Endpoint Security, Part 2 of 5: Yes, Anti-Virus Really Does Reduce Risk0
In the blog Endpoint Security: The Risk of Going Unprotected we established a baseline for the risk of unprotected endpoints, so we can now model the risk of protected endpoints. In other words, we can compare the “before” with the “after” – where “after” includes the implementation of an anti-virus / anti-malware solution.
It should go without saying that the purpose of implementing a security solution is to reduce the likelihood of a successful exploit, not to eliminate it – we can all acknowledge that no security control can be expected to be 100% effective. The computers cleaned per mille (CCM) metrics published by Microsoft indicate that:
- For unprotected systems, the infection rates per 1,000 computers is between 11.6 and 13.6 per month
- For protected systems (i.e., a composite of all systems running any kind of anti-virus software), the infection rates per 1,000 computers was between 1.4 and 3.8 per month
This is a dramatic reduction in the number of infections, which we can use as our estimate for the likelihood that exploits will be successful even after the implementation of an anti-virus / anti-malware solution. (Again, if you believe you have access to better information, or estimates that are more specifically suited to your particular computing environment, you should use them!)
The rest of the model can be carried out exactly as before. For an apples-to-apples comparison, let’s focus only on the cost to respond, remediate, and recover from infected endpoints, and the loss of current revenue – which means that we will again be making a conservative, understated estimate of the total risk.
By making the computations over ten thousand independent scenarios, each of which uses a random value from our estimated ranges and distributions, we end up as before with a range and distribution for the annual business impact.
The result is presented in the following figure, which shows the (conservative, understated) risk of 1,000 protected endpoints versus that of 1,000 unprotected endpoints, each with US$10M in revenue from their associated servers:
Probability of … Unprotected Protected
80% that the annual business impact will be greater than $47K $8.5K
50% that the annual business impact will be greater than $73K $14.5K
20% that the annual business impact will be greater than $100K $22K
This is an improvement of about 80%!
But something important is missing from this analysis: the cost of implementing and supporting the endpoint protection solution needs to be accounted for. Because this model is based on CCM data for a composite of anti-virus software, let’s illustrate the concept by assuming that the annual cost is a fixed $15 per endpoint. After incorporating these costs into the model, we end up with the following figure:
The updated model reflects the reality that endpoint protection needs to be implemented on all endpoints – i.e., we can’t have foreknowledge about which specific systems will be infected, so we generally have to protect them all. This means that there is a 100% chance that we will spend $16,500: the cost of endpoint protection for 1,000 endpoints and 100 associated servers. In addition, we can see that there is about a 3% chance (see area “1”) that the annual business impact would be lower with no endpoint protection at all. But the likelihood that we have reduced the organization’s risk, net of the investment in endpoint protection, is about 97% (see area “2”). So we really can say – with near-certain confidence – that yes, anti-virus really does reduce our risk, by about 50%-60% for a composite of all anti-virus solutions.
Imagine how refreshing it would be for the business decision-makers we are advising, if we consistently framed security discussions in the context of the organization’s appetite for risk. For full details, read the full report.
As noted above, this second model is based on a composite of all systems running any kind of anti-virus software. In the next blog let’s get more specific, and look at the reduction in risk from implementing a particular endpoint protection solution: Microsoft Security Essentials. Is “free” A/V really better than nothing? And is it really free?