
Cloud-Client Enterprise Security Impact Report

Increased Protection at a Lower Cost



An Osterman Research White Paper


Published January 2009

SPONSORED BY
Phone: +1 877-21-TREND
www.trendmicro.com/go/smartprotection

Osterman Research, Inc. • P.O. Box 1058 • Black Diamond, Washington 98010-1058
Phone: +1 253 630 5839 • Fax: +1 866 842 3274 • info@ostermanresearch.com • www.ostermanresearch.com

Improved Security Saves 40% in Security Management Costs


Malware, spam, and other Web threats are a clear and present danger to organizations of
every size and in every industry. The consequences of malware infecting an organization
are numerous and include a wide variety of problems, ranging from minor annoyances to
the destruction of data. Worse, data-stealing malware, such as keystroke loggers, can enter
a network, intercept sensitive or confidential content, and send it to unauthorized parties.
Further, this information can be stolen by merely opening a Web page on malicious,
fraudulent, or hijacked sites. The Web has become the primary means of distributing
malware, infecting users that follow dangerous links in spam, follow poisoned search
results, or visit hijacked legitimate sites. Defending against malware can make it difficult
to conduct business safely.

Compounding the problem is the fact that malware is becoming more virulent, more
stealthy and more difficult to detect. Worse, the lifecycle for many malware variants can
now be measured in minutes, not hours or days – many variants appear, do their damage
and then disappear long before new pattern files or signatures can be deployed and
propagated to servers and clients on the network. However, if an organization could
dramatically reduce the length of time required to access threat intelligence using
in-the-cloud reputation databases to block new malware and spam variants before they
even reach the network, it could reduce the rate of endpoint infection, lower its security
management and lost productivity costs, and reduce the likelihood of security breaches.

Further, if an organization opted to combine these activities with the consolidation of its
content security infrastructure to just a single vendor, the advantages and cost savings
would be even greater.

This white paper discusses the many benefits of faster access to threat intelligence, using
a cloud-client architecture for immediate protection, as well as the benefits to enterprises
of consolidating to a single vendor for content security infrastructure. Together these
benefits can save over 40% of an enterprise’s total security management costs, not to
mention savings on reduced productivity loss, a reduced number of security breaches and
other, less tangible costs. The paper discusses the cost model developed by Osterman
Research specifically for this white paper, as well as the solutions offered by Trend Micro
that can significantly improve an organization’s content security infrastructure.

Each year in an enterprise of 5,000 employees:

• 2/3 of endpoints get infected
• $197,300 is lost cleaning endpoints
• $160,300 is lost in employee productivity
• >$100,000 is lost by >10% of companies for each security breach suffered

But they can save almost $60 per employee each year if using a comprehensive content
security solution with a cloud-client architecture instead of their conventional approach.

©2009 Osterman Research, Inc.

METHODOLOGY AND BACKGROUND


As part of this white paper development effort, Osterman Research completed a survey
with more than 100 respondents during December 2008 on the number of endpoints
(clients and servers) in each organization, the amount of time spent on IT labor, the
frequency with which malware pattern files/signatures are updated and a variety of other
issues to better understand the impacts of a cloud-client architecture and vendor
consolidation for content security. The organizations surveyed, which are based in North
America and Europe, have a median of 4,500 employees. For the purposes of this paper,
we will use examples based on 5,000 employees.

The Status Quo Doesn’t Work So Well


A GROWING NUMBER OF ENDPOINTS
There are a growing number of endpoints through which malware can enter an
organization’s network, including servers, traditional email clients on desktop and laptop
computers, corporate and personal Webmail, Web browsers, collaborative environments,
corporate and personal mobile devices, instant messaging clients, home computers, USB
storage devices, and more.

Every endpoint represents a potential entry point for a virus, worm, Trojan horse or some
other form of malware to gain a foothold in the corporate network. Today, malware is part
of a cybercrime economy and cyber criminals are using multiple endpoints and delivery
mechanisms to steal data and resources. The more popular the use of the business tool,
the more often it is targeted by the cyber criminals.

MALWARE IS GETTING WORSE BY THE MINUTE


Gone are the days when single variants of spam, viruses, and worms were created and
propagated slowly over the Internet, spreading over the course of several weeks. Instead,
today’s malware can morph into hundreds or thousands of variants and can propagate in
minutes, infecting large numbers of endpoints in a very short period of time.

NEARLY 2/3 OF ENDPOINTS ARE INFECTED EACH YEAR


The result of the growing number of endpoints, coupled with more virulent and more
capable malware, is that endpoint infections are numerous. The research we conducted
for this study found that during an average month, a mean of 5.4% (median of 2.0%) of
the endpoints in the organizations we surveyed became infected. This means that in an
organization of 5,000 employees, a mean of 270 endpoints are infected each month, or
just fewer than 3,250 are infected each year. Statistically, then, if your organization is
typical you can expect that in any given year nearly two-thirds of your organization’s
endpoints will become infected.

IT STAFF TIME IS WASTED, PRODUCTIVITY IS LOST


Aside from the most serious consequences of data loss or the interception of sensitive
content that can be experienced when an endpoint is infected, IT must spend time
cleaning endpoints while employees whose machines are disabled are rendered less
productive. For example, our research found that it takes a mean elapsed time of 95
minutes (median of 60 minutes) for IT to clean one endpoint. That means that a large
percentage of an IT department’s valuable time is spent cleaning infections, during which
time employees are less productive while waiting for their machines to be cleaned.

During a typical month, IT will spend a mean of 428 person-hours simply cleaning
infected endpoints. If we assume that the fully burdened salary for an IT staff member is
$80,000, IT will spend $16,442 per 5,000 employees on IT labor each month just to
clean endpoints from malware.

However, because employees are often idle while their systems are being cleaned,
employee productivity suffers as a result of infections. If we assume that the fully burdened
salary for the typical employee infected with malware is $65,000, then productivity loss
from infected endpoints equals $13,359 per 5,000 employees per month.

The bottom line is that organizations spend significant amounts just on cleaning endpoints
from various types of malware infections: the combination of IT and non-IT costs totals
over $357,620 per 5,000 employees each year.

SECURITY BREACHES ARE ANOTHER THREAT


Our research found that slightly more than one-half of organizations have suffered a
security breach during the previous 12 months, such as spyware infections, botnet
infections, etc. The results of these breaches were varied, including:

• Lost employee productivity (cited by 78% of respondents)
• Network was down (24%)
• Customer records were compromised (10%)
• Customer records were unavailable (10%)
• Customers were alienated (8%)
• The network was damaged (6%)
• Data security regulations were violated (6%)
• Company reputation was damaged (6%)
• Customers had to be informed of the data breach (6%)
• Minor financial losses (6%)

Only 4% of organizations that have suffered a security breach during the previous 12
months have not experienced any negative consequences. Further, respondents told us
that when a security breach occurred, their network was down for a mean of 74 minutes
(median of 18 minutes).


DATA BREACHES CAN BE EXPENSIVE


We also asked organizations about the potential cost of a security breach. As shown in the
following figure, nearly one-half of respondents indicated that a typical, single security
breach would cost up to $25,000, while 10% believe that a security breach would cost
more than $100,000.

Based on an average of the data shown in the figure below, Osterman Research estimates
that the average cost of a security breach is $48,698. This was calculated by taking the
midpoint of each cost range shown below (and estimating an $800,000 cost for the “more
than $500,000” range) and multiplying by the likelihood of each cost.

[Figure: Estimated Total Cost of a Single Security Breach]

We also asked organizations about the likelihood of a security breach occurring during the
next 12 months. While no respondents told us that there is almost no chance that a
security breach will occur and 5% told us that a security breach is a virtual certainty, the
average was just under 45%. In other words, organizations believe there is a 45% chance
that a security breach will occur in their networks during the next 12 months.

Using traditional quantitative business analysis methods, if we multiply the average cost of
a security breach by the likelihood of its occurrence, then the average cost of a security
breach that organizations will experience during the next 12 months is $21,839 ($48,698
* 44.8%). However, this represents the low end of the cost of potential security breaches.
For example, a breach of personally identifiable information can result in a requirement to
send each victim a letter explaining the breach, the cost of credit reports and the like. A
single breach can actually reach millions of dollars, not to mention the tremendously
negative impact on an organization’s reputation.


CONTENT SECURITY MANAGEMENT IS ALSO EXPENSIVE


The research program we conducted for this white paper found that IT labor costs are high;
for example IT accrues the following costs for content security related issues:

• There is a mean of 216 employees supported for every IT staff member. This varies
widely, from much lower numbers in small organizations to much higher numbers in
large ones. If we assume that the fully burdened salary for an IT staff member is
$80,000 annually, the cost of IT labor per employee is $370 per year, or just under
$31 per employee per month.

• During a typical week, IT staff spend the following lengths of time on various tasks in a
5,000-employee organization:

  o 62 person-hours managing pattern files, signatures and other critical endpoint
    issues.
  o 51 person-hours on managing false positives and related issues caused by the
    security infrastructure.

• Additionally, IT staff in an organization of 5,000 employees spends 1,674 person-hours
per year on upgrading resource capacity to add bandwidth, storage, new servers
or appliances, etc., or the equivalent of just over 0.8 full-time equivalent (FTE) staff
members.

Using the $80,000 figure as above, the cost of these three activities totals almost $290,500
per year, or the equivalent of 3.6 FTE IT staff members. Add this to the cost of cleaning
infections and organizations of 5000 employees are spending at least $487,700 on
content security management.

COST SUMMARY
Based on the analysis above, the annual costs experienced by organizations of 5,000
employees are the following:

• IT labor to address endpoint infections: ~$197,300 per 5,000 employees per year

• Employee productivity loss: ~$160,300 per 5,000 employees per year

• Security breaches: ~$48,700 per security breach

• The IT labor cost per year for managing pattern files, signatures and other critical
endpoint issues is $124,000

• The IT labor cost per year for managing false positives and related issues caused by the
security infrastructure is $102,000

• The annual IT labor cost for upgrading resource capacity for security is $64,423


Content security management is expensive and much of this cost is related to antimalware-
focused tasks and resources. Organizations spend a considerable amount trying to defend
against malware, including labor costs to manage pattern files, deal with false positives as
well as additional bandwidth, storage, new servers or appliances, and other network
upgrades needed to support the increasing size of pattern files and signatures downloaded
to the endpoints to protect against the numerous spam and malware variants. Even with
these efforts, organizations using conventional content security methods have 2/3 of their
endpoints infected each year—adding the cost of cleaning these endpoints. These costs
also do not consider the additional benefits the enterprise would receive if the IT staff
could be used on higher priority initiatives that increase productivity and generate more
revenue.

What If You Could Get Immediate Protection?


SECURITY UPDATES DO NOT OCCUR FREQUENTLY
One of the fundamental problems with the status quo is that many organizations have
employed security systems that are updated only infrequently. For example, our research
found that 24% of organizations update their pattern files/signatures less than once per
day, while 37% of these update pattern files/signatures once per day. We found that only
25% of organizations update files more than twice each day.

This creates a serious problem in a world in which malware lifetimes can be measured in
minutes but businesses only update their security once or twice a day. With few updates
there is a security gap between when malware is released and when the protection is
deployed across clients and servers. The result is that a new malware variant can appear,
do its damage, and then be replaced by a new variant before the first pattern file or
signature can be deployed to combat it. As cybercriminals become even more adept at
creating their wares, the problem will get worse.

Malware lifetimes are often measured in minutes, but our research found that
organizations tend to update pattern files only once or twice a day:

• 24% of organizations update less than once per day
• 37% of organizations update only once per day
• 25% of organizations update more than twice per day


FASTER ACCESS EQUALS BETTER PROTECTION


The obvious method for combating the problems caused by slow pattern file/signature
updates is to provide faster access to threat intelligence, ideally as close to real time as
possible. As threat volumes increase, so do the size of pattern files. An approach that
relies solely on traditional methods to distribute pattern files and signatures is
unsustainable because this deployment mode is simply too slow. Instead, threat
intelligence should be maintained in the cloud, using queries from a lightweight client.
This type of cloud-client architecture saves on resources and provides faster security with
enterprises no longer waiting for pattern file deployment to be protected. This approach
allows security systems to detect and remediate newly discovered threats more quickly,
thereby reducing the number of infected endpoints and security breaches. This will result
in lower costs and fewer negative consequences for users and organizations alike.

We asked survey respondents the following question: “Imagine that your server and
endpoints could be updated 10 times faster with new pattern files/signatures after a new
threat has been detected (for example, going from eight hours to update signatures to 15
minutes).” Note that the survey phrased the faster access to threat intelligence as a pattern
file / signature update instead of trying to explain a cloud-client architecture in the survey.
However, the key to the survey response is that the organization has access to threat
intelligence within 15 minutes.

One of the important advantages of faster protection would be to reduce the chances of a
security breach. For example, instead of an almost 45% chance of a data breach occurring
during the next 12 months as discussed above, respondents told us that with faster
protection there would be a 36% chance of such a breach.

FASTER ACCESS EQUALS LOWER COSTS


Not only can faster access to threat intelligence reduce the risk of data loss and the cost of
IT labor spent on remediating endpoint infections, it can also reduce the overall cost of
managing security.

Osterman Research developed a cost model specifically for this white paper that allows an
organization to estimate the cost advantages it might obtain from having faster access to
threat intelligence. For example, we have estimated the following for an organization of
5,000 employees:

• Endpoint infection rate would go from 5.4% to 2.0%.

• There would be a 25% reduction in IT staff investments in managing pattern files,
signatures and other critical endpoint issues.

• There would be a 10% reduction in IT staff investments for upgrading resource
capacity to add bandwidth, storage, servers or appliances, etc.

• There would be a 2% reduction in IT staff investments for managing false positives and
related issues.


Based on these assumptions, Osterman Research estimates that the total security
management cost savings an organization would receive by getting faster protection
through a cloud-client content security solution would equal 34% of the total content
security management costs. Add this to the lost productivity costs saved and security
breaches avoided and, for an organization of 5,000 employees, this would equal roughly
$268,936, or annual savings of $53.79 per employee per year more than what an
organization saves with their current, conventional content security solutions.

WHAT IF YOU HAD JUST ONE CONTENT SECURITY VENDOR?


Many organizations use multiple vendors for their content security infrastructure – our
research found that there is a mean of four vendors used to provide content security
(median of three). However, many organizations are attempting to reduce the number of
vendors to lower costs by obtaining volume discounts, reducing IT labor investments in
managing multiple vendors’ products, simplifying patch management, and so forth.

We asked organizations that are using multiple content security vendors, “If you could
use just one best-of-breed vendor for all of your server and endpoint security
requirements, what percentage of IT staff time devoted to content security management
do you think you might save during a typical week?” While 14% of respondents told us
there would be no savings from the consolidation of vendors, 22% told us there would be
savings of up to 5% in IT labor costs, another 41% told us labor savings would be between
6% and 10%, and 23% told us savings would be greater than 10%. The average savings
was 9.5%. This can result in major cost reductions, particularly for large organizations.

Consolidating security can cut costs:

• An average of 4 vendors is used for content security
• A 5000-employee enterprise can save 9.5% in content security management costs by
using one best-of-breed vendor

THE BOTTOM LINE


Faster access to threat intelligence, coupled with the use of a single content security
vendor, can result in significant savings. In the 5,000-employee organization discussed
above, the total content security management costs are estimated at $487,731. The total
savings for faster security would equal approximately 34%, or would be $163,713. After
applying these savings, organizations would receive a benefit of another 9.5%, or $30,780,
reduction in their security management costs when using one vendor. Add this to the
savings from a reduction in productivity loss and fewer security breaches, and a
5,000-employee organization would save almost $300,000 when using a cloud-client solution
from a single vendor. The breakdown of these savings is shown in the following figure,
although it should be noted that the enormous potential cost savings of avoiding a single
security breach could outweigh all of the other costs shown.


[Figure: Estimated Annual Savings]

About Trend Micro


TREND MICRO SMART PROTECTION NETWORK
Trend Micro Enterprise Security offers content security that provides immediate
protection in a tightly integrated offering of products, services, and solutions. At the
core of these products and services is the Trend Micro Smart Protection Network, a
newly introduced cloud-client architecture designed to provide fast protection with
minimal network resources. This approach combines in-the-cloud reputation
databases and lightweight client infrastructure to quickly and automatically protect
information wherever and however an enterprise’s employees connect.

Threat information is analyzed using the global knowledge of over 1,000 dedicated
content security experts at TrendLabs, Trend Micro’s global network of research,
service, and support centers. This data is correlated across three types of reputation
databases – Web, email and file. If one element shows a bad reputation, it is
automatically blocked across all threat delivery methods – providing immediate
protection at every point of attack – spam sources, embedded links, dangerous files,
and web sites with malicious content. These reputation databases are constantly
updated, and mutually reinforcing to provide significantly better protection than
would be possible using any of these technologies by itself.

THE BENEFITS OF A CLOUD-CLIENT ARCHITECTURE


With a cloud-client architecture, Trend Micro can update the in-the-cloud reputation
databases in real time and the light-weight client can quickly access this information
as needed – no longer waiting for periodic downloads of static pattern files to be
protected. And this protection can also be accessed by roaming users when both on
and off the network. This immediate access to threat intelligence lowers exposure to
dangerous spam and malware, reducing malware infections and security breaches.
The reputation databases also stop threats at their source, limiting the amount of
spam and malware on the network and saving on costly resources.

A UNIFIED DEFENSE: ONE VENDOR FOR CONTENT SECURITY


The Smart Protection Network powers Trend Micro Web, messaging and endpoint security,
creating a unified defense throughout the network between the reputation databases.
Whether an enterprise chooses one Trend Micro product or a complete security solution,
businesses can access the correlated threat information between these reputation databases
to get network protection faster. Trend Micro’s comprehensive content security enables
customers to use one vendor for immediate, effective protection built into flexible content
security that is easy to acquire, deploy, and manage.

TREND MICRO ENTERPRISE SECURITY SAVES COSTS


Trend Micro’s cloud-client architecture provides faster protection than conventional
approaches that rely solely on pattern file updates. Trend Micro also provides a
comprehensive solution that enables enterprises to use one vendor for content
security. This combination supports the benefits discussed earlier in this paper,
providing enterprises with a solution that can save them over 40% of their total
security management costs in addition to providing increased employee
productivity and fewer security breaches.

Here is a summary of the additional amount enterprises can save using Trend Micro
Enterprise Security versus more conventional content security across multiple
vendors:

Number of    Estimated Content         Savings by   % of Overall       Additional         Per Employee
Employees    Security Mgmt. Savings    Using One    Content Security   Content Security   Annual Savings
             with Faster Protection    Vendor       Mgmt. Costs        Savings            with Trend Micro
1,000        $32,743                   $6,156       40%                $24,473            $63.37
5,000        $163,713                  $30,782      40%                $105,223           $59.94
10,000       $327,426                  $61,563      40%                $206,160           $59.51

Trend Micro Enterprise Security powered by the Smart Protection Network provides
immediate protection with less complexity, offering lower business risks and costs to
enterprises.


Summary
Malware is bad and getting worse. Malware variants are becoming more numerous, more
virulent, more difficult to detect and their lifecycle is becoming dramatically shorter.
Organizations that employ a more traditional content security infrastructure whose pattern
files and signatures are updated only once or twice each day are at a serious disadvantage,
since malware variants can enter a network, do their damage and then disappear before
the enterprise deploys the latest pattern files or signatures to address them.

Instead, organizations should employ an integrated content security infrastructure that
accesses the latest threat intelligence through a cloud-client architecture, providing
immediate protection against the latest spam and malware threats. This will reduce the
chance of security breaches, reduce the number of endpoints that become infected and
reduce IT labor costs focused on security management. Coupled with the use of a single
content security vendor, the savings from doing so can be significant.

Trend Micro provides just such a solution with Trend Micro Enterprise Security powered by
the Smart Protection Network. This approach provides immediate protection in an
integrated solution that combines web, messaging, and endpoint security. This
comprehensive content security saves cost today while also providing a sustainable
architecture as threats evolve in the future.

© 2009 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of
Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior
written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this
document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with
any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc.
(collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel
regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the
completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED
REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE
DETERMINED TO BE ILLEGAL.
