Security Vendors and Social Responsibility

Or why their products should be priced more affordably

Pete
SecurityBytes
12 min read, Dec 18, 2017


The last two or three years have been hilarious. I’ve gone from being a nerdy bastard who needs to shut up about nerdy things and go get another round in, to a nerdy bastard who still needs to go get another round in, but upon my return tell InfoSec horror stories. People love horror stories. Even my grandmother, who is of very advanced years, mentions InfoSec things she’s seen on the TV when I go to visit, because she sort of knows I work in that area, and she’s great like that. In short, People (capital P very much intended) now care, which is a great thing no matter how you slice it. The problem with People caring is that some of the People control purse strings for companies. These People are getting nervous that if bad things occur on their watch they will have to pull the rip cord on the golden parachute, or blame that one IT person for not doing that one thing.

So there is now metaphorical blood in the water, and money to spend. Who loves money more than a vendor? Well, Scrooge McDuck and Mr Krabs, but I reckon vendors run a close third. I started doing some investigations into the costs associated with ‘Security’ and all the things therein, into what it actually costs to do it ‘properly’. I set up a matrix of ‘Core’ solutions you’d expect and set out to get prices from vendors: no haggling or negotiation, just what they think their service is worth spending on. In the first draft of this I started to present the findings based around a ‘mythical’ company and a specific scenario. Turns out getting responses, even with a very definite set of (fictional) requirements, is rarely possible without having an introductory call, a presentation and being talked at about how they are simply the best option for all your security needs and have the minimum of false positives.

Turns out I have neither the time nor the energy to do this matrix justice. My objective was to highlight specific security controls and get quotes in every area for a minimum of three products; it didn’t quite pan out that way.

I was working to the following scenario:

You have in your greasy hands a completely unsecured environment with no security team. You’re a conscientious ‘security professional’ but you’re all knowledge and not an engineer. You know what needs to be done but not how to do it. You’re in at the deep end and you know you need help to present anything resembling a united security front. Your business lives and dies by its web presence. You have a team of 250 Developers creating applications for consumption on the web site, which is your revenue stream and is vital to your survival. You run an 80/20 split of Linux and Windows within your data centres, of which you have two: one live, one DR. Within these environments you run a 70/30 split of Containers and Virtual Machines to facilitate your web site and associated applications. The combined total of both of these is 2000 hosts. Your corporate environment consists of 1000 employees running either Windows, MacOSX or Linux depending on role, across two separate offices. Managers are allocated corporate mobile devices and home working is allowed. All employees are provided a corporate email account. You take and process card details as part of your business and you also deal with third party entities.

As such I am going to list the ‘control’ and then, where possible, a reasonable average cost, and where that isn’t available, just the most expensive option. Vendor names, unlike in an early revision of this, will not be used. I also realise this means I am not looking at the cheapest possible scenario. I’d have much preferred to get multiple costs and take averages across everything, told you who was cheapest and most expensive and all the juicy info; I just don’t have that kind of time and there is no online resource I can see that provides these answers in a simple digestible format (someone should build this).

Vendor interview, Live!

These are the things I would personally be considering as a starter for 10 (this is not exhaustive, so don’t explode my inbox cos I missed your particular favourite bit of security infrastructure).

  • End point protection / Anti-Virus
  • SIEM Platform
  • Software to continually test SIEM effectiveness
  • Software Delivery Life Cycle Controls
  • Static Code Analysis
  • Dynamic Code Analysis
  • Library and file vulnerability Monitoring
  • VM / Container Anomaly detection
  • Vulnerability Scanner/scanning
  • e-mail malware filters
  • Penetration Testing (PCI Compliance)
  • Perimeter Web Application Scanning
  • Data Loss Prevention Solution
  • Logging and Auditing Solution
  • Web Application Firewall
  • DDOS mitigation solutions

As we can see, there are a lot of whirling parts that security needs to consider. The UK has an average breach cost of 2.5 million quid when viewed across all sectors. Blimey, that’s a lot! This goes down when certain controls are in place, but also up when other things exist or occur (third parties), so I left everything turned off for this number.

Your agreement/mileage may vary.

Faff with the buttons for yourself here: https://databreachcalculator.mybluemix.net/

So how do the costs of ‘securing’ your environment compare to the cost of running the risk?

End point protection / Anti-Virus.

All hosts in a row, our scenario has 1000 traditional hosts (the corporate estate) and another 600 VMs. This ended up sitting at around 20k per annum in licenses.

SIEM Platform

This one is interestingly difficult to tie down: some charge on a throughput basis, some on a per-device basis, and for the sake of conversation I am also treating SIEM as DC IDS/IPS. So in our scenario we have 2 DCs and 2 Offices, hence 4 SIEM ‘appliances’. Due to the fictitious nature of our scenario, and to minimise arguing, I am taking the on-site per-appliance approach, and general pricing seems to average out at 10k per year per device. 40k in our scenario.

Running Total: 60k

Software to continually test SIEM effectiveness/Pen Testing

I was completely unable to get a price out of an unnamed vendor who offers this service as an agent, and they seem to be the main/only player in this space at the moment, so I have had to fall back on more traditional manual pen testing.

As an average based on querying some pen test companies, I have found the day rate is £1000. Assuming a pen test of two weeks, plus 3 days of pen testing per web-facing application, and taking an arbitrary number of 10 apps a year, you’re looking in the vicinity of 130k per year.

Running Total: 190k

Software Delivery Life Cycle Controls

Oooh oooh baby, I got a legitimate quote for this one (I quite like build pipeline/SecDevOps/SDLC, so went through the leg work). I wanted the solution to cover off a standard registry go/no-go decision on push into the registry, the monitoring of files, libraries and associated dependencies, CIS Benchmarking for container build validation, and anomaly detection on live hosts. I was quoted an eye-watering 400k per year.

Running total: 590k

Static Code Analysis

Having reviewed and got prices against 4 ‘industry leading’ solutions, there was quite a bit of variance in the license structure: some were on a per-application basis, some on the number of users, some on the number of different languages you wished to analyse.

Taking averages and using voodoo, it comes out at around 50k per year.

Running total: 640k

Vulnerability Scanner/scanning.

There are a good number of vendors in this area, and it’s one of the cheaper aspects of security (assuming you don’t dive into managed solutions with fancy portals and what not). I’ve taken an average against 3k hosts and come out at approx 4k per year.

Running total: 646k

e-mail spam/malware filters.

Not much to say on this one: 4k.

Running total: 648k

Penetration Testing (PCI Compliance).

Pen testing as part of PCI compliance is an interesting thing. I’m not going to add a value in here as we already have the SIEM platform/pen testing as a separate item; an annual pen test can be used as evidence from a PCI compliance point of view.

Perimeter Web Application Scanning.

As with the PCI testing this is an interesting one, as we already have vulnerability scanners in the mix; however a perimeter network scan is not the same as a perimeter web application scan, which in turn is not the same as a pen test. Once again I am going to leave this as a null figure, although, arguably, this list isn’t offering a web application perimeter scan.

Logging and Auditing Solution.

This is a bitch to pin down. It is not per se a security solution; most aspects of an organisation will be making use of this functionality to track all manner of metrics. Certain logging solutions offer ‘add-ons’ for security purposes, but these then begin to resemble SIEM platforms.

The market is not entirely awash with alternatives to the one with a moderately comical name, and finding prices was even harder. So, for full disclosure, and on the assumption that Security is one aspect of overall Capex/Opex spend, I am assuming security is responsible for 1/6th of the cost of the solution, at 120k.

Running total: 768k

Web Application Firewall.

Assuming both a live and a DR WAF within each of the live and DR data centres, my average based on chats and research is around 4k per device per year for the Web Application component of the firewall. So a WAF will set you back 16k per year.

Running total: 784k

DDOS mitigation solutions.

This depends on what level of protection you require and the pace you require it at. Do you only need layer 3/4, or do you need some layer 7 in there too? I’ve got prices on volumetric attacks at layers 3 and 4 only. This came in at 120k.

Running total: 884k

Dynamic Code Analysis

I am treating this as a build-pipeline-type interface with an automated tool looking for the OWASP Top 10 and known CVEs, licensed for 25 devs who shall act as mythical QA in this scenario. That comes out at 7k.

Running total: 891k

Data Loss Prevention Solution.

The following white paper assumes a DLP solution costs $17.50 per user per year.

Which with some rounding is £13 per user per year in Pounds Sterling. We have 2000 devices, so that’s another 26k.

Total: 917k

So around 36% of the cost of a breach on a per annum basis. That doesn’t sound like much, does it? But consider for a moment that this doesn’t include ongoing operational costs, relevantly skilled security personnel to maintain and operate these tools, or enterprise support for both the install and continued support of the platforms.

I’m going to take a conservative view and suggest this would be another 30%-ish of this cost on top, so let’s round to 275k. So we are effectively looking at, in my ever humble opinion:

Final Total: £1,192,000.

Yep, over a million. Now, for those that have never given any consideration to what a security function looks like to management and C-Levels, that’s what it looks like: a money sink, just on tooling and licensing and a bit of man power to operate it. Gone, and providing tangible cost savings is a wildly difficult task. Now, I am no master of statistics, but this cost for a business the size of our example is a BIG chunk of change. This leaves three main things that can occur: you get the lovely monies and protect your infrastructure to the best of today’s security standards and offerings; or you get a smaller percentage of your monies and protect what is deemed most critical by the business; or the third option, we don’t deem security important enough to have a real budget for it, sorry. It’s very much the latter two scenarios that have prompted this post.

Conclusions

I didn’t really know what this number was going to come out at when I started this post (I’ve been adding to it on and off for around 2 months at the time of finally posting), but I was guessing that it was going to be in the realms of ‘that’s as expensive as a breach!’. It turned out to not be quite that much, which stopped my rant about how, when security costs as much as a breach, it’s incredibly hard to justify the costs. However, that’s not what occurred; we are looking at around 47% of the average cost of a breach to put security in place, but don’t forget this is per annum, which is still ludicrous. In a two year period you’re paying almost the same amount in defence as an average breach is going to set you back. My highly unscientific approach to these costs shows that the sales guys seem to have landed in a sweet spot where they are charging enough to keep their products viable, just, but only to the big spending companies and corporations. Which brings me to the main crux of my post: from a financial point of view they are leaching as much money as possible, cos you know, vendors. However, with the growing trend in breaches and the growing complexity of today’s infrastructures in the world of cloud computing and Software as a Service (SaaS), should Vendors not be taking a more socially responsible approach and providing these services at rates more affordable to people that don’t reside in the FTSE 100?

With the upcoming GDPR directive and associated fines:

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

We are entering a world where a vast number of companies are going to find themselves in need of a Security overhaul, and in my experience, getting a company to treat Security seriously is a tough enough job in its own right without the added burden of explaining why you need an additional million a year to do it justice. To me, it is starting to feel like the global increase in reported security incidents, and certainly headline-grabbing breaches, is driving an increase in the cost of security products. This blood-in-the-water approach is marginalising those without vast amounts of cash in the coffers, making them more susceptible to breach, driving further security incidents, and further inflating the costs of the security solutions as they are seen to be increasingly critical. It is becoming a self-fulfilling prophecy, and the Vendors and their pricing are driving this issue.

Lowering costs would also enable companies to invest in some layer 8 solutions (People) to actually support the large raft of products that are being sold to the fearful C-Levels to stop their sleepless nights. Because make no mistake, there isn’t a Vendor in the land who is going to realistically talk to you about the operational and personnel implications of their latest greatest whiz-bang solution, unless you’re taking the Enterprise Support package that will cover all aspects of maintenance and day-to-day operation, which ultimately will cost more than standing up a full team and which itself will be staffed by outsourced contractors provided by the lowest possible bidder. Maybe I personally have just never been in the right meetings, but I’ve never heard “this product needs three heads, full time, with a background in vulnerability management, and the market rate for these people in your location is about £x, so don’t forget to provision for that”.

Consider the following:

Hardware == Security

vs

Hardware + appropriately skilled people + strong internal policies and procedures + C-Level/Upper management support and backing == Security

Which do you think provides the strongest security posture, and which do you think a Vendor is trying to sell you? If their true intention was to improve the security posture of your organisation they would be looking at the bigger picture, pricing appropriately, and advising on all the peripheral considerations less mature businesses might be blissfully unaware of. Like, who is going to deal with the alerts your SIEM platform is actually spitting out? Who is going to ensure your on-premises end point protection solution has the right definitions, is up to date, and that every install has successfully received these updates?

Security is good for everybody (well, not criminals); products in the right places with the right service and support wrappers are good, and by pricing anyone out of the market, Vendors are doing a social disservice at a time when Security is becoming more and more of a social concern.


InfoSec architect, analyst and researcher. Suffering from full time imposter syndrome.