Business Risk Assessment - A Primer

Transcription

1 The Evolving Security Landscape: Technology Overview and Business Drivers Andreas M Antonopoulos Senior Vice President & Founding Partner

2 Agenda About Nemertes Technology Overview and Business Drivers Conclusion and Recommendations

3 Nemertes: Bridging the Gap Between Business & IT Quantifies the business impact of emerging technologies Conducts in-depth interviews with IT professionals Advises businesses on critical issues such as: Unified Communications Social Computing Data Centers & Cloud Computing Security Next-generation WANs Cost models, RFPs, Architectures, Strategies

4 Technology Overview and Business Drivers

5 Technology Architecture & Evolution Management Application and Endpoint Identity Layer Data Encryption and Inspection Network Security Virrtualized d Securiity Application pp Securityy Application Policy Identity Mgt PKI Incident and Event Mgt Network Mgt

6 Cyber Crime A coordinated approach to cyber crime: People h Education about phishing, malware and detection of social engineering Process h Password management, user account deprovisioning, privileged user management, alert notification process and incident response Technology h Web application firewall, endpoint protection (AV, anti-malware), scanning, IDS/IDP, firewall, VPN, NAC, encryption/key management, multifactor authentication and physical security

7 Anti-Malware Anti-malware delivery is evolving with four delivery modes: endpoint, appliance, cloud and hybrid Anti-malware Worms, viruses and trojans are stealthier than ever, vastly more numerous and proliferate mainly via web pages h Botnets, buffer overflow, cross-site scripting, SQL injections, invisble iframes White/Black listing is becoming obsolete. A good web page pg can turn bad and then back to good before the next scan

8 Identity Management Identity is the foundation of trust Three key identity management areas h User management, Authentication management, Authorization management Most organizations have a scattered collection of directories and controls. Evolving standards SAML Secure Assertion Markup Language Single Sign-on (SSO) XACML extensible Access Control Markup Language least privilege OAuth Open Authentication sharing data between clouds Nemertes Research DN0457

9 Regulatory Compliance Compliance is typically a component of governance, risk management and compliance (GRC) The most onerous compliance requirement is privacy protection: h HIPAA (1996) and HITECH (2009), FERPA (1974), PCI-DSS (2002), GLBA (1999) and breach disclosure laws such as CA SB1386 (2002) Compliance requires adoption, implementation, verification and auditing of security best practice Look for security products that include compliance templates to ease the selection of controls and procedures

10 Data Loss Prevention Multiple approaches to Data Loss Prevention (DLP): Advantage Disadvantage Endpoint Local knowledge and Requires install on every offline protection machine and susceptible to malware Appliance Global knowledge, No protection for offline dedicated performance and hardened device machines and no local USB support Cloud No hardware/software investment and support for mobile and teleworkers No local protection and leaks are caught in the cloud rather than inside the firewall

11 e-discovery The ground rules for e-discovery are the Federal Rules of Civil Procedure (FRCP), amended in h produce and permit the party making the request, to inspect, copy, test, or sample any designated documents or electronically stored information- (including writings, drawings, graphs, charts, photographs, sounds recordings, images, and other data in any medium from which information can be obtained, - translated, if necessary, by the respondent into reasonably usable form. Warning! Voic is discoverable ramifications for unified messaging g The scope of electronically stored information (ESI) requires use of e-discovery tools to locate, categorize, copy and manage retention Safe Harbor provision protects inadvertent deletion

12 Virtualization Security Virtualization reduces defense in depth requiring virtualization security such as virtual FW, virtual IDS and virtual anti-malware Adoption of virtualization security is low with less than 10% of organizations deploying today New Virtualization Security Compliance will drive Defense in Depth virtualization security adoption h Requires prescriptive guidance All major security vendors will have VirtSec products in 2010 Physical Legacy Systems SaaSS PaaS IaaS Virtualized Storage Virtualized Network Physical Network Infrastructure Strong perimeter Defense

13 Cloud Security Cloud computing adoption is < 1% of organizations h Security and compliance issues Top concerns of cloud computing: h Service provider lock-in h Compliance risks h Isolation failure h Undetected breaches h Dt Data location Cloud requires VirtSec plus identity management, encryption, data leak prevention and control over data location

14 Enabling Technologies Technology Insider Threat Risks Addressed d Business Drivers Malware Data Leakage Compliance Agility Mobility Network Security Content Inspection Encryption Security Information And Event Management OS Security Identity And Authentication Application Security Virtualized Security Security As A Service

15 Conclusion and Recommendations

16 What Should You Be Doing? Urgent: Act Now Technology has become mainstream. R&D for predecessor technology has dried up. Competitors will gain advantage. Short-Term Plans Technology is becoming mainstream. Business benefit too large to ignore. Implement within 1 year. Long-Term Plans Technology can provide some benefits. Some may be too new for business adoption. Implement in 1-3 years Specific Needs Technology is relevant for certain companies. Implementation is case-bycase, depending on industry or size.

17 Security Roadmap Move Security Up the Stack Implement Identity Infrastructure Implement DLP Implement Encryption Review employee security training Urgent: Act Now

18 Security Roadmap Assess compliance issues Evaluate e-discovery preparedness Centralize and protect logs Implement SIM/SEM Outsource Specialized Functions Short-Term Plans

19 Security Roadmap Evaluate OS choices Harden OS Implement Application Security Implement Virtualized Security Prepare for de-perimeterization Prepare for continuous mobility Long-Term Plans

20 Conclusions and Recommendations Perimeters are melting away Ubiquitous data and people need ubiquitous security Threats from organized crime and giant botnets Identity-centric and data-centric security is the future Defense-in-depth h Network security h Endpoint security h OS security h Application security h Security information and event management

21 Thank You Andreas M Antonopoulos SVP & Founding Partner andreas@nemertes.com