SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Measuring the high costs of web malware protection
Mon, 5th Sep 2016
FYI, this story is more than a year old

A ransomware attack is terrible for consumers, employees and businesses – and you can put a price tag on recovery.

According to FBI's report in April 2016, “Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers,” as reported by CNN. A typical ransomware might demand a payment of $10,000 or more; such as how the Hollywood Presbyterian Medical Center forked over $17,000 in February.

Just as importantly, the costs of recovering from a ransomware or other cyberattack are well understood…but how much should an organization spend to prevent one in the first place?

CEOs and others accept that they have to invest in cyber-protection. The bad news is that it is difficult to judge if they are spending wisely, not overspending out of fear. The good news is that there are ways to spend smarter, getting a better security posture while also reducing expenditures. Let's get into that shortly, but first, let's look at one of the biggest attack surfaces facing modern businesses: Websites that can deliver malware, including ransomware.

How the web can wreak havoc

Websites are one of the most common malware vectors (along with malicious emails) that can provide the entry point to many other types of hack attacks. Block access to the web, and you've made a dent in overall cybersecurity risks.

There are more than 550 million malware variants, reports AV-TEST, with more than 390,000 new malicious programs being identified every day. There are multiple ways malware gets into an end-user's computer – and from there, the malware might have unfettered access to everything on that computer and other resources on the business network.

In many cases the end user did absolutely nothing wrong… but became infected anyway. Blocking access to these uncategorized sites reduces the chances of malware infection, but introduces a number of problems and hidden costs, such as more help-desk tickets.

The problems with allowing access to uncategorized sites

  • Risk: The risk of malware from allowing access to uncategorized sites it significant. A large Fortune 50 financial services institution tasked their security research team to analyze the sources of malware infections for 3 months. Their internal report showed that more than 60% of the infections were from uncategorized sites. These infections are costly given that a large enterprise can spend an average of almost 600 hours each week on malware containment. Considering $82 per SOC-engineer-hour X 52 weeks X 600 hours per week, that's more than $2.5M spent annually on that one task.  
  • Cost of sanitizing infected machines: Sanitizing infected machines can be quite costly. A large service provider in Asia was forced to re-image and average of eight end-point devices each week because they no longer believed they could successfully disinfect machines using traditional antivirus solutions. An internal analysis showed that this practice cost them US $3-4 million per year in IT and productivity loss.  
  • SOC costs: Allowing uncategorized sites means more security alerts. In Japan, and most regulated industries across the globe, every alert from every security product has to be fully analyzed for possible endpoint compromise. According to the Ponemon Institute, two-thirds of the time spent by security staff responding to malware alerts is wasted because of faulty intelligence. It costs organizations an average of $1.27 million annually in time wasted responding to erroneous or inaccurate malware alerts.  
  • SOC turnover: The average employment term of SOC engineers is roughly a year, after which they resign due to alert-fatigue – that is, they are simply overwhelmed by the repetitive work of responding to all those security alarms. Recruiting costs in this area are high, as it is increasingly difficult to hire qualified SOC engineers. This is because fresh graduates are more compelled to build apps rather than learn security and forensics, a career path with a steep learning curve and a high-degree of expertise required to make sense of the complexities.

Consider a base salary of $170,000, and the typical 25% recruiting costs to fill those jobs. If there's a conservative 40% turnover rate within a 5-person team, the recruitment cost alone is $85,000 per year. If you consider the opportunity cost of two existing SOC engineers spending 25% of their time training two new employees, the cost is an additional $85,000 per year. Combine these, and the total annual turnover cost is $170,000.

The problems with denying uncategorized sites

Number of Trouble Tickets: Denying uncategorized sites creates an overwhelming number of recategorization requests. For a global investment firm, the number of tickets to recategorize per day was approximately 2000 across 250,000 employees. More than 75% of these requests were non-work related like veterinarian research, schools, soccer little league, etc. With more than 5 dedicated people parsing through the requests, the issue was frustrating and expensive, costing approximately $850,000 per year.

Recategorization experts – Recategorization is a manual process. A European insurance provider and a large Japanese manufacturer were inundated with such requests when they began blocking access to uncategorized sites. The issue was compounded by the fact that their secure web gateway could not help them to determine the security posture of the sites in question.

The organizations had 16 and 5 security analysts respectively dedicated to analyzing sites before recategorization. Another global financial services firm had a staff of 20 around the world to, in their own words, “recreate the Yahoo index.” With a conservative SOC staff of 5, this team cost an enterprise over #3 million annually.

Looking at it another way: Blocking uncategorized sites prevents users from accessing legitimate content, which compromises productivity, and generates requests for re-classification of blocked content. Meanwhile, allowing access to uncategorized sites means more malware and phishing attacks reach users, which can lead to breaches and significant losses via data theft and fraud. In addition to user issues, it is very costly (often impossible) for IT staff to chase all alerts generated by unclassified sites, resulting in high costs and reduced security. You just can't win with a traditional approach.

A more effective strategy: Isolation

Isolation technology, by its nature, doesn't open websites on the end-user desktop, notebook or mobile device, but rather, in a secure virtual container on a cloud-based platform. The end user interacts with the site through technology that renders a user experience that is indistinguishable from direct access.  By executing sessions away from the endpoint and delivering only safe rendering information to devices, users are protected from malware and malicious activity.

Malware has no path to reach an endpoint, and legitimate content needn't be blocked in the interest of security. Administrators can open up more of the Internet to their users while simultaneously eliminating the risk of attacks,  

Isolation puts an end to their costly no-win situation:

  • Risk: No active web content reaches the endpoint, thus uncategorized sites present zero risk.
  • Cost of sanitizing infected machines: Isolation eliminates the web as a malware threat vector, drastically reducing number of machines to be reimaged. Reduces the urgency around patching machines for every browser and plug-in vulnerability.
  • SOC costs: Isolation stops threats before they are detected by traditional solutions, eliminating erroneous or inaccurate malware alerts.
  • SOC turnover: Alert fatigue is minimized along with SOC staff turnover.
  • Number of Trouble Tickets: Employees are more productive and are now free to safely explore the web without submitting recategorization requests

Meanwhile, no software needs to be installed on the end-user's desktop, notebook or mobile devices – not only saving IT time and money, but also eliminating concerns about keeping end-user software up-to-date.

With more than 550 million malware variants, and hundreds of thousands of new malware being discovered every day, the traditional approach to malware detection has many hidden costs – in time, in talent, and in staffing, as well as the cost of buying and maintaining security products.