Online security (Daniel Beazer)
TRANSCRIPT
Restricted & Confidential
Daniel Beazer, Chief Analyst
26th September 2016
COMMON SENSE SECURITY ECOMMERCE FORUM
Who we are
BUSINESS PLATFORMS
• Cloud Solutions
• Managed Services
• Connectivity Solutions
• Security Solutions
• Hosting Solutions
• Colocation Solutions
We need to talk about the security industry
• Single threaded, deeply conflicted
• Too expensive and complex
• Doesn’t solve the problem
How the security industry sells pt 1
Nation State
How the security industry sells pt 2
And here’s your expensive solution… try understanding this
In fact… it’s not as bad as all that
• OWASP Top 10 list mostly unchanged in ten years
• Ecommerce vastly more secure than offline
• Attacks increase as ecommerce does
• Roadmap technologies like Blockchain have massive security potential
The result of traditional security sales tactics
• The industry remains small at $76bn a year, with low growth, in a growing threat landscape
• Customers are unconvinced and deeply sceptical; they will only spend money on security if forced to or if under attack
• Compliance is widely avoided, with major retailers ignoring compliance regulations
• Fines are so small as to be a cost of doing business (£250k for Sony after a breach involving millions of UK gamers)
• Most ICO (UK Information Commissioner’s Office) punishments fall on the public sector, pointlessly robbing Peter to pay Paul
Meanwhile IT is being shaken up from top to bottom
What is the target in 2016?
• Customer data is now the most valuable prize for hackers; it has emerged as the hackers’ trophy
• Most security products defend the perimeter
• CMS and databases are often poorly defended (TalkTalk)
• Social engineering using Facebook profiles
• … and the traditional IT model is being upended
‘Fixed fortifications are monuments to man’s stupidity’ (General Patton)
What we want: common sense security
• We don’t want to be patronized or scared
• We don’t want to drown in data
• We want something easy to use and easy to set up
• It needs to be affordable
Common sense security
Passwords, People, Patches
Security industry in summary
A closer look at DDoS
Data breaches come from attacks on web apps
Web app attacks are the most successful attack pattern (by number of breaches)
Source: Verizon DBIR 2016 (incidents)
Undetected cyber attacks
98 days taken to detect advanced cyber threats in Financial Services
197 days taken to detect advanced cyber threats in Retail
Source: Ponemon Institute 2015
Criminals are the main culprits
Source: Ponemon Institute 2015
Source: Hackmageddon 2015
DDoS trends
Source: Hackmageddon 2015
• Most attacks are diversions
  – The real prize is customer data
  – Often poorly protected in the CMS
• Application layer (Layer 7) attacks are increasing
  – Hard to detect and mitigate
• Botnets as a service
• The regulatory burden is growing
  – Financial institutions in the US
  – Proactive breach notification under GDPR
The solution: JS challenges
Source: Hackmageddon 2015
Current solutions
Appliances, cloud, hybrid
Appliance challenges
• Large up-front capital investment; need 2 units for HA
• Months to acquire, install, test and tune before operational
• Difficult to learn; expensive skillsets to bring in-house
• Completely ineffective when network bandwidth is saturated
• Incomplete without a cloud-based mitigation component
• No sharing of threat intelligence
Why do we need hardware at all?
Cloud challenges
• Traversing public networks to and from the cleansing POP drastically slows down page loads
• Basic shared rule set, vulnerable to many types of attacks
• Better than basic is expensive
• The same bowl (IP space) shared with other customers
• The same low security posture and aggregated risk
Normal traffic flow
On-net DDoS protection
Common sense security
Passwords, People, Patches
THANK YOU
COGECOPEER1.COM