The Evolving Security Landscape Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com

Post on 25-Jul-2018


TRANSCRIPT


Agenda

About Nemertes
Security and Compliance Trends
Technology Overview and Business Drivers
Conclusion and Recommendations

© Copyright 2010 Nemertes Research

Nemertes: Bridging the Gap Between Business & IT

Quantifies the business impact of emerging technologies
Conducts in-depth interviews with IT professionals
Advises businesses on critical issues such as:
  Unified Communications
  Social Computing
  Data Centers & Cloud Computing
  Security
  Next-generation WANs
Cost models, RFPs, Architectures, Strategies

Security and Compliance Trends

Security and Compliance Outlook

Timeline chart across three eras: 1990-2000, 2001-2009, 2010-2011+
Threats: Viruses; Worms/Trojans; Polymorphic Attacks/Malware; Website Defacement; XSS and SQL Injection; Phishing/Identity Theft; Rise of the Botnets/DDoS; Silent Botnets
Attackers: Hacking for Fun and Fame; Organized Cybercrime; Cyber Warfare
Regulation: HIPAA, GLBA, Sarbanes-Oxley; PCI-DSS; HITECH; Amended FRCP; Breach Notification; National Breach Disclosure

De-Perimeterization

Is that a word? No, but it's happening anyway!
You used to have "The Internet Connection" and "The Firewall"
We are rapidly moving to ubiquitous connectivity and mobility
The Internet is everywhere! There is no INSIDE and OUTSIDE in your network

The Changing End-User Landscape

Employee personal use of technology influences IT decisions for 46% of organizations
About 67% of organizations have a formal telework policy
iPhone already a target of attacks against known vulnerabilities
Mobile devices are a significant data loss risk
The line between personal and work computing is blurring

Security by Location

Most security today is LOCATION-CENTRIC
Servers and desktops are becoming virtual
Firewalls, VLANs, ACLs, IP Addresses – Locations
Location should not be the foundation of your security policy!

Compliance on the Rise

If Enron gave us Sarbanes-Oxley, what will 100xEnron give us?
Legislation to pass a national breach disclosure law
HITECH Act adds more teeth to HIPAA
PCI-DSS is driving security behavior
Compliance drives security spending for 37% of organizations
Compliance requirements will get more prescriptive with sharper teeth

Data-Centric Security

Data-centric means INSPECTING and PROTECTING the data, regardless of where it is
Anti-malware inwards, data leakage outwards
Content inspection
Encryption
Fingerprinting
ALL DATA SUBJECT TO SEARCH
Digital certificates
Security meta-data

Technology Overview and Business Drivers

Technology Architecture & Evolution

Architecture diagram. Layers shown: Application and Endpoint Management; Application Policy; Application Security; Identity Layer / Identity Mgt; PKI; Data Encryption and Inspection; Network Security / Network Mgt. Virtualized Security and Security Incident and Event Mgt are shown alongside the layers.

Cyber Crime

A coordinated approach to cyber crime:
People: education about phishing, malware and detection of social engineering
Process: password management, user account deprovisioning, privileged user management, alert notification process and incident response
Technology: web application firewall, endpoint protection (AV, anti-malware), email scanning, IDS/IDP, firewall, VPN, NAC, encryption/key management, multi-factor authentication and physical security

Anti-Malware

Anti-malware delivery is evolving with four delivery modes: endpoint, appliance, cloud and hybrid
Worms, viruses and trojans are stealthier than ever, vastly more numerous, and proliferate mainly via web pages: botnets, buffer overflows, cross-site scripting, SQL injection, invisible iFrames
White/black listing is becoming obsolete. A "good" web page can turn "bad" and then back to "good" before the next scan

Identity Management

Identity is the foundation of trust
Three key identity management areas: user management, authentication management, authorization management
Most organizations have a scattered collection of directories and controls.
Evolving standards:
SAML – Security Assertion Markup Language: single sign-on (SSO)
XACML – eXtensible Access Control Markup Language: least privilege
OAuth – Open Authentication: sharing data between clouds

Regulatory Compliance

Compliance is typically a component of governance, risk management and compliance (GRC)
The most onerous compliance requirement is privacy protection: HIPAA (1996) and HITECH (2009), FERPA (1974), PCI-DSS (2002), GLBA (1999) and breach disclosure laws such as CA SB1386 (2002)
Compliance requires adoption, implementation, verification and auditing of security best practice
Look for security products that include compliance templates to ease the selection of controls and procedures

Data Loss Prevention

Multiple approaches to Data Loss Prevention (DLP):

Endpoint
  Advantage: local knowledge and offline protection
  Disadvantage: requires install on every machine and susceptible to malware
Appliance
  Advantage: global knowledge, dedicated performance and hardened device
  Disadvantage: no protection for offline machines and no local USB support
Cloud
  Advantage: no hardware/software investment and support for mobile and teleworkers
  Disadvantage: no local protection, and leaks are caught in the cloud rather than inside the firewall

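The fingerprinting-based content inspection that the Data-Centric Security and Data Loss Prevention slides describe is illustrated by the following added example (not code from the deck or from Nemertes): a protected document is winnowed into a set of k-gram hashes, and outbound messages are scored against that set so that even reformatted fragments are caught. The k-gram size, window, threshold and the sample documents are assumptions constructed for the example.

```python
import hashlib
import re

K = 8       # k-gram length in normalised characters (assumed tuning value)
WINDOW = 4  # winnowing window; any shared run of K+WINDOW-1 chars is guaranteed to match

def normalise(text: str) -> str:
    """Lower-case and drop everything but letters and digits, so that
    re-wrapping, punctuation or case changes do not defeat the match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def kgram_hashes(text: str) -> list[int]:
    """64-bit hash of every overlapping K-character gram of the normalised text."""
    s = normalise(text)
    return [int.from_bytes(hashlib.sha256(s[i:i + K].encode()).digest()[:8], "big")
            for i in range(len(s) - K + 1)]

def fingerprint(text: str) -> set[int]:
    """Winnowing: keep the minimum hash of each window of WINDOW grams, so
    only a sample of the document's grams has to be stored by the DLP engine."""
    hashes = kgram_hashes(text)
    return {min(hashes[i:i + WINDOW])
            for i in range(max(len(hashes) - WINDOW + 1, 1)) if hashes[i:i + WINDOW]}

def leak_score(message: str, protected: set[int]) -> float:
    """Fraction of the message's grams found in the protected fingerprint set.
    Every gram of the message is checked, so any retained fingerprint hits."""
    hashes = kgram_hashes(message)
    return sum(h in protected for h in hashes) / len(hashes) if hashes else 0.0

def inspect(message: str, protected: set[int], threshold: float = 0.05) -> bool:
    """True when the outbound message should be blocked or quarantined."""
    return leak_score(message, protected) >= threshold

# Constructed sample data (not from the deck).
PROTECTED_DOC = ("Project Falcon Q3 forecast: revenue 12.4M, churn 3.1%, "
                 "acquisition of Blue Harbor Ltd planned for October.")
FINGERPRINT = fingerprint(PROTECTED_DOC)
LEAK_MSG = ("Hi Tom, attached are the numbers: revenue 12.4M, churn 3.1%, "
            "acquisition of Blue Harbor Ltd planned for October. Cheers, Ana")
REFORMATTED_MSG = "REVENUE 12.4 M; CHURN 3.1 % -- acquisition of BLUE HARBOR LTD planned for OCTOBER"
CLEAN_MSG = "Lunch on Friday? The cafeteria has a new menu."

if __name__ == "__main__":
    for m in (LEAK_MSG, REFORMATTED_MSG, CLEAN_MSG):
        print(f"{leak_score(m, FINGERPRINT):.2f} blocked={inspect(m, FINGERPRINT)} :: {m[:40]}")
```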

e-Discovery

The ground rules for e-discovery are the Federal Rules of Civil Procedure (FRCP), amended in 2006.
"produce and permit the party making the request, to inspect, copy, test, or sample any designated documents or electronically stored information (including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data in any medium from which information can be obtained), translated, if necessary, by the respondent into reasonably usable form."
Warning! Voicemail is discoverable – ramifications for unified messaging
The scope of electronically stored information (ESI) requires use of e-discovery tools to locate, categorize, copy and manage retention
Safe Harbor provision protects inadvertent deletion

Virtualization Security

Virtualization reduces defense in depth, requiring virtualization security such as virtual FW, virtual IDS and virtual anti-malware
Adoption of virtualization security is low, with less than 10% of organizations deploying today
Compliance will drive virtualization security adoption; requires prescriptive guidance
All major security vendors will have VirtSec products in 2010

Diagram: Virtualization Security – New Defense in Depth. Columns: Physical, IaaS, PaaS, SaaS. Layers: Legacy Systems; Virtualized Network; Virtualized Storage; Physical Network Infrastructure; Strong Perimeter Defense.

Cloud Security

Cloud computing adoption is < 1% of organizations: security and compliance issues
Top concerns of cloud computing: service provider lock-in; compliance risks; isolation failure; undetected breaches; data location
Cloud requires VirtSec plus identity management, encryption, data leak prevention and control over data location

Enabling Technologies: Risks Addressed and Business Drivers

Columns – Risks Addressed: Insider Threat, Malware, Data Leakage, Compliance; Business Drivers: Agility, Mobility
Technology                                  Insider Threat  Malware  Data Leakage  Compliance  Agility  Mobility
Network Security                            ●               ●        ●             ●           ●        ●
Content Inspection                          ●               ●        ●             ●           ●        ●
Encryption                                  ●               ●        ●             ●           ●        ●
Security Information And Event Management   ●               ●        ●             ●           ●        ●
OS Security                                 ●               ●        ●             ●           ●        ●
Identity And Authentication                 ●               ●        ●             ●           ●        ●
Application Security                        ●               ●        ●             ●           ●        ●
Virtualized Security                        ●               ●        ●             ●           ●        ●
Security As A Service                       ●               ●        ●             ●           ●        ●

Conclusion and Recommendations

What Should You Be Doing?

Urgent: Act Now – Technology has become mainstream. R&D for predecessor technology has dried up. Competitors will gain advantage.
Short-Term Plans – Technology is becoming mainstream. Business benefit too large to ignore. Implement within 1 year.
Long-Term Plans – Technology can provide some benefits. Some may be too new for business adoption. Implement in 1-3 years.
Specific Needs – Technology is relevant for certain companies. Implementation is case-by-case, depending on industry or size.

Security Roadmap

Urgent: Act Now
Move Security Up the Stack
Implement Identity Infrastructure
Implement DLP
Implement Encryption
Review employee security training

Security Roadmap

Short-Term Plans
Assess compliance issues
Evaluate e-discovery preparedness
Centralize and protect logs
Implement SIM/SEM
Outsource Specialized Functions

Security Roadmap

Long-Term Plans
Evaluate OS choices
Harden OS
Implement Application Security
Implement Virtualized Security
Prepare for de-perimeterization
Prepare for continuous mobility

Conclusions and Recommendations

Perimeters are melting away
Ubiquitous data and people need ubiquitous security
Threats from organized crime and giant botnets
Identity-centric and data-centric security is the future
Defense-in-depth: network security; endpoint security; OS security; application security; security information and event management

Thank You

Andreas M Antonopoulos, SVP & Founding Partner, [email protected]