The Risk vs. Cost of Enterprise DDoS Protection

Transcription

1 WHITE PAPER The Risk vs. Cost of Enterprise DDoS Protection How to Calculate the ROI from a DDoS Defense Solution 1

2 Every day, we hear more about distributed denial of service (DDoS) attacks. DDoS attacks can impact organizations of all sizes and across all industries, while disabling infrastructure resources, applications, and business operations. An effective DDoS defense system can safeguard business operations against DDoS-related outages. This paper provides a simple, step-by-step approach for evaluating the financial return on investing in a DDoS defense system. Using industry averages for attack frequency and outage costs, the results show that investing in an effective DDoS protection system, such as Bright House Networks Enterprise Solutions DDoS Mitigation, provides a strong positive ROI and lowers financial risk. Understanding the Risk of Attack Few studies focus on the probability that a business will experience a DDoS attack of significant impact. However, survey information from Forrester Research and Arbor Networks provides insight into the risk of such an attack. Forrester Research conducted a survey of 400 companies with significant online operations. 1 The survey s objective was to gather basic information on the DDoS threat to these businesses, which included online financial services, media, news, political sites, gaming, entertainment, web hosting, and ecommerce. Among the results, over 70% reported at least one DDoS attack in the previous 12 month period. Attack durations were highly variable, but the most common duration for attacks that had operational and business impact was two to six hours. Arbor Networks annual Worldwide Infrastructure Security Report 2 is an excellent source of more detailed information on the frequency and nature of DDoS attacks on Internet service providers (ISPs) and Internet data centers (IDCs). Based on the responses from 287 service providers, hosting companies, and enterprises, survey data shows that these organizations are experiencing a high frequency of DDoS attacks equating to multiple attacks per month (see Figure 1). Figure 1: Attack Frequency 6% 0 7% % % % % % More than 500 2

3 % of Survey Respondents McAfee 3 also surveyed IT and security executives from seven industry sectors and found the frequency and impact of DDoS attacks to be similar to those reported by Arbor. Arbors more recent survey in October 2014 reveals nearly half of enterprise, government, and education respondents seeing DDoS attacks during the survey period, with almost 40 percent of those seeing their Internet connectivity saturated. Just over a third of respondents indicated an increase in security incidents in 2014, with about half indicating similar levels to the previous year 4. The most frequently observed threats targeting enterprise, government, and education respondents are DDoS attacks, accidental data loss, and bottled or otherwise compromised hosts. Each of these categories garnered around a third of respondents (see Figure 2). This data clearly indicates that DDoS attacks are now seen as one of the top threats to enterprise, government, and educational organizations. This backs up anecdotal information, outside of this survey, indicating that a growing proportion of these organizations are looking for DDoS defenses. Figure 2: Most Significant Operational Threats 39% Internet connectivity congestion due to DDoS attack 33% Accidental data loss 32% Botted or otherwise compromised hosts on your corporate network 26% Accidental major service outage 26% Internet connectivity congestion due to genuine traffic growth/spike 18% Advanced Persistent Threat (APT) on corporate network 18% Exposure of sensitive, but non-regulated data 17% None of the above 15% Web defacement 13% Exposure of regulated data 13% Theft 12% Malicious insider 9% Industrial espionage or data exfiltration 8% Other The capacity to unleash a large DDoS attack is available to anyone simply by renting a botnet. Table 1 shows the results of a survey on botnet rental pricing. In short, the resources needed to carry out large-scale DDoS attacks are low cost and readily available. 3

4 Table 1: Botnet Rental Pricing PRICE DURATION HOURS BANDWIDTH MBPS $ $ $ $ $ $ ,000 $ ,000 $ ,000 $ ,000 $ ,750 $1, ,750 $5, ,750 $6, ,750 Botnets are not the only source of DDoS attacks. Social media sites can coordinate large numbers of willing users to carry out DDoS attacks as illustrated by the WikiLeaks inspired attacks in late Coordinated through Twitter, large numbers of end users downloaded a simple attack tool and directed attacks at numerous companies deemed complicit in interfering with what the users viewed as the legitimate activities of WikiLeaks. These attacks successfully targeted high profile companies, including PayPal, MasterCard, and Visa. The attacks went both ways as well. The provider hosting WikiLeaks had to remove the site from its infrastructure because DDoS attacks directed at WikiLeaks were impacting service to all its customers. The overall impact of a DDoS attack is a function of the time it takes to detect the attack, the time needed to mitigate it and the extent of service degradation both before and after mitigation. For many, detection consists of simply waiting for an attack to occur, and mitigation consists of dropping all traffic destined to the resource under attack. This is far from what mitigation should be. How quickly organizations respond to detected threats is hugely important, and has been highlighted as an issue in other studies. Arbor Networks 2014 Worldwide Infrastructure Security Report 4 asked organizations to estimate their average response times to security incidents. Enterprise, government, and educational organizations reported impressive response times (Table 2), although they are generally slower than those of service provider organizations. Table 2: Incident Response Time MINIMUM MAXIMUM AVERAGE Time from compromise to discovery 10 minutes 6 months 1 week Time from discovery to internal reporting 1 second 1 month 1 day Time from reporting to resolution 30 minutes 6 months 1 week 4

5 % of Survey Respondents About two-thirds of organizations reported having both an incident response plan and at least some dedicated resources (Figure 3). Fifteen percent of respondents indicated having no plans or resources, while another 18 percent have plans but no resources. Figure 3: Incident Response Posture 46% We have an incident handling plan with limited resources 18% We have an incident handling plan with a well resourced team 17% We have an incident handling plan with no dedicated resources 15% We do not have an incident handling plan or team 4% Incident response is outsourced to a third-party organization/service Understanding the Cost of an Attack Organizations observed a number of different business impacts as a direct result of DDoS attacks. About half cited operational expenses (Figure 4) and nearly 40 percent indicated reputation or customer loss due to DDoS attacks. One-fifth indicated direct revenue loss, with other impacts including employee turnover and stock price fluctuation. The costs associated with DDoS attacks are multi-faceted, and organizations should factor all of these into their calculations when looking at their investment strategies for defensive solutions. Figure 4: Business Impact of DDoS Attacks 49% Operational expense 37% Reputation damage/customer loss 20% Revenue loss 8% Employee turnover 4% Stock price fluctuation 2% Loss of executive or senior management 18% Other The cost of outages due to DDoS attacks is comprised of operational costs and revenue impacts. Lower-impact and lower-duration attacks may result only in added operational costs. Higher impact attacks will also negatively affect revenues as business operations are partially or fully impaired. The elements contributing to the overall cost of DDoS consist of some or all of the following: 5

6 Personnel time spent addressing and recovering from the outage Incremental help desk expenses Lost sales Customer credits and refunds Lost employee productivity Cost of customer defections and lost or missed sales Degradation of reputation resulting in higher customer acquisition costs and a lower rate of business growth The specifics of how outages result in financial losses vary with the type of business. Businesses that are transactional in nature, such as ecommerce, suffer loss as the result of lost sales that are not made up later and lost future business as customers go to alternative suppliers on an ongoing basis. A generic approach to calculating cost regardless of business type can be based on the annual company revenue and the percent dependence of the business on the IDC. Some businesses, such as ecommerce, are effectively closed when their data center is unavailable while other businesses can partially function during an outage. However, for virtually all businesses, the impact of an outage increases exponentially with the length of the outage. For example, 40% of businesses surveyed reported that a 72 hour outage would put their survival at risk. 5 Such impacts that extend beyond the period of the outage itself can be accounted for as lost future business. Table 3 illustrates this generic approach to estimating the cost of DDoS induced outages using an example of a business fully reliant on its IDC and with $50M in annual revenue. Table 3: Modeling Cost of Outages Due to DDoS ATTACK DURATION HOURS OPERATIONS #hours x # staff x cost/person/hour HELP DESK # hours x calls/hour x cost/call LOST CURRENT REVENUE Enterprise revenue x % business loss x outage duration LOSS OF FUTURE BUSINESS Present value of 1 year lost growth TOTAL COST PER ATTACK x 4 x $75 4 x 25 x $20 $50m / 8760 x 4 0% x $50m x 2.49 $26, x 4 x $75 9 x 25 x $20 $50m / 8760 x 9 0% x $50m x 2.49 $58, x 4 x $75 18 x 25 x $20 $50m / 8760 x % x $50m x 2.49 $428, x 4 x $75 30 x 25 x $20 $50m / 8760 x % x $50m x 2.49 $817,773 Combining the DDoS attack risk profile with attack cost estimates produces the expected cost over three years, as shown in Table 4. Table 4: Three Year Expected Cost of DDoS Attacks ATTACK DURATION HOURS EXPECTED NUMBER OF ATTACKS OVER 3 YEARS COST PER ATTACK EXPETCED COST OVER 3 YEARS $26,031 $49, $58,570 $81, $428,390 $385, $817,773 $245,320 TOTAL EXPECTED COST $762,327 6

7 This cost can now be compared to the alternative of investing in a high quality cloud-based DDoS defense system, which can be expected to eliminate the extraordinary expenses of dealing with DDoS attacks through traditional methods (e.g., black holing customer traffic, removing domains, etc.). The cost of an effective hosted DDoS protection solution is generally a function of mitigation capacity that is, how much attack traffic the device can handle. This example assumes that a system capable of mitigating 2.5 Gbps is sufficient and can be purchased for $3,000 MRC (monthly recurring cost). Using the data above, Table 5 shows the cost-savings of a three year investment in a cloudbased DDoS defense system. Table 5: Cost-savings of a DDoS Defense Solution 3 Year Investment in Cloud-Based DDoS $3,000 MRC $108,000 3 Year Expected Cost of DDoS Attacks $762,327 Total Cost-Savings Over 3 Years $654,327 Payback 5.1 Months Choice of DDoS protection solution matters. Traditional perimeter security products, such as firewalls and intrusion prevention systems (IPS), are unable to address the DDoS threat to availability. The attack traffic has already reached the network by the time it hits the firewall. A cloud-based DDoS defense system captures the traffic in the providers network mitigating the threat and ensuring business operations continue as usual. To realize the projected benefits of deploying a DDoS mitigation solution, due diligence is needed on the part of the technical staff when selecting a solution. DDoS Mitigation from Bright House Networks Enterprise Solutions protects an organization from DDoS attacks by removing the threat before it reaches the network, ensuring business continuity. Battling multi-vector DDoS attacks requires a full array of mitigation tools and security expertise, which could cost hundreds of thousands to set up internally. Investing in a high-quality cloud-based defense system like DDoS Mitigation can reduce capital expenditures, labor costs, and eliminate false positive alerts that add to the cost and workload of internal staff. An added advantage to the Enterprise Solutions service is network ownership end-to-end, allowing a single point of accountability and response to incidents. Conclusion The volume, intensity, and frequency of DDoS attacks all continue to grow. Any organization with a significant web presence or that is reliant on Internet connectivity for business continuity, is a potential target and should consider the protection levels required to maintain normal business activity. Given the high bandwidth capacity needed to handle today s volumetric attacks, the cost and complexity of DDoS protection, and the expertise needed to stay up to date on the latest threats, tackling DDoS attacks on one s own can be a daunting challenge for an organization. Bright House Networks Enterprise Solutions DDoS Mitigation addresses network and service DDoS protection requirements for the enterprise providing the traffic visibility and actionable intelligence into threat activity to help secure network services and improve performance. 7

8 For more information and resources visit Bright House Networks Enterprise Solutions at www. or call References 1 The Trends and Changing Landscape of DDoS Threats and Protection, Forrester Consulting, July Worldwide Infrastructure Security Report, Arbor Networks, January In the Crossfire: Critical Infrastructure in the Age of Cyber War, Authors: Stewart Baker, distinguished visiting fellow at CSIS and partner at Steptoe & Johnson; Shaun Waterman, writer and researcher, CSIS; George Ivanov, researcher, CSIS; McAfee, Worldwide Infrastructure Security Report, Arbor Networks, October Ontrack-2001 Cost of Downtime Survey Results, Bright House Networks. Some restrictions apply. Serviceable areas only. Service provided at the discretion of Bright House Networks. 8