"please cite useful numbers" For what? IDS? SIEM? Log aggregation in general? For companies that have none of that, spinning up the best practice systems can easily cost half a mil a year (QRadar is 200k for our sized environment; a good netflow system is like 50 [100k+ for something like Lancope], one FTE to support and manage this as and additional workload on server and network guys in dealing with issues these tools find). And that's just the tip of the iceberg. An additional 500k a year is tough to justify (and costs way, way more than simply locking the doors or hiring a team of security guards at 10 an hour). Simplistic, of course, but one example of the cost difference. "Sure it's a new expense (not really, since ... you've always had security costs) but it's not 'massive'." Depends on the organization. For those who don't have a security-specific team, it is new spend. "ideally you need 2-3 people (for a larger operation, less for small shops) with a bunch of automation to help things run along." Absolutely agree. So we're looking at 200-300k just in pure salary cost, plus what, 40% extra for various benefits? That automation piece too is incredibly pricey (either in time and labor of software). "though the parts aren't quite in place today :( which is sad." One hundred percent in agreement. This is much, much harder for the smaller organizations to take. I wish there were services that made this way easier. I think this is where small system integrators could partner with security services that provide tier one security response (something like arctic wolf) and provide that needed coverage...but that's not inexpensive either (though way cheaper than hiring your own security dudes). "the return is not having to fend off the WSJ reporters of the world, and consequent lawsuits from your customers, subscribers, partners, etc..." True. But how do you put that in money terms? Obviously, I think the spend is absolutely important, and it's something that is vitally important to the business. But I've found it very challenging in making that case in a way that works, precisely because of that increased amount of spending. "but that is changing as more and more get pwned and the public and legal costs become greater and more apparent. patience." It is. Sony and Target were really useful in that regard. On Sun, Dec 27, 2015 at 12:51 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Sun, Dec 27, 2015 at 3:32 PM, Mike Hale <eyeronic.design@gmail.com> wrote:
"done right the cost shouldn't be super much more." I disagree. Done wrong, it's not super much more.
Done right, it's massively more.
please cite useful numbers... It's not (I think) really all that much more. Sure it's a new expense (not really, since ... you've always had security costs) but it's not 'massive'.
Like Randy said, compare salaries alone. A good security employee will run you, what, 100k or more in the major job markets? And how many do you need, full time, to provide acceptable coverage for your environment?
ideally you need 2-3 people (for a larger operation, less for small shops) with a bunch of automation to help things run along. Ideally your 2-3 experts aren't responding to the pager, almost all of that is offloaded to your noc/etc staff in a manner that they can actually deal with problems NOT as pager-spam which gets turned off. 'high quality alerts' with actionable playbooks.
it'd be great if more of this was COTS-able for the smaller shops... I bet a bunch of it IS, though the parts aren't quite in place today :( which is sad.
The costs add up really fast without a corresponding return.
the return is not having to fend off the WSJ reporters of the world, and consequent lawsuits from your customers, subscribers, partners, etc...
-chris
On Sun, Dec 27, 2015 at 12:27 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale <eyeronic.design@gmail.com> wrote:
"really isn't a whole lot different from 'lock your damned doors and windows' brick/mortar security."
Except it's *massively* more expensive.
is it? how much does a datacenter pay for people + locks + card-key + pin-pad + ...
vs
the requisite bits for security their customer portal/backoffice/etc ?
done right the cost shouldn't be super much more.
-chris
On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Sun, Dec 27, 2015 at 1:59 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
> SSH password + key file is accepted as two factor by PCI DSS auditors, so > yes it is in fact two factor.
They also accept NAT as "security". If anything, PCI DSS is yet another example of a money grab masquerading as security theater (not even real security).
is it that? or is it that once you click the checkboxes on /pci audit/ 'no one' ever does the daily due-diligence required to keep their security processes updated/running/current/etc ?
I'm not a fan of the compliance regimes, but their goal (in a utopian world where corporations are not people and such) is the equivalent of the little posterboard person 42" tall before the roller-coaster rides, right?
"You really, REALLY should have at least these protections/systems/etc in place before you attempt to process credit-card transactions..."
In the utopian world this list would be sane, useful and would include daily/etc processes to monitor the security controls for issues... I don't think there's a process bit in PCI about: "And joey the firewall admin looks at his logs daily/hourly/everly for evidence of compromise" (and yes, ideally there's some adaptive/learning/AI-like system that does the 'joey the firewall admin' step... but let's walk before running, eh?)
so, it's not really a mystery why failures like this happen.
I remember seeing a story a while ago that stated that of companies hit by a data breach on a system that was inside their PCI scope, something insane like 98% or 99% were in 100% full PCI compliance at the time of the breach. The only conclusion to be drawn is that the PCI set of checkboxes are missing a lot of really crucial things for real security. (And let's not forget the competence level of the average PCI auditor, as the ones I've encountered have all been very nice people, but more suited to checking boxes based on buzzwords than actual in-deopth security analysis).
people toss pci/sox/etc auditors under the bus 'all the time', and i'm guilty of this i'm sure as well, but really ... if you put systems on the tubes and you don't take the same care you would for your brick/mortar places ... you're gonna have a bad day. 'cyber security' really isn't a whole lot different from 'lock your damned doors and windows' brick/mortar security.
So excuse me for not taking "is accepted by PCI auditors" as grounds for a claim of strong actual security.
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0