On Mon, 22 Mar 2010 23:02:02 BST, Guillaume FORTAINE said:
> How much money would you evaluate a security incident on your Cisco device?
It would depend on which of the 3,000+ Cisco devices on our network had the incident. And yes, we've got a pretty good estimate (to within $1.57 or so) of what an incident on any given device would cost.
> Because, the fundamental questions are: a) How much value does your network bring to your business? b) How much money are you ready to spend to ensure its security?
We've got a pretty good idea what value our network brings us. We also know how much we're *ready* to spend. However, that's not the critical number. You missed the most important question of all: (c) How much money do you need to spend to minimize the total cost of protection plus losses? If you're currently spending $50K, but you're *willing* to spend $250K, it only makes actual sense to do so if the additional spending prevents more than $200K of additional losses. And this calculation needs to include second-order effects - if Cisco starts shipping monthly updates rather than every 6 months, it doesn't do any *actual* good unless our internal test lab ramps up so it can vet a new release in a few weeks rather than a few months. That's an additional cost. Meanwhile, there are a *lot* of sites that find themselves stuck on a specific build of IOS because it's the only one that fixes bug A but also doesn't suffer from bug B. If you deploy a new release of IOS that contains a fix for a security hole, and the fix eliminates an expectation value of $10K of losses, but contains a non-security bug that starts your help desk phone ringing and racks up $20K of support costs, it's a net loss. Those second-order effect costs are a bitch. And a half. I'm pretty sure that most of the other big Cisco shops have done exactly the same risk calculus, and decided that the added expense of moving to a monthly rather than bi-annual wasn't worth it. And since the sites aren't clamoring to buy it, Cisco isn't offering it. (For the record, for many large shops, Microsoft's "Patch Tuesday" has similar cost-benefit issues - updating your "crown jewel" production servers once a month is a truly scary amount of code churn. The only reason Microsoft does it is for the millions of consumer-grade boxes that auto-update, a use case that doesn't exist for most of Cisco's product line.)
> Conclusion: if you can't reply to these fundamental questions, hire a CISO and build a CSIRT.
<sigh> I *so* hate making an argument from authority (other than "I think smb published a paper on that already"), but in your case I'll make an exception. Go read http://www.sans.org/dosstep/roadmap.php Read the date, read the signatories. Ask yourself if you *really* want to be telling me that we need to build a CSIRT. (Answer - our CIRT was up and running back in 1991, and was well-known in 2000. So no, we don't need advice on how to start one. We've got literally man-centuries of experience in running one already. By the way, where were you in 1991?)
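The "minimize protection plus losses" calculus argued for in the reply above, written out as an added worked example (this is not code from the thread or from either poster). It compares update cadences the way the reply describes: the monthly cadence only shortens the exposure window if the test lab can vet releases faster, and that ramp-up is itself a cost; a single release that avoids $10K of expected losses but brings $20K of help-desk load is a net loss. Every dollar figure, the daily incident probabilities, and the loss model (probability per exposed day times cost) are constructed placeholders and assumptions, not figures from the poster's network.

```python
"""Added worked example: total cost = protection spend + second-order costs
+ expected losses, evaluated for several IOS update cadences.  All numbers
are constructed placeholders; the loss model is an assumption."""
from dataclasses import dataclass, field


@dataclass
class Option:
    name: str
    protection_spend: float                       # direct yearly spend, $
    expected_losses: float                        # expectation value of losses, $/yr
    second_order_costs: dict = field(default_factory=dict)  # lab ramp-up, help desk, ...

    def total_cost(self) -> float:
        """The number that actually matters: spend + side costs + expected losses."""
        return (self.protection_spend
                + sum(self.second_order_costs.values())
                + self.expected_losses)


def expected_loss(incidents, exposure_days):
    """Expectation value of losses while fixes are pending.

    incidents: iterable of (probability of occurrence per day, cost if it occurs).
    A fix that ships but sits unvetted in the test lab does not shorten
    exposure_days, which is why a faster vendor cadence alone changes nothing.
    """
    return sum(p_per_day * exposure_days * cost for p_per_day, cost in incidents)


def cheapest(options):
    """Pick the option minimising total cost, not the one with the most spend."""
    return min(options, key=lambda o: o.total_cost())


def patch_net_benefit(loss_reduction, second_order_costs):
    """Net effect of deploying one release: losses avoided minus the costs it
    drags in.  Negative means deploying it is a net loss."""
    return loss_reduction - sum(second_order_costs.values())


# Constructed incident profile: (probability per exposed day, cost per incident).
INCIDENTS = [(0.001, 100_000), (0.0005, 500_000)]

CADENCE_OPTIONS = [
    # Status quo: $50K/yr, fixes vetted on a roughly six-month cycle.
    Option("6-month IOS cycle", 50_000, expected_loss(INCIDENTS, 180)),
    # Monthly vendor releases but the same lab throughput: the exposure
    # window is unchanged, so only handling overhead is added.
    Option("monthly releases, same test lab", 50_000,
           expected_loss(INCIDENTS, 180), {"extra release handling": 5_000}),
    # Monthly releases plus a lab that can vet in weeks: exposure shrinks to
    # ~30 days, but the ramp-up is the $200K of additional spending.
    Option("monthly releases + lab ramp-up", 50_000,
           expected_loss(INCIDENTS, 30), {"test lab ramp-up": 200_000}),
]

# The single-release case from the reply: a fix worth $10K in avoided losses
# that ships with a non-security bug costing $20K in help-desk time.
SINGLE_PATCH_NET = patch_net_benefit(10_000, {"help desk support": 20_000})


if __name__ == "__main__":
    for opt in CADENCE_OPTIONS:
        print(f"{opt.name:36s} total cost ${opt.total_cost():,.0f}")
    print("cheapest:", cheapest(CADENCE_OPTIONS).name)
    print(f"single patch net benefit: ${SINGLE_PATCH_NET:,.0f}")
```

With these placeholder numbers the lab ramp-up avoids about $52.5K of expected losses against $200K of additional spending, so the six-month cycle wins, which is the shape of the decision the reply describes; change INCIDENTS to a profile with higher daily probabilities or costlier incidents and the ordering flips, which is exactly why the answer depends on which devices and which network are involved.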