HP Software Performance Tour 2014 - Guarding against the Data Breach


At the HP Software Performance Tour 2014, Pierpaolo Ali’, South Europe Sales Director, HP Enterprise Security Products, illustrated the 2014 vulnerability landscape in IT security.


© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Guarding against the Breach: The 2014 Vulnerability Landscape

Pierpaolo Ali’, South Europe Sales Director, HP Enterprise Security Products

June 17, 2014


The attack lifecycle (diagram)

Stages: Research, Infiltration, Discovery, Capture, Exfiltration

Domains shown: Their ecosystem, Our enterprise


How we can disrupt the market (diagram)

Stages: Research, Infiltration, Discovery, Capture, Exfiltration

Domains shown: Their ecosystem, Our enterprise

Countermeasures: Planning damage mitigation, Educating users, Counter intel


Agenda

2013 Cyber Risk Report key findings

Understanding exactly how the Attacker Ecosystem Works

HP Security Research

Building Security in Maturity Model


2013 Cyber Risk Report


Key Findings

Research gains attention, but vulnerability disclosures stabilize and decrease in severity

80% of applications contain vulnerabilities exposed by incorrect configuration

Differing definitions of “malware” make measuring mobile malware risk extremely difficult


Key Findings

The attack surface allows for multiple avenues for compromise

46% of mobile iOS and Android applications use encryption improperly

Internet Explorer was the software most targeted by Zero Day Initiative (ZDI) researchers


Key Findings

SCADA systems are increasingly targeted

Sandbox bypass vulnerabilities are the #1 issue for Java


Conclusions

Mitigate Risk

Respond Appropriately

Reduce Attack Surface


Going beyond the basics of best practices

Remember that people are part of your organization’s perimeter too

Don’t rely solely on traditional defensive perimeter security

Expect to be compromised


Going beyond the basics of best practices

Make security and response a continuous process

Understand that not all information and network assets are equal

Seek out credible and reliable security intelligence


Understanding exactly how the Attacker Ecosystem Works


A recent event



Repeat attacks (diagram)

Company A, Company B and Company C are each marked NEW EVENT

Indicators shown: Zero Day, Malicious IP Address, Malware Variant


Recruiting


Job offers


Escrow services


Training


HP Security Research


HP Enterprise Security Products


HP Security Research (diagram)

Inputs: SANS, CERT, NIST, ReversingLabs, software and reputation vendors; ecosystem partners; ESS

• ~3000 researchers

• 2000+ customers sharing data

• 7000+ managed networks globally

Outputs: innovative research, thought leadership, actionable security intelligence

• Automatically integrated into HP products

• HP finds more vulnerabilities than the rest of the market combined

• Top security vulnerability research organization for the past three years — Frost & Sullivan


The Value HP TippingPoint DVLabs Provides

Vulnerability Research

Crowd-sourced 0-day and vulnerability research through the Zero Day Initiative (ZDI)

Original vulnerability research on widely-used software

Targeted research on emerging threat technologies and trends

Malware Research

Reputation feed of malicious hosts and IP addresses

In-depth threat research

Weekly updates to stay ahead of the threats


Heartbleed…



Building Security In: HP SSR (diagram)

Original Research: malware analysis, access control validation, …

Secure Coding Rulepacks (SCA): 563 unique categories of vulnerabilities across 21 languages and over 720,000 individual APIs

Runtime Rulepack Kits: HP Fortify SecurityScope, HP Fortify Runtime Application Logging, HP Fortify Runtime Application Protection (RTAP)

WebInspect SecureBase (WebInspect): next-generation security testing capabilities

Consistent delivery of quarterly content updates (03-29-2013, 06-28-2013, …)


Building Security in Maturity Model (BSIMM)


Building BSIMM (2009)

Big idea: build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives

Created a software security framework

Interviewed nine firms in person

Discovered 110 activities through observation

Organized the activities in 3 levels

Built a scorecard

The model has been validated with data from 67 firms

There are no special snowflakes


Prescriptive versus Descriptive Models

Prescriptive models describe what you should do (circa 2006): SAFECode, SAMM, MS SDL, Touchpoints

Every firm has a methodology they follow (often a hybrid)

You need an SSDL!

Descriptive models describe what is actually happening

BSIMM is a descriptive model used to measure multiple prescriptive SSDLs


67 Firms in the BSIMM-V Community

Plus 22 firms that remain anonymous


Compare yourself with…

• Your peers

• Other business units

Track your performance over time…


BSIMM by the Numbers


Conclusion

Don’t rely solely on traditional defensive perimeter security.

Know thy enemy. Expect to be compromised.

Security Research can provide proactive insight into global, vertical-specific, and geographic threats.

BSIMM: Measure how well you’re doing


Questions?


Join Our Conversation

We are on your side. Visit our blogs.

HP Security Research: hp.com/go/HPSRblog

HP Security Products: hp.com/go/SecurityProductsBlog

HP Threat Briefings: hp.com/go/ThreatBriefings

BSIMM Information: bsimm.com, bsimm@hp.com


Thank You