Date post: 29-Jul-2020
The Evolving Security Landscape Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com
Page 1: The Evolving Security Landscape

The Evolving Security Landscape

Andreas M Antonopoulos

Senior Vice President & Founding Partner

www.nemertes.com

Page 2

© Copyright 2010 Nemertes Research

About Nemertes

Security and Compliance Trends

Technology Overview and Business Drivers

Conclusion and Recommendations

Agenda

Page 3

Quantifies the business impact of emerging technologies

Conducts in-depth interviews with IT professionals

Advises businesses on critical issues such as:

Unified Communications

Social Computing

Data Centers & Cloud Computing

Security

Next-generation WANs

Cost models, RFPs, Architectures, Strategies

Nemertes: Bridging the Gap Between Business & IT

Page 4

Security and Compliance Trends

Page 5

Security and Compliance Outlook

Threat timeline (rows) by era (columns):

                     1990-2000                  2001-2009                     2010-2011+
Attackers            Hacking for Fun and Fame   Organized Cybercrime          Cyber Warfare
Denial of service    DoS                        Rise of the botnets / DDoS    Silent botnets
Malware              Viruses                    Worms/Trojans                 Polymorphic attacks/malware
Web attacks          Website defacement         XSS and SQL injection         Website defacement

Also on the timeline: Phishing/Identity theft

Regulatory milestones on the same timeline: HIPAA, GLBA, Sarbanes-Oxley, PCI-DSS, HITECH, Amended FRCP, Breach Notification, National Breach Disclosure

Page 6

De-Perimeterization

Is that a word?

No, but it’s happening anyway!

You used to have “The Internet Connection” and “The Firewall”

We are rapidly moving to ubiquitous connectivity and mobility

The Internet is everywhere! There is no INSIDE and OUTSIDE in your network

Page 7

The Changing End-User Landscape

Employee personal use of technology influences IT decisions for 46% of organizations

About 67% of organizations have a formal telework policy

iPhone already target of attacks against known vulnerabilities

Mobile devices are a significant data loss risk

The line between personal and work computing is blurring

Page 8

Security by Location

Most security today is LOCATION-CENTRIC

Servers and desktops are becoming virtual

Firewalls, VLANs, ACLs, IP Addresses – Locations

Location should not be the foundation of your security policy!

Page 9

Compliance on the Rise

If Enron gave us Sarbanes-Oxley, what will 100x Enron give us?

Legislation to pass a national breach disclosure law

HITECH Act adds more teeth to HIPAA

PCI-DSS is driving security behavior

Compliance drives security spending for 37% of organizations

Compliance requirements will get more prescriptive with sharper teeth

Page 10

Data-Centric Security

Data-centric means INSPECTING and PROTECTING the data

Regardless of where it is

Anti-malware inwards, data leakage outwards

Content inspection

Encryption

Fingerprinting

Digital certificates

Security meta-data

All data subject to search

Page 11

Technology Overview and Business Drivers

Page 12

Technology Architecture & Evolution

Labels from the architecture diagram:

Application and Endpoint

Network Security

Virtualized Security

Management

PKI

Application Policy

Identity Mgt

Incident and Event Mgt

Network Mgt

Identity Layer

Data Encryption and Inspection

Application Security

Page 13

Cyber Crime

A coordinated approach to cyber crime:

People

Education about phishing, malware and detection of social engineering

Process

Password management, user account deprovisioning, privileged user management, alert notification process and incident response

Technology

Web application firewall, endpoint protection (AV, anti-malware), email scanning, IDS/IDP, firewall, VPN, NAC, encryption/key management, multi-factor authentication and physical security

Page 14

Anti-Malware

Anti-malware delivery is evolving with four delivery modes: endpoint, appliance, cloud and hybrid

White/Black listing is becoming obsolete. A “good” web page can turn “bad” and then back to “good” before the next scan

Anti-malware – Worms, viruses and trojans are stealthier than ever, vastly more numerous and proliferate mainly via web pages

Botnets, buffer overflow, cross-site scripting, SQL injections, invisible iFrames

Page 15

Identity Management

Identity is the foundation of trust

Three key identity management areas:

User management

Authentication management

Authorization management

Most organizations have a scattered collection of directories and controls.

Evolving standards:

SAML (Security Assertion Markup Language): single sign-on (SSO)

XACML (eXtensible Access Control Markup Language): least privilege

OAuth (Open Authorization): sharing data between clouds
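The de-perimeterization and identity-centric points of Pages 6, 8, 10 and 15 come down to one design change: the access decision is keyed on the subject, the strength of its authentication and the classification of the data, not on the source address. The following is an added example, not code from the deck or from Nemertes, written in the spirit of XACML's attribute-based rules (it is not XACML syntax). The subnet, the users and groups, the resource and the function names location_centric_decision and identity_centric_decision are constructed for the illustration.

```python
# Added example, not from the Nemertes deck: an attribute-based access decision
# in the spirit of XACML (not XACML syntax). It contrasts a location-centric rule
# keyed on the source IP with an identity- and data-centric rule keyed on who
# the subject is, how they authenticated, and how the data is classified.
# Users, groups, subnets and requests below are constructed sample data.
import ipaddress
from dataclasses import dataclass

# Legacy assumption: "inside" means the corporate address space (constructed)
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


def location_centric_decision(src_ip: str, action: str) -> str:
    """Perimeter rule: any host on the corporate network may read; all else is denied.
    Knows nothing about who is behind the address or what the data is."""
    inside = ipaddress.ip_address(src_ip) in CORP_NET
    return "permit" if inside and action == "read" else "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset          # group memberships from the directory
    mfa: bool                  # whether this session was multi-factor authenticated


@dataclass(frozen=True)
class Resource:
    name: str
    owner_group: str
    classification: str        # "public", "internal" or "confidential"


# Rules are evaluated in order; the first matching rule wins; nothing matching
# means deny. Each rule states the least privilege needed for that data class.
POLICY = [
    ("public data: any authenticated user may read",
     lambda s, r, a: a == "read" and r.classification == "public"),
    ("internal data: staff may read",
     lambda s, r, a: a == "read" and r.classification == "internal" and "staff" in s.groups),
    ("confidential data: owning group with MFA may read or write",
     lambda s, r, a: a in ("read", "write") and r.classification == "confidential"
     and r.owner_group in s.groups and s.mfa),
]


def identity_centric_decision(subject: Subject, resource: Resource, action: str) -> tuple:
    """Return (decision, rule name). The source IP is deliberately not an input."""
    for name, rule in POLICY:
        if rule(subject, resource, action):
            return "permit", name
    return "deny", "default deny"


# Constructed scenario: a contractor plugged into the office LAN and a deal-team
# member working from a hotel request the same confidential memo.
MEMO = Resource("falcon-memo.docx", owner_group="deal-team", classification="confidential")
CONTRACTOR = Subject("pat.contractor", frozenset({"contractors"}), mfa=False)
DEAL_LEAD = Subject("alex.deal", frozenset({"staff", "deal-team"}), mfa=True)


def compare(subject: Subject, src_ip: str, resource: Resource, action: str) -> dict:
    """Side-by-side outcome of both models for one request."""
    return {
        "location": location_centric_decision(src_ip, action),
        "identity": identity_centric_decision(subject, resource, action)[0],
    }


if __name__ == "__main__":
    # The perimeter model trusts the contractor because of where they sit and
    # rejects the authorised owner because of where they are; the identity model
    # decides on the subject and the data, wherever the packet comes from.
    print(compare(CONTRACTOR, "10.20.30.40", MEMO, "read"))   # location permit, identity deny
    print(compare(DEAL_LEAD, "203.0.113.7", MEMO, "read"))    # location deny, identity permit
```

The ordered first-match list with a default deny is the shape most policy engines use; the point for the deck's argument is that moving the laptop between the office subnet and a hotel changes nothing in the second model, while a stranger on the office LAN gains nothing from the address alone.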

Page 16

Regulatory Compliance

Compliance is typically a component of governance, risk management and compliance (GRC)

The most onerous compliance requirement is privacy protection:

HIPAA (1996) and HITECH (2009), FERPA (1974), PCI-DSS (2002), GLBA (1999) and breach disclosure laws such as CA SB1386 (2002)

Compliance requires adoption, implementation, verification and auditing of security best practice

Look for security products that include compliance templates to ease the selection of controls and procedures

Page 17

Data Loss Prevention

Multiple approaches to Data Loss Prevention (DLP):

Endpoint
  Advantage: Local knowledge and offline protection
  Disadvantage: Requires install on every machine and susceptible to malware

Appliance
  Advantage: Global knowledge, dedicated performance and hardened device
  Disadvantage: No protection for offline machines and no local USB support

Cloud
  Advantage: No hardware/software investment and support for mobile and teleworkers
  Disadvantage: No local protection and leaks are caught in the cloud rather than inside the firewall
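Page 10's data-centric controls (content inspection, fingerprinting) and the DLP deployment approaches above share the same inspection core, whichever of the three points runs it. The following is an added example, not code from the deck or from a Nemertes product: a small outbound-mail inspector that fingerprints a registered confidential memo with hashed five-word shingles and separately checks for payment card numbers with the Luhn checksum. The memo, both e-mails, the 4111 1111 1111 1111 value (a standard test card number, not a real account) and the names fingerprint, inspect_message and REGISTERED are constructed for the illustration.

```python
# Added example, not from the Nemertes deck: a minimal content-inspection engine
# of the kind a DLP endpoint, appliance or cloud service runs on outbound mail.
# It combines (1) document fingerprinting of a registered confidential file
# using hashed k-word shingles, so a pasted paragraph is recognised even when
# the surrounding text is new, and (2) a structured-data check that finds
# payment card numbers and validates them with the Luhn checksum (PCI-DSS data).
# The confidential memo and the e-mails below are constructed sample data.
import hashlib
import re

K = 5  # words per shingle; shorter runs of common words would cause false positives


def _tokens(text: str) -> list:
    """Lower-case word tokens; case and punctuation changes must not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = K) -> set:
    """Set of truncated SHA-256 hashes of every k-word shingle in the text."""
    words = _tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def overlap_ratio(message: str, registered: set) -> float:
    """Fraction of the message's shingles that also occur in the registered document."""
    msg = fingerprint(message)
    return len(msg & registered) / len(msg) if msg else 0.0


# Runs of 13-19 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum the digits, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Candidate card numbers that pass Luhn; order IDs and phone numbers mostly fail it."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def inspect_message(message: str, registered: set, threshold: float = 0.3) -> dict:
    """Block when enough of the message matches registered content or it carries card data."""
    ratio = overlap_ratio(message, registered)
    cards = find_card_numbers(message)
    verdict = "block" if ratio >= threshold or cards else "allow"
    return {"fingerprint_overlap": round(ratio, 2), "card_numbers": len(cards), "verdict": verdict}


# Constructed sample data: the registered document and two outbound messages
CONFIDENTIAL_MEMO = (
    "Project Falcon acquisition memo. The board has approved an offer of forty two "
    "million for Meridian Analytics, contingent on due diligence finishing before "
    "the end of the quarter. Do not forward outside the deal team."
)
REGISTERED = fingerprint(CONFIDENTIAL_MEMO)

LEAK_EMAIL = (
    "FYI: the board has approved an offer of forty two million for Meridian Analytics, "
    "contingent on due diligence finishing before the end of the quarter. "
    "Card for the hotel: 4111 1111 1111 1111"
)
BENIGN_EMAIL = (
    "Hi Sam, are we still meeting at ten on Thursday to review the vendor slides? "
    "I booked the small conference room near reception."
)

if __name__ == "__main__":
    print(inspect_message(LEAK_EMAIL, REGISTERED))    # overlap 0.69, 1 card number, block
    print(inspect_message(BENIGN_EMAIL, REGISTERED))  # overlap 0.0, 0 card numbers, allow
```

Two design points carry over to real deployments. Fingerprinting on normalised word shingles is what lets an appliance or cloud service match a quoted paragraph without ever storing the memo's plaintext at the inspection point, which matters for the "leaks are caught in the cloud" trade-off above; production systems subsample the shingle set (winnowing) to bound the index size. The card check pairs a loose pattern with the Luhn checksum because the pattern alone would flag most long numeric identifiers and drown the alert queue.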

Page 18

e-Discovery

The ground rules for e-discovery are the Federal Rules of Civil Procedure (FRCP), amended in 2006.

“produce and permit the party making the request, to inspect, copy, test, or sample any designated documents or electronically stored information (including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data in any medium from which information can be obtained), translated, if necessary, by the respondent into reasonably usable form.”

Warning! Voicemail is discoverable – ramifications for unified messaging

The scope of electronically stored information (ESI) requires use of e-discovery tools to locate, categorize, copy and manage retention

Safe Harbor provision protects inadvertent deletion

Page 19

Virtualization Security

Virtualization reduces defense in depth, requiring virtualization security such as virtual FW, virtual IDS and virtual anti-malware

Adoption of virtualization security is low, with less than 10% of organizations deploying today

Compliance will drive virtualization security adoption

Requires prescriptive guidance

All major security vendors will have VirtSec products in 2010

Labels from the diagram:

Physical Network Infrastructure

Strong perimeter Defense

Defense in Depth

Virtualization Security (New)

Virtualized Network

Virtualized Storage

Physical

Legacy Systems

IaaS

PaaS

SaaS

Page 20

Cloud Security

Cloud computing adoption is < 1% of organizations

Security and compliance issues

Top concerns of cloud computing:

Service provider lock-in

Compliance risks

Isolation failure

Undetected breaches

Data location

Cloud requires VirtSec plus identity management, encryption, data leak prevention and control over data location

Page 21

Enabling Technologies, Risks Addressed and Business Drivers

                                            Risks Addressed                                    Business Drivers
Technology                                  Insider Threat  Malware  Data Leakage  Compliance  Agility  Mobility
Network Security                                  ●            ●          ●            ●          ●        ●
Content Inspection                                ●            ●          ●            ●          ●        ●
Encryption                                        ●            ●          ●            ●          ●        ●
Security Information and Event Management         ●            ●          ●            ●          ●        ●
OS Security                                       ●            ●          ●            ●          ●        ●
Identity and Authentication                       ●            ●          ●            ●          ●        ●
Application Security                              ●            ●          ●            ●          ●        ●
Virtualized Security                              ●            ●          ●            ●          ●        ●
Security as a Service                             ●            ●          ●            ●          ●        ●

Page 22

Conclusion and Recommendations

Page 23

What Should You Be Doing?

Urgent: Act Now
  Technology has become mainstream. R&D for predecessor technology has dried up. Competitors will gain advantage.

Short-Term Plans
  Technology is becoming mainstream. Business benefit too large to ignore. Implement within 1 year.

Long-Term Plans
  Technology can provide some benefits. Some may be too new for business adoption. Implement in 1-3 years.

Specific Needs
  Technology is relevant for certain companies. Implementation is case-by-case, depending on industry or size.

Page 24

Security Roadmap (Urgent: Act Now)

Move Security Up the Stack

Implement Identity Infrastructure

Implement DLP

Implement Encryption

Review employee security training

Page 25

Security Roadmap (Short-Term Plans)

Assess compliance issues

Evaluate e-discovery preparedness

Centralize and protect logs

Implement SIM/SEM

Outsource Specialized Functions

Page 26

Security Roadmap (Long-Term Plans)

Evaluate OS choices

Harden OS

Implement Application Security

Implement Virtualized Security

Prepare for de-perimeterization

Prepare for continuous mobility

Page 27

Conclusions and Recommendations

Perimeters are melting away

Ubiquitous data and people need ubiquitous security

Threats from organized crime and giant botnets

Identity-centric and data-centric security is the future

Defense-in-depth

Network security

Endpoint security

OS security

Application security

Security information and event management

Page 28

Thank You

Andreas M Antonopoulos

SVP & Founding Partner

[email protected]

