As managed service providers seek to embed better security value to customers within their services, they'd do well to be wary of the dreaded security product half-life.
A new study from researchers with RAND Corp., shows certain detection-based security technologies can lose 65 percent of their effectiveness over the course of a decade. Without careful consideration, it could completely throw off the economics of security portfolio investments if it isn't included within MSPs' financial considerations of TCO and ROI.
According to RAND, this decrease in efficacy over time is a function of the countermeasures that attackers engage in to fly under the radar of security tools meant to detect their activity.
"Attackers prefer to hide by making their attack invisible. For example, they reduce the likelihood that evidence of their malware or exploit will be observed by hiding their needle in a haystack of network traffic," the researchers wrote. "Once the defender perfects a technique for finding a particular type of needle, the attacker devises new needles based on detailed knowledge of how the existing defenses operate. The attacker can also put more hay on the pile by introducing nuisance malware that is close to the defender’s alerting and decision thresholds, introducing additional false positives and noise into the system."
What's more, most attackers are able to draw upon detailed knowledge about the latest and greatest in defense because most defenders use widely commercially available software. This is largely why it has become security best practice over the years to engage in 'defense-in-depth,' using a fabric of many different kinds of security tools to not only fill in detective technology gaps that may occur over time, but to also institute security hygiene within the target environment—this includes things like access control, patching and configuration management that can often minimize attack surfaces when attackers first break into systems, reducing the likelihood they can pivot elsewhere in the network. But the hits still keep coming and it becomes an endless cat-and-mouse game for defenders and attackers.
The arms race
"The differentiation and accumulation of defensive functions in multiple products and services has now been going on for more than 20 years. Yet the level of sophistication and capability among attackers continues to increase, and the degree of vulnerability of an organization’s networks and information resources either increases or, at best, does not get worse," researchers write. "Rapid innovation takes place on both sides of the measure-countermeasure divide."
The ultimate lesson is that this security half-life plays a role among a number of other factors when considering the total cost of managing cybersecurity risks within an organization. These include the cost and probability of potential breaches, the size of an organization and security program decisions over time. In its report RAND developed what it calls a heuristic cybersecurity model for analyzing security investment choices and developing estimates on the holistic costs. It's a lengthy and scholarly read, but one which many managed service provider executives could benefit, not only for offering insight and education to clients about their security investments but also in guiding an MSP itself as it develops security infrastructure to support its service offerings.