Justifying Security Spend

Given that this often amounts to proving a negative, justifying security spend can be extremely challenging. Before we continue, I'll freely admit I don't have all the answers here, but I wanted to share some of the things I've been thinking about and discussing recently about just how hard this is, and possible ways to help.

We weren't hacked, therefore we spent enough. Did we spend too much? Could we spend less and still 'not be hacked'?

We suffered a data leak: did we not spend enough? Did we spend on the wrong things?


One example I use to demonstrate how hard it can be to justify seemingly obvious security spend is DDoS protection.

Take the following scenario:

Your organisation has suffered some DDoS incidents. These were volumetric attacks, and the board urgently wants protection against this type of attack in place. You duly implement a premium cloud service and provide them with an overview of the service and how it protects against volumetric attacks. Over the next few months the service proves its worth and protects the business from any further attacks.

The next year, gaining approval for spend on this service is easy: everyone knows what it does and that it is needed.

Over time, volumetric attacks against your business cease to occur, and a couple of years later the board is challenging the need for a large spend on protection from attacks that no longer happen.

However, the question is: did the attacks cease because you are no longer a target for this type of attack, or because it is common knowledge that you have very effective protection, so there is no point in launching these attacks against you? From the outside, the two situations look identical.


From this example you can see that justifying spend on something as seemingly obvious as DDoS protection can be challenging: how do you go about proving why malicious actors have not done something? One practical check before that conversation is the service's own mitigation reporting, which shows whether attack traffic is still arriving and being absorbed. If it shows nothing, you are left with the harder question of why the attacks stopped.


Taking another example, which I read in the most recent issue of the ISACA magazine:

Before the Best Buy breach, what were the chances that they would be a target and suffer a breach?  After the Best Buy breach, what are the odds they will be breached again?


We have models for things we think we can predict, from sporting events to the weather, with varying degrees of accuracy. However, the various malicious actors that could be targeting your organisation do not act in ways we can easily predict and quantify.

So, given this, how do we clearly state to the wider business the actual likelihood of an event, and its impact?

I'll leave the impact discussion for now, but while it may seem more obvious, consider the wide range of impacts and how hard they can be to quantify accurately. It is relatively easy to state how much you lose for a given amount of downtime, but how long does reputational damage last? How many sales are lost over the next year with downtime or a breach being factors in the customer's decision? And so on.


Some key things that help in this situation include:

  • Moving the security discussion from IT to the 'business': all security risks are actually business risks, or translate directly into business risks.
  • Running scenario based exercises with the board to understand their risk appetite and educate them around what can happen and the impacts it would cause.
  • Gathering industry information on the prevalence of attacks and breaches against what are considered ‘peer’ organisations to understand the threat landscape you are operating in.

What are your thoughts?

How are you ensuring the executive board and the wider business understand the need for the security spend and how you are managing risk?





ISF congress post 9: Extending security intelligence with big data

Extending security intelligence with big data

Presentation by Martin Borrett from IBM.

  • Why cyber security is a big data problem
  • How the diverse and rapidly changing set of both structured and unstructured data can play a key role in identifying the increasingly sophisticated threats that organisations face.
    • Move from reactive to a more proactive stance by actively searching for indicators that something could be amiss.


As an example, the attacks earlier this year on the New York Times, after it ran a story about China's prime minister:

  • Not detected for 4 months
  • 45 different pieces of malware were used, with only 1 being picked up by AV
  • All employee passwords stolen
  • Computers of 53 employees accessed
  • University computers were used as proxies to hide the source of the traffic.

We have a greater need for security intelligence, drawing on:

  • User identities
  • Asset discovery
  • Network flow
  • Vulnerabilities / risks
  • Security and threat feeds
  • Baselines of behaviour (system and user)
  • Unstructured data such as free text user inputs, feeds from social media, general news sources etc.


Attackers are continuously adapting to leave minimal traces and to hide their behaviour in the noise of 'normal' activity. Given the potentially huge volumes of data, these systems must be very scalable.

Traditionally, SIEM-type solutions have focused on real-time alerting that is proactive, formalised (standard queries / searches) and fast. This is great, but can it be in-depth enough, and is real-time alerting always what is required when searching for long-term APT-style attacks?

Move towards adding more asymmetric / forensic-type capabilities that are predictive, inquisitive and in-depth. These require considerably more skill and understanding to create, and the searches will be much more 'custom', but this is the best (only?) way to find the subtle and clever attackers, especially if doing so in a timely manner is required (it is!).
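To make the contrast concrete, here is an added example of my own (not from the presentation and not an IBM tool): the kind of not-real-time, 'inquisitive' search the talk is describing, run over a constructed set of network flow records. A low-and-slow call-home that connects once every few hours never trips a burst-style correlation rule, but its inter-arrival times are far more regular than any human-driven traffic, and that regularity only becomes visible when weeks of flows are analysed together. The flows, hosts and thresholds are all constructed for the example; the addresses are from the RFC 5737 documentation ranges.

```python
"""Batch beacon detection versus a real-time burst rule (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
import random


def make_flows(days=14, seed=7):
    """Constructed sample data: (timestamp, src, dst, bytes) tuples covering `days` days."""
    rng = random.Random(seed)
    start = datetime(2013, 10, 1)
    flows = []
    # 10.0.1.25: ordinary workstation, irregular browsing during the working day
    for d in range(days):
        day = start + timedelta(days=d)
        for _ in range(40):
            ts = day + timedelta(seconds=rng.randint(8 * 3600, 18 * 3600))
            dst = rng.choice(["198.51.100.20", "198.51.100.21", "192.0.2.30"])
            flows.append((ts, "10.0.1.25", dst, rng.randint(500, 50_000)))
    # 10.0.1.77: compromised host, one small beacon every 6 hours with a little jitter
    ts = start + timedelta(hours=3)
    end = start + timedelta(days=days)
    while ts < end:
        flows.append((ts, "10.0.1.77", "203.0.113.10", rng.randint(300, 400)))
        ts += timedelta(hours=6, seconds=rng.randint(-120, 120))
    flows.sort()
    return flows


def _by_pair(flows):
    """Group sorted timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for ts, src, dst, _ in flows:
        pairs[(src, dst)].append(ts)
    for times in pairs.values():
        times.sort()
    return pairs


def realtime_burst_rule(flows, threshold=20, window=timedelta(hours=1)):
    """Typical SIEM correlation rule: flag a (src, dst) pair that makes `threshold`
    or more connections inside any sliding `window`. Returns the flagged pairs."""
    flagged = set()
    for pair, times in _by_pair(flows).items():
        j = 0
        for i in range(len(times)):
            while times[j] < times[i] - window:  # drop timestamps that fell out of the window
                j += 1
            if i - j + 1 >= threshold:
                flagged.add(pair)
                break
    return flagged


def find_beacons(flows, min_count=20, max_cv=0.1):
    """Batch analysis over the whole period: for each (src, dst) pair with at least
    `min_count` connections, compute the coefficient of variation (stdev / mean) of the
    inter-arrival times. Machine-driven beacons cluster near zero; browsing does not."""
    beacons = {}
    for pair, times in _by_pair(flows).items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"count": len(times), "mean_interval_s": round(avg), "cv": round(cv, 4)}
    return beacons


if __name__ == "__main__":
    flows = make_flows()
    print("real-time burst rule flagged:", realtime_burst_rule(flows) or "nothing")
    for pair, info in find_beacons(flows).items():
        print("batch analysis flagged:", pair, info)
```

The burst rule is what a standard SIEM search gives you cheaply and in real time; the beacon search needs the whole history for every pair and some judgement about thresholds, which is exactly the 'more skill, more custom' trade-off the talk describes. On real flow data you would also want to discount known-good periodic traffic (NTP, update checks, monitoring agents) before reading the results.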

Current SIEM-type security processes may look like this:

[Diagram: current SIEM security process]

This has a heavy focus on structured data and performing real time correlation to get to a potential incident to investigate.

Moving more into the 'big data' world, we enrich this with many more data sources, much of it unstructured:

[Diagram: big data security analytics process, with Real-time Processing and Security Operations at the top and Big Data Warehouse, Big Data Analytics and Forensics at the bottom right]

This will potentially also take the outputs of the traditional SIEM tool as one of its feeds and enrich them with other data. An example would be something that may be an issue, but where there isn't enough detail in the SIEM to act on: this could be passed to the 'big data' solution and correlated with a much wider data set to find out whether it is a real issue.
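As an added example of that enrichment step (my own illustration, not IBM's product or anything shown in the talk), the following takes a low-severity SIEM alert and joins it against the other sources listed earlier: asset inventory, user identity, vulnerability data, a threat feed and a behaviour baseline. The inventories, feed entries, alerts and scoring weights are all constructed for the example; the weights in particular are an arbitrary starting point to be tuned, not a standard.

```python
"""Enrich a low-confidence SIEM alert with wider context (added example, constructed data)."""
from datetime import datetime

# Constructed reference data standing in for real inventories and feeds.
ASSETS = {
    "10.0.1.77": {"hostname": "fin-ws-12", "criticality": "high", "critical_vulns": 2,
                  "known_dsts": {"198.51.100.20", "198.51.100.21"}},
    "10.0.2.40": {"hostname": "kiosk-03", "criticality": "low", "critical_vulns": 0,
                  "known_dsts": {"198.51.100.20"}},
}
IDENTITIES = {"jdoe": {"department": "finance", "work_hours": (8, 18)}}
THREAT_FEED = {"203.0.113.10": "listed as C2 in constructed feed"}
BASELINES = {  # daily outbound bytes per host, learned over a baseline period
    "10.0.1.77": {"mean_out_bytes": 2_000_000, "stdev": 500_000},
    "10.0.2.40": {"mean_out_bytes": 500_000, "stdev": 100_000},
}

# Arbitrary weights for the example; tune against your own false-positive rate.
WEIGHTS = {"threat_feed": 40, "volume_anomaly": 25, "off_hours": 10,
           "critical_asset": 15, "unpatched": 10, "new_destination": 10}
ESCALATE_AT = 50


def enrich(alert):
    """Return the alert plus context, an evidence list, a score and a triage decision."""
    src, dst = alert["src"], alert["dst"]
    asset = ASSETS.get(src, {})
    ident = IDENTITIES.get(alert.get("user"), {})
    base = BASELINES.get(src)
    evidence, score = [], 0

    if dst in THREAT_FEED:  # external threat intelligence
        evidence.append(f"destination {dst}: {THREAT_FEED[dst]}")
        score += WEIGHTS["threat_feed"]
    if base and base["stdev"] > 0:  # behaviour baseline: z-score of today's outbound volume
        z = (alert["out_bytes"] - base["mean_out_bytes"]) / base["stdev"]
        if z > 3:
            evidence.append(f"outbound volume {z:.1f} standard deviations above baseline")
            score += WEIGHTS["volume_anomaly"]
    if ident:  # user identity: activity outside the user's normal hours
        start, end = ident["work_hours"]
        if not start <= alert["time"].hour < end:
            evidence.append(f"activity at {alert['time']:%H:%M}, outside {start:02d}-{end:02d}")
            score += WEIGHTS["off_hours"]
    if asset.get("criticality") == "high":  # asset inventory
        evidence.append(f"{asset['hostname']} is a high-criticality asset")
        score += WEIGHTS["critical_asset"]
    if asset.get("critical_vulns", 0) > 0:  # vulnerability data
        evidence.append(f"{asset['critical_vulns']} unpatched critical vulnerabilities")
        score += WEIGHTS["unpatched"]
    if asset and dst not in asset["known_dsts"]:  # historical flow data
        evidence.append(f"{dst} never seen from this host before")
        score += WEIGHTS["new_destination"]

    return {**alert, "asset": asset.get("hostname"), "department": ident.get("department"),
            "evidence": evidence, "score": score,
            "decision": "escalate" if score >= ESCALATE_AT else "park"}


# Two constructed alerts that a SIEM rated 'low' because each, on its own, is unremarkable.
SAMPLE_ALERTS = [
    {"time": datetime(2013, 11, 5, 2, 15), "src": "10.0.1.77", "dst": "203.0.113.10",
     "user": "jdoe", "out_bytes": 9_000_000, "siem_severity": "low"},
    {"time": datetime(2013, 11, 5, 10, 0), "src": "10.0.1.77", "dst": "198.51.100.20",
     "user": "jdoe", "out_bytes": 2_200_000, "siem_severity": "low"},
]


def triage(alerts=SAMPLE_ALERTS):
    """Enrich every alert and return the results, highest score first."""
    return sorted((enrich(a) for a in alerts), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for result in triage():
        print(f"{result['asset']} -> {result['dst']}: score {result['score']}, {result['decision']}")
        for line in result["evidence"]:
            print("   -", line)
```

The first alert scores highly because several independent sources agree; the second, from the same user and host, stays parked because only the static asset facts apply to it. That is the point of the enrichment: the SIEM saw one event, the wider data set sees a pattern. In practice the 'park' bucket is not discarded but kept for later correlation against new feed entries or further events from the same host.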

The top part of the above diagram (Real-time Processing and Security Operations) is relatively similar to existing SIEM solutions, focusing on real time analysis and processing, just with a potentially larger data set.

The bottom right (Big Data Warehouse, Big Data Analytics and Forensics) focuses on the much more advanced, not real time analysis and forensic type investigations.

Context is key.

  • You must be able to derive security relevant semantics from elements of the raw data.
  • There must be the capability to distil the huge volumes of data down to useful and real insights.
  • Human knowledge must be able to be added to the solution to improve processing and automate more tasks.

Some key security questions a big data analysis solution will help your organisation answer include:

[Diagram: key security questions a big data analysis solution helps answer]

Another key area these tools can help with is creating visualisations of attacks and suspicious behaviour. As they hold data from all the systems in the enterprise, along with various external feeds, they can provide visual representations of the behaviour as it moves into and then through the organisation.

For me the key consideration is to have one 'Big Data' solution that collects all the relevant data for your organisation, from traditional log files, through corporate emails, to social media and threat feeds.

This also needs to move beyond the security realm, as people are talking about 'Big Data' but in reality still have the traditional SIEM mindset. Running a tool like this for security while the ops team is also running its own logging and monitoring tools is massively wasteful in terms of cost, storage and management overhead, and it also tends to result in situations where some useful information only ends up in one tool, not both.

We need to move forwards to the mindset of an enterprise 'Big Data' solution for storing and correlating all the business data: logs, emails, external sources, user and system behaviours, etc. This solution then has different dashboards, reporting solutions, search heads or whatever for the different use cases, such as security, ops and business users (system performance, investigating transaction issues, etc.). Obviously areas like separation of duties and access controls must be considered here, since one store now holds everything from security logs to email, but I believe this type of solution is the only way for this to really succeed and provide the best value for the business.


RSA conference Europe Wrap Up / Final Thoughts

I'll keep this relatively brief as I have already covered this conference in some detail while blogging live from the event. I think the write-ups ended up at around 12,000 words in total across the three days! I hope you have managed to read those covering content that was of interest to you; there was certainly a lot of information there that I found useful!

As usual with conferences like this, some of the presentations had a slight vendor bias, a prime example being companies like EMC championing the need to prioritise spending from limited security budgets on more advanced tools for detecting and preventing longer-term advanced threats (Advanced Persistent Threats, APT) at the expense of older, more stable technologies such as AV. EMC is currently selling and promoting products in this area. This was followed by Symantec, who obviously highlighted that they think AV is still critical and should continue to be invested in, unsurprising as anti-virus / anti-malware is still one of their key products and revenue streams.

On this point I fall between the two: I completely agree AV is still important, but due to the maturity of the market and the quality of most products you should be looking to drive costs down in this area while still maintaining an acceptable level of quality. By managing costs in established areas and looking for endpoint solutions that cover multiple vectors, such as AV, firewalling, DLP etc., you should hopefully be able to free up budget to invest in some of the newer, more advanced tools or to improve key areas such as your log monitoring and correlation capabilities.

Overall, the presentations remained fairly vendor-neutral and contained loads of useful content. Highlights for me included:

– Wireless hacking demos
– Man-in-the-browser demos
– Discussion around the state of the industry
– Presentations on building a cyber-security capability and improving the way we in security interact with the business
– Presentations on the threat landscape

All of which were covered in the conference blog posts.

To wrap up my commentary on the conference, I'll finish with a few of what were, for me, the key take-away points:

– Understand your environment and your industry: where is your data, what are your important assets and what are the key threats to your organisation? If you don't know this, how can you know what to protect and how?

– Following on from that, make sure you are protecting the right things, and to the correct level.

– Read useful reports such as the Verizon breach report. The data is frankly eye-opening if you are not yet aware of the time most breaches take to be discovered and how poorly protected many businesses are (416 days, and likely to rise).

– Become better at interfacing with the business. It is our job to make sure the decision makers at the highest level are aware of the risks and what they mean to our business / organisation. Board-level executives may choose to accept or ignore risks, but they should do so with a full awareness of the threat landscape and our risks. If the business / the board are unaware of the risks to the environment, this is 100% our failing. If they accept a risk and we are breached, it is on them: they accepted the risk(s) knowing they may be exploited. If your organisation is exploited and the board / business were unaware, then it is on us.

– Finally, it reminded me how much I love IT security and creating secure solutions and environments! Take pride in what you do and do it well; jobs, money and people's identities rely on us doing this right.

As always, feel free to ask if you want any more information, I’m more than happy to evangelise on these topics!