CyberSecurity Innovation: Assessing your Organization's Vulnerability to a Cyber Breach
Steve Mullan, Co-Founder of Cognition Secure Ltd
https://cognitionsecure.com
Thank You 7/12/2015 Copyright Cognition Secure Ltd 2015 The 5th CAE Annual Conference SM PUBLIC
The Evolving Face (and Audience) of IT Security
2006: ISA Firewall VPN Throughput Nears 150Mbps (ISAserver.org)
2010: Consolidate Network Security to Reduce Cost and Maximise Enterprise Protection
2015: Coming into Focus: Cyber Security Operational Risk
Cognition: A Cyber Security Integrator
What is cyber security?
Cyber security can be described as the digital or human measures you can take to reduce the risk and harm to your company's information and information-based systems through theft, alteration or destruction. (HM Government Report to Non-Exec Directors, Dec 14)
Digital AND Human: People, Process, Technology
So why is Cyber Security Integration so important?
- Traditional security still has an important role to play
- Dec 2014 report: 317 million new pieces of malware, 1 million per day
- Adopt a policy for implementing innovative and emerging technology
- Integrate the solutions correctly: it's not about rip and replace or about single point solutions, but a multi-layered approach
WhiteHat Sentinel
Andrew Lawton, VP EMEA, WhiteHat Security
The Reality
Internal Audit and Cybersecurity
Definition: An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
This definition of internal audit is taken from the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors.
2014 WhiteHat Security, Inc. 7
Current Challenges
Application security is normally an annual pentest plus scanning.
1. No consistency: data is delivered in different formats
2. Lack of trust: data is often false positive
3. No standardisation: assessments are undertaken in different ways
4. No disciplined approach: assessments are ad hoc or annual
About WhiteHat: Company Overview
- Pioneer in application security
- Founder: Jeremiah Grossman
- Headquartered in Santa Clara, CA
- Employees: 370+ (180 security engineers)
- Customers: 900+; long-term customers, strategic partner and trusted advisor
- Websites under assessment: 45,000
- WhiteHat a Leader in the Gartner Magic Quadrant for Application Security Testing, 2013 and 2014
- WhiteHat a Leader in the Forrester Wave: Application Security Review
A Comprehensive Approach To Threats
The Value Visibility
Whitehat Security Index
Enhanced Reporting
Key Value
Deliverable: Expert and professional team
Value: Highly accurate assessments; unlimited consulting hours through the "Ask a question" feature; an extension of your security team; remediation advice provided
Deliverable: Continuous assessment
Value: Catch vulns in new code as it is pushed and zero days as they happen; the business apps change all the time, so the assessments must continue all the time
Deliverable: Zero false positive output
Value: Saves a huge amount of time and money in filtering through the noise; means that data can be trusted to be fed into automation
Deliverable: XML API
Value: Open XML API allows simple integration with security and compliance infrastructure; out of the box with F5 ASM, Imperva, RSA Archer and Jira
Internal Audit and WhiteHat (definition of internal audit as above)
WhiteHat Security Summary
Differentiators:
- Strategic partner for end-to-end security in the SDLC
- Continuous and unlimited assessments
- Zero false positives
- Threat Research Centre overlay
- One service covering code in development and live applications
- Massive speed and scalability throughout the SDLC
- Production safe
Value:
- Save time and money on determining what needs action
- Clear information on vulnerability and remediation to communicate from security to developers
- Access to the security team to help, an extension of your team
- Integrates with and feeds actionable intelligence into your security infrastructure
- Clear metrics and analysis, trending and drill-down capability
Validation:
- Happy customers: 94% renewal rate
- Gartner and Forrester position us as a Leader
We prevent: DDoS attacks, data breaches.
DDoS attack
Web Application Security
- Bank ransomed
- Customers blackmailed
- Account and transaction details published online
Application Breaches
Data breach Network security Databases Applications
Zenedge solution Databases Applications
Simple, Process-driven Security Intelligence
Imagine there's no malware
Paul Davis, VP EMEA
December 2015
Current Threat Prevention Solutions: Good vs Bad
Mistakes are inevitable and costly
Can I get infected by just surfing a site?
Yes! Malware can be injected into your system without clicking on any downloads or plugins, or intentionally opening any files: drive-by malware, malvertising, etc.
Numerous examples: Forbes.com (Sept 2015), Yahoo (Aug 3, 2015), Huffington Post
2014 Menlo Security, Inc. 29
Why it's so easy to get infected with a single click...
Website: www.forbes.com
Lines of source code on front page: 2,555
Number of different domains connected to (in background): 36
Lines of source code executed from different domains: 7,168
Total lines of code you are exposed to: 9,723
Figure: the user loads www.forbes.com, and 36 sites Forbes connects to in the background execute code in the browser, for example adsafeprotected.com, realtime.co, sharethrough.com, forbesmig.com, googletagservices.com, liftdna.com, media.net, etc.
UAE Top 25 Sites
Average number of scripts per site: 18
Average number of domains serving scripts: 7
Average amount of code downloaded: 1.3 MB
Top site for number of scripts: facebook.com (85)
Top site for number of third-party domains: abs-cbnnews.com (23)
Top site for amount of script code: gulfnews.com (3.3 MB)
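The two slides above measure exposure as the number of scripts and the number of distinct domains serving them. The following is an added example (not from the deck or from Menlo Security) that computes those two figures for a page's static HTML, separating first-party from third-party script hosts; the sample page and its domain names are constructed, and because it does not fetch anything it only counts scripts declared in the HTML, not the further code those scripts load at runtime.

```python
"""Count scripts and the domains serving them from static HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> and counts inline ones."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def script_exposure(html, page_url):
    """Return script count, serving-domain count and the third-party hosts."""
    first_party = urlparse(page_url).hostname.lower().removeprefix("www.")
    parser = ScriptCollector()
    parser.feed(html)
    domains = set()
    for src in parser.external:
        if src.startswith("//"):  # protocol-relative URL, host is still present
            src = "https:" + src
        host = urlparse(src).hostname
        if host is None:  # relative path: served from the page's own origin
            host = first_party
        domains.add(host.lower().removeprefix("www."))
    # Anything not the page's registrable domain or one of its subdomains
    third_party = {d for d in domains
                   if d != first_party and not d.endswith("." + first_party)}
    return {
        "scripts": len(parser.external) + parser.inline,
        "external_scripts": len(parser.external),
        "domains_serving_scripts": len(domains),
        "third_party_domains": sorted(third_party),
    }


# Constructed sample page; the hostnames are placeholders, not real sites
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.com/lib.js"></script>
<script src="https://ads.example-adnet.test/tag.js"></script>
<script src="https://www.example-adnet.test/other.js"></script>
<script>console.log('inline');</script>
<script src="https://static.example.com/x.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(script_exposure(SAMPLE_HTML, "https://www.example.com/"))
```

Running it against a crawl of your own sites' landing pages gives the per-site figures the slides compare; the third-party list is the set of hosts whose code runs in your users' browsers without being under your control.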
Isolation Security: Promising, but Challenging
Completely contain and execute Web content, including any malware.
Significant promise:
- No false positives or negatives
- The potential for perfect security
Significant challenges to date:
- Hard to deploy (endpoint software)
- Poor user experience
- Brittle
Menlo Security is Introducing a New Isolation Platform
- Eliminates malware from the Web and email
- Public (SaaS) or private cloud deployment
- No endpoint software: any device, OS, browser
- No latency or impact on user experience
Eliminate Web Malware
All content (good and bad) from the Internet executes in disposable virtual containers: execute, render (100% safe rendering info to the user), dispose (every domain, every session).
Adaptive Clientless Rendering (ACR): native user experience, malware free; any device, any OS, any browser.
Open up the Web and reduce risk.
Powerful Platform Supports Multiple Use Cases
- Isolate uncategorized Web sites, or all Web sites
- Eliminate Java and Flash
- Read-only for social sites
- Proxy replacement
- Email security (links and phishing)
- Prevent attacks; reduce trouble tickets, alerts and patching
Panel Discussion
Q1: What are some of the simple things that people can do to reduce risk in the organisation?
Q2: Why do organisations find it so hard to measure and reduce the risk associated with cyber attack?
Q3: How much responsibility should Internal Audit & Risk take for their organisation's cyber security policy?
Q4: With Dubai planning to transition to a Smart City over the next couple of years, what role could you play in this to assist the enablement?
Q5: My organisation currently runs annual penetration testing; surely that's a sufficient measure for my risk strategy?
Q6: The Internet of Things (IoT) is a phenomenon which will be critical to a range of industries across the Middle East. How will we take steps to ensure we can implement IoT securely?
Q7: Moving forward, where do you see an organisation's IT Security department reporting into?
Conclusion
An effective security posture needs to incorporate: People, Process, Technology.
- Innovative technology is vital for dealing with the threat of the unknown and reducing your business risk exposure
- You need to have a starting point and an understanding of where you are today; otherwise, how do you know if you're making improvements?
- Ensure your organisation adopts a proactive stance on its cyber security strategy: it's a question of when, not if
Thank you
Steve Mullan, Cognition Secure Ltd, steve@cognitionsecure.com
Andrew Lawton, WhiteHat Security, andrew.lawton@whitehatsec.com
Simon Minton, ZenEdge, simon@zenedge.com
Paul Davis, Menlo Security, Paul.davis@menlosecurity.com