Enterprise Security Test Part 4 - The Cost of Not Testing for Security Resilience
The real world can be harsh. The media is littered with companies that had every intention of securing their networks and then quickly succumbed when attacked.
After the attack, the organization (and, in today’s media-rich environment, the rest of us) considers what happened and what went wrong. What is surprising is that many of these incidents were based on well-understood attack strategies that have not changed much over the years, other than becoming more targeted and persistent. Consider DDoS attacks, where attack strategies from the ‘90s are still used today, now with the ease of generating massive volume and long duration from the attacker’s side. Even though the Target and Sony breach post mortems didn’t reveal any new exotic attack vectors, the impact was far-reaching and costly. Target, Sony, and the line of other stricken enterprises could each be a poster child for the need for security resilience.
Do You Know How Your Personnel and Network Will Handle the Inevitable Attack?
Attacks are inevitable in today’s threat environment, which has led companies to focus on security resilience. Resilience is the ability to bounce back, and every second spent defending and recovering counts.
Testing technologies, networks, and personnel with simulated real workloads at scale while under attack gives the organization advance knowledge of how it and its technology will behave, and ultimately identifies the breaking points. With that knowledge in hand, you can adjust configuration, architecture, and policies to ensure that defenses work properly and that the network will bounce back within a reasonable timeframe after an attack.
There is a high price to pay for a network that is not resilient, not only to attacks but also to the difficulties that come with ongoing life-cycle processes and change management. Let’s explore just a few of the costs.
The Cost of Downtime
No technology, network architecture, or even rigorous, disciplined testing can guarantee that issues will not arise in production. After all, attackers are persistent, technologies fail, humans err, and the landscape is always moving.
However, real-world security testing does help you find problems, validate what you think you know, and discover unknowns in advance of a costly security incident.
Security incidents are costly, and part of that cost can be quantified for enterprises as lost productivity due to unplanned downtime. A July 2014 Gartner blog reported that network downtime typically costs enterprises $5,600 per minute.
A network resilient to attacks, misconfiguration, bottlenecks caused by integration, and changes from user behavior and patching can be the difference between an inconvenient incident and going out of business for many organizations.
[Table: downtime (minutes) against dollar impact, at the $5,600-per-minute figure cited above]
Attacks and network incidents are inevitable in today’s application- and threat-driven environment. The time it takes to defend and restore full operation is critical. The dollar-impact math is simple: minutes of downtime multiplied by the per-minute cost.
DDoS: Taking Downtime to an Extreme
The number of distributed denial of service (DDoS) attacks is on the rise, and they are growing in size and increasingly use application-layer strategies. Attack timing and duration are the most problematic aspects: attacks are conducted at critical times in the targeted organization’s business window and, if successful, cause the equivalent of unplanned downtime.
The Prolexic Q1 2014 Global DDoS Attack Report revealed that DDoS attacks average 17 hours in duration. That amount of time is staggering by itself, but the crippling inability to defend and recover, multiplied by the cost of downtime, is even more onerous:
17 Hours = 1,020 mins
1,020 mins x $5,600/min = $5,712,000
Once again, security resilience can make the difference between timely recovery and going out of business.
These are just some of the cost impacts that real-world testing can help to eliminate or at least substantially reduce. I challenge you to estimate some of the above numbers for your particular network and see what they tell you. I’m sure you will find that you can’t afford not to test.
Rollbacks and Change Management
Patching and upgrading technologies is a common occurrence in modern networks and a critical aspect of securing your network, devices, and applications. Unfortunately, most of us have experienced a fair number of patch, feature, and even equipment rollbacks.
Rollbacks are, first, embarrassing and, second, they add cost to operations. No one plans for firmware updates to be rolled back to a previous state, so personnel time has to be diverted from planned work to unplanned work. Additionally, equipment and security effectiveness are compromised for the period during which the affected systems are out of service.
These issues can be mitigated if the patch or upgrade is tested against the previous baseline in the staging phase of the rollout, with the same due diligence applied as when the technology was first brought into the organization.
The dollar impact of rollbacks is not so easy to quantify, as most of the costs vary widely: labor ($75-$150/hr.), travel if required, support-ticket management for complaining users, troubleshooting hours across tier 1-3 support, and taking products out of service during the unplanned rollback.
Perhaps we can treat these as inefficiency rather than as total failure. We will leave it to you to estimate in your own context and chalk it up as more of an embarrassment than the kind of catastrophic event that can rip apart a business’s bottom line.
Take the Challenge
This is the final blog of my 4-part series on why testing is a critical part of every organization’s battle to ensure network security resiliency that can handle the worst from global attackers. Even if you disregard all other benefits of security testing and look purely at the dollars, you can’t afford not to test.
I challenge you to skim through this blog and the Part 3 blog, tally up the estimates for your company’s technology implementation, and derive the potential cost if you don’t test. I’d love to hear what your number is.
- Enterprise Security Test Part 2: Why Test, and Debunking Enterprise Testing Myths
- Enterprise Security Test Part 3: Quantifying the Dollars of Data Driven Security Investments
BreakingPoint – Application and Security Test Solution
Application and Threat Intelligence – Intelligence Subscription Service