back to article Security SEE-SAW: $3 MEEELLION needed to fight a $100k hack

It costs a whopping $3.1m to defend against a $100,000 advanced attack, a security duo claims. The imbalance - well-known to security pros - was illustrated in research presented by Microsoft security strategist Paul McKitrick and founder of security startup ICEBRG William Peteroy (@wepiv) at the Kiwicon hacker fest in …

  1. Richard Taylor 2 Silver badge

    Not Surprising.

    Defence, especially against an 'insurgent' (OK not great equivalent, but worth thinking about) will always be more expensive. I am surprised the ratio is so low.

    1. Bloakey1

      Re: Not Surprising.

      Exactly! A small band of rum coves called Algie, Bertie and Josh whose collective value is ten groats, can cause havoc roaming through the land. So ... we have to build a bastion, ramparts, a castle etc. that starts getting pricey, then we have to man it and to protect outlying areas. So yes, the cost of defense is much greater than the cost of offence.

      Twas ever thus and if any one disagrees, well then call me a Hoplite.

      1. Trevor_Pott Gold badge

        Re: Not Surprising.

        There are really two schools of thought on this.

        The first is that a highly mobile attacker can harry the hillsides and strike at weak points, drawing gout the limited manpower that an entrenched static defended can spare and whitting them down over time through ambushes. The mobile attacker sets the tone of the engagement and chooses the time and place.

        A well prepared defender, however, can whether a siege for years. By being static they can bring to bear far heavier and more powerful weaponry, making even approaching the fortress spectacularly costly. A well prepared defender has either alternative (underground) routes of ingress/egress and thus can bring in supplies to weather the siege or they have internal generation capacity that means so long as the attackers can be held at bay, they can live there indefinitely.

        A mobile attack force has easy access to it's own supply lines easily, and could theoretically discover the emergency routes for the static defender. But the mobile force is vulnerable to cavalry sent out by the static defender to harry them behind their lines.

        War is not so simple as to boil it down to "a mobile force will always beat a static defender." Ask the Germans in WWII what they thought of the British 17 pounder anti-tank installations!

        War is a game of knowing your enemy, and customizing your tactics to suit. The side with the best intelligence wins. If I am defending a great big fat target I have two options: try to hit the attackers way before they get within firing range or try to make it so costly to get within firing range that they wouldn't dare try.

        The first approach requires me to know how many of the attackers there are, what they're equipped with, where they are and where they are going. That's four points of data needed to successfully find and kill an attacker using a mobile force.

        The second approach requires me only to know two things: how far can they shoot and how hard do those shots hit? If I know that then I can design my static defenses to shoot farther than them and I can make rational choices about "shoot more things to wipe them out before they get in range" or "invest in armour so that I can tank a few hits whilst I mow them down."

        They'll change tactics and maybe even invent new weapons. As the defender, I have to know about that before their own soldiers do and be able to develop countermeasures before they can bring them to bear. I'd also be well advised to keep a light cavalry regiment on hot standby in case I happen actionable intelligence. Never underestimate the blow to morale that a successful cavalry raid can cause!

        If what you are defending is a small target - man portable, say - then by all means splinter into a thousand different groups and dissappear into the hillsides. So long as you have a means of communicating you can coordinate counterattacks against any attacker and use guerrilla tactics to drive them out of your land.

        But that's really the question, isn't it? What are you trying to defend? Purpose dictates options, and limits on options are limits on available strategies. Once you've picked your strategies, it comes down to the tactics of the individual units, thier ability to communicate...

        ...and the quality of the intelligence you've based your battle plan on.

        Infosec has four parts: prevention, detection, mitigation and response.

        It is impossible to prevent all attacks. It is impossible detect all attacks. It is impossible to mitigate damages from all attacks such that they require no response. Anything that makes it to the "requires response" layer will be huge, so have your response well rehearsed.

        Prevention is a lock on a front door. It might keep a few people out, but it falls to a good swift kick. Detection lets you know when someone has kicked in the door and allows you to react. Mitigation would be the ability to reconfigure the hallways so that someone who has taken the time to kick down your front door is presented with a trove of easily stealable goods that look valuable but are, in fact, worthless.

        Response comes into play when the fellow who has kicked in the door realizes that the hallways have changed, pulls out an exacto knife, and cuts through the drywall to get at the surprise on the other side. Here you could have anything from a 40lb rottweiler waiting to simply "having insurance" to deal with the theft.

        Of course, if you'd had good intelligence that a skilled attacker was going to attempt a breach, you could save yourself some trouble by hiring a cop to watch the place while you're out during the window where the attack is supposed to take place. You could undertake inconvenient security measures for the period of high vulnerability, like having legitimate staff use the back door and/or increasing the number of honey pots you have to work through to get to the good stuff.

        And of course, don't forget cavalry raids of your own: get a digital attacker to drop their payload on a honeypot system, then crawl back through the link and nuke the CNC servers. Preferably by figuring out where they physically live and having large men with automatic weapons bust down the doors with a warrant and cart the servers away for analysis.

        Never simply rely on a large, sturdy-looking lock. By the same token, never assume that a fixed installation can't be adequately defended.

        As the man in the original article said, the secret is to raise the cost to the point that the attacker won't want to play any more. If your guns can outshoot theirs, then they lose so many men getting into firing range that attempting to attack your castle is an exercise in insanity.

  2. ecofeco Silver badge

    Threat intelligence 'mostly snake oil and marketing'

    TA DA! POTD. About time somebody said this.

    SEO is exactly the same.

  3. Anonymous Coward
    Anonymous Coward

    Thank God, some people making sense

    No doubt they will be shunned by a "community" that seems to exclusively focus on getting certifications sold to people barely competent to reboot an Etch-a-sketch (if that sounds disdainful, part of my job is to dig these idiots and their bosses out of the holes they tend to dig for themselves, and it's the part I loathe).

    Defence comes in layers, is an ever improving process and is greatly improved by having some creativity in your team. Ah, sorry, for HR that is a synonym for "unemployable", I forgot.

  4. btrower

    Do not know how yet, but...

    That fact that attack is cheaper than defense is hardly news.

    To have reasonable security against attackers you need advice from people you can trust, trustee services from different people you can trust, secure algorithms, secure key sizes, secure hardware, secure storage and internal communication, secure operating systems, secure devices, secure device drivers, secure software, secure external communication and storage, trustworthy users and secure premises.

    We don't really have any of the above and all of them are necessary (but still not sufficient) to have a system reasonably resistant to attack.

    I am not going to pretend putting the right things in place is easy, but they are doable. The fact that they are not being openly addressed shows me that people who understand don't care and people who care don't understand. Anyone with much understanding knows that all traffic and storage should be encrypted. It is not.

    In many security discussions you see something along these lines:

    We can verify this with the appropriate keys.

    Unfortunately, that is costly.

    Solution: Don't verify.

    As the Treacherous Computing Asshats have discovered, it is very difficult to secure anything that must be decrypted and then used outside of a controlled environment, especially if part of your agenda is to cripple security otherwise.

    As a collective of some 500 million plus people with a vested interest in making things genuinely secure, we can overcome the attack/defense disparity even if it is many orders of magnitude. Step one in getting there is to stop paying the attackers to secure our system.

  5. elip

    Where are these "defenders" I keep hearing about? I look around my teams and all I've seen are "responders".

  6. djack

    "The fact that they are not being openly addressed shows me that people who understand don't care and people who care don't understand."

    Not quite. Often the people with authority don't understand / care. I can't think of a more fruitlessly stressful job than ISO. So many are given the responsibility but not the necessary authority.

    1. Anonymous Coward
      Anonymous Coward

      So many are given the responsibility but not the necessary authority.

      I agree, but if you're in that situation you have the wrong job title. It is in reality "scapegoat".

  7. P. Lee Silver badge


    We need pie charts and bar graphs to keep us safe!

    We don't need to analyse possible attack vectors, know what our apps are doing or keep functions separated on different DMZs, we'll just "detect and respond" with real-time twitter updates from our trusted security vendor.

    What could go wrong?

  8. Sir Runcible Spoon


    In my experience it is one thing for a company to pay for, and deploy, a set of complex security products that combine to give a good view of what is happening on the network, where the gaps are and first line response tools etc.

    It is quite another to make those tools work. By which, I don't mean just keeping the boxes up and running, but actually using the intelligence the tools provide in a constructive manner to secure the borders etc., especially in a large and complex organisation with many different trust zones.

    Most of these large companies are buying this stuff to defend their crown jewels, but forget that their support models are all based on volume & 24/7 response time type SLA's etc. when what these types of products need is a Rolls Royce support solution that hasn't been fashionable in IT for nearly 20 years.

    It requires a combination of product expertise and knowledge of the environment. Add to this a focus on the task at hand (rather than being a part time 'focus' group or whatever) and enough bodies that if someone leaves it doesn't leave a massive knowledge gap in your defences.

    The business procedures also need to be aligned to allow the (hopefully properly tuned) alerts to get to the right people in the right kind of time-frame to make a difference to the response and how effective it will be.

    None of this is cookie-cutter stuff, and the quality of people required to do all this properly for a set of 6 or 7 interwoven security tools means it is hard to achieve without some form of internal training from the people who know.

    At the end of the day, to do the job properly it costs an awful lot of money (not just the equipment, licenses and support) to keep the engine tuned and working efficiently, money which is hard to come by on an on-going basis (as opposed to the upfront costs of setting it all up).

    Unless you are a critical infrastructure provider, or a defense department skunk unit, it is probably more money than can readily be justified.

    In the end most of this stuff ends up as shelf-ware, sitting in the network with no-one looking after it (or even looking at it) - which means all that up-front money was wasted.

    A lot of companies buy the stuff without realising the support commitment involved. Just one of these products can be a bitch to maintain, bundle a whole load together and you are asking for trouble unless you know what you are about.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021