Network Intrusion Prevention Systems Justification and ROI: White Paper


White Paper October 2004

McAfee Protection-in-Depth Strategy

Network Intrusion Prevention Systems


Justification and ROI

www.mcafee.com

Table of Contents

Are My Critical Data Safe?

The Effects and Results of an Intrusion

Why the Demand for IPS?

What Will IPS Technology Provide?

The Role of IT—Protecting the Revenue Stream

What Is the Return on Investment?

Real-Life Case Study—A Leading Computer Security Vendor

Actual Return on Investment

McAfee PrimeSupport

Conclusion


Are My Critical Data Safe?

An organization’s critical data have never been more at risk. Today’s IT professionals face unending challenges in the area of proactive risk management:

• Today’s attacks are more frequent, more lethal, and spread faster than ever
• Patching has become impossible to keep current, leaving critical systems and infrastructure dangerously exposed during vulnerability windows
• Regulatory requirements for protecting data privacy, integrity, and confidentiality are now in force
• Despite heavy investments, security gaps still exist

Adopting a layered, Protection-in-Depth approach is a pragmatic philosophy that combats enterprise security threats. Simply stated, the McAfee® Protection-in-Depth Strategy is one built upon the notion that leveraging multiple, complementary technologies will provide the maximum protection against targeted attacks and vulnerabilities.

The Protection-in-Depth architecture is proactive security in a very dynamic environment. This means realtime risk management and remediation—the ability to stop, block, and clean attacks—as well as Intrusion Prevention Systems (IPS) that can be implemented to manage all trusted systems.

By combining best-of-breed technologies, organizations will achieve a more comprehensive and robust security posture, meaning fewer successful attacks, more efficient use of scarce security resources, and lower operating costs than simply deploying one limited technology and hoping it will protect the organization.

If targeted attacks and malicious code writing remained static, it might be harder to rationalize redundant security technology. However, this is a dynamic, thriving, and furtive threat whose momentum and technology continue to grow. No security professional can ever predict all future vulnerabilities or the exploits that invariably will follow.

The Effects and Results of an Intrusion

Intrusions and targeted attacks may result in:

• Loss of data
• Loss of reputation
• Loss of time
• Loss of business availability

Any or all of the above will result in financial implications for your business (for example, see the case study on page 4). A more detailed analysis of the financial implications of an intrusion exposes the reliance of modern businesses on data. Companies depend on information to maintain daily operations and to control their supply chain. What are the implications, for example, of having a critical application that controls the supply chain go out of service for an hour just before the Christmas holiday?

Successful attacks inflicting network downtime may affect organizations in several areas, including:

• Negative impact to end users due to productivity losses resulting from the loss of access and availability to the external network
• Negative impact to IT as a result of the exorbitant time required to restore availability and uncover the extent of damage from an attack
• Negative public impact to the organization by failing to protect client-sensitive data, failing to meet regulatory compliance and protection requirements, and by creating a potentially damaging customer and market perception that internal networks and data may not be secure
• Negative impact on profitability due to the loss of business availability

An intrusion or compromise consists of multiple stages: reconnaissance, scanning, gaining access, maintaining access, and clearing tracks. Host and network intrusion prevention systems are both targeted at the same goal—protecting critical assets from very sophisticated threats. Integrating the best of each architecture provides a solution whose sum is greater than its parts.

In the recent report titled Intrusion Prevention by the Department of Trade and Industry (DTI), it was concluded that the time and resources spent on investigation and remediation are remarkably high for such attacks and intrusions. Such costs will be significantly reduced with an IPS, since an IPS solution will provide a proactive measure of protection.

Why the Demand for IPS?

The evolution of hybrid attacks utilizing multiple vectors to breach security infrastructure has highlighted the need for enterprises to defend themselves against a constantly shifting threat.

Organizations have suffered catastrophic damage to their business confidentiality, integrity, and availability as intrusions have become more virulent. In a matter of minutes, companies can suffer significant lost revenue as production lines go dark and order taking and fulfillment processes come to a halt due to attacks like Sasser, SQL Slammer, and Nimda.

Traditional firewall and anti-virus solutions are necessary to prevent the transfer of malicious code, but are not sufficient to address the new generation of threats and targeted attacks. Security solutions that proactively protect vital information assets in real time, without waiting for new signature creation and distribution, are needed.


What Will IPS Technology Provide?

An Intrusion Prevention System is a system that protects the following:

Confidentiality—Protecting the confidentiality of information stored in electronic format on a computer system and preventing any form of unauthorized viewing or copying. Threats involve the introduction of backdoor programs, keyboard-logging programs, and other programs designed to allow unauthorized personnel access to information.

Integrity—Protecting the integrity of the information stored in electronic format on a computer system and preventing any form of unauthorized alteration or modification. Threats involve backdoor programs, network worms, and other programs that are designed to alter or erase information.

Availability—Protecting the availability of a computing resource, network, system, or information stored in electronic format on such a system or network and preventing any use or access by unauthorized personnel. Threats include Denial of Service (DoS) attacks and backdoor programs that allow the use of resources by unauthorized personnel for unauthorized purposes.

Due to the dynamic nature of network intrusions and threats, deploying a combination of both network and host IPS technologies provides the greatest level of protection for critical data and critical applications. Network IPS solutions are deployed inline at the network perimeter, core, or remote office. They are designed to protect your critical infrastructure by blocking internal and external attacks on the wire and are considered the first line of defense. Host IPS solutions are deployed on servers, desktops, and laptops. They are designed to protect critical systems and applications by blocking attacks at the host and are considered the last line of defense.

The Role of IT—Protecting the Revenue Stream

The subsequent points highlight some of the key concerns and challenges that IT teams are confronted with on a daily basis. The following are based on a typical company operating in 2004:

• $300 million click revenue
• 24/7 DAT delivery—failure means close of business
• 24/7 technical support
• Product delivery dates
• Reducing the cost of patching and avoiding cost of clean-up (IT cost only)

What is the cost if a mission-critical electronic point-of-sale (EPOS) system goes down in a store for even an hour? The revenue stream of the affected business will be at risk and the company will be reliant on the IT department to identify the threat and fix the problem.

What is the cost if the critical server controlling the online ordering and e-commerce systems is hacked, compromised, and taken offline?

Network security systems that protect infrastructure, processes, and data are critical to the success of any company. Any interruption to a process can bring down a critical service or application, resulting in loss of business availability and revenue.

What Is the Return on Investment?

The following questions can be used to determine the costs involved in managing a malicious attack or virus outbreak:

• What is the cost to an organization if its Internet presence is abused or unavailable?
• What is the estimated cost to an organization if it experiences a security breach?
• What is the estimated cost to the reputation of an organization if it experiences a security breach?
• What is the estimated monetary cost to your organization for implementing a business continuity plan or parts thereof?

For most any organization, the cost of the above will far outweigh the cost of purchasing, implementing, and managing the IPS. This argument has been proved in the case study that follows.

Real-Life Case Study—A Leading Computer Security Vendor

This global computer security powerhouse withstood more than 50 million attacks in 2003. For Ted Barlow, chief security officer, a top priority is to keep the attackers at bay while protecting not only the company’s reputation as a computer security leader, but also its corporate applications and content. This includes things like customer relationships, supply chains, financials, and intellectual property—such as source code.

This security leader embarked on a Protection-in-Depth Strategy to block or prevent attacks before they reach the network, rather than passively detecting network attacks as they speed past the perimeter. This means realtime risk management and remediation; the ability to stop, block, and clean attacks; and scalable IPS that can be implemented to manage all trusted systems.

“IntruShield was much more accurate over many more different types of attacks than competing technologies.”
—Ted Barlow, Chief Security Officer


Actual Return on Investment for Network Intrusion Protection

The figures below are based on the above company’s case study and highlight the calculations used to determine the actual ROI:

• IT Cost Avoidance—The average cost of the Slammer virus in IT time alone amounted to $240,000. In 2003 there were four similar outbreaks
  Annual cost = $1 million
• Protected Revenue Stream—E-Commerce is relatively small with an average of 16,000 orders per hour. The downtime amounted to $60,000 an hour. Some companies were down for up to sixty hours, with an average of ten hours per major outbreak in 2003, where there were four similar outbreaks
  Annual cost = $2.4 million
• Cost of Ownership—Prior to using McAfee IntruShield,® there were six dedicated IDS analysts. By installing IntruShield Appliances this resource was reduced to two and four were redeployed to proactive roles
  Annual cost = $400,000
• Leveraging Existing IT Investments—The customer’s current investment in firewall technology amounts to $500,000. Without using IntruShield Appliances in front of these firewalls, the SoBig virus, generating 3 million inbound e-mails per hour over a five-day period, would have caused a loss of productivity amounting to $19,021 in firewall downtime. In 2003, there were four similar outbreaks
  Annual cost = $76,084

This being a very large deployment, a total of forty-three network IPS appliances (all in failover) were deployed with capital expenditures spread over a total of three years.

Total IPS Investment of $600,000
Annual Cost of $200,000

Annual Return on Investment

Cost of Investment: $200,000
Savings: $3,876,084
ROI: 19.38:1

McAfee PrimeSupport

McAfee has pursued a strategy of providing best-of-breed technology for each type of security and performance management application—but the Protection-in-Depth Strategy is more than just deploying and implementing best-of-breed solutions today. Prevention is certainly our first priority, but inevitably, you will have to react to a problem.

The McAfee PrimeSupport® program is essential for making the most of your investment in McAfee System and Network Protection Solutions. McAfee’s PrimeSupport team has all the right resources and is ready to deliver your needed service solution. PrimeSupport resources include: delivering authorization to access all available maintenance releases and product upgrades, access to a comprehensive suite of additional online self-support capabilities, live telephone support accessible 24/7/365, available assigned support account managers, and a range of software and hardware support solutions that can be tailored to meet your needs.

Conclusion

Combining best-of-breed network and host IPS technology results in the most comprehensive and robust defensive posture. Implementing and deploying proactive IPS technologies will result in fewer successful attacks, more efficient use of scarce security resources, and lower operating costs than simply deploying a single, limited technology and praying you avoid an attack.

Integrating the strengths of each of the architectures provides a solution whose sum is greater than its parts. By deploying the complementary and integrated Protection-in-Depth technologies of McAfee Network and Host IPS Solutions, organizations can achieve superior protection and a proven ROI, all at a reasonable cost.

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee® products denote years of experience and commitment to customer satisfaction. The McAfee PrimeSupport® team of responsive, highly skilled support technicians provides tailored solutions, delivering detailed technical assistance in managing the success of mission-critical projects—all with service levels to meet the needs of every customer organization. McAfee Research, a world leader in information systems and security research, continues to spearhead innovation in the development and refinement of all our technologies.

McAfee, Protection-in-Depth, IntruShield, and PrimeSupport are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee® brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2004 Networks Associates Technology, Inc. All Rights Reserved. 6-nps-ins-roi-001-1004
