Building on our work in the blog Endpoint Security: Yes, Anti-Virus Really Does Reduce Risk, we now turn our attention to the perfectly legitimate question: is a “free” anti-virus / anti-malware solutions really worth it?
We can continue to use the CCM metrics published by Microsoft as our estimates for the infection rates for unprotected systems, but we now need to estimate the exploit block rate for specific anti-virus solutions. One public source of data comes from NSS Labs, who conducted testing of multiple endpoint protection solutions against a mix of 41 exploits, more than 200 attack scenarios, and multiple versions of four different web browsers. (Again, if your organization has better information, or estimates that are more specifically suited to your particular environment, you should by all means use them!)
For unprotected systems, the block rate is 0%. For systems running Microsoft Security Essentials, NSS Labs found a block rate of 65%. Because a single, static value for the block rate is not realistic, a small range centered around 65% was incorporated into the Monte Carlo model.
In addition, although there is no incremental license cost for the Microsoft anti-virus solution, there is still an administrative cost – so an amount that works out to be about 2 hours per week of a full-time equivalent administrator’s time (the analyst’s estimate) was also incorporated into the model. For the full details on the assumptions I made, and the source for making them, you can read the full report.
The result is presented in the following figure, which shows the (conservative, understated) risk of 1,000 endpoints protected with Microsoft versus that of 1,000 unprotected endpoints:
Probability of … Unprotected Microsoft
80% that the annual business impact will be greater than $47K $22K
50% that the annual business impact will be greater than $73K $31K
20% that the annual business impact will be greater than $100K $41K
This is an improvement of between 50%-60%. So yes, “free” A/V is clearly better than nothing!
This begs the next obvious question: is a “free” anti-virus solution good enough? What is the incremental benefit, if any, of investing in an enterprise-class endpoint protection solution? You guessed it – we will address this question in the next blog.