Do you need “Advanced Malware Protection” from 0days and the APT? Key Economic Considerations

Events over the past few years have heightened attention on attackers with more serious intentions than script kiddies or casual hackers. The “advanced persistent threat” has been outed, first generally by Google and RSA, then much more explicitly by Mandiant. The use of 0days in malware has been identified as a key element of the “kill chain” for attackers. Right or wrong, cybersecurity concerns are at an all-time high.

On the protection side of the equation, although antimalware solutions provide a basic (and compliant) level of protection, security professionals are well aware of the limitations of signature-based approaches. Solutions that have been around for a while, such as host intrusion prevention and whitelisting, have gained renewed interest. Other approaches like network or endpoint sandboxes for isolation and/or analysis or active forensics for near-real-time analytics are coming on strong.

The challenge is determining whether the additional cost is worth it, deciding whether a new solution will significantly reduce the problem, and identifying which type of solution(s) are best.

While it is easy for security professionals to claim they will spend “whatever it takes” to address technology-related risk, that assertion is easily deflated through extreme examples (millions? billions? trillions?). While the intentions are valiant (and I get the point), no organization has an unlimited supply of money to spend on security. Therefore, it is crucial to make good decisions about how and where to spend money.

Any business decision is accompanied by some sort of justification, and cybersecurity is no different. In security, we typically evaluate total cost of ownership of the solution and compare it to our notion of how much risk is reduced. At the very least, every purchasing decision is supported by a claim that the spending “is worth it.” At best, a more formal cost-benefit approach should be employed.

Evaluating the cost-benefit of an “advanced malware protection” solution can be extremely challenging. Dropping malware (in the form of viruses and worms) onto systems is one of the oldest methods of attacking and compromising computing environments. Because of this, all enterprises already have controls in place that attempt to protect against malware infection. In addition, there are a number of techniques that can be used to address the problem.

Regardless of the challenge, conducting an economic analysis of newer AMP solutions may lead to some surprising conclusions. Here are six key considerations for conducting your analysis.

1. Ignore the “Advanced” Part of Advanced Malware Protection

The first distinction you should make in reviewing your needs for “advanced” malware protection is that the “advanced” part is extremely nebulous – the bar keeps changing in defining exactly which techniques are advanced and which aren’t advanced. Accordingly, the first takeaway is “evaluate your AMP solutions in concert with all antimalware efforts in your organization.”

This should not be a radical thought.

2. Cover All the Antimalware Bases

Diving a bit deeper into costs, enterprises should consider the costs of all capabilities – the capital investments made on hardware and software, maintenance costs, and personnel costs. The vendor solution (capital investment) side of antimalware protection can include endpoint antimalware, email or gateway-based antimalware, intrusion detection (potentially), and secure web gateways. On the operational expense side, organizations should consider the personnel costs associated with identification, prevention, mitigation, response, and recovery activities associated with malware infections and incidents.

3. Allocate Partial Costs of Broader Solutions

Focusing on the costs associated with one type of threat – in this case, malware – can be challenging. Some solutions, like endpoint antimalware, focus directly on the problem while others provide varying levels of accompanying support. In my research, for example, secure web gateways were cited as a means for detecting malware infections that were undetected by endpoint antimalware solutions, but secure web gateways provide more capability than malware infection detection.

The key in the analysis is to allocate costs based on the proportional value provided by the broader solution. If 10% of the ongoing value of the solution comes from antimalware detection, then 10% of the future costs should be allocated to antimalware.

4. Ignore Sunk Costs

The maturity level of antimalware makes it likely that capital investments to address the problem have already occurred. Any spending that occurred in the past should be excluded from the analysis, though any current and future operational expenses should be included. In contrast, a decision involving a future capital investment should include that amount allocated (either amortized or depreciated) over its lifetime as well as the operational costs.

5. Factor in Employee Productivity

The second economic issue to consider is the productivity of employees. The productivity costs associated with the impacted worker should be considered along with the costs associated with the IT triage person. If it takes four hours to recover an infected system, then four hours of the worker’s lost productivity should be included (nothing fancy here – use a single average number based on salary for all workers).

6. Use a Breakeven Approach

Perhaps a bigger challenge in justifying antimalware spending is in determining the amount of potential losses. That “it is worth it” decision means that the security professional spending $100,000 on a security solution believes the solution will offset at least $100,000 in risk.

While some cringe a bit at the realization that spending reveals the minimum expectation of risk reduction, it also provides an opportunity to conduct a standard financial breakeven analysis. Rather than attempting to figure out the exact amount of financial loss at stake, you need only consider the total amount being spent and determine whether it is less than the potential losses. So as long as you’ve properly accounted for all costs, an appropriate decision can be made.

The AMP solution decision is not an easy one – with a handful of controls at different maturity levels in the organization already and a variety of newer solutions vying for attention. Some organizations may even come to the conclusion they don’t need to augment their existing capabilities. Others will find out they really do. Regardless, enterprises should be conducting the necessary analysis to make the best decision for its needs.

Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by “Drinking from the Firehose” in New York City on 9/17/13. Details at