Thank God for the Welchia worm—for at least one company, it helped clarify the value of security.
In retrospect, says Bruce Larson, security director at American Water, it was that particular piece of malware that helped to legitimize his information security program.
Just before Welchia hit in 2003, Larson had gained responsibility for security operations at a partner water company in England, RWE Thames. (Both American Water and RWE Thames were part of the water division of RWE AG, a German multiutility company; that water division is now being divested.) Larson wanted to export to RWE Thames processes and products he used at American Water (including standards for a consistent architectural reference model, intrusion and anomaly detection systems from Arbor Networks, vulnerability assessments and identity management tools, among others). But he'd have to prove the benefit of making the investments required to bring Thames's security up to American Water's level, since Thames was not consistent in using these tools and practices.
Enter Welchia. It was an odd, antihero kind of worm that attempted to infect a computer in order to remove an older worm, Blaster, and then update the system's defenses. Whatever nobility it aspired to, Welchia nevertheless was a virus that could break computers and, like all worms, disable networks by jamming them up with its own traffic as it attempted to propagate itself.
"Welchia affected both of our enterprises on the same day near the same hour," Larson says. "We were able to measure the differential in impact between the two." The gap was stark: At American Water, 19 computers were initially infected, and response started in minute one. After two weeks, just 100 computers had been infected and all were fixed. Welchia resulted in zero days of downtime and required 40 man-hours of response and recovery time.
At RWE Thames, on the other hand, "Every computer that could be infected was," Larson says. "Every business subnet was offline. The routers clogged, and the networks went dark, and we had to manually rehabilitate the operation." RWE Thames endured eight days of total or partial downtime and, compared with American Water's 40 man-hours of recovery, RWE Thames needed thousands of man-hours.
Not surprisingly, executives across the pond bought in to American Water's infosecurity program. What's more, Larson also found that American Water's effective defenses gave him a baseline, a normal cost of operations, to measure against. "Before that, we were trying to use ROI to justify funding. After Welchia, we realized we really could measure how much value we protected. This is hard evidence of the differential between good security and OK security," he says. "It's perhaps unique to have hard data like this, but we do. We have the metrics. So, in a twisted sort of way, thank God for Welchia."
The event served as a catalyst in the ongoing development of a key metric that Larson uses to justify his existence to the business. He calls it the Value Protection metric.
Value Protection is Larson's attempt to overcome security's classic problem of seeming like nothing but a drain on the business. "Look, business units do one of two things: increase revenue or increase efficiency," Larson says. "We don't bring in revenue. So then you say, 'OK, then you're making the business more efficient, right?' Well, no, we don't do that either. So, if those are the two possible goals of a business unit and we don't fulfill either, then I'm confused.
"So we came up with Value Protection," Larson says. "You spend time and capital on security so that you don't allow the erosion of existing growth or prevent new growth from taking root. The number-one challenge for us is not the ability to deploy the next, greatest technology. That's there. What we need to do now is quantify the value to the business of deploying those technologies."
"It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric. For a while, people were just trying to create reasonable security, Schmitt says, "but now you need something more—something that proves the value, and that's what Bruce developed. Plus, as a secondary benefit, it's getting us better visibility from business owners and partners on risks and better ways to mitigate the risks."
Here, Larson shows how he uses the Value Protection metric to that end.