Endpoint Security, Part 1 of 5: The Risk of Going Unprotected
Making a business case for investments in information security has never been easy. We make these types of investments to keep bad things from happening, and the results pretty much come in one of two flavors:
- Bad things didn’t happen (at least so far as we know), or
- Bad things happened anyway (in spite of our investments)
That’s a bit of an oversimplification, but it pretty much sums up the mental pretzel we typically get ourselves into when faced with making a business case.
Over the course of five blogs, I’d like to illustrate how we as security professionals can do a better job at communicating security-related risks, and at showing how investments in security controls actually reduce those risks. And isn’t this what the business decision-makers have always wanted us to provide?
For illustrative purposes, let’s focus on endpoint protection – or what we might more commonly call anti-virus or anti-malware solutions. Aberdeen’s research on enterprise security has shown that virtually all organizations have deployed this basic endpoint protection – so let’s use that widespread familiarity and acceptance to our advantage.
The first thing we need to do is establish a proper understanding of what we mean by risk. To be blunt, security professionals have developed a tendency to be extremely sloppy and imprecise in our language around these matters – we tend to talk a lot about threats, vulnerabilities, and exploits, and about the many security technologies that can be used to protect against them. But none of that is really talking about risk.
When we speak about security risks, we should be speaking about the probability of successful exploits, and the magnitude of the corresponding business impact. If we aren’t talking in these terms, then we aren’t actually talking about risk. No wonder we have trouble with making the business case.
But how do we estimate the likelihood of endpoints becoming infected? And how do we estimate the resulting business impact? This is another area where security professionals tend to have a problem. The probabilities and magnitudes that we need to speak about are not certain, and we tend to be people who place a high value on technical detail and engineering-caliber precision.
Yet making decisions in the face of uncertainty is what happens in business every single day. To be effective in communicating properly about security-related risks, there are a couple of things that we as security professionals need to get comfortable with:
- Our estimates are never going to be certain – after all, if we knew with certainty what was going to happen and how big an impact it would have, it wouldn’t be a risk!
- Reducing the uncertainty even a little bit is better than doing nothing at all – even if we can estimate only a subset of the risks, it still contributes to a better-informed decision.
To illustrate how to communicate about security in terms of risk, properly defined, let’s use the specific example of deploying anti-virus / anti-malware solutions. We can begin by establishing a baseline: What is the risk of leaving our endpoints unprotected?
Probability of Exploit
It’s tempting to start out by talking about the high volume of known malware, and about the growth and trends in malware over time – and in fact, this kind of information is widely available from the leading solution providers. But do you see how this would just be falling back into the old patterns of talking about threats, vulnerabilities, and exploits? What we need to do is estimate the likelihood that potential exploits will be successful; i.e., what is the probability of infection?
One useful source for this estimate is provided by Microsoft, which regularly reports a metric called computers cleaned per mille (CCM) – that is, for every 1,000 computers scanned by the Microsoft Malicious Software Removal Tool (MSRT), CCM is the number of computers that needed to be cleaned. For the first six months of 2012, the infection rates per 1,000 computers with no endpoint protection were between 11.6 and 13.6 per month.
Does your organization have better information, or estimates that are more specifically suited to your particular computing environment? If so, fantastic – you should use them! The point is that we should use the best information available to calibrate our estimates, and ultimately to reduce the uncertainty.
Magnitude of Business Impact
Having established an estimate for the likelihood of an infected endpoint, what can we say about the business impact? A reasonable, generic list of possibilities could easily include:
- The cost to respond, remediate, and recover from the infection
  - Cost of lost productivity for users
  - Cost of responders
- Other opportunity costs
  - Loss of current revenue (e.g., business that was lost while work could not be done)
  - Loss of future revenue (e.g., negative impact on brand, reputation, or trust)
  - Loss of carrying out the organization’s mission (e.g., for business impact that might be best expressed in non-financial terms)
- Loss or exposure of sensitive data
  - Fines, legal fees, make-good costs
  - Compromise of intellectual property (this is another example of loss of future revenue)
For the purposes of this illustration, let’s focus only on the cost to respond, remediate, and recover from infected endpoints, and the loss of current revenue – which means that we will be making a conservative, understated estimate of the total risk. In other words, the actual risk from infected endpoints will be even higher. But keep in mind that if the objective of the analysis is to demonstrate that an investment in endpoint protection is justified by a reduction in risk from unprotected endpoints – then meeting that threshold is enough!
To carry out our computations, we’ll actually need to make a number of estimates:
- For every 1,000 unprotected endpoints, how many endpoints are likely to become infected? (we have this already)
- How many users does this affect? (e.g., we might assume that there is a one-to-one relationship between endpoints and users)
- How many associated servers are there? (e.g., we might assume a ten-to-one relationship between endpoints and servers)
- How long does it take to respond, remediate, and recover from an infection?
- What is the fully loaded cost per user for this unproductive time? (note that most users will be at lower pay grades, but infections could also happen to the most highly-paid executives)
- How much of this time is actually unproductive? (e.g., users may still be able to do other productive work, so not all of their time is lost)
- What is the fully loaded cost per responder for this time?
- For every US$10M in revenue associated with the servers, how much is lost if they become infected? (e.g., how much revenue is lost, as opposed to merely delayed or deferred)
For the full details on the assumptions I made, and the source for making them, you can read the full report here.
Modeling the Risk, Using Probabilities and Magnitudes
Note that all of these estimates involve ranges and distributions – i.e., none of them can really be known with precision, so doing computations based on precise, static values would not be doing a very good job at expressing the risk to the business decision-maker.
Instead, we can carry out the computations for many (say, ten thousand) scenarios, each of which uses a random value from our estimated ranges and distributions – a proven, widely-used approach called Monte Carlo analysis. The results of these computations are likewise not a single, static number; the output is also a distribution, which gives us probabilities and magnitudes – exactly what we are looking for!
The result is presented in the following figure, which shows the (conservative, understated) risk for 1,000 unprotected endpoints and $10M in revenue from their associated servers:
- An 80% probability that the annual business impact is greater than $47K
- A 50% probability that the annual business impact is greater than $73K
- A 20% probability that the annual impact is greater than $100K
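As an added example (not code from the Aberdeen report), here is the Monte Carlo computation described above in Python: each estimate is a range, each scenario draws one value per estimate, and the sorted outputs give the "X% probability that the impact exceeds $Y" statements. The CCM range is the page's figure; every other range is a constructed placeholder standing in for an organization's own calibrated estimates.

```python
"""Monte Carlo model of the annual risk from unprotected endpoints.
Added illustration; all ranges except CCM are CONSTRUCTED placeholders."""
import random

ENDPOINTS = 1000            # size of the unprotected population
REVENUE = 10_000_000        # US$ revenue associated with the endpoints' servers

# (low, high) ranges, sampled uniformly per scenario. CCM is from the page
# (11.6-13.6 per 1,000 per month); the rest are constructed for illustration.
ASSUMPTIONS = {
    "ccm_per_month": (11.6, 13.6),          # infections per 1,000 endpoints/month
    "hours_to_recover": (2.0, 8.0),         # respond, remediate, recover per infection
    "unproductive_share": (0.3, 0.8),       # fraction of that time the user really loses
    "user_cost_per_hour": (40.0, 120.0),    # fully loaded, spans clerks to executives
    "responder_hours": (0.5, 2.0),          # responder effort per infection
    "responder_cost_per_hour": (60.0, 100.0),
    "revenue_loss_share": (0.00001, 0.0001),  # share of server revenue lost per infection
}

def one_scenario(rng):
    """Annual business impact (US$) for one random draw of every estimate."""
    s = {name: rng.uniform(lo, hi) for name, (lo, hi) in ASSUMPTIONS.items()}
    infections = s["ccm_per_month"] * (ENDPOINTS / 1000) * 12   # per year
    user_cost = (infections * s["hours_to_recover"]
                 * s["unproductive_share"] * s["user_cost_per_hour"])
    responder_cost = infections * s["responder_hours"] * s["responder_cost_per_hour"]
    revenue_loss = infections * s["revenue_loss_share"] * REVENUE
    return user_cost + responder_cost + revenue_loss

def simulate(runs=10_000, seed=1):
    """Run many scenarios and return the impacts sorted ascending."""
    rng = random.Random(seed)   # seeded so a reviewer can reproduce the run
    return sorted(one_scenario(rng) for _ in range(runs))

def exceedance(impacts, prob):
    """Impact that is exceeded with probability `prob` (0.8 -> 80% chance of more)."""
    return impacts[int((1 - prob) * (len(impacts) - 1))]

def summarize(runs=10_000, seed=1):
    """The three figures a decision-maker asks for, as a dict of US$ values."""
    impacts = simulate(runs, seed)
    return {p: exceedance(impacts, p) for p in (0.8, 0.5, 0.2)}

if __name__ == "__main__":
    for prob, impact in summarize().items():
        print(f"{int(prob * 100)}% probability the annual impact exceeds ${impact:,.0f}")
```

The three printed lines have the same shape as the figures reported above; swapping in your own ranges changes the numbers, not the method.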
This analysis does not tell us what the ultimate business decision will be. One decision-maker might conclude “I approve your request to invest in endpoint protection”, while another decision-maker might conclude “that’s a risk I’m willing to live with.” But that’s exactly the point: this type of analysis helps to make decisions within the organization’s appetite for risk.
In the next blog, we’ll expand on this approach to address another task that has never been easy – to show the business decision-makers how an investment in information security actually reduces risk.