Every organization has deployed anti-virus/anti-malware solutions, but how much have you actually reduced your risk?
To recap what we’ve covered in this 5-part blog series, Aberdeen’s analysis and Monte Carlo modeling:
- Confirms the high risk of unprotected endpoints
- Demonstrates that endpoint protection really does reduce risk
- Confirms that “free” endpoint protection (e.g., Microsoft) is better than no protection at all
- Shows that in fact “free” endpoint protection is not really free — enterprise-class endpoint protection (e.g., McAfee) actually reduces risk by 60–70% compared to the “free” solution, even net of the incremental licensing cost
In Endpoint Security: Anti-Virus Alone is Not Enough, I wrote about the bigger picture of endpoint security — and found that while 100% of respondents have deployed an anti-virus / anti-malware solution, most organizations have also deployed one or more complementary endpoint security controls as part of a defense-in-depth approach to protecting their users, systems, applications, and data. These include:
- Endpoint protection (anti-virus / anti-malware)
- Patch management
- Configuration and change management
- Intrusion prevention
- Email and web security
- Endpoint data encryption
- Browser-based security (e.g., reputation)
- Application whitelisting
- User behavior (e.g., anti-phishing training)
The reason is that traditional, signature-based approaches to protecting against vulnerabilities, typified by anti-virus / anti-malware solutions — i.e., determining what is “good” by detecting and subtracting what is known to be “bad” — are increasingly being augmented by complementary endpoint security technologies, as part of a comprehensive, defense-in-depth approach.
What I found – in an analysis and comparison of companies whose endpoint security is based on anti-virus software alone with companies whose endpoint security includes anti-virus and a mix of other complementary solutions – was that the annual business impact for the anti-virus-only group was actually about 1.5 times higher.
Part of this is due to the anti-virus-only group being less operationally efficient — i.e., the top performers generally tend to manage their security initiatives at higher scale and lower cost. Solution providers – such as McAfee – that integrate multiple endpoint security solutions under a comprehensive, integrated management platform also contribute to such operational efficiencies.
But the biggest difference was a result of the anti-virus-only group being less effective — i.e., the anti-virus-only group bore the burden of higher costs not avoided in comparison to companies that deployed greater defense-in-depth to reduce their risk.
Incorporating any of these additional controls into our Monte Carlo model would follow the same basic approach that we have been following so far — that is, starting with informed estimates for:
- The likelihood of successful exploits, post-implementation of any additional controls
- Any changes in the business impact as a result of implementation, e.g., a reduction in the time to respond, remediate, and recover from an incident based on improved operational capabilities
- The incremental cost of implementing and supporting the additional controls
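To make the three inputs above concrete, here is a small Monte Carlo model in Python that follows the same basic approach: each posture is described by an estimated likelihood of successful exploits, a low/most-likely/high estimate of business impact per incident, and the incremental annual cost of its controls, and the two postures are compared net of that cost. This is an added illustration, not code or data from the Aberdeen research or this series; every parameter value is a constructed placeholder.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Informed estimates for one endpoint security posture (hypothetical values)."""
    name: str
    attempts_per_year: int      # exploit attempts that reach the endpoints
    p_success: float            # likelihood that one attempt succeeds, post-controls
    impact_low: float           # business impact per incident, USD: plausible minimum
    impact_mode: float          # most likely impact
    impact_high: float          # plausible maximum
    annual_control_cost: float  # incremental cost of implementing and supporting the controls


def simulate_annual_loss(s: Scenario, rng: random.Random) -> float:
    """One Monte Carlo trial: a year's impact from successful exploits plus control cost."""
    incidents = sum(1 for _ in range(s.attempts_per_year) if rng.random() < s.p_success)
    # A triangular distribution turns a low/most-likely/high estimate into a sampled impact.
    impact = sum(rng.triangular(s.impact_low, s.impact_high, s.impact_mode) for _ in range(incidents))
    return impact + s.annual_control_cost


def percentile(sorted_values: list, q: float) -> float:
    """Nearest-rank percentile of an already sorted list (q in 0..1)."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def compare(baseline: Scenario, extended: Scenario, trials: int = 5000, seed: int = 7) -> dict:
    """Run both postures through the same number of trials and summarise the net risk reduction."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    base = sorted(simulate_annual_loss(baseline, rng) for _ in range(trials))
    ext = sorted(simulate_annual_loss(extended, rng) for _ in range(trials))
    mean_base, mean_ext = sum(base) / trials, sum(ext) / trials
    return {
        "mean_baseline": mean_base,
        "mean_extended": mean_ext,
        "p90_baseline": percentile(base, 0.9),   # a "bad year" under each posture
        "p90_extended": percentile(ext, 0.9),
        # Net of the incremental control cost, as the series does for licensing cost.
        "reduction_fraction": (mean_base - mean_ext) / mean_base if mean_base else 0.0,
    }


# Constructed sample inputs, not Aberdeen's data: anti-virus only vs. AV plus patching and whitelisting.
AV_ONLY = Scenario("anti-virus only", 200, 0.05, 5_000, 20_000, 120_000, 0.0)
DEFENSE_IN_DEPTH = Scenario("AV + patch mgmt + app whitelisting", 200, 0.015, 5_000, 15_000, 90_000, 60_000)

if __name__ == "__main__":
    for key, value in compare(AV_ONLY, DEFENSE_IN_DEPTH).items():
        print(f"{key:>20}: {value:,.2f}")
```

Swapping in your own estimates for the three inputs (and raising `trials`) gives a distribution of annual business impact per posture rather than a single point estimate, which is what the series' comparisons are built on.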
These extensions to the model are beyond the scope of this little 5-part series, but I do plan to continue developing these types of risk-based models in my research and publications going forward. I hope you’ll continue to find them useful!