IT Security Conference Romandie - Barracuda Securely Publishing Web Application a field dedicated to expert only?

Transcription

1 IT Security Conference Romandie - Barracuda Securely Publishing Web Application a field dedicated to expert only? Antoine Donzé Sales Engineer Switzerland & North Africa

2 Mid-market organizations are increasingly vulnerable to cyber threats

3 Security: Midmarket Feels the Squeeze Threats MIDMARKET ORGANIZATIONS Limitations

4 Trends: The Widening Security Gap Gap between midmarket organizations Self Defenses vs. Threats Threat Regulations Complexity IT Security Budget Skills Source: IDC

5 IT Security-Related Challenges in Midmarket Budget concerns Increasing sophistications of attacks Increasing complexity of security solutions Increasing volume of network traffic Mobile clients and unmanaged devices Patchwork solutions Lack of IT security expertise Compliance with government and industry Security policies are lacking or not enforced Misuse of data by employees Managing security outsourcing Other Source: IDC 5% 8% 40% 37% 37% 33% 31% 31% 29% 26% 48% 59%

6 Economic Reality 5% of revenue on IT 5% of IT budget on security People versus equipment 45% hardware / software The rest is personnel, outsourcing and consulting Budget Dollars $50 Million IT $2.5 Million Security $125k HW/SW $60k

7

8 All network threat vectors must be secured

9 Traditional Security Does Not Cover All Boundaries Internet Threat Vectors Web applications Remote access Web browsing Mobile Internet Network Perimeter

10 Traditional Approaches Are Too Complex Or Too Constrained

11 Too Complex: Bag of Parts Strategy High-price Points Not geared for mid markets Complicated Interfaces High learning curve Management Overhead Requires large IT staff

12 Too Constrained: All-In-One Strategy Feature Gaps Security risks Performance Degradation Network bottlenecks Unplanned upgrades Unused security features High TCO Accelerated refresh cycles

13 Securing All Internet Threat Vectors Security Threat Vectors Firewall is a linchpin

14 Federated Security Architecture Cloud-based Central Management Threat Vectors Web Security Security Next Generation Firewall Application Security SSL VPN Attack Surfaces: Appliance Cloud Virtual

15 Web Apps are the Least Secured Vector Source: Verizon Data Breach Report, 2013

16 Learning The Hard Way

17 All experts talk about it

18 Everyone is a Target Web exploitation kits available Easy to procure No expertise required They operate like companies Can attack thousands of servers in seconds

19 Implication securely publishing Web Apps - Knowledges & Technologies Standards: FIPs PCI DSS Networking Load Balancing Coding languages: Java Script, SQL,.Net, Visual Basic,HTML 5, PHP, Perl, Ajax, Protocols - HTTP / SSL, XML Authentication: Tokens, Kerberos/NTLM, LDAP; SAML 2.0 Certificats

20 Implication securely publishing Web Apps - Threats OWASP top 10 Threats & Ressources A1 Injection, A2 Broken Authentication and Session Management, A3 Cross-Site Scripting (XSS), A8 Cross-Site Request Forgery (CSRF), A5 Security Misconfiguration, A9 Using Components with Known Vulnerabilities A6 Sensitive Data Exposure Common Vulnerabilty & Exposure May 2015 (till 26th) 324 CVE published Since begining of XSS, 111 SQL Injection, 120 GoP, 253 GoI Resources Time Man Power Be up to date

21 Application Delivery The Barracuda Approach

22 Two offering Web Application Firewall Web App, Website publication Load Balancing L7 Enhanced Security: Application Learning, XMsecurity, JSON security, Multi-tenant FIPS standard Active-Active HA Load Balancer ADC Web App, Website publication Load Balancing L4/7, GSLB LB natively MS Exchange or Citrix Policy based Security High performance Multiple ports

23 Flexible Deployment Options Physical Virtual Cloud

24 Plug & Play Deployment & Management Level of Customization High Medium Low Custom & Positive Security Template-Based Security Default Security

25 On Premise Easy Deplyoment One Armed Two Armed

26 Backed by Barracuda Central Intelligence Cloud Services Appliances Servers & Desktops Websites Intelligence Services

27 Central Management Barracuda Cloud Control Barracuda Control Management Center

28 Ramp up how much time invested Imperva F5 - Big IP - SecureSphere Product training Web Administering Application BIG-IP Security v Days Days File Configuring Security BIG-IP & Compliancy ASM v11: - 2 Application Days Security Manager - 4 Days Database Configuring Security BIG-IP & APM Compliance v11: Access - 3 Days Policy Manager - 3 Days Administration Configuring BIG-IP - 2 Days AFM v11: Advanced Firewall Manager - 2 Days Configuring BIG-IP LTM v11: Local Traffic Manager - 3 Days Configuring BIG-IP GTM v11: Global Traffic Manager - 2 Days Developing irules for BIG-IPv11 3 Days Source: F5 website Source: Mai Imperva 2015 Website Mai 2015

29 Ramp up how much time invested Barracuda Sales Representative - online about 1 hour Certified Specialist - online about 1 hour Certified Engineer ADC - webinar 2x2 hours Certified Engineer WAF - onsite training 3 Days

30 The questions to ask yourselves Which kind, which level of security do I need to attain? With which budget? In which time frame? With which resources?

31 Give it a try

32 Thank You