1. The Ugly Cost of Cybercrime
Vasant Kumar
Manager – India & AEC
HPE Security
11th March 2016
2. We can quantify the cost of cyber crime
2015 Cost of Cyber Crime Study from HP
– Global study
• 252 companies
• In 7 countries
• 2,128 interviews
• 1,928 attacks measured for impact
• 7 enabling technologies evaluated
3. Average cost of cybercrime $7.7M (Globally)
– Every company in the study successfully breached
More costly / Time is key / More common / Bus. impacts
• $7.7M avg. annual cost
• 46 days avg. time to resolve attack
• $21K avg. cost / day
• 1.9 successful attacks per company per week
• Up 71% from 2012
• 39% cost of business disruption or lost productivity
• 35% cost of info loss
• $310K – $65M range
• Up 100% from 2010
4. Know the adversary - they operate like a marketplace
– Specializing and selling assets across the attack eco-system
• Research & Infiltration
• Discovery & Capture
• Exfiltration
5. Where they strike
– Applications are a key target
Longest time to resolve attacks
• Malicious insiders – 54 days
• Malicious code – 47 days
• Web attacks – 27 days
Most common attacks
• Virus, worms, and trojans – 99%
• Malware – 98%
• Web-based attacks – 64%
Most costly attacks
• Malicious insiders - $145K
• Denial of service - $127K
• Web-based attacks - $96K
6. Key Themes for the year 2015
– Theme #1 – The year of collateral damage
– Theme #2 – Overreaching regulations push underground research
– Theme #3 – Moving from Point Fixes to broad impact solutions
– Theme #4 – Political pressures attempt to decouple privacy and security efforts
– Theme #5 – The industry did not learn anything about patching in 2015
– Theme #6 – Attackers have shifted their efforts to directly attack applications
– Theme #7 – Monetization of Malware
7. Theme #1 – The Year of Collateral Damage
“If 2014 was the year of the breach, 2015 is the year for collateral damage”
– January Anthem breach
– 80 million records stolen
– Banking Breach
– Affected 100 million account holders
– Vtech Breach
– Customer database hacked, including pictures of customers and their children
– Smart Barbie
– Hijacked smart “Barbie” that connects over Wi-Fi to a cloud
– Ashley Madison
– Hacked the customer database and leaked 32 million account details
8. Theme #2 – Overreaching Regulations push underground research
Wassenaar Arrangement
“The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime (MECR) with 41 participating states including many former COMECON (Warsaw Pact) ”
– Researchers and customers operate in a common marketplace driven by the country and laws that they live in
– Recent inclusion of “intrusive software” under the above agreement is a backlash to offensive security
– This would affect the security research community today, and its effects will increase in the coming years
9. Theme #3 – Moving from point fixes to broad impact solutions
– Microsoft and Adobe released more patches than ever in 2015
– But it is still unclear whether this level of patching is sustainable
– Strain on both vendor and customer
– Microsoft has now offered unique methods of resolution
– Launched for IE 11 and Edge browsers
– Introduced isolated heap and memory protection
– MemGC introduced in Microsoft EDGE
– Adobe also offering innovative methods
– Built security boundary around their API
– Built on a concept of privileged and non-privileged context
– In privileged context, the document editor is allowed access to security APIs
10. Theme #4 – Political pressures attempt to decouple privacy and security efforts
- Paris, Kenya and Beirut attacks changed the way privacy is being looked at
- IAPP Data Protection Congress 2015 held in Brussels
- Safe harbor agreement between the US-EU
- Edward Snowden revelations
- Metadata
- Data localization
- Islamic state terrorists
- Microsoft, Google and Facebook all had various incidents in privacy
- Google spent much of its time in 2015 clearing off over one million URLs
- Microsoft started the year in litigation over customer emails stored in Ireland
- Facebook ran into controversy over its “Real Name” policy, under which users are required to provide their legally registered names
By the end of 2015, privacy was close to decoupling from security issues in the midst of legislators, industry and the public
11. Theme #5 – Industry did not learn anything from Patching
– The year 2015 shows the high prevalence of exploits for the Windows privilege escalation vulnerability CVE-2015-1701, which accounts for over 45% of exploit samples
12. Theme #6 – Attackers have shifted their efforts to directly attack applications
– Top Vulnerabilities in the applications
13. Theme #7 - Monetization of Malware
– In today’s market Malware needs to produce revenue not just cause harm
– This has resulted in an increase in ATM-based malware attacks
15. We know how to strike back
– Information key to quick resolution
Budget focused on the network
• Network layer – 30%
• Data layer – 19%
• Application layer – 19%
Detection & recovery most costly activities
• Detection – 30%
• Recover – 23%
• Containment – 16%
Biggest cost savings from
• Security intelligence systems - $1.9M
• Advanced perimeter controls & firewalls - $1.6M
• Encryption technologies - $883K
16. Security intelligence – HP ArcSight
Problem
• Results for companies using security intelligence technologies like HP ArcSight
• Most costly attacks come from malicious insiders ($144,542)
• Detection is the most costly internal activity, with avg. time to resolve 46 days at an avg. cost of $21K/day
• Malicious insider attacks take the longest to resolve (and thus cost the most) at 54.4 days
• Saved $1.9 million annually
• Achieved 23 percent ROI
• HP ArcSight—making business more secure
Top 3 ROI tools
• Security intelligence systems – 23%
• Extensive deployment of encryption technologies – 21%
• Advanced perimeter controls and firewall technologies – 20%
Top 3 savings tools
• Security intelligence systems – $1.9M
• Access governance tools – $1.8M
• Enterprise deployment of GRC tools – $1.6M
17. Application protection – HP Fortify
Problem
• HP Fortify enables total economic benefits potential up to $49 million
• Most costly attacks come from malicious insiders ($144,542)
• Web-based attacks are the 3rd most costly attacks ($96,424)
• Detection is the most costly internal activity, with avg. time to resolve 46 days at an avg. cost of $21K per day (App Defender can show you in real time if your apps are under attack and remediate almost instantly?)
• Web-based attacks take an average 27.7 days to resolve
• HP Fortify—driving down cyber crime losses for businesses worldwide
[Chart: economic benefits by category, axis $0M to $15M. Categories: Reduced development and testing costs; Time to market revenue gains; Time to market revenue gains; Compliance penalty and cost avoidance; M&A valuation benefits; Software asset acquisition effort savings. Values shown: $9.7M, $15M, $8.3M, $0.6M, $10M, $5M]
18. Atalla
Problem
• Results for companies deploying encryption extensively:
Business disruption and data loss are the most costly consequences
• Saved $883,000 annually
• Achieved 23 percent ROI
• HP Data Security—trusted by businesses the world over
[Chart: ROI by technology. Values shown: 23%, 21%, 20%, 13%. Categories: Security intelligence systems; Access governance tools; Extensive deployment of encryption technologies; Advanced perimeter controls and firewall technologies]
[Chart: savings by technology]
• Security intelligence systems – $1.91M
• Access governance tools – $1.79M
• Enterprise deployment of GRC tools – $1.60M
• Advanced perimeter controls and firewall technologies – $1.57M
• Extensive deployment of encryption technologies – $883,000
[Chart: cost by consequence]
• Business disruption – 39%
• Information loss – 35%
• Revenue loss – 21%
• Equipment damages – 4%
• Other costs – 2%