The old saying of "you get what you pay for" seems to be well directed when
it comes to this topic. If you're willing to allocate $100K more than you
currently spend to mitigating the effects from Worms and Viruses, I'm sure
you will have some increased success. If you allocate 1 mill more, your
success will increase substantially. The true cost really boils down to
what you are trying to protect, such as how many servers, users, network
segments, and other critical devices you are willing to encompass in your
protection plan. Also, you may be able to mitigate the cost by using the
functionality built into devices you may already own. A good protection
schema needs to address the use and benefits from the following: Firewalls,
VPN tunnels and policies, HIDs, NIDs, Antivirus software, and a good network
security policy that grows with your network. You may already have most of
this in place and need only a little extra funding allocated to give you the
protection level you feel comfortable with.
If you're looking for pricing on each component, they will vary widely
depending on the brand and model you go with. You should shop around for
components that suit your budget. An example of this price variance can be
found by looking at a Net Forensics project priced at $500k compared to a
similar solution going with Network Intelligence at $40K. The Network
Intelligence solution may not have all the functionality offered by Net
Forensics, but it may be enough for your needs.
Best of luck in fighting this ever-growing problem,
Actually that is not true. There is substantial evidence that spending
more does not change behavior when it comes to worms. Offering anti-virus
software, firewalls, consulting, email, telephone calls, letters, etc.
have the exact same impact as doing nothing on the average ISP consumer.
As Jared points out, doing "more" substantially increases the support
costs for ISPs and doesn't reduce the number or severity of worms.
On the other hand, individuals can have a dramatic impact on the security
of their own computer.
Unfortunately, computer security is a bit like the light bulb joke. How
many psychologists does it take to change a light bulb? One, but the
light bulb has to want to change.
] The old saying of "you get what you pay for" seems to be well directed when
] it comes to this topic. If you're willing to allocate $100K more than you
] currently spend to mitigating the effects from Worms and Viruses, I'm sure
] you will have some increased success. If you allocate 1 mill more, your
] success will increase substantially. The true cost really boils down to
This sort of thinking, unsupported by any data, runs rampant in
the security industry. I have yet to see anyone document the
ROI on security tools and services. Do they help at all? Does
an increase in security spending result in a decrease in pain?
In some cases, as already documented here, an increase in
security measures can actually increase costs.
Let's not fall into the trap that more $$$ equates to greater
security or awareness. I've seen many sites that installed
numerous pods of the latest IDS at their borders, only to be
owned from within or owned by a method not yet in the
ever-behind signature database of the IDS devices. One can
waste money on security just as easily as one can waste money
on anything else.