SOC challenge: Balancing the trade-offs between cost and risk
The following is a guest article from Slavik Markovich, CEO of Demisto.
Every professional working in a security operations center (SOC) understands that attacks are on the rise.
Criminals who steal credit card numbers to resell on the dark web, hackers who launch ransomware attacks, industrial spies seeking to steal intellectual property, and state-sponsored hackers who seem to have diverse reasons for selecting their targets have all become much more adept at penetrating security measures.
The financial cost of these breaches is shocking, according to the 2016 Data Breach Study conducted by IBM and the Ponemon Institute.
- Overall, the total cost for a breach averaged $7 million.
- For breaches that compromised fewer than 10,000 records, the costs were almost $5 million; breaches that compromised at least 50,000 records averaged $13 million in costs.
- The average cost per record was $221.
- Of the cost per record, $76 was direct cost, such as technology investments and legal fees. Indirect costs — increased churn rate, damage to the company's reputation and similar damages — cost companies $145 per record, almost twice the direct costs.
When a company suffers a data breach, the repercussions can be severe. Billion-dollar mergers can be jeopardized, shareholders can rush to sell their stock, and executives can be fired or pressured to resign.
Former employees may even decide to sue the company for failing to protect their personal information. After the Sony breach, for example, lawsuits filed by current and former employees cost the company between $2 million and $4.5 million.
Given the astounding costs that a breach can involve, why are so many CEOs and CFOs resistant to efforts to improve security?
One of the leading reasons is that most of them tend to rely on "hard" numbers when making decisions. The cost of a data breach is a "fuzzy" number, but the cost of new software, additional personnel, infrastructure and similar purchases is clearly stated and unambiguous.
As a CISO, the challenge is to weigh the costs against the potential risks and then translate the information into terms non-technical members of the board can easily understand.
A careful analysis of your business — and the ability to think like a hacker — can help stakeholders identify the most likely targets, so that defenses can be hardened and critical assets protected first.
In which industry does your business operate?
The nature of your business can help you identify what hackers will most likely be after. For example, if your business collects or stores health records for individuals, hackers can sell these for as much as 10 times the price of credit card numbers.
If you are a technology company, hackers may be after your intellectual property and may target employee credentials to access the data.
If you are a retailer, your customers' credit card information may be the primary target. And if you are a military contractor, the hackers may seek to use your system as a back door to infiltrate government systems.
What type of attack would be the most likely?
Keep in mind that hackers typically perform their own analysis of costs versus rewards; a lengthy, complex attack must be worth their effort.
The more they can automate, the less costly the attack, which is why man-in-the-middle attacks are less common than you might expect.
Denial of service and ransomware attacks, however, are increasing. Phishing attacks are still commonplace, and hackers are becoming more adept at spoofing.
Do you have the right people in the right positions?
Finding qualified talent continues to be a major issue. Would increasing staff or encouraging current team members to upgrade their skills help mitigate your risks better than new equipment or software?
Who are your users?
Different user groups have different levels of security awareness, and you will have varying levels of control over what they do.
For employees, you can provide security training, enforce password complexity, limit the files each employee can access, employ biometric recognition, or require that they change their passwords frequently.
However, if your users are a cross-section of the public, drastic security measures could send them rushing to your competition.
Do you have an incident response plan?
Early containment and threat elimination can reduce your risks substantially. Your plan should be a formal, written policy, and you should conduct drills periodically to ensure that all team members understand their roles should an actual attack occur.
In a world where technology evolves rapidly but still depends on human interaction, it is impossible to guarantee the complete security of a system. However, by identifying the most vulnerable points, you can prioritize your spending to make your defenses strong enough that attackers will feel that it is simply not worth their effort.