A leadership perspectives white paper

Transcription

1 Managed security cyber threat prevention A leadership perspectives white paper Recommended next steps for business leaders Number 5 in a series Executive Summary Enterprise IT security staffs continue to be hampered by not knowing when and from where business information systems could be attacked. This is because the threat landscape is constantly shifting, with different types of attack and new potential vulnerabilities appearing on a daily basis. The costs involved in guarding against such attacks with self-administered information security and onpremise staff using bought in data security tools and systems are considerable and getting bigger. Adoption of a managed security solution not only offers businesses a more comprehensive and proactive defence strategy against cyber threats, but can be more operational and cost-effective than DIY procedures. It is a solution that promises to reduce risk and expenditure.

2 Business case overview Cyber criminals are now employing so many different techniques to spread malware that keeping up with threats has become a full time job. In fact, almost all organisations now have to employ a small IT security administration group to deal with the task. Blocking cyber attacks and fixing vulnerabilities can be hit and miss unless organisations invest in specialist tools and training. Indeed, despite all the precautions taken by enterprise IT, it is estimated that most users PCs contain on average around 12 different vulnerabilities. Locally, the problem is big and getting worse: Intelligence gathered by du shows that a staggering third of a trillion potential security incidents were detected last year across the global. Of these threats, spam was a major segment and around 6% of the world s spam now stems from the Middle East region. Egypt and Saudi Arabia find themselves among the top three targets for online banking virus attacks. The capex investment and opex involved in guarding against such attacks with on-premise selfadministered information security staff are not only considerable but are not wholly effective. 1. With virus attacks, it is said that an IT administrator will take on average around 2.75 hours putting in place corrective measures against successful attacks for each securityrelated event. 2. The security gateways that are now installed across almost all organisations will sieve out hundreds of thousands of spam messages that are normally found among incoming business . Yet a company s IT help desk will still have to spend time responding to service requests from employees helping them retrieve legitimate that has been blocked by an overzealous spam filter. 3. As for data loss through user carelessness or theft there are potentially huge consequential losses at stake, in the form of actual commercial loss and/or reputational damage. Security software vendor Symantec has estimated that large enterprises in the UAE stand to lose $2 million on average due to data loss incidents. 4. A new and authoritative report from the UK government puts another figure on the cost of cyber crime. It calculates that cyber crime is costing UK businesses more than 2.3 billion a year in total from direct online theft, and from the loss or theft of customer data. The report warns, Cyber criminals can range from foreign intelligence services and large organised crime groups, to disreputable (but otherwise legitimate) companies and individuals or small groups of opportunists. These professional criminals exploit vulnerabilities in the use of the Internet and other electronic systems to illicitly access or attack information and services used by citizens, business and the government. Governments across the Middle East are taking the threat seriously and introducing legislation to fight malicious activity across the Internet. In fact, the UAE has taken the lead in this regard. In 2006 it became the first in the region to legislate against cyber crime, with punishments enforceable in the courts. All types of cyber crime Cost of different types of cyber crime to the UK economy 10,000M 9,000M 8,000M 7,000M 6,000M 5,000M 4,000M 3,000M 2,000M 1,000M 0M Online fraud Scareware Identity theft IP theft Esplonage Customer data loss (reported) Online theft from business Extortion Fiscal fraud

3 Assessing the threat and tactics for prevention Guidance issued by the Security for Business Innovation Council (SBIC), asserts that for most organisations, it s a matter of when, not if, they will be targeted by advanced cyberthreats. It says that corporations and government agencies are not inclined to admit they ve been compromised. Despite this reluctance, dozens of sophisticated, targeted cyber attacks involving major corporations have been reported in the news in the past 18 months. Compromised credit and debit card records held by a discount retailer group TJX in the US ended with it paying out millions in fines and compensation to the trade commission, credit card companies, banks, and consumers. A group of 11 hackers were arrested. Sony reported a series of hacking attacks on a number of its websites, with personal data stolen in Canada and leaked in Greece. The company behind the Nasdaq Stock Market disclosed its servers had been breached, leading it to call in outside forensic firms and US federal law enforcement agents. Micro-blogging site Twitter admitted that some of its most high profile bloggers had been targeted by hackers, including those belonging to Barack Obama. Financial statements issued by Heartland Payment Systems indicated that the company accrued $140 million in breach-related expenses after its credit card payments processing processes were compromised. These cases are likely just the tip of the iceberg, and there are many other reports about other organisations in many industries having been affected by cybercrime, including: Broadcast industry Critical manufacturing infrastructure Defense industry Financial-services industry Governments worldwide Oil-and-gas industry Online-gaming industry Marketing-services industry Security industry In an environment where the focus shifts from the almost impossible task of preventing intrusion to the crucial task of preventing damage, SBIC (which is a body that includes executives from 16 global commercial and public sector agencies), recommends several defensive measures that organisations should consider: 1. Up-level intelligence gathering and analysis Make intelligence the cornerstone of your strategy. 2. Activate smart monitoring Know what to look for and set up your security and network monitoring group to look for it. 3. Reclaim access control Rein-in privileged user access. 4. Get serious about effective user training Train your employees to recognise social engineering and compel them to take individual responsibility for organisational security. 5. Manage expectations of executive leadership Ensure the C-level realises the nature of combating threat is fighting a digital arms race. 6. Rearchitect IT Move from flat to segregated networks so it s harder for attackers to roam the network. 7. Participate in intelligence exchange Leverage knowledge from other organisations by sharing threat intelligence. The Middle East is taking the threat of cyber crime seriously introducing legislation to fight malicious activity, and investing in latest security technologies and managed security solutions

4 Security technologies that Middle East enterprises currently have or use and are prioritising for investment by Percentage of respondents Network Security Security Vulnerability Mgt Information Protection Content and Web Filtering Identity/Access Management End Point Security Have now Have in 6 Months Have in 6-24 months Invest within 6-24 months Invest within 6 months Mitigating against threats to business With such guidance in mind, enterprises understandably are taking the threat of cybercrime seriously. Consequently over 40% of large businesses expect to have to spend between 5% and 15% more on information and cyber security in 2011 than they have in the past. Vulnerability management systems, intrusion protection software, and IT applications that will monitor for unsanctioned data leakage across the company firewalls, are areas where larger UAE organisations will spend more in coming quarters. Despite these investments, IT security staffs in a good many organisations actually only become aware of a specific security vulnerability once the consequences of the breach become visible. So although business is investing ever-increasing amounts of time and money on information security operations, organisations find they can be ineffective in the fight against cyber threats. To mitigate against this, and as a means of developing a more proactive stance towards cyber threats, contracting with a managed security services provider (MSSP) is proving popular. As an alternative to the in-house DIY operations of the information security team, an MSSP offers several hard and soft business benefits: A comprehensive security service founded on up to the minute threat intelligence. A proactive service bought at a fixed cost with a measurable return on prevention. Protection of the organisation s fixed networked and wireless assets is taken care of by specialist staffs working 24 x 7 from a dedicated operations centre equipped with the latest software tools. Security software updates occur reliably and are distributed automatically by the service provider, which means the enterprise always has defences in place to deal with the latest threat type. The arrangement allows the organisation to retain complete control of Internet usage policies. The arrangement means that the in-house, onpremise IT security team is freed up and can reallocate time and resources to other businesscritical processes. Experts agree that provision of a 24-hour managed service improves network security posture and lowers security costs. It is worth exploring the costs of running a traditional set up, where information security is monitored and managed on premise by an organisation s own IT security staffs, and comparing this with the innovative managed security solution model of an external specialist service provider.

5 Itemising the comparative cost of cyber security Traditionally, the in-house IT security team spends its time reacting to incidents and taking preventative measures to stop them re-occurring. The fixed costs of labour, premises, hardware assets and software tools for managing firewalls, updating anti-virus signatures, carrying out intrusion tests, monitoring spam filters and preventing unauthorised access make for a high TCO. As the example sketched below indicates, out-tasking just the firewall deployment and management task to a managed solutions provider offers considerable TCO gains, even for an SMB organisation. On-premise security set-up versus managed firewall alternative In-house firewall deployment/management Managed firewall solution Firewall hardware and software $1,345 Service fee ($/month) $150/month Security management platform $7,019 Install $100 Personnel support and training $44,000 Contract length 24 months Cost of capital $2,317 Total cost $54,681 Total cost $3,700 Total savings for a 50 employee site = $50,981 over 2 years or $2,124/month Source: Computer Security Institute Beyond the small business level, the TCO advantages of managed security are even greater as the sample breakdown developed by BAI indicates. Security requirements In-house professional team Managed security service Security staffing requirement 6 employees (24x7x365 coverage) Managed security team 24-hour service Experience/competence of staff Mid-level Expert Monitoring and response SLA 24x7x365 24x7x365 Administration SLA 24x7x365 24x7x365 Backup and recovery SLA Immediate Immediate Vulnerability testing frequency Quarterly Quarterly Staff salaries $70, % overhead x 6 0 IT manager 70% of $80,000 0 Training $5,000/year x 6 0 Hardware Software Four admin PCs, Firewall, Intrusion detection system $12,000 Firewall, intrusions detections software, security systems software $30, Maintenance & Support 20% for PCs; 20%+ for Software 0 Total Annual Costs: $644,400 ($24,000 $36,000 per year on average for 250 users) These cost estimates are based on a 250-user departmental environment, and service fees generally are charged on an annualised per seat basis, so this needs be taking into consideration when comparing scenarios. That said, the costs involved in on-premise self-administered security do not scale with the size of the organisation SMBs pay significantly more for IT security per employee than their enterprise counterparts: hence the popularity of managed security solutions in the SMB segment. All things considered, generally speaking a TCO analysis favours a managed solution, although organisations will have their own preference for upfront capex versus ongoing opex. The benefits of a pay-for-use managed solution can be expected to outweigh the variable cost of traditional on-premise approach. Perhaps the biggest benefit, however, is the way the MSSP will always be ahead of the curve in detecting and proactively defending against latest changes in the threat landscape which is difficult to do at the enterprise level without a dedicated

6 security operations centre. Out-tasking to an MSSP enables businesses to delegate IT security management to specialists who use real-time rule updates that keep pace with fast-breaking spam and virus campaigns. du is perhaps one of only very few suppliers in this region with the resources, the capability and the specialist competencies that are needed to function as an MSSP. Security is not a marginal activity for the UAE telco supplier. It has a dedicated team of qualified, experienced security professionals focused on information and data protection, and a Security Operations Centre that is ISO certified something that distinguishes it among service providers in the region. A preferred MSSP partner like du is able to provide a good spread of services, which can be augmented where needed by custom-built solutions depending on the specific needs of the customer. Included in its portfolio are: Security Consulting Services Security Project Services Security Assurance Vulnerability and Penetration Testing Security Audit Managed Firewall / Managed IDS Managed Firewalls IDS/IPS Services In Cloud Security Services Web and Security Services Monitoring and Management Services Security Event and Information Management Services End Point Security Services Security Services for End-Points, Terminals and Mobile Devices Most all organisations will already be carrying out some or all of these functions as part of its in-house security regime, and will have developed a number of information security controls around them. For some though, those controls tend to be somewhat ad hoc, disorganised and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. The security controls recognised by ISO are rated as systematic and coherent, meaning that du s information security risks are examined closely and rigorously, taking account of all of the threats, vulnerabilities and impacts. As an MSSP, du adopts the same well-orchestrated preventative and remedial security technologies and processes to protect customer assets as it uses to defend its own network assets. In its current set up, du is capable of protecting billions of dirhams of customer assets in the UAE. Conclusions: A mandate for managed security threat prevention Agenda item 1 Explore if, where and how the organisation has experienced downtime, outages or business disruption as a result of a cyber threat which was not detected and went on to compromise some system or business process. Agenda item 2 What is the organisation s view on consequential loss of potential security threat in the context of the cost of downtime, the possible loss or theft of customer data, and subsequent reputational damage to the business. What view is held by the CFO over the current balance of Capex and Opex in regards to existing IT operations? Agenda item 3 Task the CIO or IT director with establishing the cost of on-premise IT security operations to develop a cost of ownership for comparison with out-tasked options provided by a managed security supplier, taking account also of the impact on Capex and Opex. This is the fifth in a regular series of Leadership Perspectives White Papers, produced by du enterprise marketing in association with Ovum, a preferred knowledge partner For more information, please leadershipseries@du.ae or visit