The Evolving Security Landscape
Andreas M. Antonopoulos, Senior Vice President & Founding Partner
www.nemertes.com
© Copyright 2010 Nemertes Research
Agenda
- About Nemertes
- Security and Compliance Trends
- Technology Overview and Business Drivers
- Conclusion and Recommendations
Nemertes: Bridging the Gap Between Business & IT
- Quantifies the business impact of emerging technologies
- Conducts in-depth interviews with IT professionals
- Advises businesses on critical issues such as: Unified Communications, Social Computing, Data Centers & Cloud Computing, Security, Next-generation WANs
- Cost models, RFPs, architectures, strategies
Security and Compliance Trends
Security and Compliance Outlook (timeline slide: 1990-2000, 2001-2009, 2010-2011+)
- Compliance: HIPAA, GLBA, Sarbanes-Oxley; HITECH; PCI-DSS; Amended FRCP; Breach Notification; National Breach Disclosure
- Threat actors: Hacking for Fun and Fame; Organized Cybercrime; Cyber Warfare
- Attacks: Viruses; Worms/Trojans; Polymorphic Attacks/Malware; DoS; Rise of the Botnets/DDoS; Silent Botnets; Website Defacement; XSS and SQL Injection; Phishing/Identity Theft
De-Perimeterization
- Is that a word? No, but it's happening anyway!
- You used to have "The Internet Connection" and "The Firewall"
- We are rapidly moving to ubiquitous connectivity and mobility
- The Internet is everywhere! There is no INSIDE and OUTSIDE in your network
The Changing End-User Landscape
- Employee personal use of technology influences IT decisions for 46% of organizations
- About 67% of organizations have a formal telework policy
- iPhone already a target of attacks against known vulnerabilities
- Mobile devices are a significant data loss risk
- The line between personal and work computing is blurring
Security by Location
- Most security today is LOCATION-CENTRIC
- Servers and desktops are becoming virtual
- Firewalls, VLANs, ACLs, IP addresses: these are all locations
- Location should not be the foundation of your security policy!
Compliance on the Rise
- If Enron gave us Sarbanes-Oxley, what will 100x Enron give us?
- Legislation to pass a national breach disclosure law
- HITECH Act adds more teeth to HIPAA
- PCI-DSS is driving security behavior
- Compliance drives security spending for 37% of organizations
- Compliance requirements will get more prescriptive, with sharper teeth
Data-Centric Security
- Data-centric means INSPECTING and PROTECTING the data, regardless of where it is
- Anti-malware inwards, data leakage outwards
- Content inspection
- Encryption
- Fingerprinting
- Digital certificates
- Security meta-data
(Graphic: ALL DATA SUBJECT TO SEARCH)
Technology Overview and Business Drivers
Technology Architecture & Evolution (layered diagram; component labels): Application and Endpoint; Network Security; Virtualized Security; Management; PKI; Application Policy; Identity Mgt; Incident and Event Mgt; Network Mgt; Identity Layer; Data Encryption and Inspection; Application Security
Cyber Crime
A coordinated approach to cyber crime:
- People: education about phishing, malware and detection of social engineering
- Process: password management, user account deprovisioning, privileged user management, alert notification process and incident response
- Technology: web application firewall, endpoint protection (AV, anti-malware), email scanning, IDS/IDP, firewall, VPN, NAC, encryption/key management, multi-factor authentication and physical security
Anti-Malware
- Anti-malware delivery is evolving with four delivery modes: endpoint, appliance, cloud and hybrid
- White/black listing is becoming obsolete: a "good" web page can turn "bad" and then back to "good" before the next scan
- Worms, viruses and trojans are stealthier than ever, vastly more numerous, and proliferate mainly via web pages: botnets, buffer overflows, cross-site scripting, SQL injection, invisible iFrames
Identity Management
- Identity is the foundation of trust
- Three key identity management areas: user management, authentication management, authorization management
- Most organizations have a scattered collection of directories and controls
- Evolving standards: SAML (Security Assertion Markup Language) for single sign-on (SSO); XACML (eXtensible Access Control Markup Language) for least privilege; OAuth (Open Authentication) for sharing data between clouds
Regulatory Compliance
- Compliance is typically a component of governance, risk management and compliance (GRC)
- The most onerous compliance requirement is privacy protection: HIPAA (1996) and HITECH (2009), FERPA (1974), PCI-DSS (2002), GLBA (1999) and breach disclosure laws such as CA SB1386 (2002)
- Compliance requires adoption, implementation, verification and auditing of security best practice
- Look for security products that include compliance templates to ease the selection of controls and procedures
Data Loss Prevention
Multiple approaches to Data Loss Prevention (DLP):

Approach  | Advantage                                                           | Disadvantage
Endpoint  | Local knowledge and offline protection                              | Requires install on every machine and is susceptible to malware
Appliance | Global knowledge, dedicated performance and hardened device          | No protection for offline machines and no local USB support
Cloud     | No hardware/software investment; support for mobile and teleworkers | No local protection; leaks are caught in the cloud rather than inside the firewall
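As an added example (not part of the Nemertes deck) tying the data-centric "fingerprinting" and "content inspection" controls to the DLP approaches in this table: a minimal partial-document fingerprinting check that registers a sensitive document as hashed word shingles and scores outbound text by overlap, which is the kind of inspection any of the three deployment modes would run. The shingle size, threshold and sample documents are constructed choices.

```python
"""Partial-document fingerprinting for DLP content inspection.

Added example, not code from the original deck. A sensitive document is
registered as a set of hashed word shingles (only hashes are kept, not the
text), and outbound messages are scored by how many of their shingles match.
"""
import hashlib
import re

SHINGLE_WORDS = 5  # constructed choice: fingerprint 5-word windows


def _tokens(text: str) -> list[str]:
    # Normalize case and strip punctuation so reformatting does not defeat the match.
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> set[str]:
    """Return the set of truncated SHA-256 hashes of every 5-word window."""
    words = _tokens(text)
    shingles: set[str] = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        window = " ".join(words[i:i + SHINGLE_WORDS])
        shingles.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return shingles


def leak_score(outbound: str, registered: set[str]) -> float:
    """Fraction of the outbound text's shingles that match the registered set."""
    probe = fingerprint(outbound)
    if not probe:
        return 0.0  # too short to fingerprint; nothing to compare
    return len(probe & registered) / len(probe)


def inspect(outbound: str, registered: set[str], threshold: float = 0.3) -> bool:
    """True when the message should be flagged or blocked by the DLP policy."""
    return leak_score(outbound, registered) >= threshold


# Constructed sample data: one registered document, one leaky and one clean message.
SENSITIVE_DOC = ("Project Falcon acquisition memo: board approved offer of 42 million "
                 "for Acme Widgets, pending diligence on patents and union contracts.")
REGISTERED = fingerprint(SENSITIVE_DOC)
LEAKY_EMAIL = "FYI - board approved offer of 42 million for Acme Widgets, keep quiet."
CLEAN_EMAIL = "Lunch moved to 12:30, see you at the usual place."

if __name__ == "__main__":
    print("leaky:", round(leak_score(LEAKY_EMAIL, REGISTERED), 3), inspect(LEAKY_EMAIL, REGISTERED))
    print("clean:", round(leak_score(CLEAN_EMAIL, REGISTERED), 3), inspect(CLEAN_EMAIL, REGISTERED))
```

Because matching works on word windows rather than the whole file, a paraphrased excerpt still scores, while the clean message scores zero.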
e-Discovery
The ground rules for e-discovery are the Federal Rules of Civil Procedure (FRCP), amended in 2006: "produce and permit the party making the request, to inspect, copy, test, or sample any designated documents or electronically stored information (including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data in any medium from which information can be obtained, translated, if necessary, by the respondent into reasonably usable form)."
- Warning! Voicemail is discoverable, with ramifications for unified messaging
- The scope of electronically stored information (ESI) requires e-discovery tools to locate, categorize, copy and manage retention
- The Safe Harbor provision protects inadvertent deletion
Virtualization Security
- Virtualization reduces defense in depth, requiring virtualization security such as virtual FW, virtual IDS and virtual anti-malware
- Adoption of virtualization security is low, with less than 10% of organizations deploying today
- Compliance will drive virtualization security adoption; this requires prescriptive guidance
- All major security vendors will have VirtSec products in 2010
(Diagram: Physical Network Infrastructure with strong perimeter defense and physical legacy systems; Virtualization Security as the new defense in depth across the virtualized network, virtualized storage, and IaaS/PaaS/SaaS)
Cloud Security
- Cloud computing adoption is < 1% of organizations, held back by security and compliance issues
- Top concerns of cloud computing: service provider lock-in, compliance risks, isolation failure, undetected breaches, data location
- Cloud requires VirtSec plus identity management, encryption, data leak prevention and control over data location
Enabling Technologies: Risks Addressed (Insider Threat, Malware, Data Leakage) and Business Drivers (Compliance, Agility, Mobility); ● = applies

Technology                                | Insider Threat | Malware | Data Leakage | Compliance | Agility | Mobility
Network Security                          | ● | ● | ● | ● | ● | ●
Content Inspection                        | ● | ● | ● | ● | ● | ●
Encryption                                | ● | ● | ● | ● | ● | ●
Security Information and Event Management | ● | ● | ● | ● | ● | ●
OS Security                               | ● | ● | ● | ● | ● | ●
Identity and Authentication               | ● | ● | ● | ● | ● | ●
Application Security                      | ● | ● | ● | ● | ● | ●
Virtualized Security                      | ● | ● | ● | ● | ● | ●
Security as a Service                     | ● | ● | ● | ● | ● | ●
Conclusion and Recommendations
What Should You Be Doing?
- Urgent: Act Now: Technology has become mainstream. R&D for predecessor technology has dried up. Competitors will gain advantage.
- Short-Term Plans: Technology is becoming mainstream. Business benefit too large to ignore. Implement within 1 year.
- Long-Term Plans: Technology can provide some benefits. Some may be too new for business adoption. Implement in 1-3 years.
- Specific Needs: Technology is relevant for certain companies. Implementation is case-by-case, depending on industry or size.
Security Roadmap: Urgent: Act Now
- Move security up the stack
- Implement identity infrastructure
- Implement DLP
- Implement encryption
- Review employee security training
Security Roadmap: Short-Term Plans
- Assess compliance issues
- Evaluate e-discovery preparedness
- Centralize and protect logs
- Implement SIM/SEM
- Outsource specialized functions
Security Roadmap: Long-Term Plans
- Evaluate OS choices
- Harden OS
- Implement application security
- Implement virtualized security
- Prepare for de-perimeterization
- Prepare for continuous mobility
Conclusions and Recommendations
- Perimeters are melting away
- Ubiquitous data and people need ubiquitous security
- Threats from organized crime and giant botnets
- Identity-centric and data-centric security is the future
- Defense-in-depth: network security, endpoint security, OS security, application security, security information and event management
Thank You
Andreas M. Antonopoulos, SVP & Founding Partner, [email protected]