Cloud-Client Enterprise Security Impact Report Increased Protection at a Lower Cost


An Osterman Research White Paper, published January 2009. Sponsored by Trend Micro.

Osterman Research, Inc., P.O. Box 1058, Black Diamond, Washington. info@ostermanresearch.com

Improved Security Saves 40% in Security Management Costs

Malware, spam, and other Web threats are a clear and present danger to organizations of every size and in every industry. The consequences of malware infecting an organization are numerous, ranging from minor annoyances to the destruction of data. Worse, data-stealing malware such as keystroke loggers can enter a network, intercept sensitive or confidential content, and send it to unauthorized parties, and this information can be stolen merely by opening a Web page on a malicious, fraudulent, or hijacked site. The Web has become the primary means of distributing malware, infecting users who follow dangerous links in spam, follow poisoned search results, or visit hijacked legitimate sites. The effort of defending against malware in turn makes it harder to conduct business safely.

Compounding the problem is the fact that malware is becoming more virulent, more stealthy and more difficult to detect. Worse, the lifecycle of many malware variants can now be measured in minutes, not hours or days: many variants appear, do their damage and then disappear long before new pattern files or signatures can be deployed and propagated to servers and clients on the network.

However, if an organization could dramatically reduce the time required to access threat intelligence, using in-the-cloud reputation databases to block new malware and spam variants before they even reach the network, it could reduce the rate of endpoint infection, lower its security management and lost-productivity costs, and reduce the likelihood of security breaches. If it combined these measures with consolidating its content security infrastructure onto a single vendor, the advantages and cost savings would be greater still.

Each year in an enterprise of 5,000 employees:
- 2/3 of endpoints get infected
- $197,300 is lost cleaning endpoints
- $160,300 is lost in employee productivity
- 10% of companies put the cost of a single security breach above $100,000
But they can save almost $60 per employee each year by using a comprehensive content security solution with a cloud-client architecture instead of their conventional approach.

This white paper discusses the many benefits of faster access to threat intelligence, using a cloud-client architecture for immediate protection, as well as the benefits to enterprises of consolidating to a single vendor for content security infrastructure. Together these benefits can save about 40% of an enterprise's total security management costs, not to mention savings from reduced productivity loss, fewer security breaches and other, less tangible costs. The paper presents the cost model developed by Osterman Research specifically for this white paper, as well as the solutions offered by Trend Micro that can significantly improve an organization's content security infrastructure.

© 2009 Osterman Research, Inc.

METHODOLOGY AND BACKGROUND

As part of this white paper development effort, Osterman Research surveyed more than 100 respondents during December 2008 on the number of endpoints (clients and servers) in each organization, the amount of time spent on IT labor, the frequency with which malware pattern files/signatures are updated and a variety of other issues, to better understand the impacts of a cloud-client architecture and vendor consolidation for content security. The organizations surveyed, which are based in North America and Europe, have a median of 4,500 employees. For the purposes of this paper, we use examples based on 5,000 employees.

The Status Quo Doesn't Work So Well

A GROWING NUMBER OF ENDPOINTS

There are a growing number of endpoints through which malware can enter an organization's network, including servers, traditional clients on desktop and laptop computers, corporate and personal Webmail, Web browsers, collaborative environments, corporate and personal mobile devices, instant messaging clients, home computers, USB storage devices, and more. Every endpoint represents a potential entry point for a virus, worm, Trojan horse or some other form of malware to gain a foothold in the corporate network. Today, malware is part of a cybercrime economy, and cyber criminals are using multiple endpoints and delivery mechanisms to steal data and resources.
The more widely a business tool is used, the more often cyber criminals target it.

MALWARE IS GETTING WORSE BY THE MINUTE

Gone are the days when single variants of spam, viruses, and worms were created and propagated slowly over the Internet, spreading over the course of several weeks. Instead, today's malware can morph into hundreds or thousands of variants and can propagate in minutes, infecting large numbers of endpoints in a very short period of time.

NEARLY 2/3 OF ENDPOINTS ARE INFECTED EACH YEAR

The result of the growing number of endpoints, coupled with more virulent and more capable malware, is that endpoint infections are numerous. The research we conducted for this study found that during an average month, a mean of 5.4% (median of 2.0%) of the endpoints in the organizations we surveyed became infected. Assuming one endpoint per employee, this means that in an organization of 5,000 employees a mean of 270 endpoints are infected each month, or just under 3,250 each year. Statistically, then, if your organization is typical you can expect that in any given year nearly two-thirds of your organization's endpoints will become infected.

Two caveats apply to that figure, and to every cost derived from it below. First, it uses the mean; the gap between the 5.4% mean and the 2.0% median shows that a minority of heavily infected organizations pull the average up, and at the median rate the same 5,000-employee organization would see about 1,200 infections a year, roughly one endpoint in four. Second, it counts infection events, not distinct machines, so an endpoint cleaned twice is counted twice.

IT STAFF TIME IS WASTED, PRODUCTIVITY IS LOST

Aside from the most serious consequences of data loss or the interception of sensitive content that can follow from an endpoint infection, IT must spend time cleaning endpoints while employees whose machines are disabled are rendered less productive. Our research found that it takes a mean elapsed time of 95 minutes (median of 60 minutes) for IT to clean one endpoint. That means a large percentage of an IT department's valuable time is spent cleaning infections, during which time employees are less productive while waiting for their machines to be cleaned.

During a typical month, IT will spend a mean of 428 person-hours simply cleaning infected endpoints (270 endpoints × 95 minutes). If we assume that the fully burdened salary for an IT staff member is $80,000, IT will spend $16,442 per 5,000 employees on IT labor each month just to clean malware from endpoints; the figures throughout this paper imply a 2,080-hour working year, i.e. an hourly IT rate of about $38.46. Because employees are often idle while their systems are being cleaned, employee productivity also suffers. If we assume that the fully burdened salary of the typical employee whose machine is infected is $65,000, then productivity loss from infected endpoints equals $13,359 per 5,000 employees per month. The bottom line is that organizations spend significant amounts just on cleaning endpoints of various types of malware infections: the combination of IT and non-IT costs totals over $357,620 per 5,000 employees each year.

SECURITY BREACHES ARE ANOTHER THREAT

Our research found that slightly more than one-half of organizations have suffered a security breach during the previous 12 months, such as spyware infections, botnet infections, etc. The results of these breaches varied, and included:
- Lost employee productivity (cited by 78% of respondents)
- Network was down (24%)
- Customer records were compromised (10%)
- Customer records were unavailable (10%)
- Customers were alienated (8%)
- The network was damaged (6%)
- Data security regulations were violated (6%)
- Company reputation was damaged (6%)
- Customers had to be informed of the data breach (6%)
- Minor financial losses (6%)
Only 4% of organizations that suffered a security breach during the previous 12 months experienced no negative consequences. Further, respondents told us that when a security breach occurred, their network was down for a mean of 74 minutes (median of 18 minutes).

DATA BREACHES CAN BE EXPENSIVE

We also asked organizations about the potential cost of a security breach. As shown in the following figure, nearly one-half of respondents indicated that a typical, single security breach would cost up to $25,000, while 10% believe that a security breach would cost more than $100,000. Based on an average of the data shown in the figure, Osterman Research estimates that the average cost of a security breach is $48,698. This was calculated by taking the midpoint of each cost range shown below (and estimating an $800,000 cost for the "more than $500,000" range) and weighting each midpoint by the proportion of respondents who chose that range.

[Figure: Estimated Total Cost of a Single Security Breach (distribution of respondents' estimates by cost range; the chart itself is not reproduced in this transcription)]

We also asked organizations about the likelihood of a security breach occurring during the next 12 months. While no respondents told us that there is almost no chance of a breach, and 5% told us that one is a virtual certainty, the average was just under 45%. In other words, organizations believe there is a 45% chance that a security breach will occur in their networks during the next 12 months.

Using traditional quantitative business analysis methods, multiplying the average cost of a security breach by the likelihood of its occurrence gives an expected cost of security breaches during the next 12 months of $21,839 ($48,698 × 44.8%; the product uses the unrounded likelihood, so it differs slightly from the figures as printed). However, this represents the low end of the cost of potential security breaches. For example, a breach of personally identifiable information can result in a requirement to send each victim a letter explaining the breach, the cost of credit reports and the like. A single breach can reach millions of dollars, not to mention the tremendously negative impact on an organization's reputation.

CONTENT SECURITY MANAGEMENT IS ALSO EXPENSIVE

The research program we conducted for this white paper found that IT labor costs are high. IT accrues the following costs for content-security-related issues:
- There is a mean of 216 employees supported for every IT staff member. This varies widely, from much lower numbers in small organizations to much higher numbers in large ones. If we assume that the fully burdened salary for an IT staff member is $80,000 annually, the cost of IT labor per employee is $370 per year, or just under $31 per employee per month.
- During a typical week, IT staff in a 5,000-employee organization spend:
  o 62 person-hours managing pattern files, signatures and other critical endpoint issues.
  o 51 person-hours managing false positives and related issues caused by the security infrastructure.
- Additionally, IT staff in an organization of 5,000 employees spend 1,674 person-hours per year upgrading resource capacity to add bandwidth, storage, new servers or appliances, etc., the equivalent of just over 0.8 full-time equivalent (FTE) staff members.
Using the $80,000 figure as above, the cost of these three activities totals almost $290,500 per year, the equivalent of 3.6 FTE IT staff members. Add this to the IT labor cost of cleaning infections and organizations of 5,000 employees are spending at least $487,700 on content security management.

COST SUMMARY

Based on the analysis above, the annual costs experienced by organizations of 5,000 employees are the following:
- IT labor to address endpoint infections: ~$197,300 per 5,000 employees per year
- Employee productivity loss: ~$160,300 per 5,000 employees per year
- Security breaches: ~$48,700 per security breach
- IT labor for managing pattern files, signatures and other critical endpoint issues: $124,000 per year
- IT labor for managing false positives and related issues caused by the security infrastructure: $102,000 per year
- IT labor for upgrading resource capacity for security: approximately $64,400 per year (the figure is cut off in the source; this is 1,674 person-hours at the $80,000 burdened rate)
Note that the "content security management" total of roughly $487,700 comprises only the four IT labor lines (cleaning, pattern files, false positives, capacity); productivity loss and breach costs are tracked separately.

Content security management is expensive, and much of this cost is related to anti-malware-focused tasks and resources. Organizations spend a considerable amount trying to defend against malware, including labor costs to manage pattern files and deal with false positives, as well as additional bandwidth, storage, new servers or appliances, and other network upgrades needed to support the increasing size of the pattern files and signatures downloaded to endpoints to protect against the numerous spam and malware variants. Even with these efforts, organizations using conventional content security methods have 2/3 of their endpoints infected each year, adding the cost of cleaning those endpoints. These costs also do not account for the additional benefit the enterprise would receive if IT staff could be redeployed to higher-priority initiatives that increase productivity and generate revenue.

What If You Could Get Immediate Protection?

SECURITY UPDATES DO NOT OCCUR FREQUENTLY

One of the fundamental problems with the status quo is that many organizations have deployed security systems that are updated only infrequently. Our research found that 24% of organizations update their pattern files/signatures less than once per day, 37% update once per day, and only 25% update more than twice each day (by subtraction, the remaining 14% update twice a day). This is a serious problem in a world in which malware lifetimes can be measured in minutes but businesses update their security only once or twice a day. With infrequent updates there is a security gap between when malware is released and when protection is deployed across clients and servers. The result is that a new malware variant can appear, do its damage, and be replaced by a new variant before the first pattern file or signature can be deployed to combat it. As cybercriminals become even more adept at creating their wares, the problem will get worse.

FASTER ACCESS EQUALS BETTER PROTECTION

The obvious way to combat the problems caused by slow pattern file/signature updates is to provide faster access to threat intelligence, ideally as close to real time as possible. As threat volumes increase, so does the size of pattern files. An approach that relies solely on traditional methods to distribute pattern files and signatures is unsustainable because this deployment mode is simply too slow. Instead, threat intelligence should be maintained in the cloud and consulted through queries from a lightweight client. This type of cloud-client architecture saves resources and protects faster, since enterprises no longer wait for pattern file deployment to be protected. It allows security systems to detect and remediate newly discovered threats more quickly, reducing the number of infected endpoints and security breaches, which in turn means lower costs and fewer negative consequences for users and organizations alike.

We asked survey respondents the following question: "Imagine that your server and endpoints could be updated 10 times faster with new pattern files/signatures after a new threat has been detected (for example, going from eight hours to update signatures to 15 minutes)." Note that the survey phrased faster access to threat intelligence as a pattern file/signature update rather than trying to explain a cloud-client architecture; note also that the parenthetical example (eight hours to 15 minutes) is a 32-fold speed-up rather than a tenfold one. The operative assumption behind the responses is that the organization has access to threat intelligence within 15 minutes.

One of the important advantages of faster protection would be to reduce the chances of a security breach. For example, instead of an almost 45% chance of a data breach occurring during the next 12 months as discussed above, respondents told us that with faster protection there would be a 36% chance of such a breach.

FASTER ACCESS EQUALS LOWER COSTS

Not only can faster access to threat intelligence reduce the risk of data loss and the cost of IT labor spent on remediating endpoint infections, it can also reduce the overall cost of managing security. Osterman Research developed a cost model specifically for this white paper that allows an organization to estimate the cost advantages it might obtain from faster access to threat intelligence. For an organization of 5,000 employees, we have estimated the following:
- The monthly endpoint infection rate would fall from 5.4% to 2.0%, a 63% reduction in infections and therefore in the cleaning and productivity costs that scale with them. (The 2.0% target equals the median infection rate reported in the survey.)
- There would be a 25% reduction in IT staff investment in managing pattern files, signatures and other critical endpoint issues.
- There would be a 10% reduction in IT staff investment in upgrading resource capacity to add bandwidth, storage, servers or appliances, etc.
- There would be a 2% reduction in IT staff investment in managing false positives and related issues.

Based on these assumptions, Osterman Research estimates that the total security management cost savings an organization would obtain through faster protection from a cloud-client content security solution would equal 34% of its total content security management costs. Add the productivity loss avoided and the security breaches averted and, for an organization of 5,000 employees, the savings come to roughly $268,936, or $53.79 per employee per year beyond what the organization achieves with its current, conventional content security solutions. That total decomposes as $163,713 in management savings, about $100,900 of avoided productivity loss (the same 63% reduction in infections applied to the $160,300 productivity figure) and about $4,300 of reduced expected breach cost ($48,698 multiplied by the 8.8-point drop in breach likelihood, from 44.8% to 36%).

WHAT IF YOU HAD JUST ONE CONTENT SECURITY VENDOR?

Many organizations use multiple vendors for their content security infrastructure; our research found a mean of four vendors used to provide content security (median of three). However, many organizations are attempting to reduce the number of vendors to lower costs by obtaining volume discounts, reducing the IT labor spent managing multiple vendors' products, simplifying patch management, and so forth.

We asked organizations that are using multiple content security vendors, "If you could use just one best-of-breed vendor for all of your server and endpoint security requirements, what percentage of IT staff time devoted to content security management do you think you might save during a typical week?" The responses:
- 14% said there would be no savings from consolidating vendors
- 22% said savings of up to 5% in IT labor costs
- 41% said labor savings would be between 6% and 10%
- 23% said savings would be greater than 10%
The average savings was 9.5%. This can result in major cost reductions, particularly for large organizations.

THE BOTTOM LINE

Faster access to threat intelligence, coupled with the use of a single content security vendor, can result in significant savings. In the 5,000-employee organization discussed above, total content security management costs are estimated at $487,731. The savings from faster security would equal approximately 34%, or $163,713. After applying those savings, organizations would obtain a further 9.5% reduction in the remaining security management costs, or $30,782, by using one vendor. Add the savings from reduced productivity loss and fewer security breaches, and a 5,000-employee organization would save almost $300,000 when using a cloud-client solution from a single vendor. The breakdown of these savings is shown in the following figure, although it should be noted that the cost of a single avoided security breach could outweigh all of the other figures shown.
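The cost model in this section can be re-derived from the survey figures quoted above. The Python script below is an added worked example for this transcription; it is not Osterman Research's own spreadsheet and not anything Trend Micro ships. The only input it assumes that the paper never states is a 2,080-hour working year (52 weeks × 40 hours) behind the hourly rates, which reproduces the paper's $16,442 monthly cleaning figure exactly. The breach-cost distribution chart is not reproduced here, so the $48,698 weighted average is taken as an input rather than recomputed.

```python
"""Re-derive the white paper's cost model from the survey figures it quotes.

Added worked example; not the paper's own spreadsheet. The one assumption not
stated in the paper is the 2,080-hour working year behind its hourly rates.
"""

HOURS_PER_YEAR = 52 * 40  # assumed: 2,080 working hours per FTE

# Survey inputs quoted in the paper for a 5,000-employee enterprise.
SURVEY = {
    "employees": 5000,
    "monthly_infection_rate": 0.054,     # mean share of endpoints infected per month
    "clean_minutes": 95,                 # mean elapsed time for IT to clean one endpoint
    "it_salary": 80_000,                 # fully burdened IT salary
    "user_salary": 65_000,               # fully burdened employee salary
    "weekly_pattern_hours": 62,          # managing pattern files / signatures
    "weekly_false_positive_hours": 51,   # managing false positives
    "annual_capacity_hours": 1674,       # upgrading bandwidth, storage, servers
    "breach_cost": 48_698,               # weighted average cost of one breach
    "breach_probability": 0.448,         # chance of a breach in the next 12 months
}

# Modelling assumptions the paper makes for a cloud-client architecture.
CLOUD_CLIENT = {
    "monthly_infection_rate": 0.020,
    "pattern_cut": 0.25,
    "capacity_cut": 0.10,
    "false_positive_cut": 0.02,
    "breach_probability": 0.36,
    "single_vendor_cut": 0.095,  # applied after the faster-protection savings
}


def hourly_rate(burdened_salary):
    return burdened_salary / HOURS_PER_YEAR


def baseline_costs(s=SURVEY):
    """Annual status-quo costs, one endpoint per employee as the paper assumes."""
    hours_per_month = s["employees"] * s["monthly_infection_rate"] * s["clean_minutes"] / 60
    it_rate = hourly_rate(s["it_salary"])
    c = {
        "it_cleanup": hours_per_month * it_rate * 12,
        "productivity": hours_per_month * hourly_rate(s["user_salary"]) * 12,
        "pattern_files": s["weekly_pattern_hours"] * 52 * it_rate,
        "false_positives": s["weekly_false_positive_hours"] * 52 * it_rate,
        "capacity": s["annual_capacity_hours"] * it_rate,
        "expected_breach": s["breach_cost"] * s["breach_probability"],
    }
    # "Content security management" in the paper is IT labour only:
    # no productivity loss and no breach cost.
    c["management_total"] = (c["it_cleanup"] + c["pattern_files"]
                             + c["false_positives"] + c["capacity"])
    return c


def cloud_client_savings(s=SURVEY, cc=CLOUD_CLIENT):
    """Savings from faster protection, then the single-vendor cut on what remains."""
    base = baseline_costs(s)
    # Cleaning and productivity costs scale with the infection rate.
    infection_factor = 1 - cc["monthly_infection_rate"] / s["monthly_infection_rate"]
    mgmt = (base["it_cleanup"] * infection_factor
            + base["pattern_files"] * cc["pattern_cut"]
            + base["capacity"] * cc["capacity_cut"]
            + base["false_positives"] * cc["false_positive_cut"])
    productivity = base["productivity"] * infection_factor
    # Breach savings = average breach cost x drop in likelihood; a fixed amount
    # that does not scale with headcount.
    breach = s["breach_cost"] * (s["breach_probability"] - cc["breach_probability"])
    one_vendor = (base["management_total"] - mgmt) * cc["single_vendor_cut"]
    total = mgmt + productivity + breach + one_vendor
    return {
        "management": mgmt,
        "management_pct": mgmt / base["management_total"],
        "productivity": productivity,
        "breach": breach,
        "one_vendor": one_vendor,
        "total": total,
        "per_employee": total / s["employees"],
    }


if __name__ == "__main__":
    for k, v in baseline_costs().items():
        print(f"baseline  {k:18s} ${v:>12,.0f}")
    for k, v in cloud_client_savings().items():
        print(f"savings   {k:18s} {v:>12,.2f}")
```

Running it reproduces the cost summary lines ($197,308 cleaning labor, $160,313 productivity, $124,000 pattern files, $102,000 false positives, $64,385 capacity), a management total within $40 of the paper's $487,731 (the paper rounds hours before multiplying), and savings of $163,709 for faster protection, $30,778 for one vendor and $59.94 per employee, all matching the figures in this section to rounding. Setting SURVEY["monthly_infection_rate"] to the 2.0% survey median zeroes the infection-driven savings, which shows how much of the headline figure rests on the mean rather than the median.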

[Figure: Estimated Annual Savings (breakdown of the roughly $300,000 in savings for a 5,000-employee organization; the chart itself is not reproduced in this transcription)]

About Trend Micro

TREND MICRO SMART PROTECTION NETWORK

Trend Micro Enterprise Security offers content security that provides immediate protection in a tightly integrated offering of products, services, and solutions. At the core of these products and services is the Trend Micro Smart Protection Network, a newly introduced cloud-client architecture designed to provide fast protection with minimal network resources. This approach combines in-the-cloud reputation databases and lightweight client infrastructure to quickly and automatically protect information wherever and however an enterprise's employees connect.

Threat information is analyzed using the global knowledge of over 1,000 dedicated content security experts at TrendLabs, Trend Micro's global network of research, service, and support centers. This data is correlated across three types of reputation databases: email, Web, and file. If one element shows a bad reputation, it is automatically blocked across all threat delivery methods, providing immediate protection at every point of attack: spam sources, embedded links, dangerous files, and web sites with malicious content. These reputation databases are constantly updated and mutually reinforcing, providing significantly better protection than would be possible using any one of these technologies by itself.

THE BENEFITS OF A CLOUD-CLIENT ARCHITECTURE

With a cloud-client architecture, Trend Micro can update the in-the-cloud reputation databases in real time, and the lightweight client can query this information as needed, no longer waiting for periodic downloads of static pattern files to be protected. This protection is also available to roaming users both on and off the network. This immediate access to threat intelligence lowers exposure to dangerous spam and malware, reducing malware infections and security breaches. The reputation databases also stop threats at their source, limiting the amount of spam and malware on the network and saving costly resources.

A UNIFIED DEFENSE: ONE VENDOR FOR CONTENT SECURITY

The Smart Protection Network powers Trend Micro Web, messaging and endpoint security, creating a unified defense throughout the network by correlating across the reputation databases. Whether an enterprise chooses one Trend Micro product or a complete security solution, it can access the threat information correlated between these reputation databases to get network protection faster. Trend Micro's comprehensive content security enables customers to use one vendor for immediate, effective protection built into flexible content security that is easy to acquire, deploy, and manage.

TREND MICRO ENTERPRISE SECURITY SAVES COSTS

Trend Micro's cloud-client architecture provides faster protection than conventional approaches that rely solely on pattern file updates. Trend Micro also provides a comprehensive solution that enables enterprises to use one vendor for content security. This combination supports the benefits discussed earlier in this paper, providing enterprises with a solution that can save them about 40% of their total security management costs, in addition to providing increased employee productivity and fewer security breaches. Here is a summary of the additional amount enterprises can save using Trend Micro Enterprise Security versus more conventional content security across multiple vendors:

Number of employees | Content security mgmt. savings with faster protection | Savings by using one vendor | % of overall content security mgmt. costs | Additional content security savings (productivity and breaches) | Annual savings per employee with Trend Micro
1,000  | $32,743  | $6,156  | 40% | $24,473  | $63.37*
5,000  | $163,713 | $30,782 | 40% | $105,223 | $59.94*
10,000 | $327,426 | $61,563 | 40% | $206,160 | $59.51

* Illegible in the source; computed as the sum of the three dollar columns divided by headcount, the same formula that yields the legible $59.51 for 10,000 employees. Per-employee savings fall slightly as headcount rises because the expected-breach component (about $4,300) is a fixed amount in the model rather than a per-employee one, which is also why the "additional savings" column does not scale linearly with headcount.

Trend Micro Enterprise Security, powered by the Smart Protection Network, provides immediate protection with less complexity, offering lower business risk and cost to enterprises.

Summary

Malware is bad and getting worse. Malware variants are becoming more numerous, more virulent and more difficult to detect, and their lifecycle is becoming dramatically shorter. Organizations that employ a traditional content security infrastructure whose pattern files and signatures are updated only once or twice each day are at a serious disadvantage, since malware variants can enter a network, do their damage and then disappear before the enterprise deploys the latest pattern files or signatures to address them.

Instead, organizations should employ an integrated content security infrastructure that accesses the latest threat intelligence through a cloud-client architecture, providing immediate protection against the latest spam and malware threats. This will reduce the chance of security breaches, reduce the number of endpoints that become infected and reduce the IT labor spent on security management. Coupled with the use of a single content security vendor, the savings can be significant.

Trend Micro provides just such a solution with Trend Micro Enterprise Security powered by the Smart Protection Network. This approach provides immediate protection in an integrated solution that combines web, messaging, and endpoint security. This comprehensive content security saves cost today while also providing a sustainable architecture as threats evolve in the future.

© 2009 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.