perimeter again.

    Of course, security technologies such as Identity Management and authorisation etc. will be all the more important.

    If you are going to trust external devices with access to your internal network, then you need to be sure that they are who they say they are…

    Start up anyone?

  7. Hi, Amrit!

    >about the sand-boxing and isolating of the browser
    To have only a browser sandboxed is not enough. E-mail client, multimedia client, IM client must be sandboxed too; those are all the threat gates. Everything that connects to untrusted Internet-related content could be a source of infection…

    >Cool stuff coming in the world of technology.
    Cool stuff is already here, but most IT/press people just ignore the sandbox HIPS trend; don’t know why 😦

  8. Hey Ilya,

    You can use email, multimedia and IM through the browser, sites such as offer support for a wide variety of IM clients and it works pretty seamlessly.

    The problem with HIPS is that to date it has been very disruptive at the end-point. From Cisco CSA to McAfee to eEye to Prevx to Sana to Proventia, to whatever the HIPS du jour is, they all hook into the operating system in a way that causes conflict.

  9. No relation, nothing, zip, zilch, zero – I would contend that almost 2 decades into the mess we call Infosec no one really has any definitive idea of the cost of loss.

  10. “no one really has any definitive idea of the cost of loss”

    It seems like this isn’t even the tree they are barking up. Any free business owner would obviously only buy security if he perceived (measured as accurately as possible) that it reduced his loss more than it cost. Duh, right? Much of security seems to be something companies are forced to buy through centralized decision making – regulation – which forces upon them a boilerplate risk tolerance regardless of cost.

    Would you agree or does all this security for the sake of security stem from elsewhere?

  11. Hi, Amrit!

    >You can use email, multimedia and IM through the browser
    Then why are many corporations still using the Outlook+Exchange bundle? You know, yes, there are a lot of things that could be done with web-oriented SaaS services, but it will take time to provide products as functionally rich as the desktop ones are now.

    >The problem with HIPS
    The only problem with HIPS is that it can be written the right way only by an extremely highly qualified system programmer. Such programmers usually do not work for corporations due to freedom-related reasons. My own sandbox HIPS solution does not cause conflicts because of its OS hooks; it is written the right way!

  12. @Jon – Most security has been bought as a result of something occurring in the environment (i.e. IPS), due to a compliance or regulatory demand (i.e. SIEM/Log management), or because it is perceived to be a requirement (i.e. Firewalls/AV). I don’t think perceived loss plays as much a role as we all think it does.

    @Ilya – The reason most still use COTS software as opposed to web 2.0 SaaS services has a lot to do with perceived functional, user satisfaction, and control gaps. And I am very happy that you have the world’s only non-intrusive, non-service disrupting, kernel hooking HIPS, hopefully the world will have an opportunity to adopt the technology.

  13. Pingback: Not Bad For a Cubicle » Blog Archive » Amrit rocks the house with some Desktop Security Agent BOTE calc’s

  14. Pingback: You need to think like this sometimes | Security Balance
