HP Security Research Tour 2014 If you want better security, think like a bad guy. Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Welcome to the HP Security Research Tour 2014. Raymond Hüner, Country Director, HP Software BeNeLux
Today's agenda - morning
08:15-09:00 Welcome & registration with coffee
09:00-09:15 Welcome remarks. Raymond Hüner, Country Director, HP Software BeNeLux
09:15-10:45 Stop looking for the silver bullet: start thinking like a bad guy. Miguel Carrero, Head of ArcSight Products & Solutions
11:00-11:15 Coffee break
Guarding against a data breach: addressing the 2014 vulnerability landscape. Matias Madou, Research Lead, HP Security Research
11:15-13:00 Stop infiltration using robust architecture. Henk Janssen, Security Consultant Network Security, HP Enterprise Security Products North
Find the intruders using correlation and context. Ofer Shezaf, Regional Product Management Director, EMEA, HP ArcSight
Protect your weakest link - your software. Tracy Varnum, Strategic Sales Manager EMEA, HP Enterprise Security
13:00-14:00 Lunch and extended registration for NDA User Conference sessions
Today's agenda - afternoon: HP Security User Conference
14:00-15:30 HP Security User Conference (under NDA only)
User conference: ArcSight roadmap and use case updates. Ofer Shezaf, Regional Product Management Director, EMEA, HP ArcSight; Matias Madou, Research Lead, HP Security Research
User conference: TippingPoint roadmap and use case updates. Stuart Hatto, EMEA Product Manager TippingPoint; Tracy Varnum, Strategic Sales Manager EMEA, HP Enterprise Security
15:30-16:25 Refreshment break. Guided tour on the Forteiland
16:25-17:30 Closing networking drink
Today's Special: Guided tour on the Forteiland
Your opinion matters to us. Please give us your feedback, and we will make it worthwhile.
HP Security Research Tour 2014. Thank you
Stop looking for the silver bullet, start thinking like a bad guy. Miguel Carrero, Head of ArcSight Products & Solutions
86% of budget spent on blocking; 31% greater ROI; $4,000,000 saved
93 assessments; 69 discrete SOCs; 13 countries
2/5 on maturity continuum; 24% fail to meet security requirements; 30% fail to meet compliance
Questions?
Thank you.
Guarding against a data breach: addressing the 2014 vulnerability landscape. Guarding against the Breach. Matias Madou, Ph.D., Research Lead, HP Security Research
The attack lifecycle (diagram): Research, Infiltration, Discovery, Capture, Exfiltration, spanning their ecosystem and our enterprise
How we can disrupt the market (diagram): Research: educating users, counter intel; Infiltration; Discovery; Capture; Exfiltration: planning damage mitigation; spanning their ecosystem and our enterprise
Agenda: 2013 Cyber Risk Report key findings; Understanding Exactly how the Attacker Ecosystem Works; HP Security Research; Building Security in Maturity Model
2013 Cyber Risk Report
Vulnerability disclosure is on the decline: while incidents are on the rise, vulnerability disclosures stabilize and decrease in severity
Applications are exposed by misconfiguration: more than 80% of applications contain vulnerabilities exposed by incorrect configuration
Mobile brings a change in the vulnerability landscape: 46% of mobile iOS and Android applications use encryption improperly
Old suspects die hard: Internet Explorer was the software most targeted by Zero Day Initiative (ZDI) researchers
The internet of things is on the radar: SCADA systems are increasingly targeted
What should we do about this?
Findings: vulnerability disclosure is on the decline; applications are exposed by misconfiguration; mobile brings a change in the vulnerability landscape; the internet of things is on the radar
Recommendations: don't rely solely on traditional defensive perimeter security; remember that people are part of your organization's perimeter too; seek out credible and reliable security intelligence; understand that not all information and network assets are equal
Understanding exactly how the Attacker Ecosystem Works
A recent event
Repeat attacks: zero day, Company A, new event; malware variant, Company B, new event; malicious IP address, Company C, new event
Recruiting
Job offers
Escrow services
Training
HP Security Research
HP Enterprise Security Products
HP Security Research. Innovative research; ecosystem partners: SANS, CERT, NIST, ReversingLabs, software, and reputation vendors; ~3000 researchers; 2000+ customers sharing data; 7000+ managed networks globally. Actionable security intelligence; automatically integrated into HP products; HP finds more vulnerabilities than the rest of the market combined; top security vulnerability research organization for the past three years (Frost & Sullivan). Thought leadership.
Heartbleed
HP Fortify and Heartbleed: timely support added to HP WebInspect and Fortify on Demand. April 11th, 2014: HP Security Research releases urgent security content update. Features (WebInspect): available directly from HP WebInspect through SmartUpdate; dedicated policy for quick detection; adaptable detection based on server configuration; safely verifies vulnerability without disclosing contents of memory; detailed remediation information.
HP Fortify and Heartbleed: timely support added to HP WebInspect and Fortify on Demand. Customer-focused response: updated test methodology within hours of release; tested hundreds of thousands of customer IPs within 48 hours; direct notification to affected customers with targeted remediation. Ahead of the wave: always looking for the next security liability in order to protect customers.
Building Security In: HP SSR. Consistent delivery of quarterly content updates (03-29-2013, 06-28-2013, …). Original research: malware analysis, access control validation. Secure Coding Rulepacks (SCA): 563 unique categories of vulnerabilities across 21 languages and over 720,000 individual APIs. Runtime Rulepack Kits: HP Fortify SecurityScope; HP Fortify Runtime Application Logging; HP Fortify Runtime Application Protection (RTAP). WebInspect SecureBase (WebInspect): next-generation security testing capabilities. (Chart: values by quarter, 2005 Q1 to 2013 Q1.)
Building Security in Maturity Model (BSIMM)
Building BSIMM (2009). Big idea: build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives. Created a software security framework; interviewed nine firms in person; discovered 110 activities through observation; organized the activities in 3 levels; built a scorecard. The model has been validated with data from 67 firms. There are no special snowflakes.
Prescriptive versus Descriptive Models. Prescriptive models describe what you should do (circa 2006): SAFECode, SAMM, MS SDL, Touchpoints. Every firm has a methodology they follow (often a hybrid). You need an SSDL! Descriptive models describe what is actually happening: BSIMM is a descriptive model used to measure multiple prescriptive SSDLs.
67 Firms in the BSIMM-V Community. Plus 22 firms that remain anonymous.
Compare yourself with: your peers; other business units. Track your performance over time.
BSIMM by the Numbers
Conclusion: Don't rely solely on traditional defensive perimeter security. Know thy enemy. Expect to be compromised. Security Research can provide proactive insight into global, vertical-specific, and geographic threats. BSIMM: measure how well you're doing.
Questions?
Join Our Conversation. We are on your side. Visit our blogs. HP Security Research: hp.com/go/hpsrblog; HP Security Products: hp.com/go/securityproductsblog; HP Threat Briefings: hp.com/go/threatbriefings; BSIMM Information: bsimm.com, bsimm@hp.com
If you want better security, think like a bad guy. Why attend? Collaborate with ~1,500 security professionals to jointly identify primary targets, predict vulnerabilities, trade threat secrets, and determine how to attack adversaries relentlessly. Nearly 150 breakout sessions and turbo talks; dozens of roundtables and birds-of-a-feather lunches; networking activities; demos, new product previews, mock SOC, onsite service/support. 2013 attendee feedback: High-quality participants; I really enjoyed this conference; Very valuable; I appreciate the depth of content. hp.com/go/protect
Thank You
Coffee Break
Stop infiltration with robust architecture. Henk Janssen, Security Consultant Network Security
The attack life cycle (diagram): Research, Infiltration, Discovery, Capture, Exfiltration, spanning their ecosystem and our enterprise
How we can disrupt the market (diagram): Research: educating users, counter intel; Infiltration: blocking access; Discovery: finding them; Capture: protecting the target access; Exfiltration: planning damage mitigation; spanning their ecosystem and our enterprise
Seeing is half the battle: 1. Monitor 2. Detect 3. Report. Detect the bad guys.
Blocking is the other half
HP TippingPoint Helps Customers Stay Out of the News with Proactive, Next-Generation Protection
Heartbleed Vulnerability: Protection on Day 1. Every second matters! OpenSSL vulnerability affecting 2/3 of the world's web servers; HP TippingPoint customers are protected on Day 1 via Digital Vaccine; virtual patch stops attack and theft of critical customer information.
Malware Threat from Anonymous Proxies: Chewbacca malware example. Bad guys targeting POS/financial systems; launched from TOR network; operates by installing TOR client on infected devices for exfiltration purposes. Set policy on your network for unpublished, unknown anonymous proxy exit nodes.
Customer Attack Leads to Unexpected Intel: Neverquest trojan. Targeted attack against large retailer; traffic capture analysis uncovers previously unknown exfiltration sites. Take action before the bad guys know they are exposed!
HP Network Security TippingPoint Product Family: protects the data and applications that matter. Next-Generation IPS: inspects network traffic and blocks against known vulnerabilities; 99.99999% of network uptime track record. Next-Generation Firewall: marries NGIPS with enterprise firewall; granular application visibility and control; integrated policy. Digital Vaccine Labs: industry-leading security research; delivers zero-day coverage. Security Management System: centralized management console across NGIPS and NGFW; single console to deploy devices and policies.
Kuoni Travel: "Implementing HP TippingPoint was fast and painless. The solution was up and running in just a couple of hours, and attacks were already being blocked." Lorenzo De Lucia, Head of Network, Kuoni Travel
The Value HP TippingPoint Provides. Simple: easy to use, configure and install with centralized management. Effective: industry-leading security intelligence with weekly DVLabs updates. Reliable: NGIPS with 99.99999% network uptime track record.
HP TippingPoint has the numbers to back you up
Data Driving Security Intelligence Leadership: HP TippingPoint DVLabs Keeps Organizations Up-to-Date. 8,700 filters right out of the box; 30% of filters are turned on in recommended settings; 20 filters released each week; 1 in 12 is a Zero Day filter; 10% are application filters. 3,000 whitehat hackers behind HP Security Research Zero Day Initiative. 245 Microsoft Vulnerability Acknowledgements (2006 thru today): 70% of total vulnerabilities discovered by HP TippingPoint. 116 Adobe Vulnerability Advisories (2007 thru today): 51% of total vulnerabilities discovered by HP TippingPoint. Industry-leading security intelligence.
But, it's our Security Effectiveness that keeps you ahead of the bad guys
The Value HP TippingPoint DVLabs Provides. Vulnerability research: crowd-sourced 0-day and vulnerability research through the Zero Day Initiative (ZDI); original vulnerability research on widely-used software; targeted research on emerging threat technologies and trends. Malware research: reputation feed of malicious hosts and IP addresses; in-depth threat research. Weekly updates to stay ahead of the threats.
Digital Vaccine Filters: A Virtual Software Patch
Diagram labels: vulnerability fingerprint (virtual software patch); exploit A fingerprint; exploit B fingerprint (missed by coarse exploit A signature); simple exploit A filter; false positive (coarse signature)
Vulnerability: a security flaw in a software program
Exploit: a program that takes advantage of a vulnerability to gain unauthorized access or block access to a network element, compute element, O/S, or application
Exploit filter: written only to a specific exploit; filter developers are often forced to basic filter design due to engine performance limitations; impact: missed attacks, false positives and continued vulnerability risk
Huge Filter Numbers Don't Prove Anything: Digital Vaccine Filters are Based on the Vulnerability, Not Exploits. Digital Vaccine addresses the root cause of the vulnerability in order to cover variations in exploit cases; variations are guaranteed; addressing just one exploit is like plugging one of the holes in a sieve; reduces the number of false positives to a minimum. DVLabs filters improve security efficacy.
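Added example (not from the slides, and not HP's Digital Vaccine filter logic): the exploit-filter versus vulnerability-filter distinction above, applied to the TLS heartbeat length flaw behind Heartbleed. It assumes plaintext heartbeat records as defined in RFC 6520; the byte pattern, function names and sample records are constructed for illustration.

```python
import struct

TLS_APPDATA = 23     # TLS record content type: application_data
TLS_HEARTBEAT = 24   # TLS record content type: heartbeat (RFC 6520)
HB_REQUEST = 1       # HeartbeatMessageType: heartbeat_request
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding

# Hypothetical "exploit A" signature: the heartbeat bytes one specific probe
# happens to send (request type, claimed payload length 0x4000).
EXPLOIT_A_PATTERN = b"\x01\x40\x00"


def tls_record(ctype, body, version=(3, 2)):
    """Build a plaintext TLS record: type, version, length, body."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def heartbeat_body(claimed_len, payload, padding=MIN_PADDING):
    """Heartbeat request whose length field may disagree with its payload."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * padding


def exploit_filter(record):
    """Simple exploit filter: substring match on one exploit's bytes."""
    return EXPLOIT_A_PATTERN in record


def vulnerability_filter(record):
    """Vulnerability filter: flag any heartbeat request whose claimed payload
    length cannot fit inside the record that carries it."""
    if len(record) < 5:
        return False                      # not even a full record header
    ctype, major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT or major != 3:
        return False                      # other protocol or record type
    if rec_len < 3:
        return True                       # cannot hold type + length: malformed
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return False                      # truncated capture, cannot judge
    msg_type, claimed_len = struct.unpack("!BH", body[:3])
    if msg_type != HB_REQUEST:
        return False
    # Same invariant a patched endpoint enforces before echoing the payload.
    return 1 + 2 + claimed_len + MIN_PADDING > rec_len


# Constructed sample records (not captured traffic).
SAMPLES = {
    # Well-formed heartbeat: 4-byte payload plus 16 bytes of padding.
    "benign_heartbeat": tls_record(TLS_HEARTBEAT, heartbeat_body(4, b"ping")),
    # The one probe the signature was written for.
    "exploit_a": tls_record(TLS_HEARTBEAT, heartbeat_body(0x4000, b"", padding=0)),
    # Same flaw, different length value and TLS version.
    "variant_b": tls_record(TLS_HEARTBEAT,
                            heartbeat_body(0x3FFF, b"A", padding=0),
                            version=(3, 3)),
    # Unrelated record whose bytes happen to contain the pattern.
    "benign_appdata": tls_record(TLS_APPDATA, b"\x9c\x01\x40\x00\x7e\x22"),
}


def compare(samples):
    """Return {name: (exploit_filter_hit, vulnerability_filter_hit)}."""
    return {name: (exploit_filter(rec), vulnerability_filter(rec))
            for name, rec in samples.items()}


if __name__ == "__main__":
    for name, (sig_hit, vuln_hit) in compare(SAMPLES).items():
        print(f"{name:18} exploit_filter={sig_hit!s:5} vulnerability_filter={vuln_hit}")
```

The byte-pattern filter misses the variant and fires on the unrelated record, while the length-invariant check flags both malformed heartbeats and neither benign record.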
Security Effectiveness depends on Security Intelligence
Effectiveness is Only as Good as the Security Intelligence. 4 years in a row! ~3,000+ independent researchers. DVLabs Research & QA: leading security research and filter development with 30+ dedicated researchers. 2,000+ customers participating. Partners: SANS, CERT, NIST, etc.; software & reputation vendors. DVLabs Services: Digital Vaccine, ReputationDV, CustomDV, ThreatLinQ, Lighthouse Program. (Chart: Analysis of Vulnerabilities by Severity. Note: All figures are rounded. The base year is CY 2012. Source: Frost & Sullivan analysis.)
Every Second Matters for Security Effectiveness. Over 8,700 filters published to date; over 3,000 security researchers; focused on vulnerabilities rather than exploits; Frost & Sullivan Market Share Leadership Award for Vulnerability Research. 8x MSFT competitor over last 8 years. At any time, 200 to 300 zero day vulnerabilities only HP knows about. TP customers enjoy Zero Day peace of mind. (Chart: Microsoft Vulnerability Acknowledgements, 2006 to 2013. Compiled from public data available at http://www.microsoft.com/technet/security/current.aspx and Adobe Advisories.)
Effective: World Class Security Research. ~3,000+ independent researchers; DVLabs Research & QA; 2,000+ customers participating. (Pie chart: Microsoft public vulnerability acknowledgements 2006-2013: TippingPoint 70%, Fortinet 9%, IBM 8%; remaining shares split among Cisco/SourceFire, Juniper, Checkpoint, Radware, Palo Alto Networks, McAfee, Stonesoft and Corero. Compiled from public data available at http://www.microsoft.com/technet/security/current.aspx.) (Pie chart: Adobe public vulnerability acknowledgements 2007-2013: TippingPoint 51%, Fortinet 29%, IBM 8%; remaining shares split among the same vendors. Compiled from Adobe Advisories.)
Questions? Henk Janssen, PreSales Technical Consultant, HP Enterprise Security Products. hj@hp.com, M: +31 6 297 33 550
Thank You!
Find the intruders using correlation and context. Ofer Shezaf / May 15, 2014
Agenda: The changing threat landscape; What can you do to find intruders?; Best practices for timely detection and mitigation; HP ArcSight
Find the intruder at each and every step of the process (diagram): Research, Infiltration, Discovery, Capture, Exfiltration, spanning their ecosystem and our enterprise
Threat landscape: Riskier Enterprises + Advanced Attackers = More Attacks. New technologies: Cloud, SDN, Mobile/BYOD. Attacks: 24 Million, 40 Million, 95 Million, 101 Million, 130 Million. Advanced attackers: Hacktivists, Anonymous, State funded, LulzSec.
243 days average time to detect breach (timeline graphic: January 2013 to April 2014)
Since 2009, time to resolve an attack has grown 130%
Current solutions are not enough. Big data: hundreds of apps emitting large volumes of raw machine data. Silo'd products: apps and devices are in silos that don't learn or share information. Limited context: need a domain expert to understand and make sense of raw logs. No effective way: too many products, vendors, solutions.
What can you do to find intruders?
What can you do to find them? Put the clues together. Detect anomalous patterns. Profile user behavior. Monitor your applications. 69% of breaches discovered by an external party. 56% of malware evades sandboxing technologies. 42% of breaches involved social engineering or malicious insiders. 84% of breaches occur at the application layer.
Best practices for timely detection and mitigation
Transform Big Data into actionable intelligence: Collect/correlate up to 100,000 events/second from 350+ connectors. Search 2 million+ events per second. Analyze a breach in 4 hours with quick forensic investigation.
Transformation in Detail (Capability: Benefit). Collect: Collect logs from any device, any source, and in any format at high speed. Enrich: Machine data is unified into a single format through normalization and categorization. Search: Simple text-based search tool for logs and events without the need of domain experts. Store: Archive years' worth of unified machine data through high compression ratios. Correlate: Automate the analysis, reporting, and alerting of machine data for IT security, IT operations, and IT GRC.
Adding context to security intelligence. Diagram labels: Event correlation, Users & Roles, User monitoring, Fraud monitoring, Data capture, Controls monitoring, App Context, App monitoring, Threat Intelligence, Business Asset model, Log management, Applications.
Assets: Business relevant risk management
Shared threat intelligence. Diagram labels: Partners, InQuest, Open Source, Threat Central, Private Community, Threat DB, Privacy Enhanced, TC Forum, Feeds, Sector Community, HP Security Research, TC Portal, Global Community.
Adding identity and role context: the multiple login example. Action: login; Application: Windows; User: johnd; Login time: 1/1/14, 10:00pm; Place: Sunnyvale, CA, USA. Action: login; Application: Sales Force; User: john.doe@acme.com; Login time: 1/1/14, 10:05pm; Place: London, UK.
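The multiple-login correlation from the slide above, as an added example (not HP or ArcSight code): both accounts are resolved to one person through an identity map, then consecutive logins are checked for travel that is physically impossible. The identity map, city coordinates, 1000 km/h ceiling, and the Jane Roe and svc_backup events are constructed assumptions, and timestamps are assumed to be already normalized to one time zone.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed identity model: per-application account -> one person.
IDENTITY_MAP = {
    ("Windows", "johnd"): "John Doe",
    ("Sales Force", "john.doe@acme.com"): "John Doe",
    ("Windows", "janer"): "Jane Roe",
    ("Sales Force", "jane.roe@acme.com"): "Jane Roe",
}
# Approximate (latitude, longitude) per place name, constructed for the example.
GEO = {"Sunnyvale, CA, USA": (37.37, -122.04), "London, UK": (51.51, -0.13)}
MAX_KMH = 1000.0  # assumed ceiling for plausible travel speed

# The first two events are the slide's; the rest are constructed.
EVENTS = [
    ("login", "Windows", "johnd", "1/1/14, 10:00pm", "Sunnyvale, CA, USA"),
    ("login", "Sales Force", "john.doe@acme.com", "1/1/14, 10:05pm", "London, UK"),
    ("login", "Windows", "janer", "1/1/14, 10:00pm", "London, UK"),
    ("login", "Sales Force", "jane.roe@acme.com", "1/1/14, 10:05pm", "London, UK"),
    ("login", "Windows", "svc_backup", "1/1/14, 10:02pm", "Sunnyvale, CA, USA"),
]


def parse_time(text):
    """Parse the slide's timestamp format, e.g. '1/1/14, 10:05pm'."""
    return datetime.strptime(text, "%m/%d/%y, %I:%M%p")


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def correlate(events):
    """Return (alerts, unresolved): impossible-travel alerts per person, and
    logins whose account has no identity mapping (reported, not dropped)."""
    by_person, unresolved = {}, []
    for action, app, user, when, place in events:
        if action != "login":
            continue
        person = IDENTITY_MAP.get((app, user))
        if person is None:
            unresolved.append((app, user))
            continue
        by_person.setdefault(person, []).append((parse_time(when), user, place))
    alerts = []
    for person, logins in by_person.items():
        logins.sort()
        for (t1, u1, p1), (t2, u2, p2) in zip(logins, logins[1:]):
            km = haversine_km(GEO[p1], GEO[p2])
            hours = (t2 - t1).total_seconds() / 3600
            # The same instant in two distant places is also impossible.
            if km > 0 and (hours == 0 or km / hours > MAX_KMH):
                alerts.append({"person": person, "accounts": [u1, u2],
                               "km": round(km), "minutes": round(hours * 60)})
    return alerts, unresolved


if __name__ == "__main__":
    found, unmapped = correlate(EVENTS)
    for alert in found:
        print("impossible travel:", alert)
    print("accounts without identity context:", unmapped)
```

Without the identity map the two slide events look like unrelated users; the unresolved list shows which accounts still lack that context.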
Application Layer Intelligence. Example: add user context to database logging. Only by logging through the application can database logs include user information. Diagram labels: SQL, User name, Events.
HP ArcSight
Security is complex, ArcSight helps you. Get Control: Transform Big Data into actionable security intelligence. Get Efficient: Faster resolution with fewer resources. Get Compliant: Automate your compliance out-of-the-box.
HP ArcSight delivers: 4 hours to respond to a breach (ArcSight enables forensic investigation and a quick response to a data breach that otherwise would take 24 days). 10 minutes to fix an IT incident (Full-text searching of any data enables incident resolution that otherwise would take 8 hours). 5 minutes to generate IT GRC report (ArcSight content generates IT GRC reports that otherwise would take 4 weeks). 3 days to run an IT audit (Search results yield audit-quality logs that otherwise would take 6 weeks). 2 days to fix a threat vulnerability (Seamless integration allows faster remediation that otherwise would take 3 weeks).
ArcSight takes the complexity out of Big Data. Volume: Cross-device, real-time correlation of data across IT; Long term archival at 10:1 compression ratio with ArcSight; Send it to Hadoop at over 100,000 EPS. Velocity: SmartConnectors collect logs, events, flows at over 100,000 EPS from almost any log generating source; Search data at over 2,000,000 EPS. Variety: Collects machine generated data from 350+ distinct sources; Autonomy collects human generated data from 400+ distinct sources; Collect from Hybrid network such as physical, virtual, and cloud.
HP ArcSight named leader in Gartner SIEM MQ 2013. HP ArcSight named A LEADER in the Gartner Magic Quadrant for Security Information and Event Management (SIEM), 10 YEARS IN A ROW. The MOST VISIONARY PRODUCT in the Gartner SIEM MQ.
BMW: "HP ArcSight ESM has enabled our IT department to be an enabler of the business. We can act very fast on security incidents and can reduce the loss of contracts and financial services due to the improved integrity of our network." Marc Seiffert, Senior IT Specialist, BMW Group
HP ArcSight Information Security Product Family: A comprehensive solution for big data security and compliance. Universal Log Management: Collect, store, analyze machine data from anywhere; Cost-effective compliance solution. Security Information and Event Management (SIEM): Leaders in Gartner MQ for 10 years in a row; Real-time threat intelligence for big data. Next Gen FW. Big Data Security. SOC Appliance for mid-market: One box solution for security use cases; Delivers value out-of-the-box. Security Intelligence and Operations Center: Largest number of SOCs built through HP ArcSight; Integrated solution with TippingPoint, Fortify, Hadoop, & Autonomy.
Questions?
Join Our Conversation. We are on your side. Visit our blogs. HP Security Research: hp.com/go/hpsrblog. HP Security Products: hp.com/go/securityproductsblog. HP Threat Briefings: hp.com/go/threatbriefings.
Thank you
Protect your weakest link: your software. Tracey Varnum, Strategic Sales Manager EMEA, HP Enterprise Security
Agenda: The weakest link: software security challenges. Does software security pay? How to Fortify your apps.
Disrupting the adversary. Stages: Research, Infiltration, Discovery, Capture, Exfiltration. Diagram labels: Their ecosystem; Our enterprise; Stopping access; Protecting the target access.
84% of breaches occur at the application layer
The business challenge. Applications are being driven by the brands, not by IT: Commissioned by the brands; Focus on wow factor and marketing-related functionality; Frequently developed by small boutique consultancies; Intense pressure on timescales with little thought given to non-functional requirements. Capturing personal data is the norm: Key to building the direct customer relationship (brand trust). Applications are proliferating: Websites, Facebook applications, Mobile applications; Marketing Campaigns run outside normal process, no governance. Do you even know how many applications you have?
Business impact of successful attack. Example 1: Hackers exploited security flaw in the website. Customer credit card numbers, email addresses, mailing addresses, telephone numbers, full names accessed. Example 2: A customer using a mobile app to check a prescription noticed that he was able to access the names, addresses, and prescription records of other customers. Example 3: After an application security incident, HP FOD was used to assist in detection, containment, and eradication. FOD discovered the root cause, a vulnerability that allowed access to 250k users' records by executing a SQL Injection attack against the website. The records included names, addresses, and passwords. Example 4: Website allowed attackers to bypass username/password requirements and impersonate an admin on the system. This allowed for disclosure of sensitive customer details and pricing.
Security Challenge: Key Requirements. Identify and fix application security issues before application goes into production. Systematic: Support all types of applications; Support all development approaches. No impact on time to market: Implement solution rapidly; No complex hardware/software to install; No need to hire, train and retain a team of application security experts; Scale rapidly to test all applications. Cost Effective: Cheaper than existing approach; Predictable.
Application security challenges. Diagram labels: Monitoring/protecting production software; Existing software; Securing legacy applications; Demonstrating compliance; Procuring secure software; Certifying new releases; In-house development; Outsourced; Commercial; Open source.
Does software security pay? 2013 ROI Study
Research background (Mainstay Study - 2012)
2013 Key Findings (Mainstay Study - 2013)
Software security does pay! Taken Together with 2010 Findings, the Total Economic Impact has Increased Significantly in 2013. Productivity & Remediation Savings: $9.7 M. Revenue Protection: $23.5M. Risk Avoidance: $15.5. Total Impact: $49M. (Mainstay Study - 2013)
Impact by delivery model
30x more costly to secure in production. Chart of cost by stage (Requirements, Coding, Integration/component testing, System testing, Production); multipliers shown: 2X, 5X, 10X, 15X, 30X. After an application is released into production, it costs 30x more than during design. Source: NIST
Assess, assure, protect. 1. Enact an application security gate. 2. Embed security into SDLC. 3. Monitor and protect software running in production. Diagram labels: In-house, Outsourced, Commercial, Open source; Improve SDLC policies.
HP Fortify: is one of the first commercially available static analysis tools; is a leader in coverage of languages, platforms and frameworks; can be integrated into your SDLC to find vulnerabilities in your code.
Application Security Gate: Secure ALL your applications before deployment. Web, Facebook, Mobile. In-house, out-sourced, third-party. on Demand Security Testing Service. Diagram labels: Code, Test, Deploy; Contract/Outsource; Procure; Security Gate.
Embed Security into Software Development Lifecycle
Fortify Solutions on premise and on demand. Static Analysis: Static analysis via build integration. Dynamic Analysis: Dynamic testing in QA or production. Runtime Analysis: Real-time protection of running application. Diagram labels: Actual attacks; Source code mgt system; Hackers; Vulnerability management; Remediation; Normalization (Scoring, guidance); Application Lifecycle; IDE Plug-ins (Eclipse, Visual Studio, etc.); Correlate target vulnerabilities with common guidance and scoring; Vulnerability database; Correlation (Static, Dynamic, Runtime); Defects, metrics and KPIs used to measure risk; Developers (onshore or offshore); Threat intelligence; Rules management; Development, project and management stakeholders.
HP Fortify on Demand. Simple: Launch your application security initiative in < 1 day; No hardware or software investments or maintenance; No experts to hire, train and retain. Fast: Scale to test all applications in your organization; 1 day turn-around on application security results; Support 1000s of applications. Flexible: Tests all types of applications; Web, Facebook, Mobile, desktop; In-house, open source and third party, commercial applications.
Application security in three easy steps. Upload: Software author provides URL and/or uploads software to the HP Fortify on Demand cloud. Test: HP Fortify on Demand conducts appropriate application security test(s) based on the risk category of the application. Review: Customer reviews and analyzes the results of the application test and provides information to development to fix.
Full Mobile Application Security Support. Mobile support for: Objective-C (Apple iPad/iPhone), Android, Windows, Blackberry. Test all three tiers. Utilize Hybrid Analysis: Source Code, Running Application. Client: Credentials in memory; Credentials on filesystem; Data stored on filesystem; Poor cert management; etc. Network: Cleartext credentials; Cleartext data; Backdoor data; Data leakage; etc. Server: SQLi; XSS; LFI; Authentication; Session Management; Logic Flaws; etc.
Comprehensive and accurate testing: Multiple levels of testing based on risk. Static Analysis (Powered by HP Fortify SCA): Enterprise proven technology; 100% code coverage; Support for 21 development languages. Dynamic Analysis (Powered by HP WebInspect): Production safe; Three testing levels; QA or production environments. Manual Review: Security expert review; Reduce false positives.
Vendor Work-flow Management: FOD is the trusted third-party. Diagram labels: Vendor FOD account; Procurer FOD account; Automated Testing; Expert Review; Detailed results; Static Analysis; Dynamic Analysis; Vendor publishes report to Procurer's account; Vendor Uploads Application; Remediate.
Powerful remediation and guidance. Insightful Dashboard: Executive Summary; Most prevalent vulnerabilities; Top 5 applications; Heat Map. Detailed Test Reports: Star Rating; Remediation roadmap; Detailed vulnerability data; Recommendations. Developer support: Vulnerabilities in Line of code context (Web based IDE, IDE Plug-in); Assign issues to developers.
HP Fortify on Premise
HP Fortify - Software Security Assurance: HP Fortify Software Security Center
HP Fortify named leader in Gartner AST MQ. HP Fortify has been named a leader in the Gartner 2013 Magic Quadrant for Application Security Testing (AST), a position it has held in every application security Magic Quadrant Gartner has ever issued. Gartner acknowledged Fortify's years of successful market execution and continued innovation by scoring it highest in completeness of vision and near the top in ability to execute.
SAP Enterprise Software. Client Outcome: Significantly enhanced the security of SAP software, with increased number of security patches since 2010; Met board requirements for product security; Protected revenue-generating applications and customer reputation.
Global Consumer Packaged Goods. Business Need: Secure over 1,500 external-facing web and mobile applications that comprise more than 120 Global Brands; Verify PCI and other regulations are being met; Ensure that customer data is being protected; Cost effective solution. HP Solution: Deploy Fortify on Demand for all applications entering UAT; Perform security testing and remediation before putting external-facing applications into production; Perform Security testing on all applications in production every 6 months to verify nothing has missed the UAT stage gate. Client Outcome: Consistent approach to application security; Full coverage of all consumer facing Web and Mobile Applications; Protects corporate brands from adverse publicity associated with a breach; Cheaper solution than engaging external penetration testers.
Summary: Find, Fix and Fortify. 1. Find & Fix security issues in development. 2. Fortify applications against attack. 3. Save money in development. 4. Reduce risk from applications.
Lunch