The Economics of Security

Uploaded by: network-intelligence-india

Posted on 18-Jan-2017

TRANSCRIPT

Page 1: The Economics of Security

www.niiconsulting.com @kkmookhey

The Economics of Security
K. K. Mookhey
Founder & Director
Network Intelligence (I) Pvt. Ltd.

Page 2: The Economics of Security

Agenda

- What should you invest in?
  - Solving current problems?
  - Being ready for future ones?
- How do you justify this investment to the Board?
- Some parting thoughts…

Page 3: The Economics of Security

Investing in security solutions

Should I buy APT Protection? Or WAF / DLP / IRM / whatever?

Page 4: The Economics of Security

Before we get to the technology…

Page 5: The Economics of Security

Because, weak foundations!

Page 6: The Economics of Security

Why do I need to invest in X?

Page 7: The Economics of Security

Measuring Information Security

What is your risk?

Standard risk assessments:
- More for compliance than for actual business decision making
- Elaborate Excel sheets
- Few insights

Taking a different approach:
- War-game exercises
- Run scenarios: APT attack, insider breach, perimeter breach

Page 8: The Economics of Security

Scenario 1: End-point compromise

Typical breaches target the end-point, and the attacker then penetrates deeper into the network from there. End-points are compromised because of missing Adobe/Java patches or unpatched browsers.

Malware can also get introduced via USB drives.

Controls:
- End-point malware protection
- Internet content filtering
- USB blocking
- Removal of local admin rights
- Installing latest OS patches
- Installing latest non-OS patches (for Java, Adobe, etc.)
- Email filtering
- Restrict local admin rights
- Modify local administrator account password

Observations:
- Anti-virus protection is working well
- Microsoft patches are being applied properly
- Email filtering is working well
- Internet content filtering allows access to file sharing sites and does not block zip/exe downloads
- Patches not applied to non-MS software such as Java, Adobe
- Internet content filtering can be bypassed by changing WLAN/browser settings
- Nearly 100 users have local admin rights
- Local administrator password not changed

Recommendations:
1. Enhance end-point security controls
2. Enhance Internet content filtering
3. Address systems noted as malware-infected

Page 9: The Economics of Security

Recommendation 1: Enhance end-point & gateway security controls

As a media company and due to various software requirements, we understand that standard end-point security controls are difficult to implement. Yet we cannot stress enough the importance of protecting the end-point as that has become the primary target for attackers:

a. Restrict Internet access and block Skype / YouTube / Dropbox / social media
b. Upgrade firewalls to Next Generation Firewalls
c. Ensure the patching process covers non-MS software such as Adobe and Java
d. Remove local admin rights by working with the provider of the media software
e. Block USB access and provide users with an alternate means of file sharing
f. Enhance endpoint security to enforce conditional USB / local admin controls
g. Evaluate and budget for DLP

Priority: Critical

Page 10: The Economics of Security

Justifying investments in security

Page 11: The Economics of Security

Two major decision points

Choosing the right solution

Choosing the right price

Page 12: The Economics of Security

Case Study

Large Telco
- On-going application security assessments
- On-going source code reviews
- Periodic penetration tests
- Development done by vendors
- WAF decision pending for a year…

Should they buy a WAF? Should they invest more in application security? Should they implement a GRC solution?

Page 13: The Economics of Security

Vulnerability Statistics

[Chart: number of vulnerabilities found per month, by severity (High / Medium / Low), Oct-13 to Jul-14; y-axis 0 to 70]

The number of High/Medium vulnerabilities is stable – no significant trends emerge! Why?

Page 14: The Economics of Security

Insights from data analytics
- Vendor delays in fixing the issues
- Multiple reassessments lead to the issues remaining open and overlapping across subsequent assessments
- High level of exposure on the Internet
- Multiple approaches adopted and strong focus on appsec in recent times
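The deck attributes the flat trend to reassessments re-counting issues that are still open. As an added illustration (not part of the presentation, and using a constructed finding set rather than the telco's data), this script separates first-seen findings from carried-over ones and reports how many assessments each finding has survived, the two figures that expose vendor fix delay behind a flat raw count:

```python
# Added example (not from the deck): why a per-assessment count of findings
# stays flat when unfixed issues are re-reported, and what to count instead.
from collections import defaultdict

# Constructed sample of assessment results: (month, finding_id, severity).
# The same finding_id appearing in several months is one unfixed issue
# re-reported by each reassessment, not a new vulnerability.
FINDINGS = [
    ("2013-10", "F1", "High"), ("2013-10", "F2", "High"), ("2013-10", "F3", "Medium"),
    ("2013-11", "F1", "High"), ("2013-11", "F2", "High"), ("2013-11", "F4", "Medium"),
    ("2013-12", "F1", "High"), ("2013-12", "F4", "Medium"), ("2013-12", "F5", "High"),
    ("2014-01", "F1", "High"), ("2014-01", "F5", "High"), ("2014-01", "F6", "Medium"),
]


def raw_counts(findings):
    """Findings reported per month: the flat line the chart plots."""
    counts = defaultdict(int)
    for month, _fid, _sev in findings:
        counts[month] += 1
    return dict(counts)


def new_vs_carried(findings):
    """Per month, split reported findings into first-seen and carried-over.

    A flat raw count made mostly of carried-over findings points at the
    fix process (vendor delays), not at a steady inflow of new bugs.
    """
    seen, result = set(), {}
    for month in sorted({m for m, _, _ in findings}):
        ids = {fid for m, fid, _ in findings if m == month}
        new = ids - seen
        result[month] = {"new": len(new), "carried": len(ids) - len(new)}
        seen |= ids
    return result


def assessments_open(findings):
    """How many assessments each finding has survived; the fix-delay signal."""
    months = defaultdict(set)
    for month, fid, _sev in findings:
        months[fid].add(month)
    return {fid: len(m) for fid, m in months.items()}


if __name__ == "__main__":
    print("raw per-month counts:", raw_counts(FINDINGS))
    print("new vs carried:      ", new_vs_carried(FINDINGS))
    print("assessments open:    ", assessments_open(FINDINGS))
```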

Page 15: The Economics of Security

Hence… the strategy is two-pronged:
1. WAF and other virtual patching technologies should be implemented
2. Vendor management practices and contractual negotiation should have CISO involvement

Page 16: The Economics of Security

Why you need your own data

Surveys/reports:
- Cover organizations across industries
- Do not take into account the nature of the organization's current web app situation – vendor, in-house, legacy, COTS, etc.
- Do not take into account the current level of maturity
- Try to draw general conclusions from the average/sum of all data

Page 17: The Economics of Security

Justifying the investment

Page 18: The Economics of Security

Economic Model for Information Security

Parameter                                                                  Value
Turnover                                                                   ₹1000 crores
Profit-After-Tax (15%)                                                     ₹150 crores
Number of customers                                                        10 lakhs (0.1 crore)
Profit per customer                                                        ₹1500
Number of customers that will go away in case of a cyber-security incident 5%
Profit reduction (financial impact)                                        ₹7.5 crores
Remediation costs (incident response, forensics, legal fees, if any)       ₹20 lakhs
Business growth projection                                                 15% – 1.5 lakh new customers
Future customer attrition                                                  5% of new customers won't join
Cost of lost future business                                               ₹1.12 crores
Total cost of the breach                                                   ₹8.8 crores
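The table's figures follow from a handful of inputs, and a Board will ask how the total moves when an input changes. As an added example (not from the deck), this script implements the slide's model as a parametric function with the deck's own numbers, and extends it with a sensitivity sweep over the 5% attrition assumption:

```python
# Added example (not from the deck): the slide's breach-cost model as a
# parametric function, so each input's contribution to the total is visible.
# Amounts are in rupees; 1 lakh = 10^5, 1 crore = 10^7.
LAKH = 10**5
CRORE = 10**7


def breach_cost(turnover, pat_rate, customers, attrition_rate,
                remediation, growth_rate, future_attrition_rate):
    """Return the model's intermediate and total figures in rupees.

    Profit per customer comes from profit-after-tax over the customer base;
    lost profit is the share of existing customers who leave after the
    incident; lost future business is the share of projected new customers
    who never join; remediation is added as a flat cost.
    """
    profit_per_customer = turnover * pat_rate / customers
    profit_reduction = customers * attrition_rate * profit_per_customer
    lost_future_business = (customers * growth_rate * future_attrition_rate
                            * profit_per_customer)
    return {
        "profit_per_customer": profit_per_customer,
        "profit_reduction": profit_reduction,
        "remediation": remediation,
        "lost_future_business": lost_future_business,
        "total": profit_reduction + remediation + lost_future_business,
    }


# The deck's own figures (₹1000 crore turnover, 15% PAT, 10 lakh customers,
# 5% attrition, ₹20 lakh remediation, 15% growth, 5% of new customers lost).
SLIDE_INPUTS = dict(turnover=1000 * CRORE, pat_rate=0.15, customers=10 * LAKH,
                    attrition_rate=0.05, remediation=20 * LAKH,
                    growth_rate=0.15, future_attrition_rate=0.05)


def attrition_sensitivity(rates, base=SLIDE_INPUTS):
    """Total breach cost in crores for each attrition assumption.

    Extension beyond the slide: the 5% figure is an assumption, so apply the
    same rate to both existing and prospective customers and watch the total.
    """
    totals = {}
    for rate in rates:
        params = dict(base, attrition_rate=rate, future_attrition_rate=rate)
        totals[rate] = breach_cost(**params)["total"] / CRORE
    return totals


if __name__ == "__main__":
    for name, value in breach_cost(**SLIDE_INPUTS).items():
        print(f"{name:>22}: {value / CRORE:.3f} crore")
    print(attrition_sensitivity([0.01, 0.02, 0.05, 0.10]))
```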

Page 19: The Economics of Security

Average Cost of Breach – India

Page 20: The Economics of Security

Other economic models

Theft of intellectual property:
- Market opportunity cost is much higher

Cost of regulatory non-compliance:
- Penalties to be paid to the regulator; or
- Cost of a class-action lawsuit

Page 21: The Economics of Security

Solving for the future?

Are your investments future-proof?

Page 22: The Economics of Security

On the horizon…
- Cloud adoption – only going to increase
- Mobility – moving towards mobile-first
- Shadow IT
- Big Data
- Social Media Access
- DevOps
- Internet of Things
- Deperimeterization
- Business environments are becoming increasingly VUCA

Page 23: The Economics of Security

Changing role of information security

Page 24: The Economics of Security

Evolving Role of Information Security
- More evangelist than checkpoint
- Embedding information security within the business
- Enabling the business to address information security risk
- Reporting structure outside of IT
- You will – or have already been – compromised; so be responsive
- You can't protect everything – so strategize and prioritize

Page 25: The Economics of Security

Q&A

Thank You!

[email protected]
@kkmookhey
linkedin.com/kkmookhey