Saturday, February 16, 2013

The costs of cleanup, and two new analysis reports

I’ve been sick as heck after coming back from Colorado last week. I’m guessing the altitude really messed with me. And this bug, I’m assuming a bit more than a cold but less than a flu, is in full bloom right now (and has been for the last few days). Regardless, I drafted this blog earlier in the week. It’s a bit rough, but I’m going to use it anyway. I hope you enjoy it...


840,000 users
1.9 million devices
$40 million per year in security clean-up costs

This is what General Shelton (Air Force Space Command) quoted during the AFCEA conference last week.

While these numbers aren’t as big as I thought they might be, the amount of money spent per user -- $47.60, for cleanup alone -- bothers me a little, especially given how tightly the military runs its networks: disk images are standardized, and every point of presence is protected and monitored by a computer network defense security provider (CND-SP), manned by scores of highly trained, highly skilled active duty, civilian, and contract technical, intelligence and law enforcement personnel.

This is the AIR FORCE we’re talking about. One of the most technologically sophisticated fighting forces in the world. These guys manage thousands of satellites in global orbit, can drop a needle-sized bomb on a desired impact site the size of a gnat’s ass from 200 million miles away (I’m guessing), while dog fighting at Mach 2. What’s more, the AF is probably close to being (or is) the earliest DoD leader in the field of information security. These guys are good.

So why is the Air Force still spending $47.60 per user on cleanup?

Because these aren’t your father’s hackers. And the technology we’ve got today doesn’t stop them. For example, last month, another VERY mature security team blogged that they’d discovered their systems had been hit in a sophisticated attack. The attack occurred when a handful of employees visited a mobile developer website that had been compromised. The compromised website hosted an exploit which then allowed malware to be installed on those employees’ laptops (this is called a watering hole attack). The laptops were fully patched and running up-to-date anti-virus software.

Back to the AF. One of the other comments I thought was incredibly telling: “Not all actors are caught at the gateways. Many are caught internally by professional airmen. 60% of all DoD security rules are created by AF airmen at 24th AF.” I understood this to mean that it is not technology but airmen, humans, who catch them.

I’m an old Navy guy (and Coastie), and prefer going to sea over flying in airplanes any day, but what this tells me is that even one of the most technologically sophisticated forces in the world still needs to apply massive amounts of human brainpower to defending its networks. What’s more, the AF is targeted for its operations, not for long-term R&D, and it certainly isn’t considered a supply chain target, so think about this...

Like the Air Force, you too need a steady stream of information security professionals. The problem is, there aren’t enough to go around, and many in the field today are burning out. The Air Force has a lot of people (840,000!), has dedicated training pipelines and the best technology, yet it still spends $47.60 per user cleaning up after security incidents. Even this savvy, highly educated group spends $40 million per year on incident response, and remember, this doesn’t include the ongoing operating expenses of actually managing information security, running the 24x7 SOC, etc. It’s cleanup alone.

I have more stats for you, from a commercial company, given to me by an enterprise-level Director of Incident Response. These guys keep pretty good numbers:

  • This company owns roughly 135,000 computers
  • They experience hundreds of thousands of attempted targeted attacks every week, with 3-5 successful every day
  • They collect and analyze (as best they can) over 1 PB of log data per year
  • They spend roughly $10,000 per desktop to clean up, and $40,000 per server

The company suffers 3-5 successful attacks every day, penetrating ~2% of its network every week.

So in the Air Force, with all of those sophisticated controls, training, etc., $47.60 per user is pretty low compared to this commercial company, where it costs $10,000 per user laptop and $40,000 per server to clean up. The AF is doing pretty well. But this company is also very mature in dealing with APT and has a highly sophisticated information security team, yet it pays nearly 210 times the AF’s per-user cost in cleanup!

Even more shocking is that an adversary can build or buy a piece of malware for almost nothing compared to the value of the data they acquire or destroy and the damage they cause, and that attack cost is declining rapidly as more and more malware and new vulnerabilities are monetized.

What does it cost you? Where will you get the help you need to understand how hackers are changing, targeting, and stealing information and money from your company?


This week was crazy busy in the portal. We analyzed a recent 0-day and provided relevant indicators to our membership. Two reports also went out the door. The first was our second Intel (non-technical) Analysis Report (IAR) for 2013, which provided high-level analysis of a new targeting TTP involving a prolific actor. The second was our fourth fusion (technical) report for this year and included in-depth analysis of a frequently leveraged downloader program. The report provided detailed protocol analysis as well as a custom decoder and tailored signatures for detection.

Don’t be a wallflower. Ask someone in Red Sky Alliance or Beadwindow. Call today for an introduction to our community. With every Red Sky demo, we’ll give you our latest white paper, “How Great Companies Fight Targeted Attacks and APT”. This paper outlines, at an executive level and in less than 10 pages, a roadmap of seven things that companies who’ve dealt with, survived, and thrived in the face of targeted attacks and APT have done effectively to defend themselves against targeted and advanced persistent threats.

Until next time,
Have a great week!