The Evolving Security Landscape
Andreas M. Antonopoulos, Senior Vice President & Founding Partner
www.nemertes.com
Agenda
- About Nemertes
- Security and Compliance Trends
- Technology Overview and Business Drivers
- Conclusion and Recommendations
© Copyright 2010 Nemertes Research
Nemertes: Bridging the Gap Between Business & IT
- Quantifies the business impact of emerging technologies
- Conducts in-depth interviews with IT professionals
- Advises businesses on critical issues such as:
  - Unified Communications
  - Social Computing
  - Data Centers & Cloud Computing
  - Security
  - Next-generation WANs
- Cost models, RFPs, Architectures, Strategies
Security and Compliance Outlook
[Timeline figure covering three eras: 1990-2000, 2001-2009 and 2010-2011+]
- Attacker motivation moves from Hacking for Fun and Fame, to Organized Cybercrime, to Cyber Warfare
- Threats shown on the timeline: Website Defacement; Worms/Trojans/Viruses; Phishing/Identity Theft; XSS and SQL Injection; Rise of the Botnets / DDoS; Polymorphic Attacks / Malware; Silent Botnets
- Regulation shown on the timeline: HIPAA, GLBA, Sarbanes-Oxley; PCI-DSS; Amended FRCP; Breach Notification; HITECH; National Breach Disclosure
De-Perimeterization
- Is that a word? No, but it's happening anyway!
- You used to have "The Internet Connection" and "The Firewall"
- We are rapidly moving to ubiquitous connectivity and mobility
- The Internet is everywhere! There is no INSIDE and OUTSIDE in your network
The Changing End-User Landscape
- Employee personal use of technology influences IT decisions for 46% of organizations
- About 67% of organizations have a formal telework policy
- iPhone already target of attacks against known vulnerabilities
- Mobile devices are a significant data loss risk
- The line between personal and work computing is blurring
Security by Location
- Most security today is LOCATION-CENTRIC
- Servers and desktops are becoming virtual
- Firewalls, VLANs, ACLs, IP Addresses – Locations
- Location should not be the foundation of your security policy!
Compliance on the Rise
- If Enron gave us Sarbanes-Oxley, what will 100xEnron give us?
- Legislation to pass a national breach disclosure law
- HITECH Act adds more teeth to HIPAA
- PCI-DSS is driving security behavior
- Compliance drives security spending for 37% of organizations
- Compliance requirements will get more prescriptive with sharper teeth
Data-Centric Security
- Data-centric means INSPECTING and PROTECTING the data, regardless of where it is
- Anti-malware inwards, data leakage outwards
- Content inspection
- Encryption
- Fingerprinting
- Digital certificates
- Security meta-data
[Figure label: ALL DATA SUBJECT TO SEARCH]
Technology Architecture & Evolution
[Architecture diagram; layers as shown: Application and Endpoint Management; Application Policy / Application Security; Identity Management (Identity Layer, PKI); Data Encryption and Inspection; Network Security / Network Management. Cross-cutting: Virtualized Security; Incident and Event Management]
Cyber Crime
A coordinated approach to cyber crime:
- People
  - Education about phishing, malware and detection of social engineering
- Process
  - Password management, user account deprovisioning, privileged user management, alert notification process and incident response
- Technology
  - Web application firewall, endpoint protection (AV, anti-malware), email scanning, IDS/IDP, firewall, VPN, NAC, encryption/key management, multi-factor authentication and physical security
Anti-Malware
- Anti-malware delivery is evolving with four delivery modes: endpoint, appliance, cloud and hybrid
- Anti-malware – Worms, viruses and trojans are stealthier than ever, vastly more numerous and proliferate mainly via web pages
  - Botnets, buffer overflow, cross-site scripting, SQL injections, invisible iFrames
- White/Black listing is becoming obsolete. A "good" web page can turn "bad" and then back to "good" before the next scan
Identity Management
- Identity is the foundation of trust
- Three key identity management areas
  - User management, Authentication management, Authorization management
- Most organizations have a scattered collection of directories and controls.
- Evolving standards
  - SAML – Security Assertion Markup Language: Single Sign-on (SSO)
  - XACML – eXtensible Access Control Markup Language: least privilege
  - OAuth – Open Authentication: sharing data between clouds
Regulatory Compliance
- Compliance is typically a component of governance, risk management and compliance (GRC)
- The most onerous compliance requirement is privacy protection:
  - HIPAA (1996) and HITECH (2009), FERPA (1974), PCI-DSS (2002), GLBA (1999) and breach disclosure laws such as CA SB1386 (2002)
- Compliance requires adoption, implementation, verification and auditing of security best practice
- Look for security products that include compliance templates to ease the selection of controls and procedures
Data Loss Prevention
Multiple approaches to Data Loss Prevention (DLP):
- Endpoint
  - Advantage: Local knowledge and offline protection
  - Disadvantage: Requires install on every machine and susceptible to malware
- Appliance
  - Advantage: Global knowledge, dedicated performance and hardened device
  - Disadvantage: No protection for offline machines and no local USB support
- Cloud
  - Advantage: No hardware/software investment and support for mobile and teleworkers
  - Disadvantage: No local protection, and leaks are caught in the cloud rather than inside the firewall
e-Discovery
- The ground rules for e-discovery are the Federal Rules of Civil Procedure (FRCP), amended in 2006.
  - "produce and permit the party making the request, to inspect, copy, test, or sample any designated documents or electronically stored information (including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data in any medium from which information can be obtained, translated, if necessary, by the respondent into reasonably usable form."
- Warning! Voicemail is discoverable – ramifications for unified messaging
- The scope of electronically stored information (ESI) requires use of e-discovery tools to locate, categorize, copy and manage retention
- Safe Harbor provision protects inadvertent deletion
Virtualization Security
- Virtualization reduces defense in depth, requiring virtualization security such as virtual FW, virtual IDS and virtual anti-malware
- Adoption of virtualization security is low, with less than 10% of organizations deploying today
- Compliance will drive virtualization security adoption
  - Requires prescriptive guidance
- All major security vendors will have VirtSec products in 2010
[Diagram: Virtualization Security, New Defense in Depth. Service layers: Physical, IaaS, PaaS, SaaS. Other elements shown: Legacy Systems; Virtualized Network; Virtualized Storage; Physical Network Infrastructure; Strong Perimeter Defense]
Cloud Security
- Cloud computing adoption is < 1% of organizations
  - Security and compliance issues
- Top concerns of cloud computing:
  - Service provider lock-in
  - Compliance risks
  - Isolation failure
  - Undetected breaches
  - Data location
- Cloud requires VirtSec plus identity management, encryption, data leak prevention and control over data location
Enabling Technologies
[Table mapping each technology to the Risks Addressed (Insider Threat, Malware, Data Leakage, Compliance) and the Business Drivers (Agility, Mobility) it supports]
Technologies listed:
- Network Security
- Content Inspection
- Encryption
- Security Information And Event Management
- OS Security
- Identity And Authentication
- Application Security
- Virtualized Security
- Security As A Service
What Should You Be Doing?
- Urgent: Act Now: Technology has become mainstream. R&D for predecessor technology has dried up. Competitors will gain advantage.
- Short-Term Plans: Technology is becoming mainstream. Business benefit too large to ignore. Implement within 1 year.
- Long-Term Plans: Technology can provide some benefits. Some may be too new for business adoption. Implement in 1-3 years.
- Specific Needs: Technology is relevant for certain companies. Implementation is case-by-case, depending on industry or size.
Security Roadmap
Urgent: Act Now
- Move Security Up the Stack
- Implement Identity Infrastructure
- Implement DLP
- Implement Encryption
- Review employee security training
Security Roadmap
Short-Term Plans
- Assess compliance issues
- Evaluate e-discovery preparedness
- Centralize and protect logs
- Implement SIM/SEM
- Outsource Specialized Functions
Security Roadmap
Long-Term Plans
- Evaluate OS choices
- Harden OS
- Implement Application Security
- Implement Virtualized Security
- Prepare for de-perimeterization
- Prepare for continuous mobility
Conclusions and Recommendations
- Perimeters are melting away
- Ubiquitous data and people need ubiquitous security
- Threats from organized crime and giant botnets
- Identity-centric and data-centric security is the future
- Defense-in-depth
  - Network security
  - Endpoint security
  - OS security
  - Application security
  - Security information and event management