Bromium has publisheded the findings of an independent global survey uncovering the surging hidden costs of reactive, detection-based security intended to protect the organization. The initial, upfront licencing and deployment investment in security-detection tools like anti-virus is dwarfed by the cost of human skills and effort to manage and assess the millions of alerts and false-positive threat intelligence generated. The research, based on a survey of 500 CISOs from global enterprises, is part of a wider report: The Hidden Costs of Detect-to-Protect.
Key findings include:
- The average annual cost to maintain detect-to-protect endpoint security is $16,714,186, per enterprise
- Organizations invest $345,300 per year on detect-to-protect security tools, but this cost is minimal compared to the hidden human costs
- Labor costs are soaring as a direct result of detection-based technology failures:
- SOC teams receive over 1M alerts every year, but 75 percent are false positives
- SOC teams spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching
- All-together, that’s 417,148 hours per year; resulting in an annual labor cost of $16,368,886, per enterprise
“Detection requires a patient zero – someone must get owned and then protection begins. Yet, because of this, rebuilds are unavoidable; false positives balloon; triage becomes more complex and emergency patching is increasingly disruptive,” said Gregory Webb, CEO, Bromium. “It’s no surprise that 63 percent of the CISOs we surveyed said they’re worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives, and they are spending millions to address them.
“Meanwhile, advanced malware is still getting through because cyber criminals are focusing on the weak spots like email attachments, phishing links and downloads. This is why organizations must consider the total cost of ownership when making security investments, rather than just following the detect-to-fail crowd.”
The research shows that organizations are investing in multiple security layers to defend against hackers, including: Advanced Threat Detection (annual spend $159,220); next-generation and traditional anti-virus (annual spend $44,200); whitelisting and blacklisting ($29,540 annual spend), and detonation environments ($112,340 annual spend). However, these technologies are dependent on detection first, and therefore are fundamentally flawed and only stop the known.
Organizations expect the associated upfront costs for a security stack, however, as the research shows, the total cost of ownership is much higher than expected. During evaluations CISOs need to be asking questions that uncover the hidden costs, such as:
- Where are most of the attacks happening?
- Are advanced threats getting through current defenses?
- Is employee productivity negatively impacted by current security measures?
- How many alerts are being generated? Of those, how many are false positives?
- Is it likely that machines will still get compromised and need to be rebuilt?
“Application isolation provides the last line of defense in the new security stack and is the only way to tame the spiralling labor costs that result from detection-based solutions,” Webb concludes. “Application isolation allows malware to fully execute, because the application is hardware isolated, so the threat has nowhere to go and nothing to steal. This eliminates reimaging and rebuilds, as machines do not get owned. It also significantly reduces false positives, as SOC teams are only alerted to real threats. Emergency patching is not needed, as the applications are already protected in an isolated container. Triage time is drastically reduced because SOC teams can analyze the full kill chain.”