[124083] in North American Network Operators' Group


Re: NSP-SEC

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Mar 23 02:55:03 2010

To: Guillaume FORTAINE <gfortaine@live.com>
In-Reply-To: Your message of "Mon, 22 Mar 2010 23:02:02 BST."
	<BLU0-SMTP8779E253AE373C07D69CC0C8270@phx.gbl>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 23 Mar 2010 02:53:50 -0400
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mon, 22 Mar 2010 23:02:02 BST, Guillaume FORTAINE said:
> How much money would you evaluate a security incident on your Cisco device ?

It would depend on which of the 3,000+ Cisco devices on our network had
the incident.  And yes, we've got a pretty good estimate (to within $1.57 or
so) of what an incident on any given device would cost.

> Because, the fundamental questions are :
> a) How much value does your network bring to your business ?
> b) How much money are you ready to spend to ensure its security ?

We've got a pretty good idea what value our network brings us. We also know
how much we're *ready* to spend.  However, that's not the critical number.

You missed the most important question of all: (c) How much money do you need
to spend to minimize the total cost of protection plus losses? If you're
currently spending $50K, but you're *willing* to spend $250K, it only makes
actual sense to do so if the additional spending prevents more than $200K
of additional losses.

And this calculation needs to include second-order effects - if Cisco starts
shipping monthly updates rather than every 6 months, it doesn't do any *actual*
good unless our internal test lab ramps up so it can vet a new release in a few
weeks rather than a few months. That's an additional cost. Meanwhile, there are
a *lot* of sites that find themselves stuck on a specific build of IOS because
it's the only one that fixes bug A but also doesn't suffer from bug B.  If you
deploy a new release of IOS that contains a fix for a security hole, and the
fix eliminates an expectation value of $10K of losses, but contains a
non-security bug that starts your help desk phone ringing and racks up $20K of
support costs, it's a net loss.

Those second-order effect costs are a bitch. And a half.

I'm pretty sure that most of the other big Cisco shops have done exactly
the same risk calculus, and decided that the added expense of moving to a
monthly rather than bi-annual release cycle wasn't worth it.  And since the
sites aren't clamoring to buy it, Cisco isn't offering it.

(For the record, for many large shops, Microsoft's "Patch Tuesday" has
similar cost-benefit issues - updating your "crown jewel" production servers
once a month is a truly scary amount of code churn. The only reason Microsoft
does it is for the millions of consumer-grade boxes that auto-update, a
use case that doesn't exist for most of Cisco's product line.)

> Conclusion : if you can't reply to these fundamental questions, hire a 
> CISO and build a CSIRT.

<sigh> I *so* hate making an argument from authority (other than "I think smb
published a paper on that already"), but in your case I'll make an exception.

Go read http://www.sans.org/dosstep/roadmap.php

Read the date, read the signatories. Ask yourself if you *really* want to be
telling me that we need to build a CSIRT. (Answer - our CIRT was up and
running back in 1991, and was well-known in 2000. So no, we don't need advice
on how to start one. We've got literally man-centuries of experience in running
one already. By the way, where were you in 1991?)
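
An added worked example, not part of the post above or of anything NANOG or Cisco publishes: the risk calculus the message describes, i.e. pick the option that minimizes direct protection spend plus expected losses, and count second-order costs (test-lab ramp-up, regression-driven help-desk load) in the comparison. The option names, dollar figures and function names are constructed assumptions for illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    """One candidate protection posture (e.g. a patch cadence) with its
    annual cost components. All figures are constructed for illustration."""
    name: str
    protection_cost: float          # direct spend: staff, test lab, licences
    expected_loss: float            # expectation value of incident losses
    second_order_cost: float = 0.0  # lab ramp-up, regression support calls, etc.

    def total_cost(self) -> float:
        # The quantity the post says to minimize: protection plus losses,
        # with second-order effects folded in rather than ignored.
        return self.protection_cost + self.expected_loss + self.second_order_cost


def cheapest(options):
    """Return the option with the lowest total (protection + loss) cost."""
    return min(options, key=lambda o: o.total_cost())


def worth_extra_spend(current: Option, proposed: Option) -> bool:
    """Extra spending only pays off if it prevents more loss than it costs.
    The post's example: going from $50K to $250K must avoid > $200K of loss."""
    extra_spend = (proposed.protection_cost + proposed.second_order_cost) - (
        current.protection_cost + current.second_order_cost
    )
    loss_prevented = current.expected_loss - proposed.expected_loss
    return loss_prevented > extra_spend


def patch_net_value(loss_reduction: float, regression_cost: float,
                    vetting_cost: float = 0.0) -> float:
    """Net value of deploying one release: expected losses avoided, minus the
    non-security bug costs and lab vetting cost it drags in. Negative means
    the release is a net loss even though it fixes a security hole."""
    return loss_reduction - regression_cost - vetting_cost


# Constructed scenarios (not real figures from any network):
SIX_MONTHLY = Option("6-month IOS cadence", protection_cost=50_000,
                     expected_loss=300_000)
MONTHLY = Option("monthly cadence + faster lab", protection_cost=250_000,
                 expected_loss=120_000, second_order_cost=30_000)
QUARTERLY = Option("quarterly cadence", protection_cost=120_000,
                   expected_loss=200_000, second_order_cost=10_000)


if __name__ == "__main__":
    for opt in (SIX_MONTHLY, MONTHLY, QUARTERLY):
        print(f"{opt.name:32s} total ${opt.total_cost():>10,.0f}")
    print("cheapest:", cheapest([SIX_MONTHLY, MONTHLY, QUARTERLY]).name)
    print("monthly worth it vs 6-month?", worth_extra_spend(SIX_MONTHLY, MONTHLY))
    print("quarterly worth it vs 6-month?", worth_extra_spend(SIX_MONTHLY, QUARTERLY))
    # The post's IOS example: $10K of loss avoided, $20K of help-desk cost.
    print("net value of that release:", patch_net_value(10_000, 20_000))
```

With these constructed numbers the monthly cadence reduces expected loss by $180K but adds $230K of spend, so it fails the post's test, while the quarterly option prevents $100K for $80K extra and wins on total cost. The point of the structure is that `second_order_cost` sits in the same comparison as the direct spend, so a faster vendor release train that forces a lab ramp-up is never scored as free.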

