Don’t Get Owned: Security Tool Investment Considerations

Security executives need to build business cases that truly reflect the value of their security stack.

Cyberattacks are not just an IT problem; they impact your whole business. By 2021, cybercrime will cost the world $6 trillion annually, according to Cybersecurity Ventures’ 2019 Official Annual Cybercrime Report, up from $3 trillion in 2016 – so it’s crucial that organizations invest in security tools to safeguard their business health and operations.

Though most would argue that cybersecurity is essential, it is notoriously difficult to calculate a return on investment. Unless a business has just suffered a devastating attack, it’s difficult to justify the investment in security tools and to explain the cost savings and brand protection benefits of preventing a data breach or a malware attack.

Further, it’s challenging to calculate a true total cost of ownership (TCO) for security tools. Initially, there are the upfront costs of the security technology (software and/or hardware), plus the licensing fees. However, security tools that rely solely on detection carry a hefty hidden cost – thousands of security alerts that must be triaged every week, often costing millions in labor. As a result, even if the business provides the funding for cybersecurity tools, security operations center (SOC) teams are typically stretched to a breaking point, putting the business at risk.

Security executives need to build business cases that truly reflect the value of their security stack, as well as the TCO and impact that those technology investments have on their security teams.

Someone Probably Did Get Fired for Choosing IBM

IBM used to play on the fear, uncertainty and doubt of buying something outside the norm with the phrase “nobody ever got fired for choosing IBM.” Today’s vendors are still playing this mind game, particularly in cybersecurity. Detection-based solutions are the de facto standard for safeguarding a business, so the assumption goes: because everyone else is doing it, I should too. Hold that thought.

First, let’s look at the average cost of detect-to-protect security. Our research has found that organizations are investing $345,300 every year on detect-to-protect tools, with most of them adopting layered defenses. Breaking this cost down, organizations are spending:

  • $159,340 on advanced threat detection;
  • $44,200 on AV solutions;
  • $29,540 on whitelisting and blacklisting; and
  • $112,340 on detonation environments.

While it is important to invest in layered defenses and protect against opportunistic, known threats, investing in these tools alone will never provide the protection needed to defend against today’s advanced threats.

Tools like NGAV, blacklisting and whitelisting are ineffective in the age of polymorphic malware. For example, Bromium identified a new variant of the Emotet banking Trojan that was able to evade NGAV engines because it continually repackaged both the malware and the documents used to distribute it, avoiding detection. Bromium engineers observed the C2 (command and control) servers updating the malware faster than NGAV products could update their detections.

This is a clear sign that cybercriminals are becoming more efficient at evading detection. They’ve realized that detect-to-protect tools are on the lookout for unusual activity. Cybercriminals will program malware to lie dormant until spurred into action by human activity, or develop something new that NGAV will miss. NGAV absolutely serves the purpose of detecting and stopping known threats, and should not be forgotten. But the whole premise of investing in detection-based protection alone is shaky at best, and at worst, irresponsible.

Calculate Your TCO to Avoid a Sting in the Tail

It is not just the upfront costs of tools that businesses should consider when making a purchase. Our research also found that detect-to-protect tools are drowning SOC teams with more than one million alerts every year. This deluge of alerts is triggering workforce costs running into the millions, spent on triaging threats, rebuilding compromised machines and issuing patches. Hidden costs like these mean there are a few things to ponder when considering your security investment.

First, you want your team to be alerted to real threats to the business, and not swamped by false positives. On average, SOC teams are spending 413,920 hours per year triaging alerts. It’s often impossible to understand the nature of an alert until it has been fully investigated. This is a time-consuming task that greatly impacts an organization’s workforce costs.

Second, security executives must consider how much time and how many resources will be spent on rebuilding compromised machines. Based on our research, SOC teams are repairing an average of 50-plus compromised devices every month. This is because detect-to-protect tools only detect threats after the fact, meaning organizations have to spend time after an attack has occurred rebuilding owned machines.

Finally, ask yourself: can I see what threats are coming? The threat landscape is constantly changing, and many security applications can’t protect you against unknown threats. Detect-to-protect can defend you from what has already been discovered, but anything beyond that leaves you at risk of being owned. You need to be safe in the knowledge that you can defend your business from any threats that come your way.

Don’t Invest in Something That Isn’t Up to the Job

Ultimately, it is important to question our reliance on detect-to-protect tools and start looking at new ways to defend the enterprise. Innovative technologies, such as application isolation and control, augment the existing security stack to stop new threats, helping organizations focus on protection, rather than detection only. This approach uses virtualization to isolate every application in a protective enclave, so that even if malware does pose a threat, it is contained in a virtual environment – the malicious program has nowhere to go and nothing to steal.

This not only helps to reduce risk to the business, it also decreases workforce costs by removing the need to rebuild compromised machines, putting an end to false positives and providing detailed threat information that can be used to protect the enterprise at large. Importantly, this approach also provides vital reports that show how many threats have been stopped that would otherwise have infected the enterprise, demonstrating cybersecurity’s ROI.

Sherban Naum

Sherban Naum is SVP, Corporate Strategy and Technology for Bromium. He can be reached at sherban@bromium.com.