HP Software Performance Tour 2014 - Guarding against the Data Breach
DESCRIPTION
At the HP Software Performance Tour 2014, Pierpaolo Ali’, South Europe Sales Director, HP Enterprise Security Products, presented the 2014 vulnerability landscape in IT security.
TRANSCRIPT
![Page 1: HP Software Performance Tour 2014 - Guarding against the Data Breach](https://reader036.vdocuments.net/reader036/viewer/2022062702/554a0eb9b4c90507558b4abf/html5/thumbnails/1.jpg)
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Guarding against the Breach: The 2014 Vulnerability Landscape
Pierpaolo Ali’, South Europe Sales Director, HP Enterprise Security Products
June 17, 2014
The attack lifecycle (the diagram spans two domains, their ecosystem and our enterprise)
• Research
• Infiltration
• Discovery
• Capture
• Exfiltration
How we can disrupt the market (the same lifecycle, with our disruption points)
• Lifecycle stages: Research, Infiltration, Discovery, Capture, Exfiltration (across their ecosystem and our enterprise)
• Counter intel
• Educating users
• Planning damage mitigation
Agenda
2013 Cyber Risk Report key findings
Understanding Exactly how the Attacker Ecosystem Works
HP Security Research
Building Security in Maturity Model
2013 Cyber Risk Report
Key Findings
Research gains attention, but vulnerability disclosures stabilize and decrease in severity
80% of applications contain vulnerabilities exposed by incorrect configuration
Differing definitions of “malware” make measuring mobile malware risk extremely difficult
Key Findings
The attack surface allows for multiple avenues for compromise
46% of mobile iOS and Android applications use encryption improperly
Internet Explorer was the software most targeted by Zero Day Initiative (ZDI) researchers
Key Findings
SCADA systems are increasingly targeted
Sandbox bypass vulnerabilities are the #1 issue for Java
Conclusions
• Mitigate risk
• Respond appropriately
• Reduce attack surface
Going beyond the basics of best practices
Remember that people are part of your organization’s perimeter too
Don’t rely solely on traditional defensive perimeter security
Expect to be compromised
Going beyond the basics of best practices
Make security and response a continuous process
Understand that not all information and network assets are equal
Seek out credible and reliable security intelligence
Understanding exactly how the Attacker Ecosystem Works
A recent event
Repeat attacks
The same zero day, malicious IP address and malware variant hit Company A, Company B and Company C in turn, and each company logs it as a NEW EVENT.
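The slide's point, that an indicator already handled at one company shows up as a brand-new event at the next, is easy to make concrete. What follows is an added example, not code from the presentation or from any HP product: a minimal triage routine run over constructed events (documentation-range IPs, placeholder hashes and made-up signature names, none of them real indicators) that classifies each event as new or repeat, once with one indicator store shared by all companies and once with a private store per company.

```python
"""Repeat-attack detection with a shared indicator store (added example)."""
from collections import defaultdict

# Placeholder hashes: repeated 8-hex-char chunks, not digests of real samples.
H1 = "e3b0c442" * 8
H2 = "9f86d081" * 8
H3 = "a1b2c3d4" * 8

# Constructed events in arrival order. IPs are from RFC 5737 documentation ranges.
EVENTS = [
    {"id": 1, "company": "A", "src_ip": "203.0.113.7",  "sha256": H1, "signature": "zero-day-exploit"},
    {"id": 2, "company": "B", "src_ip": "198.51.100.9", "sha256": H2, "signature": "zero-day-exploit"},
    {"id": 3, "company": "C", "src_ip": "203.0.113.7",  "sha256": H2, "signature": "generic-dropper"},
    {"id": 4, "company": "C", "src_ip": "192.0.2.55",   "sha256": H3, "signature": "benign-update"},
]

INDICATOR_FIELDS = ("src_ip", "sha256", "signature")


def indicators(event):
    """Return the (type, value) indicators an event carries."""
    return [(field, event[field]) for field in INDICATOR_FIELDS if event.get(field)]


def triage(events, share_intel):
    """Classify each event as 'new' or 'repeat'.

    share_intel=True: every company reads from and writes to one store, so an
    indicator first seen at Company A is recognised when it reaches B or C.
    share_intel=False: each company keeps its own store, so the same attack is
    a NEW EVENT at every company, which is the situation the slide describes.
    An event only counts as a repeat when the indicator was seen at a
    *different* company; a company re-seeing its own indicator is not evidence
    of a campaign moving between targets.
    """
    # scope -> indicator -> set of companies that have reported it
    stores = defaultdict(lambda: defaultdict(set))
    results = []
    for ev in events:
        scope = "shared" if share_intel else ev["company"]
        store = stores[scope]
        prior = {}
        for ind in indicators(ev):
            seen_elsewhere = store[ind] - {ev["company"]}
            if seen_elsewhere:
                prior[ind] = sorted(seen_elsewhere)
        verdict = "repeat" if prior else "new"
        results.append({"id": ev["id"], "company": ev["company"],
                        "verdict": verdict, "matched": prior})
        # Record this event's indicators only after matching, so an event
        # never matches itself.
        for ind in indicators(ev):
            store[ind].add(ev["company"])
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print(f"share_intel={mode}")
        for r in triage(EVENTS, share_intel=mode):
            print(f"  event {r['id']} at {r['company']}: {r['verdict']} {r['matched']}")
```

With the shared store, event 2 is a repeat via the exploit signature first seen at A, and event 3 is a repeat via both the IP from A and the hash from B; without sharing, all four events are new.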
Recruiting
Job offers
Escrow services
Training
HP Security Research
HP Enterprise Security Products
HP Security Research
Inputs: ecosystem partners (SANS, CERT, NIST, ReversingLabs, software and reputation vendors) and ESS
• ~3000 researchers
• 2000+ customers sharing data
• 7000+ managed networks globally
Innovative research and thought leadership
• Automatically integrated into HP products
• HP finds more vulnerabilities than the rest of the market combined
• Top security vulnerability research organization for the past three years (Frost & Sullivan)
Output: actionable security intelligence
The Value HP TippingPoint DVLabs Provides
Vulnerability Research
Crowd-sourced 0-day and vulnerability research through the Zero Day Initiative (ZDI)
Original vulnerability research on widely-used software
Targeted research on emerging threat technologies and trends
Malware Research
Reputation feed of malicious hosts and IP addresses
In-depth threat research
Weekly updates to stay ahead of the threats
Heartbleed…
Building Security In: HP SSR
• Original research: malware analysis, access control validation, …
• Secure Coding Rulepacks (SCA): 563 unique categories of vulnerabilities across 21 languages and over 720,000 individual APIs
• Runtime Rulepack Kits: HP Fortify SecurityScope, HP Fortify Runtime Application Logging, HP Fortify Runtime Application Protection (RTAP)
• WebInspect SecureBase (WebInspect): next-generation security testing capabilities
• Consistent delivery of quarterly content updates (03-29-2013, 06-28-2013, …)
Building Security in Maturity Model (BSIMM)
Building BSIMM (2009)
Big idea: build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives
• Created a software security framework
• Interviewed nine firms in person
• Discovered 110 activities through observation
• Organized the activities in 3 levels
• Built a scorecard
The model has since been validated with data from 67 firms
There are no special snowflakes
Prescriptive versus Descriptive Models
Prescriptive models describe what you should do (circa 2006): SAFECode, SAMM, MS SDL, Touchpoints
Every firm has a methodology they follow (often a hybrid)
You need an SSDL!
Descriptive models describe what is actually happening
BSIMM is a descriptive model used to measure multiple prescriptive SSDLs
67 Firms in the BSIMM-V Community (the named firms shown, plus 22 firms that remain anonymous)
Compare yourself with…
• Your peers
• Other business units
Track your performance over time…
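The scoring and comparison the BSIMM slides describe (activities observed, organized in three levels, rolled into a scorecard, compared with peers and tracked over time) fits in a few functions. This is an added example, not BSIMM's own tooling or code from the presentation. It assumes BSIMM's twelve practice abbreviations and the high-water-mark convention (per practice, the highest level at which at least one activity is observed), neither of which appears on the slides; the activity ids, peer averages and the two assessment snapshots are constructed for illustration and carry no BSIMM meaning beyond practice and level.

```python
"""BSIMM-style scorecard: high-water marks, peer comparison, trend (added example)."""
import re

# Twelve practices by abbreviation (assumed from BSIMM; the slides give only
# the counts: 110 activities in 3 levels).
PRACTICES = {
    "SM": "Strategy & Metrics", "CP": "Compliance & Policy", "T": "Training",
    "AM": "Attack Models", "SFD": "Security Features & Design",
    "SR": "Standards & Requirements", "AA": "Architecture Analysis",
    "CR": "Code Review", "ST": "Security Testing", "PT": "Penetration Testing",
    "SE": "Software Environment", "CMVM": "Config & Vulnerability Management",
}

# Activity id shape assumed here: <practice><level>.<n>, level in 1..3.
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(activity_id):
    """Return (practice, level) for an id like 'CR1.4'; reject unknown ids."""
    m = ACTIVITY_RE.match(activity_id)
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"not a recognised activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))


def high_water_marks(observed):
    """Per practice, the highest level with at least one observed activity (0 if none)."""
    marks = dict.fromkeys(PRACTICES, 0)
    for act in set(observed):
        practice, level = parse_activity(act)
        marks[practice] = max(marks[practice], level)
    return marks


def scorecard(observed):
    """Activity count per practice, high-water marks and the de-duplicated total."""
    unique = set(observed)
    counts = dict.fromkeys(PRACTICES, 0)
    for act in unique:
        counts[parse_activity(act)[0]] += 1
    return {"marks": high_water_marks(unique), "counts": counts, "total": len(unique)}


def below_peers(marks, peer_avg):
    """Practices where the firm's high-water mark is under the peer average."""
    return sorted(p for p in PRACTICES if marks[p] < peer_avg[p])


def trend(prev_marks, curr_marks):
    """Per practice change in high-water mark between two assessments (non-zero only)."""
    return {p: curr_marks[p] - prev_marks[p]
            for p in PRACTICES if curr_marks[p] != prev_marks[p]}


# Constructed snapshots: one level-1 activity or two in every practice in the
# first year, five level-2 activities added in the second (CR1.2 is repeated
# deliberately to show de-duplication).
FIRM_2013 = ["SM1.1", "SM1.4", "CP1.1", "T1.1", "AM1.2", "SFD1.1", "SR1.1",
             "AA1.1", "CR1.2", "CR1.4", "ST1.1", "PT1.1", "SE1.1", "CMVM1.1"]
FIRM_2014 = FIRM_2013 + ["SM2.1", "CR2.5", "ST2.1", "PT2.2", "CMVM2.1", "CR1.2"]

# Constructed peer averages (not BSIMM-V data).
PEER_AVG = {"SM": 1.5, "CP": 1.8, "T": 1.2, "AM": 1.1, "SFD": 1.4, "SR": 1.6,
            "AA": 1.3, "CR": 1.9, "ST": 1.7, "PT": 1.6, "SE": 1.4, "CMVM": 1.8}


if __name__ == "__main__":
    card = scorecard(FIRM_2014)
    print("total activities:", card["total"])
    print("below peers:", below_peers(card["marks"], PEER_AVG))
    print("trend since 2013:", trend(high_water_marks(FIRM_2013), card["marks"]))
```

The high-water mark is deliberately coarse: a practice with one level-3 activity scores the same as one with every activity at levels 1 to 3, which is why the scorecard keeps the per-practice counts alongside the marks.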
BSIMM by the Numbers
Conclusion
Don’t rely solely on traditional defensive perimeter security.
Know thy enemy. Expect to be compromised.
Security Research can provide proactive insight into global, vertical-specific, and geographic threats.
BSIMM: Measure how well you’re doing
Questions?
Join Our Conversation
We are on your side. Visit our blogs.
HP Security Research: hp.com/go/HPSRblog
HP Security Products: hp.com/go/SecurityProductsBlog
HP Threat Briefings: hp.com/go/ThreatBriefings
BSIMM Information: bsimm.com [email protected]
Thank You