Santiago Cavanna, IBM Security Systems Argentina-Uruguay-Paraguay, March 2014, [email protected]. The hidden cost of vulnerable applications

Segurinfo2014 Santiago Cavanna


DESCRIPTION

Presentation given in Argentina and Paraguay during March 2014: in Argentina by Faustino Sanchez, in Paraguay by Santiago Cavanna. It covers the problem of vulnerabilities present in applications, the impact they have on organizations, and the approach available for discovering them early and facilitating their remediation. Links available at http://www.santiagocavanna.com/segurinfo-2014-el-costo-oculto-de-las-aplicaciones-vulnerables/


Page 1: Segurinfo2014 Santiago Cavanna


Page 2

The Traditional Approach is Changing… Security is no longer controlled and enforced through the network perimeter.

Diagram labels: Trusted Intranet (Online Banking Application, Employee Application) | DMZ | Untrusted Internet

Page 3

… With Mobile and Cloud There Is No Perimeter. Security must be centered on applications and transactions.

Diagram labels: Online Banking Application; Investment API Services; Employee Application; Deliver Mobile App; Consume Apps and Services; Leverage Public Clouds. Zones: Trusted Intranet | DMZ | Untrusted Internet

Page 4

media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf

In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and 85% reported internal incidents.

Page 5

Threats increase along with old and new targets

Escalating Threats: Web Apps Targeted; Mobile Devices Targeted; Mobile Malware Increasing

•  31% of new attacks in 1H 2013 targeted Web app vulnerabilities

•  50%+ of Web app vulnerabilities are cross-site scripting

•  Mobile devices are twice as appealing: hackers can obtain personal and business data

Sources: IBM X-Force 2013 Mid-Year Trend and Risk Report; Juniper Networks Third Annual Mobile Threats Report: 3/12 – 3/13

Page 6

A New Security Reality Is Here

•  83% of enterprises have difficulty finding the security skills they need

•  85 tools from 45 vendors (IBM client example)

•  70% of security exec’s are concerned about cloud and mobile security

•  Mobile malware grew 614% from March 2012 to March 2013, in one year

•  61% of organizations say data theft and cybercrime are the greatest threats to their reputation

•  Average U.S. breach cost $7 million+

Sources: 2013 Cost of Cyber Crime Study, Ponemon Institute; 2013 Juniper Mobile Threat Report; 2012 IBM Global Reputational Risk & IT Study; 2013 IBM CISO Survey; 2012 ESG Research

Page 7

A new security reality is here

Sophisticated attackers break through conventional safeguards every day. Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted ‒ they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often. In fact, 61% of organizations say data theft and cybercrime are the greatest threats to their reputation.1 And the costs are staggering. By one estimate, the average cost of a breach is over $7 million.2

Sources: (1) 2012 Global Reputational Risk & IT Study, IBM; (2) 2013 Cost of Cyber Crime Study, Ponemon Institute

Cloud, mobile, social and big data drive unprecedented change

Businesses are adopting mobile, social, big data and cloud to analyze and share information at unprecedented rates. This influx of new innovation, technologies, and end-points pushes more and more business transactions outside company walls and completely transforms enterprise security as we know it. As the traditional network perimeter permanently dissolves, it is more difficult to defend company data from the increasing gaps in security, and to verify that users accessing data are protected. In one study, 70% of security executives expressed concern about cloud and mobile security.3 Theft or loss of mobile devices, privacy concerns associated with cloud, and accidental sharing of sensitive data are some of the key fears. Without dynamic protection, an organization may spend more time recovering from attacks than it does preventing them. And those who do not prepare for change are leaving their companies dangerously exposed.

Sources: (3) 2013 CISO Survey, IBM; 2013 Juniper Mobile Threat Report

Yesterday’s security practices are not sustainable

Up to now, organizations have responded to security concerns by deploying a new tool to address each new risk. Now they have to install, configure, manage, patch, upgrade, and pay for dozens of non-integrated solutions with limited views of the landscape. Costly and complex, these fragmented security capabilities do not provide the visibility and coordination needed to stop today’s sophisticated attacks. Moreover, the skills and expertise needed to keep up with a constant stream of new threats are not always available. 83% of enterprises report having difficulty finding the security skills they need.4 And as new risks emerge, the environment will grow more complex and the skills gap wider. 49% of IT executives say that they are challenged by an inability to measure the effectiveness of their current security efforts5 and 31% of IT professionals have no risk strategy at all.6 Many security teams are simply operating in the dark.

Sources: (4) 2012 ESG Research; (5) Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized, Forrester; (6) 2013 Global Reputational Risk & IT Study, IBM

Page 8

Agenda

•  IBM as Security Solution Provider

•  IBM Security Framework

•  X-Force, Security Reports and SecurityIntelligence.com

•  Standards and regulations (NIST)

•  Challenges for the security team in application security

•  Application Security Framework

•  Vulnerabilities at different SDLC stages
   –  Dynamic and static analysis

•  Self-assessment and recommendations

Page 9

IBM Security Investment

•  6,000+ IBM Security experts worldwide

•  3,000+ IBM security patents

•  4,000+ IBM managed security services clients worldwide

•  25 IBM Security labs worldwide

IBM Security: Market-changing milestones

Areas: Mainframe and Server Security; SOA Management and Security; Network Intrusion Prevention; Database Monitoring; Access Management; Application Security; Compliance Management; Identity Management; Advanced Fraud Protection; Security Analytics; Security Intelligence

1976: Resource Access Control Facility (RACF) is created, eliminating the need for each application to embed security

1999: Dascom is acquired for access management capabilities

2002: Access360 is acquired for identity management capabilities; MetaMerge is acquired for directory integration capabilities

2005: DataPower is acquired for SOA management and security capabilities

2006: Internet Security Systems, Inc. is acquired for security research and network protection capabilities

2007: Watchfire is acquired for security and compliance capabilities; Consul is acquired for risk management capabilities; Princeton Softech is acquired for data management capabilities

2008: Encentuate is acquired for enterprise single-sign-on capabilities

2009: Ounce Labs is acquired for application security capabilities; Guardium is acquired for enterprise database monitoring and protection capabilities

2010: BigFix is acquired for endpoint security management capabilities; NISC is acquired for information and analytics management capabilities

2011: Q1 Labs is acquired for security intelligence capabilities

2012: IBM Security Systems division is created

2013: Intent to acquire Trusteer for mobile and application security, counter-fraud and malware detection

Page 10

IBM Security Framework

http://www.redbooks.ibm.com/abstracts/sg248100.html

Page 11

X-Force Threat Intelligence: The IBM Differentiator

•  URL/Web Filtering: Provides access to one of the world’s largest URL filter databases containing more than 20 billion evaluated Web pages and images

•  Anti-Spam: Detect spam using known signatures, discover new spam types automatically, 99.9% accurate, near 0% overblocking

•  IP Reputation: Categorize malicious websites via their IP address into different threat segments, including malware hosts, spam sources, and anonymous proxies

•  Web Application Control: Identifying and providing actions for application traffic, both web-based, such as Gmail, and client based, such as Skype

Advanced Security and Threat Research. The mission of X-Force is to:

§  Monitor and evaluate the rapidly changing threat landscape

§  Research new attack techniques and develop protection for tomorrow’s security challenges

§  Educate our customers and the general public

Page 12

Security Intelligence

http://www-03.ibm.com/security/xforce/

http://securityintelligence.com/

Page 13

Page 14

Security functionality examples

•  Safeguard patient data

•  Secure the credit card environment

•  Protect self-service DMV portal

•  Protect critical infrastructure for the smart grid

•  Reduce online banking fraud

•  Secure data exchange among insurance providers

•  Control access to auto designs and intellectual property

Page 15

Standards and Regulations

http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/

v1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Executive Order 13636 from President Obama was issued on February 12th 2014.

Software Risk and the Framework

Software security is a critical component of cybersecurity. If the apps you’re running can be exploited, the services they’re running are at risk. And though there isn’t a special section devoted to applications or building software in the NIST Framework, software is mentioned a number of times and should be addressed as part of the broader cybersecurity program.

Page 16

Security team challenges

1000s of apps. A small team.

What is our application security status? Which are our most important applications?

How many of them have we assessed? Which ones present the highest risk?

Which vulnerabilities should we fix first? What are the most common mistakes developers make?

Page 17

Applications

Reducing the costs of developing secure applications and assuring the privacy and integrity of trusted information

Portfolio Overview

AppScan Enterprise Edition

•  Enterprise-class solution for implementing and managing an application security program; includes high-level dashboards, test policies, scan templates and issue management capabilities

•  Multi-user solution providing simultaneous security scanning and centralized reporting

AppScan Standard Edition

•  Desktop solution to automate web application security testing for IT Security, auditors, and penetration testers

AppScan Source Edition

•  Static application security testing to identify vulnerabilities at the line of code. Enables early detection within the development life cycle.

Page 18

Application Security Framework

Integrated Solutions – From Development to Deployment. Risk Management and Visibility.

Security Intelligence, Policy and Governance: activity monitoring, context, risk assessment, compliance reporting

Test (Scan & Remediate)

•  Development: eLearning, Correlation, Vuln Disclosure

•  Deployment: White/Black Lists, Big Data Analytics, Procurement

•  Integrations

Protect (Block & Prevent)

•  Web Application Firewall, Intrusion Prevention, Database Activity Monitoring, Containerization / Sandbox, Dynamic Scanning (light)

Assure (Rank & Validate)

•  Application Reputation, Vendor Rankings, Compliance Scanning, Research Updates…

•  Static, Dynamic, Binary or Manifest testing based on access

Testing stages: Static Source, Dynamic Pre-Launch, Static Binary, Dynamic Production

Key Trends

•  Application Testing Services from the Cloud: full managed service – easy to start and easy to test third party apps

•  Mobile Application Testing; Mobile Application Reputation Services

Page 19

The Old Story – Still Valid But There’s More…

•  Find during Development: $80/defect

•  Find during Build: $240/defect

•  Find during QA/Test: $960/defect

•  Find in Production: $7,600/defect

80% of development costs are spent identifying and correcting defects!*

Average Cost of a Data Breach $7.2M** from lawsuits, loss of customer trust, damage to brand

* Source: National Institute of Standards and Technology

** Source: Ponemon Institute 2009-10

Page 20

Application Security: Helping to protect against the threat of attacks and data breaches

Page 21

Finding more vulnerabilities using advanced techniques

Static Analysis
-  Analyze Source Code
-  Use during development
-  Uses Taint Analysis / Pattern Matching

Dynamic Analysis
-  Analyze Live Web Application
-  Use during testing
-  Uses HTTP tampering

Hybrid Analysis
-  Correlate Dynamic and Static results
-  Assists remediation by identification of line of code

Client-Side Analysis
-  Analyze downloaded JavaScript code which runs in client
-  Unique in the industry

Run-Time Analysis
-  Combines Dynamic Analysis with run-time agent
-  More results, better accuracy

Chart axes: Total Potential Security Issues vs. Applications

Page 22

No single automated analysis technique can find all possible vulnerabilities. Each technique has its own strengths and blind spots, which is why a single point tool can leave you exposed. To find the most vulnerabilities, you should employ all the analysis techniques available today. IBM has combined a leading Static Analysis solution (developed by Ounce Labs) with a leading Dynamic Analysis solution (developed by Watchfire). IBM has combined these two established technologies, and has since added Hybrid analysis to combine and correlate their results. In 2011, IBM added new techniques for client-side analysis (aka Javascript Analyzer) and most recently run-time analysis (aka Glassbox).

Static Analysis examines the source code for potential vulnerabilities. Static analysis can be used earlier in the development cycle, because you don’t need a running application. Static analysis can also produce a large volume of results, which can overwhelm development teams. Also, developers may question whether an identified vulnerability can be exploited (i.e. the “issue” could be mitigated somewhere else in the code, so it may not manifest itself as a true vulnerability).

Dynamic Analysis tests a running application, by probing it in similar ways to what a hacker would use. With Dynamic Analysis results, it is easier to connect the vulnerability and a potential exploit. Dynamic Analysis is reliant on an ability to automatically traverse an application and test possible inputs. With Dynamic Analysis, the auditor is always asking “did I get proper test coverage”. Because Dynamic Analysis requires a running application, it typically cannot be used until an application is ready for functional testing (i.e. later in the development cycle).

Hybrid Analysis brings together Dynamic and Static to correlate and verify the results. Issues identified using dynamic analysis can be traced to the offending line of code. Issues identified in static analysis can be validated with an external test.

Client-side Analysis (aka JSA) analyzes code which is downloaded to the client. As more functionality is performed client-side, the prospect of client-side vulnerabilities and exploits increases. This capability, new in 2011, is unique in the market.

Run-time Analysis (aka Glassbox) places a run-time agent on the application machine, and analyzes the application as it is being tested. This combines the aspects of Dynamic and Static analysis at run-time, finding more vulnerabilities with greater accuracy. Glassbox analysis was introduced in the most recent release of AppScan, at the end of 2011.
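To make the static-analysis notes concrete, here is an added example (it is not AppScan code and not part of the presentation): a toy intra-procedural taint tracker over Python source, built on the standard ast module, that reports the source line and the sink line of each flow, which is the line-of-code information the notes say drives remediation. The source, sanitizer and sink names and the SAMPLE handler are constructed assumptions; the last finding it reports is the kind a developer may dispute, because the analyzer cannot see whether build_query mitigates the issue elsewhere.

```python
"""Toy intra-procedural taint analysis over Python source, built on the ast module.
Constructed for this example (not AppScan's engine): SOURCES, SANITIZERS, SINKS and
SAMPLE are hypothetical. It shows source-to-sink reasoning with line numbers."""
import ast
from collections import namedtuple
from typing import Optional

SOURCES = {"request.args.get", "request.form.get"}   # untrusted input enters here
SANITIZERS = {"html.escape", "int"}                  # calls that neutralise taint
SINKS = {"cursor.execute": "SQL injection", "render_raw": "cross-site scripting"}

Finding = namedtuple("Finding", "kind sink_line source_line variable")


def _call_name(node: ast.AST) -> str:
    # Dotted name of a call target, e.g. 'request.args.get'; "" if not a name.
    if isinstance(node, ast.Attribute):
        return f"{_call_name(node.value)}.{node.attr}"
    return node.id if isinstance(node, ast.Name) else ""


class TaintTracker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted = {}    # variable name -> line where its taint entered
        self.findings = []

    def _first_origin(self, exprs) -> Optional[int]:
        for expr in exprs:
            origin = self._origin(expr)
            if origin is not None:
                return origin
        return None

    def _origin(self, expr: ast.AST) -> Optional[int]:
        """Line of the source feeding expr, or None when expr is clean."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Call):
            name = _call_name(expr.func)
            if name in SOURCES:
                return expr.lineno
            if name in SANITIZERS:
                return None          # a sanitizer cuts the flow
            # Unknown callee: assume taint passes through its arguments. A
            # finding built on this is disputable if the callee mitigates it.
            return self._first_origin(expr.args)
        if isinstance(expr, ast.BinOp):       # "..." + var, "%s" % var
            return self._first_origin([expr.left, expr.right])
        return None

    def visit_Assign(self, node: ast.Assign) -> None:
        origin = self._origin(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if origin is None:
                    self.tainted.pop(target.id, None)   # reassigned from clean data
                else:
                    self.tainted[target.id] = origin
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        kind = SINKS.get(_call_name(node.func))
        if kind:
            for arg in node.args:
                origin = self._origin(arg)
                if origin is not None:
                    names = [n.id for n in ast.walk(arg)
                             if isinstance(n, ast.Name) and n.id in self.tainted]
                    self.findings.append(Finding(kind, node.lineno, origin,
                                                 names[0] if names else "<expr>"))
        self.generic_visit(node)


def analyze(source: str) -> list:
    """Return findings as (kind, sink_line, source_line, variable) tuples."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample: line 3 is a real flow, line 5 is sanitized on line 4, and
# line 6 is flagged only because the analyzer cannot see inside build_query.
SAMPLE = '''\
def handler(request, cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM t WHERE name = '" + user + "'")
    safe = html.escape(user)
    render_raw("<h1>" + safe + "</h1>")
    cursor.execute(build_query(user))
'''
```

Running `analyze(SAMPLE)` yields two SQL injection findings (sink lines 3 and 6, both from source line 2) and nothing for the escaped value on line 5; a dynamic probe of the endpoint is what would settle whether the line 6 finding is real, which is the correlation the hybrid approach described above is for.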

Page 23

Important Questions to Consider

Do the applications contain sensitive data?

§  Is the data protected?

§  How do you know if it’s protected?

Do you outsource your mobile application development? How do you keep pace with the constant mobile updates?

§  How do you determine risk?

§  Do you have mobile specific security expertise?

§  Do you have acceptance criteria?

§  Do you check application security every release?

§  Do you have a way to automate testing?

Page 24

Application Security Awareness

What is application security testing? Just got breached, how do we prevent this? How do we protect our mobile apps?

From “Do Nothing” to “Reactive” to “Proactive”!

Where are you on this spectrum?

Page 25

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Page 26

Page 27

http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security

Page 28

http://web.nvd.nist.gov/view/vuln/search-results?query=vmware&search_type=all&cves=on

http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware

http://search.iss.net/Search.do?keyword=vmware&searchType=keywd&x=0&y=0

Page 29

Security Cloud vs. Virtual …

https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf

https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf

Page 30

http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security

Page 31

Page 32

Page 33

http://www-935.ibm.com/services/image/cybersecurity_infographic.jpg

Page 34

Guide to implementing a secure cloud

The following security measures represent general best practice implementations for cloud security.

•  Implement and maintain a security program.

•  Build and maintain a secure cloud infrastructure.

•  Ensure confidential data protection.

•  Implement strong access and identity management.

•  Establish application and environment provisioning.

•  Implement a governance and audit management program.

•  Implement a vulnerability and intrusion management program.

•  Maintain environment testing and validation.

Build and maintain a secure cloud infrastructure

4. Protect administrative access.
4.3. Maintain an audit trail of administrative actions.
4.4. The cloud host should develop and publish configuration management guidelines.
4.5. Implement an Asset Discovery Mechanism to identify resources in use in the target environment.
4.6. Regularly review Asset Maps to understand assets in the cloud environment.
4.7. Maintain a Configuration Data Store to enable auditability and general security understanding.

5. Ensure patch management.
5.1. The cloud host should develop and publish a patch and change management program.
5.2. Develop a pre-production patch management system to enable business resiliency.
5.3. Ensure logging is enabled for all patch processes, and develop the appropriate documentation.
5.4. Ensure that all systems and applications are running the latest vendor-supplied patches and updates within the period specified in the patch and change management program. Ensure that an appropriate time frame is established.
5.5. Establish a process or utilize a third-party vendor to maintain awareness of the latest security vulnerabilities.

Page 35

http://www.redbooks.ibm.com/abstracts/redp4614.html

http://www.redbooks.ibm.com/abstracts/redp4893.html

http://publib-b.boulder.ibm.com/abstracts/sg247928.html

Page 36

https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf

http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF

Page 37


Page 38

Slide 04: media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf

Slide 05:
http://www.slideshare.net/junipernetworks/third-annual-mobile-threats-report
http://www.juniper.net/us/en/forms/mobile-threats-report/
http://www-935.ibm.com/services/us/gbs/bus/html/risk_study.html
http://www-935.ibm.com/services/us/gbs/bus/html/reputational-risk-resolution-for-2013.html
http://www.ibm.com/developerworks/library/se-global/
http://www.ponemon.org/data-security
http://www.esg-global.com/blogs/more-on-the-security-skills-shortage-issue/
http://www.esg-global.com/blogs/the-security-skills-shortage-is-worse-than-you-think/
http://www.esg-global.com/blogs/what-cisos-can-do-about-the-cybersecurity-skills-shortage/
http://www.slideshare.net/IBMGovernmentCA/reputational-risk-16787581

Slide 10: http://www.redbooks.ibm.com/abstracts/sg248100.html

Slide 12:
http://securityintelligence.com/
http://www-03.ibm.com/security/xforce/

Slide 15: http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/

Page 39

Slide 27: http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security

Slide 28:
http://search.iss.net/Search.do?keyword=vmware&searchType=keywd&x=0&y=0
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware
http://web.nvd.nist.gov/view/vuln/search-results?query=vmware&search_type=all&cves=on

Slide 29:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf

Slide 30: http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security

Slide 31: http://www-935.ibm.com/services/image/cybersecurity_infographic.jpg

Slide 35:
http://www.redbooks.ibm.com/abstracts/redp4614.html
http://publib-b.boulder.ibm.com/abstracts/sg247928.html
http://www.redbooks.ibm.com/abstracts/redp4893.html

Slide 35:
http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf