The Evolving Security Landscape. Andreas M Antonopoulos Senior Vice President & Founding Partner

Transcription

1 The Evolving Security Landscape Andreas M Antonopoulos Senior Vice President & Founding Partner

2 Agenda About Nemertes Security and Compliance Trends Technology Overview and Business Drivers Conclusion and Recommendations

3 Nemertes: Bridging the Gap Between Business & IT Quantifies the business impact of emerging technologies Conducts in-depth interviews with IT professionals Advises businesses on critical issues such as: Unified Communications Social Computing Data Centers & Cloud Computing Security Next-generation WANs Cost models, RFPs, Architectures, Strategies

4 Security and Compliance Trends

5 Security and Compliance Outlook Phishing/Identity Theft Website Defacement Website defacement Viruses XSS and SQL Injection Worms/Trojans DOS Polymorphic Attacks/ Malware RISE OF THE BOTNETS/ DDOS Hacking for Fun and Fame Silent BOTNETS Organized Cybercrime Cyber Warfare HIPAA, GLBA, Sarbanes Oxley PCI-DSS Breach Notification HITECH National Breach Disclosure Amended FRCP

6 De-Perimeterization Is that a word? No, but it s happening anyway! You used to have The Internet Connection and The Firewall We are rapidly moving to ubiquitous connectivity and mobility The Internet is everywhere! There is no INSIDE and OUTSIDE in your network

7 The Changing End-User Landscape Employee personal use of technology influences IT decisions for 46% of organizations About 67% of organizations have a formal telework policy iphone already target of attacks against known vulnerabilities Mobile devices are a significant data loss risk The line between personal and work computing is blurring

8 Security by Location Most security today is LOCATION-CENTRIC O C C Servers and desktops are becoming virtual Firewalls, VLANs, ACLs, IP Addresses Locations Location should not be the foundation of your security policy!

9 Compliance on the Rise If Enron gave us Sarbanes- Oxley, what will 100xEnron give us? Legislation to pass a national breach disclosure law HITECH Act adds more teeth to HIPAA PCI-DSS is driving security behavior Compliance drives security spending for 37% of organizations Compliance requirements will get more prescriptive with sharper teeth

10 Data-Centric Security Data-centric means INSPECTING and PROTECTING the data Regardless of where it is Anti-malware inwards, data leakage outwards Content inspection Encryption Fingerprinting Digital certificates Security meta-data ALL DATA SUBJECT TO SEARCH

11 Technology Overview and Business Drivers

12 Technology Architecture & Evolution Management Application and Endpoint Identity Layer Data Encryption and Inspection Network Security Virrtualized d Securiity Application pp Securityy Application Policy Identity Mgt PKI Incident and Event Mgt Network Mgt

13 Cyber Crime A coordinated approach to cyber crime: People h Education about phishing, malware and detection of social engineering Process h Password management, user account deprovisioning, privileged user management, alert notification process and incident response Technology h Web application firewall, endpoint protection (AV, anti-malware), scanning, IDS/IDP, firewall, VPN, NAC, encryption/key management, multifactor authentication and physical security

14 Anti-Malware Anti-malware delivery is evolving with four delivery modes: endpoint, appliance, cloud and hybrid Anti-malware Worms, viruses and trojans are stealthier than ever, vastly more numerous and proliferate mainly via web pages h Botnets, buffer overflow, cross-site scripting, SQL injections, invisble iframes White/Black listing is becoming obsolete. A good web page can turn bad and then back to good before the next scan

15 Identity Management Identity is the foundation of trust Three key identity management areas h User management, Authentication management, Authorization management Most organizations have a scattered collection of directories and controls. Evolving standards SAML Secure Assertion Markup Language Single Sign-on (SSO) XACML extensible Access Control Markup Language least privilege OAuth Open Authentication sharing data between clouds

16 Regulatory Compliance Compliance is typically a component of governance, risk management and compliance (GRC) The most onerous compliance requirement is privacy protection: h HIPAA (1996) and HITECH (2009), FERPA (1974), PCI-DSS (2002), GLBA (1999) and breach disclosure laws such as CA SB1386 (2002) Compliance requires adoption, implementation, verification and auditing of security best practice Look for security products that include compliance templates to ease the selection of controls and procedures

17 Data Loss Prevention Multiple approaches to Data Loss Prevention (DLP): Advantage Disadvantage Endpoint Local knowledge and Requires install on every offline protection machine and susceptible to malware Appliance Global knowledge, No protection for offline dedicated performance and hardened device machines and no local USB support Cloud No hardware/software investment and support for mobile and teleworkers No local protection and leaks are caught in the cloud rather than inside the firewall

18 e-discovery The ground rules for e-discovery are the Federal Rules of Civil Procedure (FRCP), amended in h produce and permit the party making the request, to inspect, copy, test, or sample any designated documents or electronically stored information- (including writings, drawings, graphs, charts, photographs, sounds recordings, images, and other data in any medium from which information can be obtained, - translated, if necessary, by the respondent into reasonably usable form. Warning! Voic is discoverable ramifications for unified messaging g The scope of electronically stored information (ESI) requires use of e-discovery tools to locate, categorize, copy and manage retention Safe Harbor provision protects inadvertent deletion

19 Virtualization Security Virtualization reduces defense in depth requiring virtualization security such as virtual FW, virtual IDS and virtual anti-malware Adoption of virtualization security is low with less than 10% of organizations deploying today New Virtualization Security Compliance will drive Defense in Depth virtualization security adoption h Requires prescriptive guidance All major security vendors will have VirtSec products in 2010 Physical Legacy Systems SaaSS PaaS IaaS Virtualized Storage Virtualized Network Physical Network Infrastructure Strong perimeter Defense

20 Cloud Security Cloud computing adoption is < 1% of organizations h Security and compliance issues Top concerns of cloud computing: h Service provider lock-in h Compliance risks h Isolation failure h Undetected breaches h Data location Cloud requires VirtSec plus identity management, encryption, data leak prevention and control over data location

21 Enabling Technologies Technology Insider Threat Risks Addressed d Business Drivers Malware Data Leakage Compliance Agility Mobility Network Security Content Inspection Encryption Security Information And Event Management OS Security Identity And Authentication Application Security Virtualized Security Security As A Service

22 Conclusion and Recommendations

23 What Should You Be Doing? Urgent: Act Now Technology has become mainstream. R&D for predecessor technology has dried up. Competitors will gain advantage. Short-Term Plans Technology is becoming mainstream. Business benefit too large to ignore. Implement within 1 year. Long-Term Plans Technology can provide some benefits. Some may be too new for business adoption. Implement in 1-3 years Specific Needs Technology is relevant for certain companies. Implementation is case-bycase, depending on industry or size.

24 Security Roadmap Move Security Up the Stack Implement Identity Infrastructure Implement DLP Implement Encryption Review employee security training Urgent: Act Now

25 Security Roadmap Assess compliance issues Evaluate e-discovery preparedness Centralize and protect logs Implement SIM/SEM Outsource Specialized Functions Short-Term Plans

26 Security Roadmap Evaluate OS choices Harden OS Implement Application Security Implement Virtualized Security Prepare for de-perimeterization Prepare for continuous mobility Long-Term Plans

27 Conclusions and Recommendations Perimeters are melting away Ubiquitous data and people need ubiquitous security Threats from organized crime and giant botnets Identity-centric and data-centric security is the future Defense-in-depth h Network security h Endpoint security h OS security h Application security h Security information and event management

28 Thank You Andreas M Antonopoulos SVP & Founding Partner andreas@nemertes.com