I mentioned in my last blog that we actually have a chance to measure and demonstrate the real value of insurance precisely because real data and real numbers are going to exist as part of Cyber Insurance (and Cyber Reinsurance), showing how and why security can reduce the chance and damage of incidents (which I called “C” and “D” in my primitive actuarial equations). This is a great thing for our industry because, like the CIO 15 years ago, the CISO’s biggest challenge is “alignment with the business” and not being perceived as just another IT tax.
Let’s dig into that a bit with a concrete example around DDoS. For reference, I’ll restate the basic equation from my last blog:
What is the real value of Anti-DDoS protection in this sort of world?
To start with, an anti-DDoS solution should have maximum impact on “C,” raising the cost for attackers to carry out successful DDoS attacks because they need better coordination, more sophistication and, frankly, more resources to achieve the same effect. This last point is vital: in a world where some targets are protected and others aren’t, the attackers rapidly identify those with protection. This deterrence value is hard to measure because it means that the number of attacks a particular victim sees against themselves goes down or even approaches nil, while other victims of DDoS will see a small rise across the whole population.
Then there is the direct impact on “D,” which isn’t just a measure of lost earnings or revenue due to a service going away or penalties from failed SLAs, although that’s a big part of it. Well-protected organizations will also have the lowest IT cost due to reductions in mitigation complexity and redundancy, less indirect damage because they return to a “normal business state” fastest, the least waste of human resources in response and management, and a better ability to do forensics and detection on all North/South traffic.
There’s the further benefit that attackers are no longer able to disguise more complex attacks under a deluge of DDoS designed to create a high noise-to-signal ratio, or to slip past overwhelmed security controls (like exhausted state-based firewalls) or exhausted storage (in the case of packet capture and detection devices).
Looking into our ASERT data, we see a lot of the actual data about who is being attacked and for how long in each case. The data makes it quite clear what meaningfully reduces C and D in this equation. We see the move to larger attacks to gain more effect: the share of attacks climbing to >1 Gbps was 16% in 2014, 17.7% in Q1’15 and 20.8% in Q2’15, with a big jump in the 50-100 Gbps range in June and nearly 51 attacks >100 Gbps so far in 2015.
This is all true with any anti-DDoS protection, but all of these elements increase further with advanced DDoS protection: a multi-layered solution with cloud signaling and burst protection. We then also see the highest return for the most difficult and insidious application-layer attacks, and for subtle risks to integrity and confidentiality too. Digging into the data again, we’re seeing the proportion of attacks targeting TCP/80 going up (17.8% vs. 13.3%, Q1’15 vs. Q1’14) and similar but smaller increases in UDP/53 and TCP/443.
Tying this off to other recent topics, the best way to “invert the pyramid” is to embrace the data and drive metrics for management and discussions of risk reduction toward the real, quantifiable value of security. To get there, work with your vendors, talk to your peers and embrace internal business partners, but also talk early and often to your insurance carrier about which of your practices, skills and tools really reduce risk.
The post Finding the Real Value in Security appeared first on Arbor Insights - Our People, Products and Perspective.