© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Attacking 2015 Top Security Threats
Marin Marinov,
17th of September, 2015
It’s no surprise we’re facing a data explosion
[Slide graphic: timeline from Mainframe (Kilobytes) to Client/Server (Megabytes) to The Internet (Gigabytes) to Mobile, Social, Big Data & The Cloud (Zettabytes, Yottabytes), illustrated with a cloud of vendor and application logos]
Every 60 seconds:
- 695,000 status updates
- 98,000+ tweets
- 168 million+ emails sent
- 217 new mobile web users
- 11 million instant messages
- 698,445 Google searches
- 1,820TB of data created
How we view the challenges
1. Nature and motivation of attacks (fame to fortune, a new market adversary)
2. Transformation of enterprise IT (delivery and consumption changes; big shifts: cloud, big data, mobile)
3. Compliance pressures (increasing cost and complexity; policies and regulations)
[Slide graphic: attack life cycle strip: Research, Infiltration, Discovery, Capture, Exfiltration]
Attack life cycle
- Research: research potential targets
- Infiltration: phishing attack and malware
- Discovery: mapping the breached environment
- Capture: obtain data
- Exfiltration: exfiltrate/destroy stolen data
- Monetization: data sold on the black market
Current solutions protect the perimeter
Yet, 84% of breaches occur in the application software
People and process, hygiene, security fundamentals:
- #1 is misconfiguration
- 44% are 2-4 years old
- 87% below benchmark
This is application security
The right approach: systematic, proactive Software Security Assurance
1. Software Security Assessment: leverage a Security Gate to validate the resiliency of internal or external code (open source, outsourced, commercial, in-house) before Production
2. Improve SDLC policies: embed security into the SDLC development process
3. Runtime Application Self-Protection: monitor and protect software running in Production

Benefits of an SSA Program (performance metric: improvement)
- Vulnerabilities per application: from 100s to 10s
- Average time to fix a vulnerability: from 1 to 2 weeks to 1 to 2 hours
- Percentage of repeat vulnerabilities: from 80% to 0%
- Compliance and penetration testing effort: from ~$500k to ~$250k
- Time-to-market delays due to vulnerabilities: from 4+ incidents (30 days each) per year to none
Source: Mainstay ROI Research 2013 – Does Application Security Pay?
Static Analysis – Fortify SCA
Most comprehensive, most accurate, easy to use for developers, build integration, scales to any application
[Slide graphic: source code management system feeding static analysis via build integration]
Static Application Security Testing
Accurately identify the root cause and remediate the underlying security flaw
[Slide graphic: the SCA frontend parses source in Java, JSP, XML, T-SQL and other languages (21+ in total) into a normalized representation; SCA analysis runs over that representation and reports results, shown here as user input reaching a SQL injection]
Dynamic Analysis – WebInspect
Dynamic testing in QA or Production
- Dynamic and runtime analysis
- Technology made simple
- Compliance management
- Integration
- Centralized program management
Orchestrate the full datacenter
Focus until now: automate and orchestrate infrastructure services (OS, servers, networks, storage)
Moving forward: automate platform and application services (web server, app server, databases; applications)
Orchestration across the operations lifecycle: security, compliance, help desk, monitoring, discovery
Across the full stack, end to end (infra, platform, apps), and across heterogeneous physical and virtual environments (private, public, traditional IT)