WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications


Evaluating the Total Cost of Ownership for Protecting Web Applications
WhiteHat Security, October 2013

Introduction

Over the past few years, both the sophistication of IT security threats and the number of breaches and thefts have escalated, and with more data, applications, IP, and other assets coming online every day, those risk exposures are only increasing. In virtually every industry, nearly every organization faces substantial risks involving lost trust of customers and investors resulting from security breaches. And while the indirect costs are difficult to measure (though they are inarguably meaningful), the direct costs are painfully easy to see. Consider just two cases that resulted in sizeable monetary losses:

- Idaho State University recently settled a suit with the U.S. Department of Health and Human Services for $400,000 after the personal information of 17,500 patients was breached.[1]
- Schnuck Markets could face up to $80 million in losses due to a payment card breach.[2]

Unfortunately, these aren't isolated examples, and the causes are many. According to DatalossDB.org, 37 percent of all data breaches arise from hacking, Web application exposure, or misconfiguration.[3] Since many sites are data-driven, this is an obvious entry point for attackers and an insufficiently covered area of corporate risk. The Post Breach Boom from the Ponemon Institute supports this: 42 percent of malicious incidents involved applications, and 45 percent of losses due to malicious attacks ended up costing organizations an average of more than $500,000.[4]

Given the unprecedented exposures and potential for large monetary losses, organizations must quantify the financial impact of security risks and data breaches, together with the total cost of the protective measures (Web application security tools and services) that can prevent and/or mitigate them. This white paper breaks down the total cost of Web application security in specific risk categories associated with successful attacks. It will also discuss the costs to protect websites, resulting in a TCO model that can help to quantify the costs of Web application security compared to the costs of data breaches.

Understanding the sources of Web application security costs

The cost of data breach prevention, and of Web application security overall, falls into three major categories.

1. Systems costs, which take two forms:
   Recurring annual subscriptions. The subscription cost for a Software-as-a-Service (SaaS) security offering can be a factor in some models if these services are in place and employed by the security team. This cost typically consists of yearly subscription expenses.
   On-premises systems. Depending on the types of Web application security controls and tools, your organization can incur costs for hardware to run those tools and platforms, installed software, and many other associated costs, such as operating system licenses, network components, and more.

2. Services costs, which consist of the labor involved in deploying, learning, managing, and maintaining security tools and controls, as well as the labor required to respond to a security incident. This can include consultants, managed security services, or internal team members.

3. Breach impact, a line item that has traditionally been very difficult to measure. You can kick off the risk evaluation process by using statistics and data from industry reports and surveys to make a reasonably educated guess. In the beginning, this will, by necessity, rely on industry benchmarks and reports. Over time, that can be gradually complemented (and eventually replaced) by more accurate, experiential data if your organization encounters a breach.

While the first cost category is essentially the cost of software (SaaS or on-premises), the second and third cost categories are strongly affected by a Web application security solution's ability to eliminate false positives and false negatives, respectively.

False positives happen when tools generate alerts that are not associated with true vulnerabilities. For instance, if the software creates an alert for an older Web server platform that has already been patched and is no longer vulnerable, that alert is not valuable. A large volume of false positives can significantly increase avoidable costs through unnecessary scan reviews. Too often, these avoidable review costs are overlooked.

False negatives can be much more destructive and significantly more costly. In these instances, a legitimate vulnerability or deficiency is not detected by the assessment tool(s) and is not reported to analysts. False negatives increase the costs of breaches since important vulnerabilities are overlooked, leading to a higher likelihood of a security compromise over a longer period of time. In addition to eliminating false negatives with continuous assessments, scanning technology can also reduce expected breach costs by minimizing any window of vulnerability through more frequent monitoring and earlier detection.

Calculating the cost of successful attacks

When estimating the costs associated with a successful attack, consider the frequency of attacks and the likelihood of penetration (which will vary for every organization). Data from secure-hosting provider Firehost suggests that any given website could experience between 15,000 and 100,000 or more Web application attacks per year.[5] According to Verizon Data Breach Investigations Reports (DBIR) from 2009-2012, the average company experiences between five and six breaches annually.[6]

To break down the cost of a successful attack, consider these specific items:

Revenue loss. Certain types of data breaches may result in direct monetary losses, such as exposing credit card numbers or having banking accounts directly manipulated. Another source of revenue loss may be a drop in ecommerce revenue due to declining customer confidence in the affected organization.

Number of impacted records. The number of impacted records may affect the total breach cost, starting with the time required to conduct an internal investigation and communicate with affected parties. Certain thresholds can also lead to different legal and regulatory penalties.

Cost per data record. Some types of sensitive data may carry a specific cost to recover or replace, such as credit card replacement costs and credit monitoring services for affected consumers.

Legal costs and fines. Certain breaches incur specific regulatory and industry compliance fines and charges, ranging from one-time penalties to additional costs for standard business processing. For instance, you might see additional per-transaction costs for handling payment card data after a breach. Other fines and penalties may result from lawsuits or other legal actions.

Brand damage. While the costs associated with damage to the brand are difficult to calculate, they certainly exist, especially in industries that rely heavily on ongoing consumer trust in the safeguarding of sensitive data.

In addition, even failed attacks incur costs, primarily related to investigation and the controls that prevent the attacks from succeeding.

The four categories for calculating the cost of protection

In addition to the cost of attacks, controls and tools for assessment, prevention, and response carry their own costs as well:

1. Protective tools and services costs
2. Operating costs
3. Direct services costs
4. Internal labor costs

1. Protective tools and services
   Hardware: Servers and dedicated platforms/appliances running security products.
   Software: The cost of security software.
   Services: Can include both consulting services and the professional services associated with implementing a specific control or product.
   Administrative overhead: Includes the time required to implement a product or service internally, as well as the daily time involved in managing and administering products.

2. Longer-term operating costs
   Hardware and software maintenance: Include the annual maintenance contract as part of the total cost breakdown.
   Hosting services: Depending on the security solution, hosting costs may need to be factored in if the organization hosts assets in a colocation center or cloud provider. The addition of security platforms and software creates higher hosting charges.

3. Direct services costs
   Consultants: Consulting services for vulnerability assessments and penetration tests can factor into the overall yearly cost for application protection.
   Managed services: Managed-services providers charge an annual fee for application protection. Some vendors offer application scanning both as in-house hardware and software and as managed services for appliances.
   Dynamic Application Security Testing (DAST): Commonly implemented as Software as a Service (SaaS), DAST tools scan applications and assess them for flaws, and can even integrate with code-scanning tools.

4. Internal labor costs
   Vulnerability assessment: This is usually the information security team, with some involvement from the development team.
   Vulnerability mitigation: This is the labor cost for the development and QA teams.

Developing a TCO model

The following worksheet shows how to calculate TCO across a number of different scenarios.

Calculate direct breach costs

First, calculate the direct breach costs based on the number of annual attacks, the number of annual breaches, the number of records per breach, and the average cost per record. As noted earlier, these estimates are based on industry statistics and available figures. The first column is the baseline (Cloud-DAST) scenario; the remaining columns are the alternative protection models.

Vulnerability assumptions                 Cloud-DAST  No protection  In-house scanners  Commercial  Managed services  Consultants        DAST
Web application attacks (annual)              25,000         25,000             25,000      25,000            25,000       25,000      25,000
Expected breaches (annual, calculated)             1             10                  7           9                 5            8           7
Percent of penetration                        0.004%         0.040%             0.028%      0.036%            0.020%       0.032%      0.028%
Customer records impacted per breach           5,000          5,000              5,000       5,000             5,000        5,000       5,000
Average cost per record                          $25            $25                $25         $25               $25          $25         $25
Direct cost of breach                       $125,000     $1,250,000           $875,000  $1,125,000          $625,000   $1,000,000    $875,000

Table 1. Direct costs of breaches

Determine loss of revenue

Next, determine the total revenue loss from a breach based on the overall impact to the business (calculated or estimated). In this case, we've estimated a weekly loss of $100,000 for two weeks, for a total of $200,000 per breach.

Estimate indirect breach costs

Finally, we've estimated the variety of indirect costs associated with a breach:

Security consultants: 20 hours per assessment at $250/hour
Managed services: 15 hours per assessment at $350/hour
Cost of false positives: 25 hours each at $100/hour
Legal costs: 80 hours at $250/hour
Public relations to handle breach scenario: 65 hours at $85/hour
Approximately $300,000 in legal and compliance fines per breach
10 applications assessed six times annually

In total, the indirect costs came to $325,525 per breach.

Tally the full cost of breaches

With the direct costs estimated in Table 1, a per-breach revenue loss of $200,000, and indirect costs of $325,525 per breach, the total losses come to the following:

ROI factors                               Cloud-DAST  No protection  In-house scanners  Commercial  Managed services  Consultants        DAST
Indirect breach costs                       $325,525     $3,255,250         $2,278,675  $2,929,725        $1,627,625   $2,604,200  $2,278,675
Revenue loss                                $200,000     $2,000,000         $1,400,000  $1,800,000        $1,000,000   $1,600,000  $1,400,000
Direct breach cost (see Table 1)            $125,000     $1,250,000           $875,000  $1,125,000          $625,000   $1,000,000    $875,000
Total annual losses                         $650,525     $6,505,250         $4,553,675  $5,854,725        $3,252,625   $5,204,200  $4,553,675

Table 2. Total cost of breaches

Factor in the cost of protection

Finally, we must factor in the cost of protection. In Table 3 the various models are broken down by the costs that will be incurred, ranging from hardware and software in some models to internal labor costs for performing scans and remediation. The final results are shown in the table:

ROI factors                               Cloud-DAST  No protection  In-house scanners  Commercial  Managed services  Consultants        DAST
Direct acquisition costs
Hardware                                                                       $20,000     $20,000           $20,000      $20,000
Software                                                                       $20,000     $27,448          $169,330      $20,000    $932,000
Implementation services
Admin. overhead
Direct operating costs
Hardware maint.                                                                 $4,000      $4,000            $4,000
Software maintenance/support                 $30,000                            $4,000      $5,490           $33,866                  $69,067
Hosting services
Direct services costs
Service expense                                                                                                          $300,000
Managed services                                                                                            $315,000
DAST assessment subscription                $200,000                                                                                 $110,000
Internal labor costs
Vulnerability assessments/review              $2,500                           $17,500     $22,500           $12,500      $20,000     $17,500
Vulnerability repair                                                          $150,000    $150,000
Annual system cost                           $30,000             $0            $48,000     $56,937          $227,196      $40,000  $1,001,067
Annual services cost                          $2,500             $0           $167,500    $172,500          $327,500     $320,000     $17,500
Subscription cost                           $200,000             $0                 $0          $0                $0           $0    $110,000
Total annual cost                           $232,500             $0           $188,833    $197,805          $428,476     $333,333    $507,233

Table 3. Total cost of ownership
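To make the arithmetic behind Tables 1 to 3 reproducible, here is an added worked model in Python; it is not WhiteHat's calculator but takes the paper's stated assumptions (25,000 attacks a year, 5,000 records per breach, $25 per record, $200,000 revenue loss and legal, PR and fines per breach) and recomputes every summary row. The one assumption it adds, because the page does not state it, is that hardware and software acquisition in Table 3 is spread over three years, which is the only treatment under which the printed totals come out.

```python
"""TCO model reproducing Tables 1-3 of the paper (added example, not WhiteHat's own calculator).
Inputs are the paper's stated assumptions. One assumption is inferred rather than stated on
the page: Table 3's totals only come out if hardware/software acquisition is spread over three years."""
from dataclasses import dataclass

ATTACKS_PER_YEAR = 25_000
RECORDS_PER_BREACH = 5_000
COST_PER_RECORD = 25
REVENUE_LOSS_PER_BREACH = 2 * 100_000               # two weeks at $100,000/week
INDIRECT_PER_BREACH = 80 * 250 + 65 * 85 + 300_000  # legal + PR + fines = $325,525 per breach
AMORTIZATION_YEARS = 3                              # inferred, see module docstring


@dataclass
class Scenario:
    """One column of the paper's tables: expected breaches plus protection line items."""
    name: str
    breaches: int
    hardware: int = 0  # direct acquisition
    software: int = 0
    hw_maint: int = 0  # direct operating
    sw_maint: int = 0
    services: int = 0  # consultants' service expense or managed-services fee
    assess: int = 0    # internal labor: vulnerability assessments/review
    repair: int = 0    # internal labor: vulnerability repair
    subs: int = 0      # DAST assessment subscription

    def penetration_pct(self) -> float:             # Table 1
        return 100 * self.breaches / ATTACKS_PER_YEAR
    def direct_breach_cost(self) -> int:            # Table 1
        return self.breaches * RECORDS_PER_BREACH * COST_PER_RECORD
    def total_annual_losses(self) -> int:           # Table 2
        per_breach = INDIRECT_PER_BREACH + REVENUE_LOSS_PER_BREACH
        return self.breaches * per_breach + self.direct_breach_cost()
    def annual_system_cost(self) -> int:            # Table 3 summary row
        return self.hardware + self.software + self.hw_maint + self.sw_maint
    def annual_services_cost(self) -> int:          # Table 3 summary row
        return self.services + self.assess + self.repair
    def total_annual_cost(self) -> int:             # Table 3 bottom row
        # Acquisition is amortized; maintenance, services and subscriptions recur every year.
        amortized = (self.hardware + self.software) // AMORTIZATION_YEARS
        return amortized + self.hw_maint + self.sw_maint + self.annual_services_cost() + self.subs
    def total_cost_of_ownership(self) -> int:
        """Protection spend plus expected breach losses: the figure the paper compares."""
        return self.total_annual_cost() + self.total_annual_losses()


# The seven columns of Tables 1-3 with the line items the paper assigns to each.
SCENARIOS = [
    Scenario("Cloud-DAST", 1, sw_maint=30_000, assess=2_500, subs=200_000),
    Scenario("No protection", 10),
    Scenario("In-house scanners", 7, 20_000, 20_000, 4_000, 4_000, assess=17_500, repair=150_000),
    Scenario("Commercial", 9, 20_000, 27_448, 4_000, 5_490, assess=22_500, repair=150_000),
    Scenario("Managed services", 5, 20_000, 169_330, 4_000, 33_866, services=315_000, assess=12_500),
    Scenario("Consultants", 8, 20_000, 20_000, services=300_000, assess=20_000),
    Scenario("DAST", 7, software=932_000, sw_maint=69_067, assess=17_500, subs=110_000),
]


def tco_table() -> dict:
    """Scenario name -> (annual protection cost, annual breach losses, TCO)."""
    return {s.name: (s.total_annual_cost(), s.total_annual_losses(), s.total_cost_of_ownership())
            for s in SCENARIOS}
```

Every column reproduces the printed figures except Commercial, which comes out $1 higher in the system-cost and total rows, consistent with the page having rounded its $27,448 software figure.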

Conclusion

[Figure 1. TCO broken into individual cost components]

While many organizations struggle to calculate the TCO of Web application security, you can accurately determine the financial impact. The model presented here illustrates some advantages to selecting solutions that work in a SaaS model, alleviating the costs of hardware and software acquisition, maintenance, and much of the labor cost. While the estimated breach numbers will vary (the numbers used in this white paper are estimates, to be sure), you can determine the total losses and costs within a reasonable margin. As you consider the likelihood of future breach scenarios, calculate your own total cost of Web application security using a TCO framework such as the one presented here.

1. http://www.scmagazine.com//idaho-state-university-to-pay-hhs-400k-after-investigation-reveals-shoddy-security/article/294679/#
2. http://thesouthern.com/news/hack-on-schnucks-could-cost-chain-m-in-illinois/article_073d9b3c-c364-11e2-8f22-001a4bcf887a.html
3. http://datalossdb.org/statistics
4. http://www.ponemon.org/blog/the-post-breach-boom
5. "Dangerous Cross-Site Request Forgery Attacks Up 132 Percent Since Q1 2012," Firehost, April 23, 2013
6. http://www.verizonenterprise.com/dbir/2013/ (and data from years 2009-2012)

WhiteHat Security is the leading provider of application risk assessment and management services that enable customers to protect critical data, ensure compliance, and narrow windows of risk. By providing accurate, complete, and cost-effective application vulnerability assessments as a software-as-a-service, we deliver the visibility, flexibility, and guidance that organizations need to prevent web attacks. Deloitte, SC Magazine, the San Jose/Silicon Valley Business Journal, Gartner and the American Business Awards have all recognized WhiteHat Security for our remarkable innovations, executive leadership and our ability to execute in the application security market. To learn more about WhiteHat Security and how our solutions can support your applications throughout the entire software development lifecycle, please visit our website at www.whitehatsec.com.

WhiteHat Security, Inc., 3970 Freedom Circle, Santa Clara, CA 95054, 1.408.343.8300, www.whitehatsec.com
© 2013 WhiteHat Security, Inc. All rights reserved. WhiteHat Security and the WhiteHat Security logo are registered trademarks of WhiteHat Security, Inc. All other trademarks are the property of their respective owners.