The Hidden Cost of Security: How Security Measures Impact Performance

Introduction

This topic has been one that I have been pondering for a long time

As a Managed Service Provider (MSP), this has evolved into a balancing act around providing the most effective security software solutions to protect client endpoints, networks and data while not making managed computers so slow that users become frustrated.

The Necessity of Layered Security Software

Layered security is a strategic approach to protect IT infrastructure, using multiple security measures to defend against various threats. Our approach includes:

• Antivirus Software: Acts as the first line of defence, with solutions like Microsoft Defender which is the base of our security stack.
• Application Whitelisting: Ensures only approved applications can run on the system.
• Endpoint Detection and Response (EDR): Provides advanced threat detection and response capabilities.
• Security Information and Event Management (SIEM): Offers real-time analysis of security alerts generated by applications and network hardware.
• Vulnerability Scanning: Identifies and assesses vulnerabilities in systems, applications, and networks.
• Managed Extended Detection and Response (MXDR): Delivers advanced threat detection, response, and remediation services.

Of course, there are numerous other measures in place, but the list above represents a toolset that operates onboard managed endpoints like computers and servers. Because they run on an endpoint, they also take up some of that endpoint’s computing resources. While each layer adds a significant level of protection, they also contribute to the overall consumption of system resources, potentially impacting performance.

Performance Impact of Layered Security Software

Antivirus Software

Role: Antivirus software provides essential protection against viruses, malware, and other threats. It operates with real-time scanning and periodic full-system scans.

Impact: The real-time scanning feature monitors files and processes continuously, ensuring immediate threat detection. While this provides robust security, it can also consume CPU and memory resources, leading to slower system performance, especially during full system scans.

Endpoint Detection and Response (EDR)

Role: EDR solutions offer advanced threat detection, investigation, and response capabilities. It collects and analyses data from endpoints (workstations, laptops and servers) to identify suspicious activities.

Impact: EDR systems perform deep analysis and require substantial processing power to detect and respond to threats in real time. This can lead to increased CPU usage and potential slowdowns, particularly during extensive data analysis and threat-hunting activities.

Security Information and Event Management (SIEM)

Role: SIEM systems collect and analyse security data from various sources to provide real-time event monitoring, threat detection, and incident response.

Impact: SIEM solutions process large volumes of data and generate alerts based on correlated events. This continuous data ingestion and analysis can significantly impact performance, particularly on systems with limited resources.

Application Whitelisting

Role: Application whitelisting ensures that only approved applications can run on the system, blocking unauthorized or potentially harmful software.

Impact: Implementing application whitelisting requires constant monitoring and validation of running applications. While this enhances security, it can also result in increased CPU and memory usage as the system continuously checks application integrity.

Vulnerability Scanning

Role: Vulnerability scanning identifies and assesses vulnerabilities in systems, applications, and networks to prevent exploitation.

Impact: Scanning can be resource-intensive, especially when scanning large networks or systems. Regular scans can cause temporary slowdowns as they thoroughly inspect system configurations and software for vulnerabilities. We generally offload this work to servers or a dedicated appliance within the customer’s premises to do this task.

Managed Extended Detection and Response (MXDR)

Role: MXDR provides advanced threat detection, response, and remediation services, leveraging human expertise and automated tools to manage and respond to threats.

Impact: While MXDR enhances overall security posture, continuous monitoring and response activities can place additional load on system resources. This layer, integrated with EDR and SIEM, can further impact performance due to the high level of data processing and analysis required.

Comparative Analysis with Firewalls

A good comparison is with firewalls. These devices have been in our businesses for years. Over this period, more, advanced functions have been added.

Firewall Basics

Firewalls are critical components of network security, designed to control the flow of traffic between trusted and untrusted networks. They are rated for certain performance levels, such as a throughput of 10 Gbps, which indicates the maximum amount of data they can handle under optimal conditions.

Throughput Ratings

However, this rated throughput often represents a best-case scenario. In real-world applications, the performance of a firewall can significantly decrease when additional security features are activated, just like a workstation, laptop or server.

Feature Impact

For instance, enabling Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) on a firewall can drastically reduce its throughput. A firewall rated at 10 Gbps may only achieve 1 Gbps when these features are turned on. This is because IDS/IPS require deep packet inspection, which is resource-intensive and slows down data processing.

(As a side note, this is why it’s expensive to provide a Firewall for Hyperfibre connections. Because New Zealand is more advanced in our connectivity, providing higher speeds, bigger, more expensive enterprise Firewalls are needed to provide the security and throughput for these faster connections).

Analogous Impact

Similarly, as we add more layers of security software to our endpoints, the cumulative effect can lead to noticeable slowdowns. Just as with firewalls, the more security features enabled, the greater the performance impact.

The combined use of antivirus, EDR, SIEM, application whitelisting, vulnerability scanning, and MXDR provides comprehensive security but also requires more system resources to be dedicated to security software.

Mitigating Performance Issues

Balancing security and performance is crucial. Before Layer3 implements any security solution for you, we ensure these best practices are followed:

• Pre-Engagement Audits: Before engagement, we conduct thorough audits to ensure that existing hardware can meet the demands of our security software. This ensures compatibility and optimal performance.
• Optimise Configurations: Tailor security software settings to balance protection and performance. For example, schedule full system scans during off-peak hours.
• Quarterly Business Reviews (QBRs): As part of our broader strategy, we review hardware during QBRs and make suggestions on where old hardware can be replaced to improve performance.
• Regular Audits: Conduct regular performance audits and adjust settings to ensure optimal configurations.
• Dedicated Security Systems: Where appropriate, we will install some of this functionality on dedicated hardware within your offices, or via the cloud. This reduces the performance load on end-user systems.

Conclusion

While security measures are essential for protecting IT environments, they often come with a performance cost. By understanding the impact of each layer of security software and making informed decisions about configurations and resource allocation, it is possible to maintain a balance between security and performance. As cyber threats continue to evolve, so too must our strategies for protecting against them, ensuring that our systems remain both secure and efficient.