WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications

N/A
N/A
Protected

Academic year: 2021

Share "WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications"

Copied!
8
0
0

Loading.... (view fulltext now)

Full text

(1)

Evaluating the Total Cost

of Ownership for Protecting

Web Applications

WhiteHat Security


Introduction

Over the past few years, both the sophistication of IT security threats and the number of breaches and thefts have escalated, and with more data, applications, IP, and other assets coming online every day, those risk exposures are only increasing. In virtually every industry, nearly every organization faces substantial risks involving lost trust of customers and investors resulting from security breaches. And, while the indirect costs are difficult to measure (though they are inarguably meaningful), the direct costs are painfully easy to see. Consider just two cases that resulted in sizeable monetary losses:

§ Idaho State University recently settled a suit with the U.S. Department of Health and Human Services for $400,000 after the personal information of 17,500 patients was breached.1

§ Schnuck Markets could face up to $80 million in losses due to a payment card breach.2

Unfortunately, these aren’t isolated examples—and the causes are many. According to DatalossDB.org, 37 percent of all data breaches arise from hacking, Web application exposure, or misconfiguration.3 Since many sites are data-driven, this is an obvious entry point for attackers and an insufficiently covered area of corporate risk. “The Post Breach Boom” from the Ponemon Institute supports this: 42 percent of malicious incidents involved applications and 45 percent of losses due to malicious attacks ended up costing organizations an average of more than $500,000.4

Given these exposures and the potential for large monetary losses, organizations must quantify the financial impact of security risks and data breaches, and weigh it against the total cost of the Web application security tools and services that can prevent or mitigate them.

This white paper breaks down the total cost of Web application security in specific risk categories associated with successful attacks. It will also discuss the costs to protect websites, resulting in a TCO model that can help to quantify the costs of Web application security compared to the costs of data breaches.

Understanding the sources of web application security costs

The cost of data breach prevention, and of Web application security overall, falls into three major categories.

1. Systems costs, which take two forms:

– Recurring annual subscriptions. The subscription cost for a Software-as-a-Service (SaaS) security offering can be a factor in some models if these services are in place and employed by the security team. This cost typically consists of yearly subscription expenses.

– On-premises systems. Depending on the types of Web application security controls and tools, your organization can incur costs for hardware to run those tools and platforms, installed software, and many other associated costs, such as operating system licenses, network components, and more.

2. Services costs, which consist of the labor involved in deploying, learning, managing, and maintaining security tools and controls, as well as the labor required to respond to a security incident. This can include consultants, managed security services, or internal team members.

3. Breach impact, a line item that has traditionally been very difficult to measure. You can kick off the risk evaluation process by using statistics and data from industry reports and surveys to make a reasonably educated guess. In the beginning, this will, by necessity, rely on industry benchmarks and reports. Over time, that can be gradually complemented (and eventually replaced) by more accurate, experiential data if your organization encounters a


While the first cost category is essentially the cost of software (SaaS or on-premise), the second and third cost categories are strongly impacted by a Web application security solution’s ability to eliminate false positives and false negatives, respectively.

False positives happen when tools generate alerts that are not associated with true vulnerabilities. For instance, if the software creates an alert for an older Web server platform that has already been patched and is no longer vulnerable, that alert is not valuable. A large volume of false positives can significantly increase avoidable costs through unnecessary scan reviews. Too often, these avoidable review costs are overlooked.

False negatives can be much more destructive and significantly more costly. In these instances, a legitimate vulnerability or deficiency is not detected by the assessment tool(s) and is not reported to analysts. False negatives increase the costs of breaches since important vulnerabilities are overlooked, leading to higher likelihood of a security compromise for a longer period of time.

Continuous assessment does more than reduce false negatives: it also lowers expected breach costs by shortening the window of vulnerability, since more frequent scanning detects new exposures earlier.

Calculating the cost of successful attacks

When estimating the costs associated with a successful attack, consider the frequency of attacks and the likelihood of penetration (which will vary for every organization). Data from secure-hosting provider Firehost suggests that any given website could experience between 15,000 and 100,000 or more Web application attacks per year.5 According to Verizon Data Breach Investigations Reports (DBIR) from 2009-2012, the average company experiences five to six breaches annually.6 To break down the cost of a successful attack, consider these specific items:

Revenue loss. Certain types of data breaches may result in direct monetary losses, such as exposing credit card numbers or having banking accounts directly manipulated. Another source of revenue loss may be a drop in ecommerce revenue due to declining customer confidence in the affected organization.

Number of impacted records. The number of impacted records drives much of the total breach cost, starting with the time required to conduct an internal investigation and to notify affected parties. Crossing certain record-count thresholds can also trigger different legal and regulatory penalties.

Cost per data record. Some types of sensitive data may carry a specific cost to recover or replace, such as credit card replacement costs and credit monitoring services for affected consumers.

Legal costs and fines. Certain breaches incur specific regulatory and industry compliance fines and charges, ranging from one-time penalties to added costs for standard business processing; for instance, you might see additional per-transaction fees for handling payment card data after a breach. Other fines and penalties may result from lawsuits or other legal actions.

Brand damage. While the costs associated with damage to the brand are difficult to calculate, they certainly exist, especially in industries that rely heavily on ongoing consumer trust in the safeguarding of sensitive data.

In addition, even failed attacks incur costs, primarily related to investigation and the controls that prevent the attacks from succeeding.


The four categories for calculating the cost of protection

In addition to the cost of attacks, controls and tools for assessment, prevention, and response carry their own costs as well.

1. Protective tools and services costs
2. Operating costs
3. Direct services costs
4. Internal labor costs

1. Protective tools and services

Hardware: Servers and dedicated platforms/appliances running security products.
Software: The cost of security software.
Services: Can include both consulting services and the professional services associated with implementing a specific control or product.
Administrative overhead: Includes the time required to implement a product or service internally, as well as the daily time involved in managing and administering products.

2. Longer-term operating costs

Hardware and software maintenance: Include annual maintenance contracts as part of the total cost breakdown.
Hosting services: Depending on the security solution, hosting costs may need to be factored in if the organization hosts assets in a colocation center or with a cloud provider. Adding security platforms and software raises hosting charges.

3. Direct services costs

Consultants: Consulting services for vulnerability assessments and penetration tests can factor into the overall yearly cost of application protection.
Managed services: Managed-services providers charge an annual fee for application protection. Some vendors offer application scanning both as in-house hardware and software and as a managed service for appliances.
Dynamic Application Security Testing (DAST): Commonly implemented as Software as a Service (SaaS), DAST tools scan running applications, assess them for flaws, and can integrate with code-scanning tools.

4. Internal labor costs

Vulnerability assessment: Usually performed by the information security team, with some involvement from the development team.


Developing a TCO model

The following worksheet shows how to calculate TCO across a number of different scenarios.

Calculate direct breach costs

First, calculate the direct breach costs based on the number of annual attacks, the number of annual breaches, the number of records per breach, and the average cost per record. As noted earlier, these estimates are based on industry statistics and available figures:

Table 1. Direct breach costs by scenario

                                  Cloud-DAST   No           In-house     Commercial   Managed      Consultants  DAST
                                  (baseline)   protection   scanning     scanning     services
Web application attacks (annual)  25,000       25,000       25,000       25,000       25,000       25,000       25,000
Expected breaches (annual)        1            10           7            9            5            8            7
Percent of penetration            0.004%       0.040%       0.028%       0.036%       0.020%       0.032%       0.028%
Customer records per breach       5,000        5,000        5,000        5,000        5,000        5,000        5,000
Average cost per record           $25          $25          $25          $25          $25          $25          $25
Direct cost of breach             $125,000     $1,250,000   $875,000     $1,125,000   $625,000     $1,000,000   $875,000

Percent of penetration is expected breaches divided by annual attacks; direct cost of breach is expected breaches multiplied by records per breach and cost per record.


Determine loss of revenue

Next, determine the total revenue loss from a breach based on the overall impact to the business (calculated or estimated). In this case, we’ve estimated a weekly loss of $100,000 for two weeks, for a total of $200,000 per breach.

Estimate indirect breach costs

Finally, we’ve estimated the variety of indirect costs associated with a breach:

§ Security consultants: 20 hours per assessment at $250/hour

§ Managed services: 15 hours per assessment at $350/hour

§ Cost of false positives: 25 hours each at $100/hour

§ Legal costs: 80 hours at $250/hour

§ Public relations to handle breach scenario: 65 hours at $85/hour

§ Approximately $300,000 in legal and compliance fines per breach

§ 10 applications, each assessed six times annually (60 assessments)

The legal, public relations and fine items are incurred per breach and sum to $20,000 + $5,525 + $300,000 = $325,525 in indirect costs per breach. The consultant, managed-service and false-positive review rates are not part of that per-breach figure; they feed the protection costs in Table 3 (for example, 60 assessments at 20 hours and $250/hour is the $300,000 consultant service expense).

Tally the full cost of breaches

With the direct costs estimated in Table 1, a per-breach revenue loss of $200,000, and indirect costs of $325,525 per breach, the total annual losses for each scenario come to the following:

Table 2. Total annual losses by scenario

                                  Cloud-DAST   No           In-house     Commercial   Managed      Consultants  DAST
                                  (baseline)   protection   scanning     scanning     services
Indirect breach costs             $325,525     $3,255,250   $2,278,675   $2,929,725   $1,627,625   $2,604,200   $2,278,675
Revenue loss                      $200,000     $2,000,000   $1,400,000   $1,800,000   $1,000,000   $1,600,000   $1,400,000
Direct breach cost (see Table 1)  $125,000     $1,250,000   $875,000     $1,125,000   $625,000     $1,000,000   $875,000
Total annual losses               $650,525     $6,505,250   $4,553,675   $5,854,725   $3,252,625   $5,204,200   $4,553,675


Factor the cost of protection

We must finally factor in the cost of protection. In Table 3 the various models are broken down by costs that will be incurred, ranging from hardware and software in some models to internal labor costs for performing scans and remediation. The final results of this are shown in the next table:

Table 3. Annual cost of protection by scenario

                                  Cloud-DAST   No           In-house     Commercial   Managed      Consultants  DAST
                                  (baseline)   protection   scanning     scanning     services
Direct acquisition costs
  Hardware                        -            -            $20,000      $20,000      $20,000      $20,000      -
  Software                        -            -            $20,000      $27,448      $169,330     $20,000      $932,000
  Implementation services         -            -            -            -            -            -            -
  Admin. overhead                 -            -            -            -            -            -            -
Direct operating costs
  Hardware maintenance            -            -            $4,000       $4,000       $4,000       -            -
  Software maintenance/support    $30,000      -            $4,000       $5,490       $33,866      -            $69,067
  Hosting services                -            -            -            -            -            -            -
Direct services costs
  Service expense (consultants)   -            -            -            -            -            $300,000     -
  Managed services                -            -            -            -            $315,000     -            -
  DAST assessment subscription    $200,000     -            -            -            -            -            $110,000
Internal labor costs
  Vulnerability assessment/review -            -            $150,000     $150,000     -            -            -
  Vulnerability repair            $2,500       -            $17,500      $22,500      $12,500      $20,000      $17,500
Annual system cost                $30,000      $0           $48,000      $56,937      $227,196     $40,000      $1,001,067
Annual services cost              $2,500       $0           $167,500     $172,500     $327,500     $320,000     $17,500
Subscription cost                 $200,000     $0           $0           $0           $0           $0           $110,000
Total annual cost                 $232,500     $0           $188,833     $197,805     $428,476     $333,333     $507,233

Rows shown only with dashes (implementation services, administrative overhead, hosting) appear in the worksheet but carry no figures in this model. Vulnerability repair is $2,500 (25 hours at $100/hour) per expected breach. Note that the "Annual system cost" row adds acquisition and maintenance at face value, while the "Total annual cost" row amortizes the one-time hardware and software acquisition over three years before adding maintenance, services and subscription costs; the paper does not state this, but it is the only reading that reproduces the totals. For in-house scanning: ($20,000 + $20,000) / 3 + $4,000 + $4,000 + $167,500 = $188,833. Use the same amortization period for your own figures, or the SaaS and on-premises columns will not be comparable.
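As an added worked example (this is not code from the white paper or from WhiteHat Security), the following Python reproduces the worksheet in Tables 1 to 3 and ranks the seven scenarios by total cost, taken here as expected annual losses plus the annual cost of protection. The scenario figures are the paper's own. The three-year amortization of hardware and software acquisition, the derivation of the consultant and managed-service fees from 60 assessments per year, and the treatment of vulnerability repair as $2,500 per expected breach are assumptions inferred from the table arithmetic, not statements the paper makes.

```python
# Worked TCO model reproducing the white paper's Tables 1 to 3.
# Added example; not part of the original white paper. Amortization period,
# the 60-assessments-per-year derivation and the per-breach repair cost are
# assumptions inferred from the table totals.
from dataclasses import dataclass

ATTACKS_PER_YEAR = 25_000              # Table 1 assumption
RECORDS_PER_BREACH = 5_000             # Table 1 assumption
COST_PER_RECORD = 25                   # Table 1 assumption (USD)
REVENUE_LOSS_PER_BREACH = 100_000 * 2  # $100,000 per week for two weeks
AMORTIZATION_YEARS = 3                 # assumption: reproduces Table 3 totals

# Per-breach indirect items (hours x hourly rate, plus fines).
INDIRECT_PER_BREACH = {
    "legal": 80 * 250,
    "public_relations": 65 * 85,
    "fines": 300_000,
}

# Assessment workload: 10 applications, each assessed six times a year.
ASSESSMENTS_PER_YEAR = 10 * 6
CONSULTANT_FEE = ASSESSMENTS_PER_YEAR * 20 * 250   # 20 h at $250/h per assessment
MANAGED_FEE = ASSESSMENTS_PER_YEAR * 15 * 350      # 15 h at $350/h per assessment
REPAIR_PER_BREACH = 25 * 100                       # 25 h at $100/h (false-positive review)


@dataclass(frozen=True)
class Scenario:
    name: str
    breaches: int                 # expected breaches per year (Table 1)
    hardware: int = 0             # one-time acquisition
    software: int = 0             # one-time acquisition
    hw_maint: int = 0             # annual
    sw_maint: int = 0             # annual
    services: int = 0             # consulting / managed-service fees, annual
    assess_labor: int = 0         # internal assessment/review labor, annual
    repair_per_breach: int = REPAIR_PER_BREACH
    subscription: int = 0         # SaaS assessment subscription, annual


def indirect_cost_per_breach() -> int:
    return sum(INDIRECT_PER_BREACH.values())


def penetration_rate(s: Scenario) -> float:
    """Fraction of attacks that become breaches (Table 1 'percent of penetration')."""
    return s.breaches / ATTACKS_PER_YEAR


def direct_breach_cost(s: Scenario) -> int:
    """Table 1 'direct cost of breach': records exposed times cost per record."""
    return s.breaches * RECORDS_PER_BREACH * COST_PER_RECORD


def total_annual_losses(s: Scenario) -> int:
    """Table 2: direct record costs + revenue loss + indirect costs, per breach."""
    per_breach = (RECORDS_PER_BREACH * COST_PER_RECORD
                  + REVENUE_LOSS_PER_BREACH
                  + indirect_cost_per_breach())
    return s.breaches * per_breach


def annual_protection_cost(s: Scenario) -> int:
    """Table 3 'total annual cost': amortized acquisition + operating + services."""
    acquisition = (s.hardware + s.software) / AMORTIZATION_YEARS
    system = acquisition + s.hw_maint + s.sw_maint
    services = s.services + s.assess_labor + s.repair_per_breach * s.breaches
    return int(system + services + s.subscription)   # truncate, as the paper does


def tco(s: Scenario) -> int:
    """Expected annual losses plus the annual cost of protection."""
    return total_annual_losses(s) + annual_protection_cost(s)


SCENARIOS = [
    Scenario("Cloud-DAST", breaches=1, sw_maint=30_000, subscription=200_000),
    Scenario("No protection", breaches=10, repair_per_breach=0),
    Scenario("In-house scanning", breaches=7, hardware=20_000, software=20_000,
             hw_maint=4_000, sw_maint=4_000, assess_labor=150_000),
    Scenario("Commercial scanning", breaches=9, hardware=20_000, software=27_448,
             hw_maint=4_000, sw_maint=5_490, assess_labor=150_000),
    Scenario("Managed services", breaches=5, hardware=20_000, software=169_330,
             hw_maint=4_000, sw_maint=33_866, services=MANAGED_FEE),
    Scenario("Consultants", breaches=8, hardware=20_000, software=20_000,
             services=CONSULTANT_FEE),
    Scenario("DAST", breaches=7, software=932_000, sw_maint=69_067,
             subscription=110_000),
]


def rank_by_tco(scenarios=SCENARIOS):
    """(name, tco) pairs from cheapest to most expensive overall."""
    return sorted(((s.name, tco(s)) for s in scenarios), key=lambda t: t[1])


if __name__ == "__main__":
    for name, cost in rank_by_tco():
        print(f"{name:<20} ${cost:>10,}")
```

Running the model shows why the penetration rate dominates: every avoided breach removes $650,525 of expected loss, which dwarfs the differences in tool and labor cost between the protection options. To adapt it, replace the scenario figures with your own attack volume, breach history and contract prices, and keep the amortization period consistent across SaaS and on-premises columns.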


WhiteHat Security is the leading provider of application risk assessment and management services that enable customers to protect critical data, ensure compliance, and narrow windows of risk. By providing accurate, complete, and cost-effective application vulnerability assessments as a software-as-a-service, we deliver the visibility, flexibility, and guidance that organizations need to prevent web attacks.

Deloitte, SC Magazine, the San Jose/Silicon Valley Business Journal, Gartner and the American Business Awards have all recognized WhiteHat Security for our remarkable innovations, executive leadership and our ability to execute in the application security market.

Figure 1. TCO broken into individual cost components

Conclusion

While many organizations struggle to calculate the TCO of Web application security, the financial impact can be estimated with reasonable accuracy. The model presented here illustrates the advantages of solutions delivered as SaaS, which avoid hardware and software acquisition and maintenance costs and much of the labor cost.

The breach figures will vary from organization to organization, and the numbers used in this white paper are estimates, but total losses and costs can be determined within a reasonable margin. As you consider the likelihood of future breach scenarios, calculate your own total cost of Web application security using a TCO framework such as the one presented here.

References

1. http://www.scmagazine.com//idaho-state-university-to-pay-hhs-400k-after-investigation-reveals-shoddy-security/article/294679/#
2. http://thesouthern.com/news/hack-on-schnucks-could-cost-chain-m-in-illinois/article_073d9b3c-c364-11e2-8f22-001a4bcf887a.html
3. http://datalossdb.org/statistics
4. http://www.ponemon.org/blog/the-post-breach-boom
5. “Dangerous Cross-Site Request Forgery Attacks Up 132 Percent Since Q1 2012”, Firehost, April 23, 2013
6. http://www.verizonenterprise.com/DBIR/2013/ (and data from years 2009-2012)
