Date post: 26-Dec-2015
Victor Wheatman

Lead Presentation: Information Security Strategies Scenario: Protecting Corporate Assets

These materials can be reproduced only with Gartner’s official approval. Such approvals may be requested via e-mail -- [email protected].

Page 2

Corporate Espionage Is One of the Threats

• The French tracked encrypted satellite transmissions and eavesdropped on a video conference while Boeing engineers discussed test data

• Code Red and Nimda cost enterprises as much as $3 billion

• Oracle hired dumpster divers to gather information in the Microsoft anti-trust case

• The German Bundesnachrichtendienst’s Project Rahab hacked the international SWIFT system to monitor global financial transactions

Copyright © 2002

Page 3

Top 11 Security Issues — 2003

• Web Services Security

• Wireless LAN Security

• Identity Management and Provisioning

• Transitioning to Intrusion Prevention Systems

• Correlation of Events for Reporting/Monitoring/Managing Consoles

• The next Code Red/NIMDA

• Instant Messaging Security

• Homeland Security (Industry Specific)

• Tactical Security -> Infrastructure Security

• Protecting Intellectual Property

• Transaction Trustworthiness/Auditability


Page 4

Internet Threat Hierarchy

(Figure: threat classes plotted by Impact against Frequency, rising from Experimentation and Vandalism through “Hacktivism” and “Cybercrime” to Information Warfare)

Page 5

E-Business Information Security Vulnerabilities

(Figure: e-business interactions between Supplier and Customer, each paired with the asset or exposure it creates)

Collaborative Commerce: Intellectual Property

Search, Discovery, Offering: Reputation

EFT: Value

Logistics/SCM: Theft

Trusted Transactions: Integrity

CRM — Intimate Knowledge: Privacy

Supplier-side activities: Marketing, Selling, Shipping, Service and Support, Design, Receivables

Customer-side activities: Shopping, Purchasing, Using/Maintaining, Development, Payables, Receiving

Page 6

Information Security Hype Cycle

(Figure: Gartner hype cycle, Visibility against Maturity, with the phases Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity)

Technologies plotted: Behavior-Based Antivirals, Public-Key Infrastructure, WEP Security, Biometrics, Managed Security Service Providers, Firewall Appliances, Quantum Crypto, Secure Sockets Layer, Kerberos, Virtual Private Network, XML Security Standards, Single Sign-On, IDS, Data Encryption Standard, Advanced Encryption Standard, Identity Management, IM Security, Security Platforms

Legend (will reach the “plateau” in): less than two years; two to five years; five to 10 years; more than 10 years; never

Page 7

Will Your Co. Purchase/Expand the Following Security Prods. in 2002?

(Figure: stacked bar chart, 0% to 100%, for VPN, Firewalls, Intrusion Detection Software, Anti-virus, Access Management, Public Key Infrastructure and Managed Security Services; response categories Yes, first time / Yes, expand / No / N/A)

Source: Gartner Inc. & Goldman Sachs IT Spending & Demand Survey, Symposium/ITxpo 2002

Page 8

Business Continuity Components

(Table: four components under the umbrella of Crisis Management)

Disaster Recovery
  Objective: Mission-critical applications
  Focus: Site or component outage (external)
  Deliverable: Disaster recovery plan
  Sample event(s): Fire at the data center; critical server failure
  Sample solution: Recovery site in a different location

Business Recovery
  Objective: Mission-critical business processing (workspace)
  Focus: Site outage (external)
  Deliverable: Business recovery plan
  Sample event(s): Electrical outage in the building
  Sample solution: Recovery site in a different power grid

Business Resumption
  Objective: Business process workarounds
  Focus: Application outage (internal)
  Deliverable: Alternate processing plan
  Sample event(s): Credit authorization system down
  Sample solution: Manual procedure

Contingency Planning
  Objective: External event
  Focus: External behavior forcing change to internal
  Deliverable: Business contingency plan
  Sample event(s): Main supplier cannot ship due to its own problem
  Sample solution: 25% backup of vital products; backup supplier

Page 9

Capabilities Converge (So Who’s the Buyer?)

(Figure: timeline across 2002, 2004 and 2006 at Sub 100 Mb and Gigabit+ throughput; elements shown are Firewalls, IDS, VA, Gateway AV, Anti-Spam, Content Scanning, Security Platform, Intrusion Prevention Appliances, In the Cloud MSS, Honey Pots, Application Traces and Forensics, and Policies and Parameters; question marks on the slide mark the open buyer question)

Page 10

Security Monitoring in the Real-Time Enterprise

“Wot the….?”

Page 11

Security Outsourcing — Accelerators and Inhibitors

• Outsourcing not corporate practice

• Frequent firewall changes

• Legacy security applications

• Security is “other duty as assigned”

• E-business is mandatory

• How did you do on Code Red, NIMDA?

• “Buy, do not build” is the mantra

• Privacy or security is a line of business

• People, people, people (on both sides)

Page 12

How Is the InfoSec Market Balanced?

(Figure: Market Share plotted against Strength of Security Solution, from Weak to Strong, with the regions “Smoke and Mirrors”, “Almost Good Enough”, Optimal Placement, and “Field of Dreams” or “White Coats”)

Buyer’s Remorse: PKI; Y2K (-> BCP)

Big Projects: Infrastructure; Homeland Security; Espionage

Page 13

Antivirus and Intrusion Detection Systems

(Two Magic Quadrant figures, Ability to Execute against Completeness of Vision, with quadrants Leaders, Challengers, Visionaries and Niche Players)

Antivirus (as of April 2002), vendors plotted: Network Associates, Symantec, Trend Micro, Computer Associates, Sophos, F-Secure
Source: Enterprise Antivirus 2Q02 MQ: Room for Improvement, July 2002

Intrusion Detection (as of June 2002), vendors plotted: NFR, Entercept, Symantec, Cisco Systems, Enterasys, Internet Security Systems, Tripwire, Recourse
Source: Intrusion Detection Systems Magic Quadrant: 2H02, August 2002

Page 14

Managed Security Service Providers, Firewalls

(Two Magic Quadrant figures, Ability to Execute against Completeness of Vision, with quadrants Leaders, Challengers, Visionaries and Niche Players)

Managed Security Service Providers (as of January 2002), vendors plotted: Sprint, AT&T, Symantec, NetSolve, IBM, Riptech, Unisys, Guardent, Veritect, VeriSign, SecureWorks, Worldcom/UUNET, Computer Sciences Corporation (CSC), EDS, Counterpane Internet Security, Genuity, Ubizen
(Source: 2H01 Managed Security Service Provider Magic Quadrant, February 2002)

Firewalls (as of September 2002), vendors plotted: Internet Security Systems (ISS), Cyberguard, WatchGuard, Secure Computing, Microsoft, Cisco Systems, Symantec, Check Point, NetScreen, Borderware, StoneSoft, SonicWALL, Whale
(Source: Firewall Market Magic Quadrant 1H02, September 2002)

Page 15

Security Standards Investments

(Table: each standard is marked with an X in one of the columns Yesterday, Near Term 2002-2004, Med. Term 2005, Long Term 2005+ or Never, grouped into Business/Industry Standards, Technical Security Standards and Infrastructure Security Standards)

Standards listed: FIPS 140-2, SAS70 Type 2, SSL/TLS, IPv6, XML Digital Signature, XML Encryption, SAML, CoBIT, VISA CISP, HIPAA, Common Criteria, GLB, AES, Kerberos, DES, 3DES, ISO 17799/BS7799

Page 16

Security Standards Still Developing

(Table: Need, Standard, Level of implementation)

Format: Extensible Markup Language (XML)

Transport: Common internet protocols (TCP/IP, HTTP, etc.)

Message: Simple Object Access Protocol (SOAP)

Description: Web Services Definition Language (WSDL)

Search & find: Universal Description, Discovery & Integration (UDDI)

Base security: XML-Dsig, XML-Enc

Building trust: SAML, XRML

Identity: Passport, Liberty, ??

Also shown: Web Services Interoperability Organization; WS-Security, WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation, WS-Federation, WS-Authorization

Page 17

Chief Information Security Officer

(Figure: organization chart)

Board of Directors

CEO

CIO

CISO

Business Unit Management / BISO

Policy Management
• Policies and Standards
• Risk Assessment/Profiling
• Policy Compliance and Consulting
• Awareness Training
• Business Security Architecture

Security Engineering
• Minimum Platform Standards
• Technical Security Architecture

Incident Response
• ID Threat + Solution

Security Administration
• Platform/Application User Management

Page 18

The Business Value of InfoSec

Cost of Doing Business

Insurance
• Loss
• Fines

ROI

Keeping the Bad Guys Out . . . Letting the Good Guys In

Page 19

Recommendations

• Enterprises now conservatively implementing short-term tactical security and business continuity solutions should plan for improvements in infrastructure security. Web services, corporate espionage threats and the possibility of outsourcing security are new drivers to action as the economy improves.

• Enterprises should develop an enterprisewide, cross-application view of their information security requirements, beginning with policies and cultural change. A Chief Information Security Officer function is a good focal point for this dynamic.

