2014 Security Trends: Attacks Advance, Hiring Gets Harder, Skills Need Sharpening
John Pescatore, Director SANS
© 2014 The SANS™ Institute – www.sans.org
Making Security Advances During Turbulent Times
Threats aren’t standing still
Business/technology demands aren’t, either
Staffing: Force Multipliers Needed
CXO’s View of Security 2014
• University of Maryland
• Target breached, CIO resigns
• NSA/Snowden drip, drip, drip
• Heartbleed!
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Top 5 Game Changers
Choose your own IT (CYOIT)
Increased virtualization and use of cloud and software-as-a-service (SaaS)
The Internet of Things/everything
Supply chain integrity worries
Increased threat targeting/evasion
Mobility Drives Cloud and CYOIT
IT has less control over user devices
Heterogeneity will be the norm
Tablets and smartphones are not just small PCs!
% of employees using personally owned devices for work
Cost Reduction Drives Cloud and Virtualization
Percentage of installed x86 workloads running in a VM:
2015: 77%
2014: 72%
2013: 65%
2012: 58%
2011: 49%
2010: 38%
2009: 27%
2008: 18%
Plans for use of hybrid cloud by YE2015
Ladders
Near term
Mobile Device Management/NAC
Cloud Security Standards
Policy/legal/awareness
Next year
Security as a Service
Business App Store
Data Encryption
What Things Will Be First?
[Chart: What types of IoT applications is your organization involved in or planning to be involved in? Axis: 0% to 80%. Series: Producing; Operating/Managing.]
Categories:
Consumer devices (set tops, security/camera, etc.)
Smart building/HVAC automation/commercial building management
Electrical, water, gas production, utilities
Medical devices
Other transportation smart systems
Automotive smart systems
Manufacturing systems (not electrical, water, gas)
Food production systems/refrigeration
Source: SANS 2013
Major Differences
Old Things
General purpose OS
Fixed, wired
TCP/IP, 802.11, HTML5
Layered apps
Homogeneous
Enterprise-driven
2-3 year life cycle
Impact data
New Things
Embedded OS
Mobile, wireless
Zigbee, IoT6, WebHooks
Embedded apps
Heterogeneous
Consumer-driven
.2 to 20 year life cycle
Impact health/safety
Supply Chain Threats and Integrity
Assuring products haven’t been compromised
Detecting attacks against 3rd party vendors
Shortening incident response time
Ladders
Near term
Discovery/inventory (no client SW)
NNGFW/“Data Diodes”
Expand penetration testing
Next year
Next Generation DMZ/Security as a Service
Community “Device Stores”
OT/IT Integration
Increased Targeting and Evasion
More targeting of people and data
Evasion techniques extending compromises
Customers should not be our IDS!
Source: Verizon 2013 DBIR
Ladders
Near term
Critical Security Controls gap assess
Advanced Threat Detection/Forensics
White list on servers
Next year
Beachheads: data encryption, stronger authentication, privilege management
ISAC/Info Sharing/What Works
Staffing Growth Today
[Chart: Did your organization reduce or increase security staffing over the past 12 months? Axis: 0% to 30%. Categories: Unknown; More than 10% reduction; 1-10% reduction; No change; 1-10% increase; More than 10% increase.]
Staffing Growth Tomorrow
[Chart: What is the projection for security staffing over the next 12 months? Axis: 0% to 30%. Categories: Unknown; More than 10% reduction; 1-10% reduction; No change; 1-10% increase; More than 10% increase.]
Career Focus
Reduce: Administrative time spent, Technical time
Increase: Upwards focus, Forensics
Area of Focus Today Next 5 yrs
Management/Leadership 25.4% 33.1%
Administration 18.0% 5.2%
Engineering 17.8% 10.0%
Other 11.9% 4.3%
Audit 10.7% 5.9%
Forensics 7.7% 9.7%
Testing 4.4% 3.3%
Development 4.1% 3.0%
Making Sure Load-bearing Security Processes Survive the Renovation
When something goes wrong, it’s either because there is too much process, too little process or the wrong process. (Mihnea Galeteanu)
• These inescapable trends will cause much breakage in existing governance and security processes and controls
• Critical Security Controls to review and update:
  • Inventory/Vulnerability Management
  • Privilege Management
  • Incident detection/prevention/response
  • Application security
  • Data protection
  • Staffing/awareness
• Communicating to management – ladders to take, chutes to avoid.