The Economics of Failure: Cybersecurity and Standing Tall

You are failing.

You scan your employee card, as you step into the corporate headquarter of your enterprise. The security guard at the desk greets you with a nod, and soon you’re stepping into an express elevator. Before you can even consider the security posture of the SCADA system holding the metal box far above any terminal velocity line, you’ve been delivered safely, walking away toward your corner office. Your mind is on something else. The board is worried about “Anonymous” and the last tweet some journalist picked up on, a vague threat toward your general industry vertical. As the CIO, the board will expect you to talk to this and you dread having to explain that in spite of 10 million dollars budget allocated last year to security, it’s simply not enough to stop them.

So what did you do wrong? The two resources you hired last year, are by all accounts the best firewall experts money could buy, and unlike your three consultants, they accepted to exchange a pager between the two of them, finally giving you the 24/7 SOC you had envisioned. You have upgraded the IPS to the manufacturer’s latest model, and you fought a hard political crusade with IT, getting to sign on your 30 day patching cycle. You’ve even pulled a fiscal magic trick, squeezed and borrowed just enough to buy one of those SIEM you kept getting pitched on. Now, if someone could just manage to configure it, you would have full visibility into your network. You feel like you’re squeezing blood out of a stone, and still, you know you are vulnerable. You feel like you have said that “security is a journey, not a destination” one time too many.

Of course, you failed. You sat at the wrong poker table.

The sad truth is that security is simply too expensive a proposition, for anyone to afford on their own. This is how governments were born, because a sheep farmer on the edge of the North Sea could never afford enough guards to turn away a Viking raiding party on his own.

The words on the paper ring true, but you’re not convinced. You have spent most of your life winning the hard fights, and never ever listening to people who told you it couldn’t be done. So you take out a pad and a pen, and you start breaking it down.

To have a truly operational SOC, you’ll need a strict minimum of 8 resources, all of which must be immune to all disease, take little to no vacations, be willing to work on rotation (night/day), and have either very understanding family at home, or none at all. Better yet, hire 14, and you can expand your hiring criteria to actual human beings. These resources will cost you each a six figure salary or you will spend your time training them on their way to the next better job.

To accomplish this, they will need support and training. You will need incident response team, two to four resources to start. They will need to be highly trained in a variety of fields, and have experience under their belts. This will not come cheaply. On that subject, you’ll also need a SIEM, and another team of experienced content developer, let’s say another two resources. Besides being as rare as unicorns, the price of those two will be equally legendary. You are starting to lose confidence, but like a true corporate general, you press on.

You will need firewalls and IPS for every network segment, and some type of antivirus and hips combo for all your workstations and servers. You’ll need a patch management tool, and an endpoint protection and remediation tool.

A WAF for your webservers and a source code review tool to prevent the developing team from making a horrible mistake, while trying to integrate the backend with that flashy frontend your company is developing overseas to save money.

You will need forensic equipment, in case you want to take someone to court. You will also need two resources full time, to answer any e-discovery request you might get, and another two to collect evidence for your own cases. You will need threat intelligence with a big data platform… but that’s too expensive, you think it might fit better as a roadmap item.

These services will have to be architected, engineered, deployed and maintained. You know how to cut corners, so you might be able to squeeze this down to an additional 10 resources.

It is a good start. Not a perfect plan, but you only have been noting down items for 5 minutes or so. You do a quick tally.

34 resources… and immediately it dawns on you. Almost half of your budget is gone. Non-capital operational expenditure, not your enterprise favorite type of spending. The best part is that most of these resources will sit in a room, and for all intent and purposes, accomplish nothing all day. After all, the better the operations team is at securing the network, the less hits the SOC will receive. It’s great from a security POV, but it’s always difficult to explain 5 Millions of OPEX without any metric to demonstrate the value.

And it doesn’t stop there

Even if you capitalized the support at purchase, the licensing of the appliances would eventually catch up. You can only afford a fraction of the equipment you actually need, leaving several gigantic holes in your security infrastructure, while you spread the cost of acquisition across five years. You simply cannot win.

Even if you did, in the end you would eventually be breached, since this simply cannot be avoided. The losses or embarrassment suffered at that moment would drown out your cries of victory, that it took your team 20 days to find the leak, where the average is currently 223 days. No one would care. They would ask why your enterprise has been spending 10 million a year, only to lose 5 million to a foreign hacker group that can never be prosecuted.

You exhale deeply. You need help; you are slowly realizing this now.

Every year, most enterprises dedicate a relatively small budget to security, which is understandable, since security does not bring revenue, and it is best measured through its failures, than its success. This budget represents their failure line, the place they decided to give up. “It’s good enough”. “It’s a journey, not a destination”. “We’ve significantly increased our posture”. ”We have a roadmap”. They all amount to the same thing, the acceptance of failure. What if they could spend a fraction of what they are spending now, but reach the destination?

Sheep farmers understood long ago, that forming communities for protection is the only security strategy. Where we all fail as individual, a single managed provider can succeed. A 24/7 fully staffed SOC becomes a reality, unburden from boredom and false positive fatigue, it acts across multiple customer environments to achieve a higher posture at significantly lower individual costs. Experience makes the security practitioner, and the greater the footprint covered, the greater the practitioner.

Standing tall alone is great for people who like to lose gracefully. Winners, on the other hand, like to show up to a fight with some friends.

Author: mahervieux

Growing up, my Sunday afternoons were filled with movie detectives, wise cracking mavericks that would catch bad guys and save the day with a bullet. Sadly, the days of Dirty Harry are now gone, his kind, an outdated measure in a world were bad guys can strike at you from a world away. I am a visionary security leader and architect, that won’t rest until he gets his man. I am a practicing paranoid, and a dedicated command-line warrior. I strongly believe that engineering is more than opening a ticket with a manufacturer; it’s the art of taking a taking some paper clips and a few rubber bands, and building a big data analytic platform out of it. I learned from the military that leading from the front is not a leadership style; it’s the only way to do it. I learned from failures and the lethal weapon series that building relationships is more important than standing tall on your own. I build SOC out of people, not hardware. I am the friendly, unshakably positive, never-say-die problem solver, that’s not afraid to start the difficult discussions that will save you millions of dollars. I am fluent in executive, hacker, and data scientist. Data science and machine learning are changing the face of our industry. Do you think you’re ready for it, well do you… punk?

Leave a Reply

Your email address will not be published. Required fields are marked *