Cutting the Cost of Application Security

Transcription

1 WHITE PAPER Cutting the Cost of Application Security Web application attacks can result in devastating data breaches and application downtime, costing companies millions of dollars in fines, brand damage, and customer turnover. This paper describes the financial implications of Web attacks, DDoS attacks, and other Web-based threats. It shows how the SecureSphere Web Application Firewall provides a Return on Security Investment of 2090% by preventing data breaches and Website downtime. One approach to tackling application threats is to manually fix vulnerabilities. However, organizations that undertake this approach must deal with expensive emergency test and fix cycles when vulnerabilities are found. By virtually patching vulnerabilities, SecureSphere saves organizations 530% over five years by eliminating emergency fix and test measures. The Financial Impact of Web Application Threats Web attacks are the single most dangerous threat facing organizations today. Web attacks are prevalent striking Websites once every two minutes on average 1 and they inflict enormous damage, bringing down critical applications and causing brand damage, fines, breach notification costs, and customer turnover. To determine the ROSI provided by the SecureSphere Web Application Firewall (WAF), this paper analyzes the cost of deploying SecureSphere compared to the expense and the risk of a breach or application downtime. 1 Web Application Attack Report, Imperva, 2011

2 The Financial Impact of a Web Application Breach Data breaches are costly, averaging $7.2 million per incident. 2 However, some breaches have proven to be extremely expensive, with one organization alone expected to spend $1 billion to resolve a massive Web application breach in Web application attacks are one of the most common causes for a data breach. In fact, 89% of all records stolen in data breaches were due to hacking and external threats, 3 and Web-based attacks like SQL injection, XSS, and brute force are hackers tools of choice to steal data. The Cost of Application DDoS Attacks In addition to data breaches, Websites are also a target for DDoS attacks. In fact, 74% of businesses reported receiving a DDoS attack in the past year, according to a recent report 4 and approximately 25% of these attacks are application DDoS attacks. Like data breaches, DDoS attacks are expensive. According to a survey of companies, a successful DDoS attack costs, on average, $1.427 million. 5 Traditional Network Security: A False Choice for Web Application Security Almost all enterprises have deployed network firewalls to protect their network infrastructure and their users; most have also provisioned an intrusion prevention system (IPS) or a next generation firewall to detect intrusions and to control user access to applications. While these products may include a handful of Web attack signatures, they do not learn Web application structure or usage and they cannot effectively stop Web attacks. In fact, a recent report indicates that IPS products configured with their default security policies stop about 15 25% of basic Web attacks. 6 Besides Web attacks like SQL injection and XSS, network security solutions cannot detect or stop: Session-based threats like session hijacking and cookie poisoning Business logic attacks like site scraping and comment spam Web-based fraud Furthermore, most cannot inspect SSL-encrypted Web traffic. Organizations that wish to safeguard their applications must look beyond traditional network security solutions. The SecureSphere Web Application Firewall: Intelligent Web Security The SecureSphere WAF offers a powerful defense against hackers: it stops large-scale, automated Web attacks as well as advanced, custom attacks, it thwarts site scraping and comment spam, and it mitigates Web fraud. The market-leading SecureSphere WAF differentiates itself from other Web security solutions with the following features: Accurate Web Attack Protection: Combining Imperva s patented Dynamic Profiling technology with up-to-date attack signatures, cookie and session protection, and correlation rules, SecureSphere detects and stops Web attacks with laser precision. Defenses against DDoS and Automated Attacks: With the industry-first ThreatRadar Reputation Services, SecureSphere detects know attack sources, phishing sites, and the geographic location of Web visitors. SecureSphere also identifies bots by analyzing the rate of request and analyzing browser capabilities to stop app DDoS, site scraping, and comment spam. Web Fraud Prevention: With ThreatRadar Fraud Prevention, SecureSphere can detect and stop Webbased fraud. Ultra-high Performance: Delivering multi-gigabit performance and sub-millisecond latency, SecureSphere can easily scale to meet the most demanding data center requirements. Powerful Centralized Management: The MX Management Server centralizes configuration, monitoring and reporting for multiple WAF gateways. For large, distributed deployments, the SecureSphere Operations Manager can manage multiple MX Servers. Zero-Impact Deployment: SecureSphere offers multiple, transparent deployment options for easy integration into any environment with no impact on existing applications or network. 2 Cost of a Data Breach, Ponemon Institute, March Data Breach Investigations Report, Verizon Business, The Trends and Changing Landscape of DDoS Threats and Protection, Forrester 5 CSI/FBI Computer Crime and Security Survey 6 Analyzing the Effectiveness of Web Application Firewalls, Larry Suto, November

3 Return on Security Investment (ROSI) of the Imperva SecureSphere WAF To evaluate the ROSI, the following table estimates the cost for a medium size enterprise with: Four (4) online applications consisting of two (2) custom applications and two (2) packaged business applications. 200 Mbps average Web application throughput, bursting to 300 Mbps during peak use Proposed SecureSphere WAF Solution: One (1) SecureSphere X2000 Web Application Firewall with integrated management Annual Enhanced Support Subscription providing 24x7 technical support and software Basic Assumptions Probability of a data breach 3% Value Cost of a data breach $7.2 Million 7 Probability of an application DDoS attack (74% 8 risk of DDoS x 20% app DDoS) 14.8% Cost of an application DDoS attack $1.427 Million 9 Annual cost of a full time IT security administrator (in USD) $110,000 Return on Security Investment of the SecureSphere Web Application Firewall Without the SecureSphere WAF Year 1 Year 2 Year 3 Year 4 Year 5 Data Breach Cost = Probability x Impact $216,000 $216,000 $216,000 $216,000 $216,000 App DDoS Cost = Probability x Impact $211,120 $211,120 $211,120 $211,120 $211,120 Total Cost without SecureSphere $427,120 $427,120 $427,120 $427,120 $427,120 Without the SecureSphere WAF Year 1 Year 2 Year 3 Year 4 Year 5 SecureSphere WAF Product Costs $31,000 $0 $0 $0 $0 SecureSphere Maintenance Costs $6,200 $6,200 $6,200 $6,200 $6,200 SecureSphere Operational Costs $7,100 $7,100 $7,100 $7,100 $7,100 Total Costs with SecureSphere $44,300 $13,300 $13,300 $13,300 $13,300 Total Cost without SecureSphere WAF $2,135,600 Total Cost with SecureSphere WAF $97,500 Total Savings with SecureSphere WAF $2,038,100 ROSI with SecureSphere 2090% 7 Cost of a Data Breach, Ponemon Institute, March The Trends and Changing Landscape of DDoS Threats and Protection, Forrester 9 CSI/FBI Computer Crime and Security Survey 3

4 Additional Financial Benefits Beyond Data Breach and DDoS Attack Protection Besides preventing data breaches and application DDoS attacks, the SecureSphere WAF can also stop site scraping, comment spam, and Web fraud and it can help satisfy compliance, such as PCI requirement 6.6. Organizations that need to achieve PCI compliance or that face suffer from fraud, site scraping and spam should factor the following cost savings provided by SecureSphere into their own Return on Security Investment calculations. Site Scraping: The SecureSphere WAF reduces Website traffic load and improves application response time by blocking scrapers. It also improves company competitiveness by preventing rivals from republishing Web content or stealing pricing data or intellectual property. Comment Spam: SecureSphere lowers the amount of man-hours that companies must spend moderating message boards and forum comments. SecureSphere also improves users Website experience by decreasing ads and fake comments. Web Fraud: Web-based fraud can cost organizations millions of dollars in investigation costs, chargeback fees, and reputation damage. Imperva s ThreatRadar Fraud Prevention Services, an add-on subscription to SecureSphere, can lower fraud related expenses and maintain customer loyalty. PCI Compliance: Businesses that process, store, or transmit credit cards can achieve PCI 6.6 compliance with SecureSphere. As a result, SecureSphere can help businesses avoid fines and reduce payment transaction rates. Application Bandwidth Costs: By eliminating botnet traffic and traffic originating from undesirable countries, SecureSphere can reduce Web application bandwidth by up to 50%. SecureSphere WAF and Secure Web Development Fixing Application Vulnerabilities in Production is Expensive SecureSphere not only provides value by eliminating Web-based data breaches and downtime, it can also lower application development costs by avoiding costly emergency fix and test cycles. Fixing a vulnerability in the early phases of the application development lifecycle is much less expensive than fixing it once the application is deployed into production. For this reason, organizations try to catch vulnerabilities as early as possible. Unfortunately, even with good tools, a well trained development staff, and a strong desire to catch problems early, many vulnerabilities become apparent only after the software has been placed in production. Research by WhiteHat Security confirms that most businesses will encounter vulnerabilities in production Websites. In fact, over 80% 10 of Web applications have vulnerabilities and the average site has a staggering 230 serious vulnerabilities. Emergency Test and Fix Costs Design Dev QC Production Cost vs. Production Stage without SecureSphere 10 WhiteHat Website Security Statistic Report, WhiteHat Security,

5 The High Cost of Emergency Fix and Test Cycles In order to protect a business s critical applications and data, a vulnerability must be dealt with as soon as it is discovered. Without a dedicated Web application firewall solution, this means that the application code or underlying software infrastructure must be fixed, and fixed immediately to prevent exploit. Businesses must fix all significant vulnerabilities even though emergency fix and test cycles are very expensive. The hard costs of emergency fix and test cycles can be quantified in terms of the hourly rate of contract or regular IT staff time to fix the problem, fully re-test the application, and deploy the new version into production. Unfortunately, shortcutting this process only adds to the business risk. If the emergency fix and test cycle is rushed, it increases the likelihood of introducing new problems into the application. The Impact on IT Operations Vulnerability remediation not only affects application developers, it can also impact other groups such as IT Operations. Emergency fix and test cycles may force businesses to update application code when the Website is supposed to be frozen or when the IT Operations team is updating application infrastructure. Unfortunately, hackers will not wait patiently until after a Website maintenance window to launch an attack. Therefore, organizations need to remediate vulnerabilities immediately, even if this means disrupting network and application upgrades. So emergency test and fix cycles can disrupt IT Operations as well as application development. SecureSphere Eliminates Emergency Fix and Test Cycles The SecureSphere Web Application Firewall enables companies to significantly reduce their operational costs while simultaneously achieving even higher levels of security. With SecureSphere, companies can be assured that their applications are protected from both known and unknown attacks, including zero-day exploits, without having to change their applications or infrastructure. Unburdened from the need for emergency fix and test cycles, companies are free to implement fixes and patches on their schedule not hackers schedule. Businesses can simply treat any security fix as just another requirement to be included in the next scheduled release, saving significant time and money in the process. The time and cost to fix a vulnerability is effectively pushed back into the development phase of the application lifecycle where the costs are much lower. More importantly, the cost of re-testing after each emergency fix disappears altogether since this testing becomes part of the standard test cycle of the next release. Additionally, businesses avoid the risk of breaking application functionality with rushed application code fixes. Find in Production Fix in Development Design Dev QC Production Cost vs. Production Stage with SecureSphere Copyright 2014, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. WP-FILE-NAME

6 SecureSphere WAF Compared to Manual Vulnerability Remediation To illustrate how SecureSphere cuts operational costs, we will look at the same medium size enterprise that we considered before for our Return on Security Investment (ROSI) calculation, but this time we will compare the cost of the SecureSphere WAF to the cost of manual vulnerability remediation. As shown in the table below, the company estimated the number of times per year that they expected to implement fix and test cycles for both vulnerabilities found in each of the two custom applications and for the deployment of patches to the underlying infrastructure software on each of the two servers. Custom Application Without SecureSphere With SecureSphere 11 Emergency Fix and Test Cycles 6 0 Infrastructure Software Patch Deployments Operating System Patches 4 2 Web Server Patches 4 2 Packaged Enterprise Application Patches 2 1 Total 10 5 Other Financial Inputs The numbers from the table above were combined with other information, such as fully-burdened employee costs for application developers and testers, as well as statistical information about the time required for emergency fix and test cycles. This information was then used as input to Imperva s ROI calculator. 11 With its automated protection against application attacks, SecureSphere eliminates emergency fix and test cycles. SecureSphere also offers virtual patching of operating system, web server and packaged application or application framework vulnerabilities. This virtual patching enables organizations to apply patches during their normal upgrade processes or to wait until new software versions are released, reducing the total number of patches that need to be applied. 6

7 Financial Results SecureSphere vs. Emergency Fix and Test Costs The table below shows the costs of fortifying a Website through manual vulnerability remediation and patch updates both with and without the SecureSphere WAF. Because the SecureSphere WAF eliminates the need for emergency fix and test cycles, it offers a 530% Return on Investment. Five Year Cost Pro Forma without SecureSphere Year 1 Year 2 Year 3 Year 4 Year 5 Total Emergency Fix & Test Costs $120,000 $120,000 $120,000 $120,000 $120,000 Total Commercial Software Update Costs $66,500 $66,500 $66,500 $66,500 $66,500 $186,500 $186,500 $186,500 $186,500 $186,500 Five Year Cost Pro Forma with SecureSphere 12 Year 1 Year 2 Year 3 Year 4 Year 5 SecureSphere Purchase $31,000 $0 $0 $0 $0 SecureSphere Software Main/Support $6,200 $6,200 $6,200 $6,200 $6,200 SecureSphere Administration Labor $7,100 $7,100 $7,100 $7,100 $7,100 Emergency Fix and Test Cost $0 $0 $0 $0 $0 Cost of Fix in Scheduled Release $19,200 $19,200 $19,200 $19,200 $19,200 Commercial Software Update Costs $33,250 $33,250 $33,250 $33,250 $33,250 SecureSphere Savings and ROI Present Value of all Costs without SecureSphere $718,952 Present Value of all Costs with SecureSphere $282,903 $96,750 $65,750 $65,750 $65,750 $65,750 Total Savings $436,049 Present Value of SecureSphere Costs (incl. Support & Admin) 2090% SecureSphere ROI 530% Considerations for Manual Application Vulnerability Remediation Organizations should always follow secure coding best practices in order to fortify their Web applications against attack. However, there are several shortcomings to relying on secure coding practices and manual remediation alone. First, Websites may be exposed to attack while vulnerabilities are fixed. Second, it is difficult through application coding alone to prevent threats like application DDoS, site scraping, and comment spam. The SecureSphere Web Application Firewall not only saves businesses money by eliminating emergency test and fix measures, it also provides continuous protection and stops Web attacks that cannot be stopped through secure coding measures. SecureSphere also provides unprecedented visibility into Web application threats and Web server errors, allowing organizations to pinpoint targeted elements in the application and address any Website issues. 12 The investment for SecureSphere is based on a single SecureSphere appliance with an integrated management license, support, and administration labor. Actual costs may differ based on specific environments and needs. 7

8 SecureSphere: The Trusted Choice for Web Application Security With Web attacks disrupting application access and causing multimillion-dollar data breaches every day, organizations need to shore up their Web application defenses. The SecureSphere Web Application Firewall enables organizations to: Protect Web applications from attack and application downtime Stop site scraping and comment spam Prevent Web fraud Virtually patch application vulnerabilities Gain greater visibility into application usage, site errors, and threats Address compliance mandates Compared to no application security measures, the SecureSphere WAF offers a 2090% Return on Security Investment (ROSI). The SecureSphere WAF saves businesses millions of dollars by preventing costly data breaches and Website downtime. The SecureSphere WAF also offers a compelling Return on Investment to organizations that have already implemented secure coding best practices. Over 5 years, SecureSphere saves businesses 530% by eliminating emergency fix and test cycles and reducing the number of patch updates. SecureSphere also discovers application errors by monitoring Web traffic and stops attacks like application DDoS that are difficult to combat through secure coding practices alone. Protecting thousands of organizations around the world, the market-leading SecureSphere Web Application Firewall is the practical, cost-effective choice to secure mission-critical Web applications. About Imperva Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting high value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance. Copyright 2014, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. WP-CUTTINGCOST_APPSECURITY_ROI