Victor Wheatman
Lead Presentation: Information Security Strategies Scenario: Protecting Corporate Assets
These materials can be reproduced only with Gartner’s official approval. Such approvals may be requested via e-mail -- [email protected].
Corporate Espionage Is One of the Threats
• French track encrypted satellite transmissions and eavesdrop on a video conference while Boeing engineers discuss test data
• Code Red and Nimda cost enterprises as much as $3 billion
• Oracle hired dumpster divers to gather information in the Microsoft anti-trust case
• The German Bundesnachrichtendienst’s Project Rahab hacked the international SWIFT system to monitor global financial transactions
Copyright © 2002
Top 11 Security Issues — 2003
• Web Services Security
• Wireless LAN Security
• Identity Management and Provisioning
• Transitioning to Intrusion Prevention Systems
• Correlation of Events for Reporting/Monitoring/Managing Consoles
• The Next Code Red/Nimda
• Instant Messaging Security
• Homeland Security (Industry Specific)
• Tactical Security -> Infrastructure Security
• Protecting Intellectual Property
• Transaction Trustworthiness/Auditability
Internet Threat Hierarchy (figure): threat tiers plotted by Impact against Frequency, rising from Experimentation through Vandalism, “Hacktivism” and “Cybercrime” to Information Warfare.
E-Business Information Security Vulnerabilities (figure): e-business activities between Supplier and Customer (Marketing, Selling, Shipping, Service and Support, Design, Receivables; Shopping, Purchasing, Using/Maintaining, Development, Payables, Receiving) mapped to the property each one exposes:
• Collaborative Commerce: Intellectual Property
• Search, Discovery, Offering: Reputation
• EFT: Value
• Logistics/SCM: Theft
• Trusted Transactions: Integrity
• CRM (Intimate Knowledge): Privacy
Information Security Hype Cycle (figure): Visibility plotted against Maturity through the Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity. Technologies plotted: Behavior-Based Antivirals, Public-Key Infrastructure, WEP Security, Biometrics, Managed Security Service Providers, Firewall Appliances, Quantum Crypto, Secure Sockets Layer, Kerberos, Virtual Private Network, XML Security Standards, Single Sign-On, IDS, Data Encryption Standard, Advanced Encryption Standard, Identity Management, IM Security, Security Platforms. Legend (time to reach the “plateau”): less than two years, two to five years, five to 10 years, more than 10 years, never.
Will Your Co. Purchase/Expand the Following Security Prods. in 2002? (bar chart, 0% to 100%; responses Yes, first time / Yes, expand / No / N/A for VPN, Firewalls, Intrusion Detection Software, Anti-virus, Access Management, Public Key Infrastructure and Managed Security Services). Source: Gartner Inc. & Goldman Sachs IT Spending & Demand Survey, Symposium/ITxpo 2002.
Business Continuity Components (table; Crisis Management spans all four columns)

Disaster Recovery
  Objective: Mission-critical applications
  Focus: Site or component outage (external)
  Deliverable: Disaster recovery plan
  Sample event(s): Fire at the data center; critical server failure
  Sample solution: Recovery site in a different location

Business Recovery
  Objective: Mission-critical business processing (workspace)
  Focus: Site outage (external)
  Deliverable: Business recovery plan
  Sample event(s): Electrical outage in the building
  Sample solution: Recovery site in a different power grid

Business Resumption
  Objective: Business process workarounds
  Focus: Application outage (internal)
  Deliverable: Alternate processing plan
  Sample event(s): Credit authorization system down
  Sample solution: Manual procedure

Contingency Planning
  Objective: External event
  Focus: External behavior forcing change to internal
  Deliverable: Business contingency plan
  Sample event(s): Main supplier cannot ship due to its own problem
  Sample solution: 25% backup of vital products; backup supplier
Capabilities Converge (So Who’s the Buyer?) (figure, timeline 2002 to 2004 to 2006): Firewalls, IDS, VA, Gateway AV, Anti-Spam and Content Scanning converge toward a Security Platform, In-the-Cloud MSS and Intrusion Prevention Appliances at Sub 100 Mb and Gigabit+ throughput; also shown: Honey Pots, Application Traces and Forensics; Policies and Parameters.
Security Monitoring in the Real-Time Enterprise
Security Outsourcing: Accelerators and Inhibitors
• Outsourcing not corporate practice
• Frequent firewall changes
• Legacy security applications
• Security is “other duty as assigned”
• E-business is mandatory
• How did you do on Code Red, NIMDA?
• “Buy, do not build” is the mantra
• Privacy or security is a line of business
• People, people, people (listed on both sides)
How Is the InfoSec Market Balanced? (figure): Market Share plotted against Strength of Security Solution (Weak to Strong), with regions “Smoke and Mirrors”, “Almost Good Enough”, “Field of Dreams” or “White Coats”, and Optimal Placement. Examples: Buyer’s Remorse (PKI; Y2K -> BCP); Big Projects (Infrastructure; Homeland Security; Espionage).
Antivirus and Intrusion Detection Systems (Magic Quadrant figures): Ability to Execute plotted against Completeness of Vision, with Leaders, Challengers, Visionaries and Niche Players quadrants.
• Antivirus (as of April 2002): Network Associates, Symantec, Trend Micro, Computer Associates, Sophos, F-Secure. Source: Enterprise Antivirus 2Q02 MQ: Room for Improvement, July 2002.
• Intrusion Detection (as of June 2002): NFR, Entercept, Symantec, Cisco Systems, Enterasys, Internet Security Systems, Tripwire, Recourse. Source: Intrusion Detection Systems Magic Quadrant: 2H02, August 2002.
Managed Security Service Providers, Firewalls (Magic Quadrant figures): Ability to Execute plotted against Completeness of Vision, with Leaders, Challengers, Visionaries and Niche Players quadrants.
• MSSPs (as of January 2002): Sprint, AT&T, Symantec, NetSolve, IBM, Riptech, Unisys, Guardent, Veritect, VeriSign, SecureWorks, Worldcom/UUNET, Computer Sciences Corporation (CSC), EDS, Counterpane Internet Security, Genuity, Ubizen, Internet Security Systems (ISS). Source: 2H01 Managed Security Service Provider Magic Quadrant, February 2002.
• Firewalls (as of September 2002): Cyberguard, WatchGuard, Secure Computing, Microsoft, Cisco Systems, Symantec, Check Point, NetScreen, Borderware, StoneSoft, SonicWALL, Whale. Source: Firewall Market Magic Quadrant 1H02, September 2002.
Security Standards Investments (table): each standard is marked with the horizon in which investment is expected (Yesterday; Near Term, 2002-2004; Med. Term, 2005; Long Term, 2005+; Never).
• Technical Security Standards: FIPS 140-2, SSL/TLS, IPv6, XML Digital Signature, XML Encryption, SAML, AES, Kerberos, DES, 3DES
• Infrastructure Security Standards and Business/Industry Standards: SAS70 Type 2, CoBIT, VISA CISP, HIPAA, Common Criteria, GLB, ISO 17799/BS7799
Web Services Interoperability (figure: Need / Standard / Organization)
• Transport: Common internet protocols (TCP/IP, HTTP, etc.)
• Format: Extensible Markup Language (XML)
• Message: Simple Object Access Protocol (SOAP)
• Description: Web Services Definition Language (WSDL)
• Search & find: Universal Description, Discovery & Integration (UDDI)
• Base Security: XML-Dsig, XML-Enc
• Building trust: SAML, XRML
• Identity: Passport, Liberty, ??
Security Standards Still Developing (figure, by level of implementation): WS-Security, WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation, WS-Federation, WS-Authorization
The Business Value of InfoSec (organization chart): Board of Directors; CEO; CIO; Chief Information Security Officer (CISO); Business Unit Management with BISO.
• Policy Management: Policies and Standards; Risk Assessment/Profiling; Policy Compliance and Consulting; Awareness Training; Business Security Architecture
• Security Engineering: Minimum Platform Standards; Technical Security Architecture
• Incident Response: ID Threat + Solution
• Security Administration: Platform/Application User Management
• Cost of Doing Business: Insurance; Loss; Fines
• ROI
Keeping the Bad Guys Out . . . Letting the Good Guys In
Recommendations
• Enterprises now conservatively implementing short-term tactical security and business continuity solutions should plan for improvements in infrastructure security. Web services, corporate espionage threats and the possibility of outsourcing security are new drivers to action as the economy improves.
• Enterprises should develop an enterprisewide, cross-application view of their information security requirements, beginning with policies and cultural change. A Chief Information Security Officer function is a good focal point for this dynamic.