Thursday, August 30, 2012

Impacting Adversary ROI

Recently I was looking at talks from RSA 2012. One talk that got my attention is "Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M". The two points I liked most are:

1. The Adversary Doesn’t Care About Your ROI/ROSI.

2. Whatever security measures you put in place should reduce the adversary ROI.

Let's look at the formula for adversary ROI:

 

Adversary ROI = (((Attack Value - Cost of the Attack) x Probability of Success) / Cost of the Attack) - Deterrence Measures

where:

Attack Value = Value of Assets Compromised + Adversary Value of Operational Impact

Deterrence Measures = % Chance of Getting Caught x Cost of Getting Caught

                                                                                                                       

The most important factor in this ROI is the cost of the attack. If your security measures increase the cost of the attack (which most measures do), they reduce the adversary ROI multifold, because the cost is both subtracted from the attack value and used as the divisor. This is the area where most security vendors focus their effort, along with reducing the probability of success. Advances in attack tools and techniques reduce the attack cost and increase the probability of success, so white hat hackers/defenders find themselves caught in a rat race to build countermeasures. As a best practice, multilayer security (IPS/IDS/firewall/antimalware) has to be implemented to affect these vectors of adversary ROI.

Let's say that after applying all these measures the attacker is still able to penetrate your system. If you can be alerted and act before the adversary is able to steal or damage your assets, this reduces the probability of success. Here your various monitoring systems play a great role, for example file/registry/process integrity monitoring, log inspection, etc.

What if your assets have been stolen or damaged before you were able to act? There is still hope in the form of your risk management policy and forensics, which can help in recovery and in catching your adversary. These two factors increase the chance of catching the hacker.

Now there is one factor which you cannot control directly: the impact of getting caught. It depends a lot on the rules and regulations of the government/country and how they treat your adversary.

While you can reduce the value of assets compromised, it is not always possible and not advisable either. You cannot control the adversary value of operational impact, as it depends on the type of adversary you are dealing with.

One thing should be noted here: the factors affecting adversary ROI should be considered in totality, not in isolation.
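To see how the factors interact, here is an added example (not from the talk or its slides) that evaluates the formula above for a baseline and for each defensive lever discussed in this post, alone and combined. All figures are constructed, and the cost of getting caught is assumed to be expressed on the same scale as the ROI ratio.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Attack:
    asset_value: float         # value of assets compromised
    operational_impact: float  # adversary value of operational impact
    cost: float                # cost of the attack
    p_success: float           # probability of success (0..1)
    p_caught: float            # chance of getting caught (0..1)
    cost_caught: float         # cost of getting caught (assumed ROI scale)

def attack_gain(a: Attack) -> float:
    """Gain term: ((attack value - cost) x P(success)) / cost."""
    if a.cost <= 0:
        raise ValueError("cost of the attack must be positive")
    if not (0 <= a.p_success <= 1 and 0 <= a.p_caught <= 1):
        raise ValueError("probabilities must be within [0, 1]")
    attack_value = a.asset_value + a.operational_impact
    return (attack_value - a.cost) * a.p_success / a.cost

def adversary_roi(a: Attack) -> float:
    """Gain term minus deterrence (P(caught) x cost of getting caught)."""
    return attack_gain(a) - a.p_caught * a.cost_caught

# Constructed baseline: cheap attack, weak detection, little deterrence.
BASELINE = Attack(asset_value=900_000, operational_impact=100_000,
                  cost=50_000, p_success=0.6, p_caught=0.05, cost_caught=20)

# Each scenario changes only the factor that the named control influences.
SCENARIOS = {
    "baseline": {},
    "layered prevention (attack cost x4)": {"cost": 200_000},
    "monitoring (p_success 0.6 -> 0.3)": {"p_success": 0.3},
    "forensics (p_caught 0.05 -> 0.25)": {"p_caught": 0.25},
    "all combined": {"cost": 200_000, "p_success": 0.3, "p_caught": 0.25},
}

def compare(base: Attack = BASELINE, scenarios: dict = SCENARIOS) -> dict:
    """Adversary ROI per scenario, rounded to two decimals."""
    return {name: round(adversary_roi(replace(base, **change)), 2)
            for name, change in scenarios.items()}

if __name__ == "__main__":
    for name, roi in compare().items():
        print(f"{name:38s} {roi:7.2f}")
```

With these constructed numbers, each control on its own still leaves the attack profitable; only the combination pushes the adversary ROI below zero.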

 

Reference.

http://365.rsaconference.com/servlet/JiveServlet/previewBody/3429-102-1-4545/GRC-202.pdf
