HP Security Research Tour 2014 If you want better security, think like a bad guy.

Transcription

1 HP Security Research Tour 2014 If you want better security, think like a bad guy. Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2 Welcome at the HP Security Research Tour 2014 Raymond Hüner Country Director, HP Software BeNeLux Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

3 Today s agenda - morning 08:15-09:00 Welcome & registration with coffee 09:00-09:15 Welcome remarks Raymond Hüner Country Director HP Software BeNeLux 09:15-10:45 Stop Looking for the silver bullet: start thinking like a bad guy Miguel Carrero Head of ArcSight Products & Solutions 11:00-11:15 Coffee break Guarding against a data breach: addressing the 2014 vulnerability landscape Matias Madou Research Lead, HP Security Research 11:15-13:00 Stop infiltration using robust architecture Henk Janssen Security Consultant Network Security, HP Enterprise Security Products North Find the intruders using correlation and context Ofer Shezaf Regional Product Management Director, EMEA, HP ArcSight Protect your weakest link - your software Tracy Varnum Strategic Sales Manager EMEA, HP Enterprise Security 13:00-14:00 Lunch and extended registration for NDA User Conference sessions 3 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

4 Today s agenda afternoon HP Security User Conference 14:00-15:30 HP Security User Conference (under NDA only) User conference ArcSight roadmap and use case updates Ofer Shezaf Regional Product Management Director, EMEA, HP ArcSight Matias Madou Research Lead, HP Security Research 15:30-16:25 Refreshment break Guided tour on the Forteiland 16:25-17:30 Closing networking drink User conference TippingPoint roadmap and use case updates Stuart Hatto EMEA Product Manager TippingPoint Tracy Varnum Strategic Sales Manager EMEA, HP Enterprise Security 4 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

6 Your opinion matters to us Please give us your feedback And we will make it worthwhile 6 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

8 Stop looking for the silver bullet, start thinking like a bad guy Miguel Carrero Head of ArcSight Products & Solutions Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

9 9 Copyright Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

29 86% of budget spent on blocking 31% greater ROI $4,000,000 saved 29 Copyright Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

30 30 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 93 assessments 69 discrete SOCs 13 countries

31 31 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

32 2/5 on maturity continuum 24% fail to meet security requirements 30% fail to meet compliance 32 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

38 Title (46 pt. HP Simplified bold) Subtitle (18 pt. HP Simplified) Speaker s name / Month day, Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

39 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

44 Guarding against a data breach: addressing the 2014 vulnerability landscape Guarding against the Breach Matias Madou, Ph.D. Research Lead, HP Security Research Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

45 The attack lifecycle Research Infiltration Their ecosystem Discovery Capture Our enterprise Exfiltration 45 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

46 How we can disrupt the market Educating users Counter Research intel Infiltration Discovery Their ecosystem Capture Our enterprise Planning damage Exfiltration mitigation 46 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

47 Agenda 2013 Cyber Risk Report key findings Understanding Exactly how the Attacker Ecosystem Works HP Security Research Building Security in Maturity Model 47 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

49 Vulnerability disclosure is on the decline While incidents are on the rise vulnerability disclosures stabilize and decrease in severity 49 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

50 Application are exposed by mis-configuration More than 80% of applications contain vulnerabilities exposed by incorrect configuration 50 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

51 Mobile brings a change in the vulnerability landscape 46% of mobile ios and Android applications use encryption improperly 51 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

52 Old suspects die hard Internet Explorer was the software most targeted by Zero Day Initiative (ZDI) researchers 52 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

53 The internet of things is on the radar SCADA systems are increasingly targeted 53 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

54 What should we do about this? Vulnerability disclosure is on the decline Don t rely solely on traditional defensive perimeter security Application are exposed by misconfiguration Remember that people are part of your organization s perimeter too Mobile brings a change in the vulnerability landscape Seek out credible and reliable security intelligence The internet of things is on the radar Understand that not all information and network assets are equal 54 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

57 Repeat attacks Zero Day Company A NEW EVENT Malware Variant Company B NEW EVENT Malicious IP Address Company C NEW EVENT 57 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

64 HP Security Research Innovative research Ecosystem partner SANS, CERT, NIST, ReversingLabs, software, and reputation vendors ~3000 researchers customers sharing data managed networks globally Actionable security intelligence HP Security Research ESS Automatically integrated into HP products HP finds more vulnerabilities than the rest of the market combined Top security vulnerability research organization for the past three years Frost & Sullivan Thought leadership 64 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

66 HP Fortify and Heartbleed Timely support added to HP WebInspect and Fortify on Demand April 11 th, 2014 Features: HP Security Research releases urgent security content update WebInspect Available directly from HP WebInspect through SmartUpdate Dedicated policy for quick detection Adaptable detection based on server configuration Safely verifies vulnerability without disclosing contents of memory Detailed remediation information 68 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

67 HP Fortify and Heartbleed Timely support added to HP WebInspect and Fortify on Demand Customer-focused response Updated test methodology within hours of release Tested hundreds of thousands of customer IPs within 48 hours Direct notification to affected customers with targeted remediation Ahead of the wave Always looking for the next security liability in order to protect customers 69 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

68 Building Security In: HP SSR Consistent delivery of quarterly content updates ( , , ) Original Research Malware analysis, access control validation, Secure Coding Rulepacks (SCA) 563 unique categories of vulnerabilities across 21 languages and over 720,000 individual APIs Runtime Rulepack Kits HP Fortify SecurityScope HP Fortify Runtime Application Logging HP Fortify Runtime Application Protection (RTAP) WebInspect SecureBase (WebInspect) Next-generation security testing capabilities Q1 05 Q3 06 Q1 06 Q3 07 Q1 07 Q3 08 Q1 08 Q3 09 Q1 09 Q3 10 Q1 10 Q3 11 Q1 11 Q3 12 Q1 HP 12 Q3 13 Q1 70 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

70 Building BSIMM (2009) Big idea: Build a maturity model from actual data gathered from 9 well known large-scale software security initiatives Created a software security framework Interviewed nine firms in-person Discovered 110 activities through observation Organized the activities in 3 levels Built a scorecard The model has been validated with data from 67 firms There are no special snowflakes 72 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

71 Prescriptive versus Descriptive Models Prescriptive models describe what Descriptive models describe you should do (circa 2006) what is actually happening SAFECode BSIMM is a descriptive model SAMM used to measure multiple MS SDL prescriptive SSDLs Touchpoints Every firm has a methodology they follow (often a hybrid) You need an SSDL! 73 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

72 67 Firms in the BSIMM-V Community 74 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Plus 22 firms that remain anonymous

73 Compare yourself with Your peers Other business units Track your performance over time 75 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

75 Conclusion Don t rely solely on traditional defensive perimeter security. Know thy enemy. Expect to be compromised. Security Research can provide proactive insight into global, vertical-specific, and geographic threats. BSIMM: Measure how well you re doing 77 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

77 Join Our Conversation We are on your side. Visit our blogs. HP Security Research: HP Security Products: HP Threat Briefings: hp.com/go/hpsrblog hp.com/go/securityproductsblog hp.com/go/threatbriefings BSIMM Information: bsimm.com 79 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

78 If you want better security, think like a bad guy. Why attend? Collaborate with ~1,500 security professionals to jointly identify primary targets, predict vulnerabilities, trade threat secrets, and determine how to attack adversaries relentlessly. Nearly 150 breakout sessions and turbo talks Dozens of roundtables and birds-of-a-feather lunches Networking activities Demos, new product previews, mock SOC, onsite service/support 2013 attendee feedback High-quality participants I really enjoyed this conference. Very valuable I appreciate the depth of content. hp.com/go/protect 80

82 Stop infiltration with robust architecture Henk Janssen Security Consultant Network Security Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

83 The attack life cycle Research Infiltration Their ecosystem Discovery Capture Our enterprise Exfiltration 85 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

84 How we can disrupt the market Educating users Counter Research intel Blocking Infiltration access Finding Discovery them Their ecosystem Planning damage Exfiltration mitigation Protecting Capture the target access Our enterprise 86 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

85 Seeing is half the battle 1. Monitor 2. Detect 3. Report Detect the bad guys 87 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

87 HP TippingPoint Helps Customers Stay Out of the News with Proactive, Next-Generation Protection Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

88 Heartbleed Vulnerability Protection on Day 1 Every second matters! OpenSSL Vulnerability affecting 2/3 of the world s web servers HP TippingPoint customers are protected on Day 1 via Digital Vaccine Virtual patch stops attack and theft of critical customer information 90 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

89 Malware Threat from Anonymous Proxies Chewbacca malware example Bad guys targeting POS/financial systems Launched from TOR network Operates by installing TOR client on infected devices for exfiltration purposes Set policy on your network for unpublished, unknown anonymous proxy exit nodes 91 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

90 Customer Attack Leads to Unexpected Intel Neverquest trojan Targeted attack against large retailer Traffic capture analysis uncovers previously unknown exfiltration sites Take action before the bad guys know they are exposed! 92 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

91 HP Network Security TippingPoint Product Family Protects the data and applications that matter 93 Next-Generation IPS Inspects network traffic and blocks against known vulnerabilities % of network uptime track record Next-Generation Firewall Next Marries Gen FW NGIPS with enterprise firewall Granular application visibility and control Integrated Policy Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Digital Vaccine Labs Industry-leading security research Delivers zero-day coverage Security Management System Centralized management console across NGIPS and NGFW Single console to deploy devices and policies

92 Kuoni Travel Implementing HP TippingPoint was fast and painless. The solution was up and running in just a couple of hours, and attacks were already being blocked.. Lorenzo De Lucia, Head of Network Kuoni Travel 94 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Image Kuoni Travel Holding, Ltd

93 The Value HP TippingPoint Provides Simple Easy-to-use, configure and install with centralized management Effective Industry leading security intelligence with weekly DVLabs updates Reliable NGIPS with % network uptime track record 95 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

95 Data Driving Security Intelligence Leadership HP TippingPoint DVLabs Keeps Organizations Up-to-Date 8,700 filters right out of the box 30% of filters are turned on in recommended settings 20 filters release each week 1 in 12 is a Zero Day filter 10% are application filters 3,000 whitehat hackers behind HP Security Research Zero Day Initiative 245 Microsoft Vulnerability Acknowledgements (2006 thru Today) 70% of total vulnerabilities discovered by HP TippingPoint 116 Adobe Vulnerability Advisories (2007 thru Today) 51% of total vulnerabilities discovered by HP TippingPoint Industry Leading Security Intelligence 97 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

96 But, it s our Security Effectiveness that keeps you ahead of the bad guys Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

97 The Value HP TippingPoint DVLabs Provides Vulnerability Research Malware Research Crowd-sourced 0-day and vulnerability research through the Zero Day Initiative (ZDI) Original vulnerability research on widely-used software Targeted research on emerging threat technologies and trends Reputation feed of malicious hosts and IP addresses In-depth threat research 99 Weekly updates for to stay ahead of the threats Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

98 Digital Vaccine Filters A Virtual Software Patch Exploit A Fingerprint Exploit B Fingerprint (Missed by Coarse Exploit A signature) Virtual Software Patch Vulnerability Fingerprint Simple Exploit A Filter False Positive (coarse signature) Vulnerability > A security flaw in a software program Exploit > A program that takes advantage of a vulnerability to gain unauthorized access or block access to a network element, compute element, O/S, or application Exploit Filter > Written only to a specific exploit > Filter developers often forced to basic filter design due to engine performance limitations > Impact - Missed attacks, false positives and continued vulnerability risk Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

99 Huge Filter Numbers Don t Prove Anything Digital Vaccine Filters are Based on the Vulnerability, Not Exploits Digital Vaccine addresses the root cause of the vulnerability, in order to cover variations in exploit cases Variations are guaranteed Addressing just one exploit is like plugging one of the holes in a sieve Reduces the number of false positives to a minimum DVLabs Filters Improve Security Efficacy 101 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

101 Effectiveness is Only as Good as the Security Intelligence 4 years in a row! ~3,000+ independent researchers DVLabs Research & QA Leading security research and filter development with 30+ dedicated researchers 2,000+ customers participating Partners SANS, CERT, NIST, etc. Software & reputation vendors DVLabs Services: Digital Vaccine ReputationDV CustomDV ThreatLinQ Lighthouse Program Analysis of Vulnerabilities by Severity Note: All figures are rounded. The base year is CY Source: Frost & Sullivan analysis 103 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

102 Every Second Matters for Security Effectiveness Over 8,700 filters published to date Over 3,000 security researchers Focused on vulnerabilities rather than exploits Frost & Sullivan Market Share Leadership Award for Vulnerability Research Microsoft Vulnerability Acknowledgements x MSFT competitor over last 8 years At any time, 200 to 300 zero day vulnerabilities only HP knows about TP customers enjoy Zero Day peace of mind Compiled from public data available at and Adobe Advisories 104 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

103 Effective: World Class Security Research MICROSOFT PUBLIC VULNERABILITY ACKNOWLDGEMENTS Cisco/ Juniper Checkpoint SourceFire 0% 1% ~3,000+ 1% independent researchers Radware DVLabs Research & QA Palo McAfee 0% Alto Stonesoft Corero Networks 3% 0% 8% IBM 8% ADOBE PUBLIC VULNERABILITY ACKNOWLDGEMENTS Cisco/ Juniper Checkpoint SourceFire 0% 1% 1% Radware Palo McAfee 0% Alto Stonesoft Corero Networks 3% 0% 7% IBM 8% Fortinet 9% 2,000+ customers participating TippingP oint 70% TippingP oint 51% Fortinet 29% Compiled from public data available at Compiled from Adobe Advisories 105 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

104 Questions? Henk Janssen PreSales Technical Consultant HP Enterprise Security Products M: Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

106 Find the intruders using correlation and context Ofer Shezaf/ May 15, 2014 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

107 Agenda The changing threat landscape What can you do to find intruders? Best practices for timely detection and mitigation HP ArcSight 109 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

108 Find the intruder at each and every step of the process Research Infiltration Discovery Their ecosystem Capture Our enterprise Exfiltration 110 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

109 Threat landscape Riskier Enterprises + Advanced Attackers = More Attacks New Technologies Cloud SDN Mobile/BYOD Attacks 24 Million 40 Million 95 Million 101 Million 130 Million Hacktivists Anonymous State funded LulzSec 111 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

110 243days average time to detect breach 2013 January February March April May June July August September October November December 2014 January February March April 112 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

112 Current solutions are not enough Big data Silo d products Limited context No effective way hundreds of apps Apps and devices are in need a domain expert to Too many products, emitting large volumes of silos that don t learn or understand and make vendors, solutions raw machine data share information sense of raw logs 114 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

114 What can you do to find them? Put the clues together Detect anomalous patterns Profile user behavior Monitor your applications 69% of breaches discovered by an external party 116 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

115 What can you do to find them? Put the clues together Detect anomalous patterns Profile user behavior Monitor your applications 56% of malware evades sandboxing technologies 117 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

116 What can you do to find them? Put the clues together Detect anomalous patterns Profile user behavior Monitor your applications 42% of breaches involved social engineering or malicious insiders 118 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

117 What can you do to find them? Put the clues together Detect anomalous patterns Profile user behavior 84% of breaches occur at the application layer Monitor your applications 119 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

119 Transform Big Data into actionable intelligence Collect/correlate up to 100,000 events/ second from 350+ connectors Search 2 million+ events per second Analyze a breach in 4 hours with quick forensic investigation 121 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

120 Transformation in Detail Capability Collect Enrich Search Store Correlate? Benefit Collect logs from any device, any source, and in any format at high speed Machine data is unified into a single format through normalization and categorization Simple text-based search tool for logs and events without the need of domain experts Archive years worth of unified machine data through high compression ratios Automate the analysis, reporting, and alerting of machine data for IT security, IT operations, and IT GRC 122 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

121 Adding context to security intelligence Event correlation Users & Roles User monitoring Fraud monitoring Data capture Controls monitoring App Context App monitoring Threat Intelligence Business Asset model Log management Applications 123 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

123 Shared threat intelligence Partners InQuest Open Source Threat Central Private Community Threat DB Privacy Enhanced TC Forum Feeds Sector Community HP Security Research TC Portal 125 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Global Community

124 Adding identity and role context The multiple login example Action: login Application: Windows User: johnd Login time: 1/1/14, 10:00pm Place: Sunnyvale, CA, USA Action: login Application: Sales Force User: Login time: 1/1/14, 10:05pm Place: London, UK 126 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

125 Application Layer Intelligence Example: add user context to database logging SQL User name User name Only by logging through the application database logs can include user information. Events 127 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

127 Security is complex, ArcSight helps you. Get Control Get Efficient Get Compliant Transform Big Data into actionable security intelligence Faster resolution with fewer resources Automate your compliance out-ofthe box 129 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

128 HP ArcSight delivers 4 hours to respond to a breach ArcSight enables forensic investigation and a quick response to a data breach that otherwise would take 24 days 10 minutes to fix an IT incident Full-text searching of any data enables incident resolution that otherwise would take 8 hours 5 minutes to generate IT GRC report ArcSight content generates IT GRC reports that otherwise would take 4 weeks 3 days to run an IT audit Search results yield audit-quality logs that otherwise would take 6 weeks 2 days to fix a threat vulnerability Seamless integration allows faster remediation, that otherwise would take 3 weeks 130 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

129 ArcSight takes the complexity out of Big Data Volume Cross-device, real-time correlation of data across IT Long term archival at 10:1 compression ratio with ArcSight Send it to Hadoop at over 100,000 EPS Velocity SmartConnectors collect logs, events, flows at over 100,000 EPS from almost any log generating source Search data at over 2,000,000 EPS Variety Collects machine generated data from 350+ distinct sources Autonomy collects human generated data from 400+ distinct sources Collect from Hybrid network such as physical, virtual, and cloud VELOCITY 131 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

130 HP ArcSight named leader in Gartner SIEM MQ 2013 HP ArcSight named A LEADER in the Gartner Magic Quadrant for Security Information and Event Management (SIEM), 10 YEARS IN A ROW. The MOST VISIONARY PRODUCT in the Gartner SIEM MQ 132 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

131 BMW HP ArcSight ESM has enabled our IT department to be an enabler of the business. We can act very fast on security incidents and can reduce the loss of contracts and financial services due to the improved integrity of our network. Marc Seiffert, Senior IT Specialist BMW Group 133 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

132 HP ArcSight Information Security Product Family A comprehensive solution for big data security and compliance Universal Log Management Collect, store, analyze machine data from anywhere Cost-effective compliance solution Security Information and Event Next Management Gen FW (SIEM) Leaders in Gartner MQ for 10 years in a row Real-time threat intelligence for big data Big Data Security SOC Appliance for mid-market One box solution for security use cases Delivers value out-of-thebox Security Intelligence and Operations Center Largest number of SOCs built through HP ArcSight Integrated solution with TippingPoint, Fortify, Hadoop, & Autonomy 134 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

134 Join Our Conversation We are on your side. Visit our blogs. HP Security Research HP Security Products HP Threat Briefings hp.com/go/hpsrblog hp.com/go/securityproductsblog hp.com/go/threatbriefings 136 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

136 Protect your weakest link: your software Tracey Varnum Strategic Sales Manager EMEA, HP Enterprise Security Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

137 The weakest link software security challenges Does software security pay? How to Fortify your apps 139 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

138 Disrupting the adversary Research Stopping Infiltration access Their ecosystem Discovery Protecting Capture the target access Our enterprise Exfiltration 140 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

140 The business challenge Applications are being driven by the brands not by IT Commissioned by the brands Focus on wow factor and marketing-related functionality Frequently developed by small boutique consultancies Intense pressure on timescales with little thought given to non-functional requirements Capturing personal data is the norm Key to building the direct customer relationship (brand trust) Applications are proliferating Websites, Facebook applications, Mobile applications Marketing Campaigns run outside normal process, no governance Do you even know how many applications you have? 142 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

141 Business impact of successful attack Example 1 Hackers exploited security flaw in the website. Customer credit card numbers, addresses, mailing addresses, telephone numbers, full names accessed. Example 2 A customer using a mobile app to check a prescription noticed that he was able to access the names, addresses, and prescription records of other customers. Example 3 After an application security incident HP FOD was used to assist in detection, containment, and eradication. FOD discovered the root cause, a vulnerability that allowed access to 250k user s records by executing a SQL Injection attack against the website. The records included names, addresses, and passwords. Example 4 Website allowed attackers to bypass username/password requirements and impersonate an admin on the system. This allowed for disclosure of sensitive customer details and pricing. 143 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

142 Security Challenge Key Requirements Identify and fix application security issues before application goes into production Systematic Support all types of applications Support all development approaches No impact on time to market Implement solution rapidly No complex hardware/software to install No need to hire, train and retain a team of application security experts Scale rapidly to test all applications Cost Effective Cheaper than existing approach Predictable 144 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

143 Application security challenges Monitoring/protecting production software Existing software Securing legacy applications Demonstrating compliance Procuring secure software Certifying new releases In-house development Outsourced Commercial Open source 145 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

147 Software Taken Together security with does pay! 2010 Findings, the Total Economic Impact has Increased Significantly in 2013 Productivity & Remediation Savings $9.7 M Revenue Protection $23.5M Risk Avoidance $15.5 Total Impact $49M 149 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Mainstay Study

149 Cost 30x more costly to secure in production 30X 10X 15X 5X 2X Requirements Coding Integration/component testing System testing Production After an application is released into production, it costs 30x more than during design. Source: NIST 151 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

150 Assess, assure, protect Enact an application security gate Embed security into SDLC Monitor and protect software running in production In-house Outsourced Commercial Open source Improve SDLC policies 152 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

151 HP Fortify is one of the first commercially available static analysis tools. is a leader in coverage of languages, platforms and frameworks. can be integrated into your SDLC to find vulnerabilities in your code. Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

152 Application Security Gate Secure ALL your applications before deployment Web, Facebook, Mobile In-house, out-sourced, third-party on Demand Security Testing Service Code Test Deploy Contract/Outsource Procure Security Gate 154 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

154 Fortify Solutions on premise and on demand Static Analysis Dynamic Analysis Runtime Analysis Actual attacks Source code mgt system Static analysis via build integration Dynamic testing in QA or production Real-time protection of running application Hackers Vulnerability management Remediation Normalization (Scoring, guidance) Application Lifecycle IDE Plug-ins (Eclipse, Visual Studio, etc.) Correlate target vulnerabilities with common guidance and scoring Vulnerability database Correlation (Static, Dynamic, Runtime) Defects, metrics and KPIs used to measure risk Developers (onshore or offshore) Threat intelligence Rules management Development, project and management stakeholders 156 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

155 HP Fortify on Demand Simple Launch your application security initiative in < 1 day No hardware or software investments or maintenance No experts to hire, train and retain Fast Scale to test all applications in your organization 1 day turn-around on application security results Support 1000s of applications Flexible Tests all types of applications Web, Facebook, Mobile, desktop In-house, open source and third party, commercial applications 157 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

156 Application security in three easy steps Upload Test Review Software author provides URL and/or uploads software to the HP Fortify on Demand cloud HP Fortify on Demand conducts appropriate application security test(s) based on the risk category of the application Customer reviews and analyzes the results of the application test and provides information to development to fix 158 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

157 Full Mobile Application Security Support Mobile support for: Objective-C (Apple ipad/ iphone) Client Network Server Android Windows Blackberry Test all three tiers Utilize Hybrid Analysis Source Code Running Application Credentials in memory Credentials on filesystem Data stored on filesystem Poor cert management Etc. Cleartext credentials Cleartext data Backdoor data Data leakage Etc. SQLi XSS LFI Authentication Session Management Logic Flaws Etc. 159 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

158 Comprehensive and accurate testing Multiple levels of testing based on risk Static Analysis Powered by HP Fortify SCA Dynamic Analysis Powered by HP WebInspect Manual Review Enterprise proven technology 100% code coverage Support for 21 development languages Production safe Three testing levels QA or production environments Security expert review Reduce false positives 160 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

159 Vendor Work-flow Management FOD is the trusted third-party Vendor FOD account Procurer FOD account Automated Testing Expert Review Detailed results Static Analysis Dynamic Analysis Vendor publishes report to Procurer s account Vendor Uploads Application Remediate 161 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

160 Powerful remediation and guidance Insightful Dashboard Executive Summary Most prevalent vulnerabilities Top 5 applications Heat Map Detailed Test Reports Star Rating Remediation roadmap Detailed vulnerability data Recommendations Developer support Vulnerabilities in Line of code context - Web based IDE - IDE Plug-in Assign issues to developers 162 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

162 HP Fortify - Software Security Assurance HP Fortify Software Security Center 164 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

163 HP Fortify named leader in Gartner AST MQ HP Fortify has been named a leader in the Gartner 2013 Magic Quadrant for Application Security Testing (AST), a position it has held in every application security Magic Quadrant Gartner has ever issued. Gartner acknowledged Fortify s years of successful market execution and continued innovation by scoring it highest in completeness of vision and near the top in ability to execute. 165 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

164 SAP Enterprise Software Client Outcome Significantly enhanced the security of SAP software, with increased number of security patches since 2010 Met board requirements for product security Protected revenue-generating applications and customer reputation 166 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

165 Global Consumer Packaged Goods Business Need Secure over 1,500 external-facing web and mobile applications that comprise more than 120 Global Brands Verify PCI and other regulations are being met. Ensure that customer data is being protected Cost effective solution HP Solution Deploy Fortify on Demand for all applications entering UAT. Perform security testing and remediation before putting external-facing applications into production Perform Security testing on all applications in production every 6 months to verify nothing has missed the UAT stage gate. Client Outcome Consistent approach to application security Full coverage of all consumer facing Web and Mobile Applications Protects corporate brands from adverse publicity associated with a breach Cheaper solution than engaging external penetration testers 167 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

166 Summary: Find, Fix and Fortify Find & Fix security issues in development Fortify applications against attack Save money in development Reduce risk from applications 168 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

168 Join Our Conversation We are on your side. Visit our blogs. HP Security Research HP Security Products HP Threat Briefings hp.com/go/hpsrblog hp.com/go/securityproductsblog hp.com/go/threatbriefings 170 Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.