DDoS protection - what budget share should it get?
In an environment rife with rapidly evolving malware, targeted attacks on enterprise and the escalating mobile security problem, defending against Distributed Denial of Service (DDoS) attacks might not take top priority on the information security manager's checklist.
However, the incidence of DDoS attacks is rising globally, with enterprises, hosting providers and cloud service providers experiencing DDoS attacks on their data centres more frequently and with more severe business consequences than ever before, and, to complicate matters, attackers are using a range of new tools and techniques.
Whether through volumetric attacks, TCP state-exhaustion attacks or application-layer attacks, DDoS attacks can do a great deal more damage than just bringing a site down. Because many mission-critical business applications are now web-based, a DDoS attack can disrupt daily business operations and supply chain interactions, among other areas. In addition, sophisticated attackers are increasingly using DDoS attacks as a diversionary tactic to mask targeted persistent attacks aimed at stealing intellectual property and/or customer and financial information.
Your potential exposure
When allocating budget share to DDoS protection and mitigation, it is important to determine your organisation's potential exposure and the cost to the business of its most critical applications going down.
DDoS impact assessment starts with a simple question: What will be the total cost to the business if the most critical applications are down for four, eight, 12, or 24 hours, a week, or even two weeks?
The answer depends on the specifics of the business, but the cost elements typically break out as follows:
- Operations: How many IT personnel will be tied up addressing the attack, and what are they paid per hour?
- Help desk: How many more help desk calls will be received, and at what cost per call?
- Recovery: How much manual work will need to be done to re-enter transactions?
- Lost worker output: How much employee output will be lost?
- Lost business: How much business will we lose during the outage?
- Lost customers: How many existing customers will defect to competitors? What is the lifetime value of these customers?
- Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
- Lost future business: How much will the ability to attract new customers be affected? What is the full value of that lost business?
- Brand and reputation damage: What is the cost to the company brand and reputation?
The business impact of an attack is a function of the length of time that services are unavailable and the value of those services. The impact is akin to losses from power outages or other failures of critical infrastructure. In a Ponemon survey of 16 industry segments, 41 business managers reported that in unplanned data centre outages, the business costs (lost revenue, customer churn, brand/reputational damage and lost productivity) far exceeded the operational costs. Outage costs per hour are significant: an average data centre of 2,000 square feet incurs $92,000 in losses per hour of downtime.
However, this varied significantly by business type. In another survey, Ponemon found that DDoS costs enterprises more than any other form of cyber-crime.
When evaluating and prioritising security investments, managers should take into account not only the expected losses, but also the losses that will be sustained if the enterprise experiences attacks that cause more downtime than the industry average of around 12 hours. Managers should therefore also weigh the risk and financial impact of annual outage time of 24 hours or more.
For most enterprises, replacing a highly uncertain and risky cost outcome with the predictable, lower cost of effective DDoS protection is sound practice from a security perspective as well as a financial perspective.
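The impact assessment described above, worked through as a small Python model (an added example, not code from the article): the article's cost elements become per-hour parameters, every figure is a constructed placeholder for a hypothetical enterprise, and the probability-weighted annual loss across outage scenarios, including a tail scenario longer than the 12-hour average, is compared against a fixed annual cost of protection.

```python
from dataclasses import dataclass

@dataclass
class CostInputs:
    """Per-hour cost assumptions. All values are constructed placeholders."""
    it_staff: int                          # IT personnel tied up on the attack
    it_hourly_rate: float                  # loaded cost per IT person per hour
    extra_calls_per_hour: float            # additional help desk calls per hour down
    cost_per_call: float
    recovery_hours_per_outage_hour: float  # manual re-entry work generated per hour down
    recovery_hourly_rate: float
    idle_workers: int                      # employees whose output stops
    worker_hourly_output: float            # value of each idle worker's output per hour
    revenue_per_hour: float                # lost business while the service is down
    sla_credit_per_hour: float             # SLA credits / penalties accrued per hour

def outage_cost(c: CostInputs, hours: float, customer_churn_value: float = 0.0,
                reputation_cost: float = 0.0) -> dict:
    """Break an outage of `hours` out into the article's cost elements.
    Churn and reputation damage are one-off amounts per incident, not hourly rates."""
    elements = {
        "operations": c.it_staff * c.it_hourly_rate * hours,
        "help_desk": c.extra_calls_per_hour * hours * c.cost_per_call,
        "recovery": c.recovery_hours_per_outage_hour * hours * c.recovery_hourly_rate,
        "lost_worker_output": c.idle_workers * c.worker_hourly_output * hours,
        "lost_business": c.revenue_per_hour * hours,
        "penalties": c.sla_credit_per_hour * hours,
        "lost_customers": customer_churn_value,
        "brand_reputation": reputation_cost,
    }
    elements["total"] = sum(elements.values())
    return elements

def expected_annual_loss(c: CostInputs, scenarios) -> float:
    """scenarios: (annual_probability, outage_hours, churn_value, reputation_cost).
    Returns the probability-weighted annual loss, the figure to set against the
    predictable annual cost of DDoS protection."""
    return sum(p * outage_cost(c, h, churn, rep)["total"] for p, h, churn, rep in scenarios)

def protection_worth_it(c: CostInputs, scenarios, annual_protection_cost: float) -> bool:
    return expected_annual_loss(c, scenarios) > annual_protection_cost

if __name__ == "__main__":
    c = CostInputs(5, 100.0, 50.0, 20.0, 0.5, 40.0, 100, 30.0, 10000.0, 500.0)
    # The durations the article asks about: 4h, 8h, 12h, 24h, one week, two weeks.
    for h in (4, 8, 12, 24, 168, 336):
        print(f"{h:4d} h down: {outage_cost(c, h)['total']:>14,.2f}")
    # A frequent short outage plus a rarer tail case beyond the 12-hour average.
    scen = [(0.3, 4, 0, 0), (0.1, 24, 50_000, 100_000)]
    print("expected annual loss:", expected_annual_loss(c, scen))
    print("protection at 50,000/yr worth it:", protection_worth_it(c, scen, 50_000))
```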