£12m pa - the hidden costs of maintaining endpoint security solutions

News by Jay Jay


Enterprises across the globe are now investing heavily in licensing and deployment of endpoint security solutions to protect their IT systems but fail to spot hidden costs of human skills and effort required to maintain and manage such solutions.

Over 75 percent of the alerts raised by endpoint security solutions such as anti-virus software and firewalls are false positives, yet enterprises spend heavily on the analyst time needed to assess each alert and act on it individually, according to security firm Bromium.

The firm commissioned a survey of 500 CISOs from the UK, the United States and Germany to assess how much enterprises spend on endpoint security solutions and whether they are aware of the actual long-term cost of running and maintaining those solutions.

According to the CISOs, enterprises spend, on average, £114,256 a year on Advanced Threat Detection, £31,718 on next-generation and traditional anti-virus solutions, £21,197 on whitelisting and blacklisting solutions, and £80,615 on detonation environments. Put together, a large enterprise spends £247,786 per year on such endpoint security solutions.

However, this figure is only the tip of the iceberg. The CISOs also revealed that IT teams spend 413,920 hours annually examining alerts, 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching, a combined total of 417,148 hours per year spent running and maintaining endpoint security solutions.

According to Bromium, the annual labour cost to an enterprise of those 417,148 hours is £11,746,312, which works out at roughly £28 per hour.

"Detection requires a patient zero – someone must get owned and then protection begins. Yet, because of this, rebuilds are unavoidable; false positives balloon; triage becomes more complex and emergency patching is increasingly disruptive," said Gregory Webb, CEO of Bromium.

"It's no surprise that 63 percent of the CISOs we surveyed said they're worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives, and they are spending millions to address them.

"Meanwhile, advanced malware is still getting through because cyber-criminals are focusing on the weak spots like email attachments, phishing links and downloads. This is why organisations must consider the total cost of ownership when making security investments, rather than just following the detect-to-fail crowd," he added.

According to Bromium, despite all the time, money and effort spent running and maintaining endpoint security solutions, enterprises still find themselves exposed to sophisticated malware attacks and other disruptions, because detection-based endpoint security is, in the firm's view, fundamentally flawed: it can only stop threats it already knows how to recognise.

The firm adds that enterprises should instead adopt application isolation, which it says not only contains malware and stops it from spreading to other devices but also saves enterprises much of the labour cost described above.

"Application isolation allows malware to fully execute because the application is hardware isolated, so the threat has nowhere to go and nothing to steal. This eliminates reimaging and rebuilds, as machines do not get owned.

"It also significantly reduces false positives, as SOC teams are only alerted to real threats. Emergency patching is not needed, as the applications are already protected in an isolated container. Triage time is drastically reduced because SOC teams can analyse the full kill chain," Webb added.
