The Evolving Security Landscape
Andreas M Antonopoulos
Senior Vice President & Founding Partner
www.nemertes.com
© Copyright 2010 Nemertes Research
Agenda
About Nemertes
Security and Compliance Trends
Technology Overview and Business Drivers
Conclusion and Recommendations
Nemertes: Bridging the Gap Between Business & IT
Quantifies the business impact of emerging technologies
Conducts in-depth interviews with IT professionals
Advises businesses on critical issues such as:
Unified Communications
Social Computing
Data Centers & Cloud Computing
Security
Next-generation WANs
Cost models, RFPs, Architectures, Strategies
Security and Compliance Trends
Security and Compliance Outlook
Timeline across three eras: 1990-2000, 2001-2009, 2010-2011+
Regulation: HIPAA, GLBA, Sarbanes-Oxley, PCI-DSS, Amended FRCP, HITECH, Breach Notification, National Breach Disclosure
Attacker motivation: Hacking for Fun and Fame → Organized Cybercrime → Cyber Warfare
Availability attacks: DoS → Rise of the Botnets / DDoS → Silent Botnets
Malware: Viruses → Worms/Trojans → Polymorphic Attacks / Malware
Web attacks: Website Defacement → XSS and SQL Injection
Phishing / Identity Theft
De-Perimeterization
Is that a word?
No, but it’s happening anyway!
You used to have “The Internet Connection” and “The Firewall”
We are rapidly moving to ubiquitous connectivity and mobility
The Internet is everywhere! There is no INSIDE and OUTSIDE in your network
The Changing End-User Landscape
Employee personal use of technology influences IT decisions for 46% of organizations
About 67% of organizations have a formal telework policy
iPhone already target of attacks against known vulnerabilities
Mobile devices are a significant data loss risk
The line between personal and work computing is blurring
Security by Location
Most security today is LOCATION-CENTRIC
Servers and desktops are becoming virtual
Firewalls, VLANs, ACLs, IP Addresses – Locations
Location should not be the foundation of your security policy!
Compliance on the Rise
If Enron gave us Sarbanes-Oxley, what will 100xEnron give us?
Legislation to pass a national breach disclosure law
HITECH Act adds more teeth to HIPAA
PCI-DSS is driving security behavior
Compliance drives security spending for 37% of organizations
Compliance requirements will get more prescriptive with sharper teeth
Data-Centric Security
Data-centric means INSPECTING and PROTECTING the data
Regardless of where it is
Anti-malware inwards, data leakage outwards
Content inspection
Encryption
Fingerprinting
Digital certificates
Security meta-data
ALL DATA SUBJECT TO SEARCH
Technology Overview and Business Drivers
Technology Architecture & Evolution (layered diagram)
Layers: Application and Endpoint; Application Security; Data Encryption and Inspection; Identity Layer; Network Security; Virtualized Security
Management: PKI, Application Policy, Identity Mgt, Incident and Event Mgt, Network Mgt
Cyber Crime
A coordinated approach to cyber crime:
People: Education about phishing, malware and detection of social engineering
Process: Password management, user account deprovisioning, privileged user management, alert notification process and incident response
Technology: Web application firewall, endpoint protection (AV, anti-malware), email scanning, IDS/IDP, firewall, VPN, NAC, encryption/key management, multi-factor authentication and physical security
Anti-Malware
Anti-malware delivery is evolving with four delivery modes: endpoint, appliance, cloud and hybrid
White/Black listing is becoming obsolete. A “good” web page can turn “bad” and then back to “good” before the next scan
Anti-malware – Worms, viruses and trojans are stealthier than ever, vastly more numerous and proliferate mainly via web pages
Botnets, buffer overflow, cross-site scripting, SQL injection, invisible iFrames
Identity Management
Identity is the foundation of trust
Three key identity management areas
User management, Authentication management, Authorization management
Most organizations have a scattered collection of directories and controls.
Evolving standards:
SAML – Security Assertion Markup Language: single sign-on (SSO)
XACML – eXtensible Access Control Markup Language: least privilege
OAuth – Open Authorization: sharing data between clouds
Regulatory Compliance
Compliance is typically a component of governance, risk management and compliance (GRC)
The most onerous compliance requirement is privacy protection:
HIPAA (1996) and HITECH (2009), FERPA (1974), PCI-DSS (2002), GLBA (1999) and breach disclosure laws such as CA SB1386 (2002)
Compliance requires adoption, implementation, verification and auditing of security best practice
Look for security products that include compliance templates to ease the selection of controls and procedures
Data Loss Prevention
Multiple approaches to Data Loss Prevention (DLP):
Endpoint – Advantage: Local knowledge and offline protection. Disadvantage: Requires install on every machine and susceptible to malware.
Appliance – Advantage: Global knowledge, dedicated performance and hardened device. Disadvantage: No protection for offline machines and no local USB support.
Cloud – Advantage: No hardware/software investment and support for mobile and teleworkers. Disadvantage: No local protection and leaks are caught in the cloud rather than inside the firewall.
e-Discovery
The ground rules for e-discovery are the Federal Rules of Civil Procedure (FRCP), amended in 2006.
“produce and permit the party making the request, to inspect, copy, test, or sample any designated documents or electronically stored information (including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data in any medium from which information can be obtained), translated, if necessary, by the respondent into reasonably usable form.”
Warning! Voicemail is discoverable – ramifications for unified messaging
The scope of electronically stored information (ESI) requires use of e-discovery tools to locate, categorize, copy and manage retention
Safe Harbor provision protects inadvertent deletion
Virtualization Security
Virtualization reduces defense in depth, requiring virtualization security such as virtual FW, virtual IDS and virtual anti-malware
Adoption of virtualization security is low, with less than 10% of organizations deploying today
Compliance will drive virtualization security adoption
Requires prescriptive guidance
All major security vendors will have VirtSec products in 2010
Diagram: Physical Network Infrastructure (Strong Perimeter Defense, Defense in Depth, Physical Legacy Systems) alongside Virtualized Network and Virtualized Storage, with Virtualization Security as the new layer; cloud tiers IaaS, PaaS, SaaS
Cloud Security
Cloud computing adoption is < 1% of organizations
Security and compliance issues
Top concerns of cloud computing:
Service provider lock-in
Compliance risks
Isolation failure
Undetected breaches
Data location
Cloud requires VirtSec plus identity management, encryption, data leak prevention and control over data location
Enabling Technologies: Risks Addressed and Business Drivers
Risks addressed: Insider Threat, Malware, Data Leakage, Compliance. Business drivers: Agility, Mobility.
Technology                                 Insider Threat  Malware  Data Leakage  Compliance  Agility  Mobility
Network Security                           ●               ●        ●             ●           ●        ●
Content Inspection                         ●               ●        ●             ●           ●        ●
Encryption                                 ●               ●        ●             ●           ●        ●
Security Information And Event Management  ●               ●        ●             ●           ●        ●
OS Security                                ●               ●        ●             ●           ●        ●
Identity And Authentication                ●               ●        ●             ●           ●        ●
Application Security                       ●               ●        ●             ●           ●        ●
Virtualized Security                       ●               ●        ●             ●           ●        ●
Security As A Service                      ●               ●        ●             ●           ●        ●
Conclusion and Recommendations
What Should You Be Doing?
Urgent: Act Now – Technology has become mainstream. R&D for predecessor technology has dried up. Competitors will gain advantage.
Short-Term Plans – Technology is becoming mainstream. Business benefit too large to ignore. Implement within 1 year.
Long-Term Plans – Technology can provide some benefits. Some may be too new for business adoption. Implement in 1-3 years.
Specific Needs – Technology is relevant for certain companies. Implementation is case-by-case, depending on industry or size.
Security Roadmap – Urgent: Act Now
Move Security Up the Stack
Implement Identity Infrastructure
Implement DLP
Implement Encryption
Review employee security training
Security Roadmap – Short-Term Plans
Assess compliance issues
Evaluate e-discovery preparedness
Centralize and protect logs
Implement SIM/SEM
Outsource Specialized Functions
Security Roadmap – Long-Term Plans
Evaluate OS choices
Harden OS
Implement Application Security
Implement Virtualized Security
Prepare for de-perimeterization
Prepare for continuous mobility
Conclusions and Recommendations
Perimeters are melting away
Ubiquitous data and people need ubiquitous security
Threats from organized crime and giant botnets
Identity-centric and data-centric security is the future
Defense-in-depth
Network security
Endpoint security
OS security
Application security
Security information and event management
Thank You
Andreas M Antonopoulos
SVP & Founding Partner
andreas@nemertes.com