RE: [logs] hack attempts && price

From: Lubomir.Nistor@star-21.de
Date: Tue Feb 19 2002 - 06:30:45 PST

    Well, as a consultant I take this approach:
    
    identify risk (e.g. e-commerce site that brings $10M yearly => 1 day downtime = $300K => 1 hour downtime = $10K)
    cover risk by realtime log auditing (costs e.g. $7K daily)
    
    profit => risk value * risk probability - countermeasure = $40K monthly
    
    -----Original Message-----
    From: Sweth Chandramouli [mailto:loganalysisat_private]
    Sent: Saturday, 16 February 2002 00:02
    To: 'loganalysisat_private'
    Subject: Re: [logs] hack attempts && price
    
    
    On Fri, Feb 15, 2002 at 10:52:13AM -0300, Gonzalo Garcia wrote:
    > I don't know if this is off topic; if it is, let me know.
    >  
    > Due to the result of log analysis ( DCs, IDS, syslog, etc, etc, etc ) I'm
    > able to identify many "hack attempts" using exploits, viruses, trojans, port
    > scans, and many other things that are in the wild.
    >  
    > Because these tasks require capital goods, manpower, bla bla ... these costs
    > are charged to my department, so I am trying to find a theory ( economic or not
    > ), a way to assign a price to every "hack attempt" identified with the help of
    > the log analysis.
    	As a rough sketch, try calculating the total cost of 
    employing the staff necessary to respond to the incidents, and the
    corresponding hardware/software costs, and then prorate based on the
    amount of time the average incident takes to deal with.  Say that you
    have a 3-person IRT, with each analyst being paid $50k annually.  Normal
    HR calculations say that overhead for a given employee is between 15%
    and 30% of salary, so you can ballpark the total effective cost of
    employing those folks at around $180k/yr.  Add to that a prorated cost
    of equipment--maybe $5000 worth of hardware and software per analyst,
    prorated over 5 years (probably too long, but I believe that's the
    current rate that the US IRS uses for depreciation), which works
    out to around $3000 per year of extra overhead.  Then add in an
    appropriate portion of general network overhead costs and any specific
    servers used for archiving forensic data, etc.; assuming 6000
    person/hours per year of available analyst time, and an average of a
    half-hour to deal with a given incident, you are looking at around
    $16 per incident.  There are all sorts of other factors that could be
    folded in, but that's the basic methodology I would use.
    
    	-- Sweth.
    
    -- 
    Sweth Chandramouli ; <svcat_private>
    President, Idiopathic Systems Consulting
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    
    
    



    This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 07:09:05 PST