What We Do
How we do it
Resources
SECURITY ADVISORIES
Jul 29, 2021
UPDATE: PetitPotam NTLM Relay Attack
THE THREAT PetitPotam is a variant of the NTLM Relay attack discovered by security researcher Gilles Lionel. It is tracked as an authentication bypass vulnerability in Active Directory (Certificate Services); currently no CVE identifier has been assigned to this vulnerability. Proof of Concept (PoC) code released last week [1] relies on the Encrypting File System Remote (EFSRPC) protocol to…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Jul 12, 2021
Tecala and eSentire Partner to Protect Enterprises across APAC from Business-Disrupting Cyber Attacks
Sydney, 12 July, 2021 - Tecala, Australia’s award-winning technology services and IT consulting provider, today announced it has chosen eSentire, the global Authority in Managed Detection and Response (MDR) cybersecurity services, as their exclusive MDR solution provider in Australia and New Zealand. This partnership will enable Tecala to augment its cybersecurity practice and offer enterprises…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Resources
Blog — Mar 17, 2020

Quantifying Risk: Making the Case for Greater Endpoint Protection

7 min read

As the coronavirus (COVID-19) continues to spread, the virulent disease has impacted our lives with restricted global travel, cancelled public and sporting events, and it compels employees to work remotely from home. We’ve seen a rise of fake coronavirus resources and websites as criminal elements take advantage of this situation. They know remote workers are not always as well-protected as ones behind the defenses of the mothership. In times like these, it becomes even more important to protect the laptops, tablets and other mobile devices used by your distributed workforce.

Quantifying Risk: Making the Case for Greater Endpoint Protection

In late 2018, the Ponemon Institute’s State of Endpoint Security Risk report stated that 34 percent of survey respondents indicated their endpoints had no protection. Unfortunately, this figure represents an increase compared to the 2017 report’s 28 percent. Perhaps unsurprisingly, the majority—64 percent—of survey respondents indicated that their organizations were compromised by one or more successful endpoint attacks in 2018. Again, this number reflects an increase over the previous year (54 percent).

From Cyber Risk to Financial Risk

While the cyber risk associated with endpoints is well-established, the financial risk—the minimum incurred yearly financial risk—is often considered in broad terms without sufficiently considering an organization’s characteristics.

To accurately determine the minimum incurred yearly risk of endpoints requires knowing multiple variables:

Probability of an Incident

Studies often site widely inaccurate claims around breach probabilities and their consequences. Lumping small and medium businesses (SMBs), enterprises and a broad range of industries into calculations results in inaccurate estimations that lack real-world context.

At eSentire, we created a risk propensity model based upon real-world observations (as opposed to survey results) of what we see bypass our clients’ existing security controls. The figure below shows, for a 12-month period and based upon an organizations’ number of sites, the probability of at least one incident that involves a bypass of existing endpoint security controls.

For illustrative purposes, we’ve shown three industries: finance, legal and healthcare.

The more sites an organization has, the higher the risk. This conclusion follows logically: the more sites, the larger the threat surface (endpoints in this case) and the more opportunities for attackers. To keep our model conservative, we assumed that each location is both independent and segregated from the others. That is, a breach at one site doesn’t make a breach at another any more likely, and a breach at one site does not spread laterally to another.

Conversion to Data Disclosure

While probability of an incident is important, conversion to data disclosure is critical for calculating risk. To continue with our illustrative purposes, finance, legal and healthcare organizations have observed incident conversion to data disclosure at rates of 22 percent, 23 percent and 65 percent. Notice the disparity between healthcare and the finance and legal industries. This is due in part to the nature of the data protected and the level of cybersecurity investment, especially around detection, response and recovery.

Calculating the probability of an incident and it resulting in data disclosure requires multiplying our two variables (probability of an incident X conversion to data disclosure rate). For our finance, legal and healthcare illustrations we will use the values for organizations with three locations. The resultant probability of an incident converting to data disclosure is:

Impact and Incurred Yearly Risk

Determining incurred yearly risk requires subjectivity from the organization at risk. To illustrate, the latest Ponemon Cost of a Data Breach Study reported that every record lost in a data breach results in the following cost:

No study can accurately project how many records an organization will lose if a data breach occurs. Leadership must determine, based on risk tolerance models, the projected number of records expected to lose in the case that a data breach occurs. For example, the below represents sample financial impact based on number of records lost:

Records Lost

Finance

Legal

Healthcare

1,000

$210,000

$178,000

$429,000

5,000

$1,050,000

$890,000

$2,145,000

10,000

$2,100,000

$1,780,000

$4,290,000

25,000

$5,250,000

$4,450,000

$10,725,000

50,000

$10,500,000

$8,900,000

$21,450,000

While these values are representative of when data disclosure does occur, it lacks application of risk of an incident and conversion to data disclosure over a 12-month period. To ultimately arrive at minimum incurred yearly risk (with at least one incident occurring), we must combine impact with probability of incident to data disclosure. The resultant minimum incurred yearly risk is:

Records Lost

Finance

Legal

Healthcare

1,000

$23,100

$30,260

$197,340

5,000

$115,500

$151,300

$986,700

10,000

$231,000

$302,600

$1,973,400

25,000

$577,500

$756,500

$4,933,500

50,000

$1,155,000

$1,513,000

$9,867,000

These values represent the minimum financial outlay organizations should expect over a 12-month period based on contextual risk.

Mismanagement of Risk

Despite an abundance of evidence that it’s just good business to invest in security solutions, many organizations wait until it’s too late. Rather than prudently managing financial risk by protecting endpoints, they respond only after incurring costs due to successful attacks.

This “wait and hope” approach manifests in inadequate security budgets. Gartner reports that the average organization spends $1,178 per employee on security, with only $124 of that figure dedicated to endpoint protection.

And, again despite ample evidence suggesting a different approach is needed, traditional antivirus remains the primary protection for endpoints—even though the Ponemon study shows that 57 percent of organizations recognize that traditional antivirus “does not provide adequate protection against today’s attacks.”

In fact, only 19 percent of respondents in the Ponemon report believe their compromise came from an “existing or known” attack, which might be caught by the traditional antivirus solutions receiving the bulk of endpoint security investments.

In contrast, 76 percent of respondents attribute their compromise to a “new or unknown zero-day attack”—exactly the type of attack that can be detected and mitigated by advanced endpoint protection capabilities.

Endpoint Protection: Beyond Traditional Antivirus

While endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solution adoption continues to increase, effectively operationalizing, monitoring and hunting threats has proven problematic across resource-constrained organizations. As a result, endpoint breaches have been on the rise and will continue their trajectory due to increases in remote workers, mobile endpoints and cloud adoption.

As security leaders and practitioners have come to realize, making the case for additional security investment proactively is a challenge. Broad endpoint studies that lump enterprises and SMBs together cite overinflated costs and lose credibility.

As security personnel attempt to make the case for additional investment, and leaders are weighing decisions, we encourage careful consideration of:

If you find your organization is at substantial risk of an endpoint attack, or if you’d simply like assistance understanding and quantifying the risk, then we would be happy to help. Our esENDPOINT service, powered by CrowdStrike® and VMware Carbon Black delivers next-generation prevention with EDR capabilities powered by an elite team of cyberthreat hunters.

If you want to better understand incurred yearly endpoint risk that your organization uniquely faces, download our Making the Case for Advanced Endpoint Protection white paper.

Wes Hutcherson
Wes Hutcherson Director of Product Marketing

As eSentire's Director of Product Marketing, Wes oversees market intelligence, competitive research and go-to-market strategies. His mult-faceted, technology experience spans over a decade with market leaders such as Hewlett-Packard and Dell SecureWorks.