Re: [logs] hack attempts && price

From: Sweth Chandramouli (loganalysisat_private)
Date: Fri Feb 15 2002 - 15:01:37 PST

Next message: Tina Bird: "[logs] More Solaris snmpdx syslog data"

Previous message: H C: "Re: [logs] hack attempts && price"
In reply to: Gonzalo Garcia: "[logs] hack attempts && price"
Next in thread: Lubomir.Nistor@star-21.de: "RE: [logs] hack attempts && price"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 15, 2002 at 10:52:13AM -0300, Gonzalo Garcia wrote:
> I don´t known if this is off topic, if it is let me know.
>  
> Due to the result of log analisis ( DCs, IDS, syslog, etc, etc, etc ) I'm
> able to identify many "hack attemps" using exploits, virus, trojans, ports
> scannings, and many other stuffs that are in the wild.
>  
> Because this tasks requires capital goods, manpower, bla bla ... this costs
> are charged to my department, so I trying to find a theory ( economic or not
> ), way to assign a price to every "hack attempt" identified with the help of
> the log analisis.
	As a rough sketch, try calculating the total cost of 
employing the staff necessary to respond to the incidents, and the
corresponding hardware/software costs, and then prorate based on the
amount of time the average indicent takes to deal with.  Say that you
have a 3-person IRT, with each analyst being paid $50k annually.  Normal
HR calculations say that overhead for a given employee is between 15%
and 30% of salary, so you can ballpark the total effective cost of
employing those folks at around $180k/yr.  Add to that a prorated cost
of equipment--maybe $5000 worth of hardware and software per analyst,
prorated over 5 years (probably too long, but I believe that's the
current rate that that the US IRS uses for depreciation), which works
out to around $3000 per year of extra overhead.  Then add in an
appropriate portion of general network overhead costs and any specific
servers used for archiving forensic data, etc.; assuming 6000
person/hours per year of available analyst time, and an average of a
half-hour to deal with a given incident, you are looking at around
$16 per incident.  There are all sorts of other factors that could be
folded in, but that's the basic methodology I would use.

	-- Sweth.

-- 
Sweth Chandramouli ; <svcat_private>
President, Idiopathic Systems Consulting

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Tina Bird: "[logs] More Solaris snmpdx syslog data"
Previous message: H C: "Re: [logs] hack attempts && price"
In reply to: Gonzalo Garcia: "[logs] hack attempts && price"
Next in thread: Lubomir.Nistor@star-21.de: "RE: [logs] hack attempts && price"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 15:06:10 PST