UBM Copyright 2014. All Rights Reserved © 2015 Property of UBM Tech; All Rights Reserved

Connecting The Information Security Community

Sara Peters, Senior Editor, Dark Reading
Eric Hanselman, Chief Analyst, 451 Research

2015 Enterprise Securities Priorities
Connecting The Business Technology Community

Worldwide IT security spending was over $70B in 2014, and expected to reach almost $77B in 2015. (1)

75% of IT professionals believe their organizations are about the same or more vulnerable to attacks than a year ago. (2)

Security’s Hottest Trends
• Frequency, cost, and size of breaches continue to rise
• Higher percentage of targeted and politically-motivated threats
• Current, Single-Purpose Security Technology Is Not Working
• Increasing Portion of Computing Is Out of IT’s Control
• Shortage of Staffing, Skills

(1) Source: Gartner, Aug 2014
(2) Source: InformationWeek Strategic Security Survey, April 2014

The Critical Role of IT Security Professionals
Create A Secure Business That Doesn’t Hinder Operations

Today’s Enterprises Are Faced With Some of the Most Sophisticated Threats They Have Ever Encountered
• Today’s security pros are tasked with figuring out what is compromising their systems, how to fix the damage, and how to prevent it from happening again.
• They have no single place to both gather and share information, relying on a myriad of sites and social networks.

What IT Security Pros Need To Succeed
• Alerts on attacks and vulnerabilities as soon as they are discovered
• Insight on emerging threats and vulnerabilities to help “triage” current dangers and prioritize responses
• Feedback from industry colleagues on the right actions to take and how to implement them
• Understanding vendor strategies – not just what’s new

451 Research

Founded in 2000

210+ employees, including over 100 analysts

1,000+ clients: Technology & Service providers, corporate advisory, finance, professional services, and IT decision makers

15,000+ senior IT professionals in our research community

Over 52 million data points each quarter

4,500+ reports published each year covering 2,000+ innovative technology & service providers

Headquartered in New York City with offices in London, Boston, San Francisco, and Washington D.C.

451 Research and its sister company Uptime Institute comprise the two divisions of The 451 Group

Research & Data

Advisory Services

Events

451 Research is an information technology research & advisory company

Agenda

A true Crash Course – InfoSec in an hour
• Introduction
• The State of Enterprise Security
• Today’s Enterprise Threat Environment
• Why Enterprise Security Requires a Multi-Layered Defense
• Understanding Targeted Attacks
• The Real Risks of Mobile Technology In the Enterprise
• Users, Endpoints, and Passwords – What Really Works
• Insider Threats and Preventing Data Leaks
• Social Engineering – How Users Get Fooled (And How to Stop It)
• Eliminating Risk In Cloud Computing Environments
• Q&A

The State of Enterprise Security
Collision of requirements

• Protection
• Mitigation
• Governance, regulatory, compliance
• Enablement

We’re Playing Defence
Threats are on the attack

Whether in detection, control, or prevention, we are notching personal bests but all the while the opposition is setting world records. - Dan Geer, CISO In-Q-Tel

Meet Your Adversaries
Changing players with varied motivations

• Your users
• Your vendors
• Lower skilled attackers
• Cyber criminals
• Hacktivists
• Nation states

Your Users
Well meaning and trying to get work done

• Risks: Device/data loss, Phishing victims
• Consumer technology mindset
• Limited understanding of risks
• Some malicious users, too

Your Vendors and Partners
Good intentions, but imperfect

• Risks: Vulnerable software and equipment, data and identity compromise
• Operational costs for maintenance and patching
• Access often not limited well
• Audits not often extended

Lower skilled attackers
Annoying, but potentially dangerous

• Risks: Door knob rattling, systems damage
• Script kiddies and the like
• Tool availability spawns experimentation
  – A path for snooping or malicious users
• Can be part of reconnaissance process

Cyber Criminals
It’s just a job…

• Risks: Data and financial loss, denial of service
• The rise of guild culture
  – Specialized services
• Tools part of the infosec arms race
  – There’s money in this
• Persistent and sophisticated

Hacktivists
Politically motivated, but which politics?

• Risks: Data release, denial of service, collateral damage
• Poorly defined groups
• Motivations not always clear
• Power in numbers
• Reasonably sophisticated tools

Nation States
Complex motivations, murky definition

• Risks: Data loss, Denial of service, collateral damage
• More actors arriving
• The most sophisticated tools
• Often invoked, seldom fully identified

Anatomy of an Attack
Determined attackers have a plan

• Reconnaissance
• Beachhead
• Exploration
• Compromise
• Export
• Cleanup

Advanced Persistent Threats
APT’s, all the time!

• Some clarity is needed on definition
• APT’s are people and attack campaigns
• APT’s are not technology or tools
• An APT attack will span considerable time
• Effective protections look to break attack process

Effective Security in a Changing World
There is no single path, but many can be effective

• Enhancing security posture requires enterprise efforts
• Many components with shared intelligence
  – Complex coordination task
• Much more than anti-malware

Attitudes Need to Change
Presuming that you’ve been compromised

• Best defence is enhanced situational awareness
• Current attack capabilities are overwhelming
• Best tools increase visibility while limiting complexity
• Security can’t be the department of “No!”
  – Transformation to department of “know!”

We’re Still Buying Lots of Security
Budgets and purchasing expectations are up

Source: 451 Research's Customer Insight, TheInfoPro Information Security 2H 2014

But We’re Changing What We Buy
Chasing effective mitigations

Source: 451 Research's Customer Insight, TheInfoPro Information Security 2H 2014

Q. How will your spending on this technology change in 2015 as compared to 2014? n=210 to 213. Data from respondents not using the technology or that don't know about spending are hidden.

[Chart: share of respondents reporting Less Spending, About the Same, or More Spending for each technology: Threat Intelligence; Patch Management; Anti-spam/Email Security; Antivirus/Endpoint Security; Anti-DDoS; Web Application Firewall; Network Data-loss Prevention…; IT Sec Training/Edu/Awareness; Endpoint Data-loss Prevention…; Event Log Management System; NIDS/NIPS; Security Information Event…; Application-aware/Next-gen Firewall; Mobile Device Management]

Multi-Layered Defence is Needed
Sophisticated attacks need sophisticated defence

• No one tool does all tasks
• Need visibility across many points
• Protection on different platforms
• Protection through different means

The Perimeter is No Longer Enough
Bulwarks are important, but not everyone’s within the walls

• No one tool does all tasks
• Need visibility across many points
• Protection can’t depend on location
  – Refocusing on points of use
  – Data path awareness

Internal Segmentation is Critical
Protection against the results of compromise

Understanding Targeted Attacks
Acting with an enhanced security posture

• How do you disrupt targeted attacks?
  – Enhance the targets!
  – Train teams in attack patterns
  – Act on your threat intelligence
    – Enabling the “kill chain”
• What do you do when you find them?
  – Have an incident response plan
    – Make sure that you’ve exercised it regularly!

Incident Response Planning
Follow up is just as important as protection

The Real Risks of Mobile Technology
What threatens mobile technology?

What’s to be Done About Mobile Security?
It’s a balancing act with your users

• Device protections can work
  – Encryption is effective
  – MDM and MAM are possible, but fragile
    – Compliance monitoring is necessary
  – Device fragmentation varies capabilities
• Users have to participate
• It’s all about balancing risk, protection and functionality

Users, Endpoints, and Passwords
Passwords have issues…

From Nok Nok Labs

Password Alternatives Aren’t Awesome
Improvements, but still some limitations

And It’s Only Getting More Complex
As devices and applications proliferate, complexity grows

The FIDO Alliance Provides an Option
Standards for integrating more sophisticated authentication

• Founded in 2013
• iOS and Android support
  – KitKat and Lollipop
  – Samsung S5, Tab S, Note4
  – iOS8 Secure Enclave
  – iPhone 5S, 6, 6+, Air2, iPad mini
• Requires integration

Insider Threats and Preventing Data Leaks
Getting the best from your communities

• Authorized users are the greatest risk
• People
  – Awareness is your greatest tool
  – Provide tools and capabilities
• Protections
  – Monitoring to gain understanding
• Policies
  – Reward reporting
  – Understand mistakes and errors

Data Exposure Will Happen
Limiting risk and reducing time to detection are critical

• Expect the best, prepare for the worst
• Understand your data
  – Classification
• Protect
  – Partition access
  – Manage identities
    – Privileged user accumulations
• Act
  – Follow the policies

Slip ups

Snoops

Sneaks

Social Engineering
How Users Get Fooled (And How to Stop It)

• People are human
  – And we need to understand that
  – Technology can’t change this
• Social engineering is very effective
  – 91% of targeted attacks involve spear-phishing emails (1)
  – Over 95% of state-affiliated espionage breaches involved the use of phishing emails (2)
  – Over 95% of information security incidents involve human error (3)

(1) Trend Micro 2013
(2) Verizon Data Breach Investigations Report 2013
(3) IBM 2014

Mobility Adds Social Engineering Challenges
The small screen gets immediate attention

• App downloads (1)
  – Lack of understanding of permissions
  – Relying on word of mouth and ratings
• Email Phishing (2)
  – Worse on mobile phones
  – Mobile phones first to arrive at phishing websites
  – 3x more likely to submit credentials
• SMS attacks
  – Smishing, links, reply to

(1) P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall, “A Conundrum of Permissions: Installing Applications on an Android Smartphone”, USEC2012
(2) Trusteer, 2011

Managing Social Engineering Risk
People are your greatest asset, too

• Training is key
• Real life scenario training
• Repeated exposure
• Continuous process
  – Assess: Knowledge tests, mock attacks
  – Educate: Interactive training
  – Reinforce: Newsletters and rewards
  – Measure: Reports and trend analysis

Reducing Risk In Cloud Computing Environments
It’s what you don’t know that will hurt you

• Changes in risk expectations
• Improvements in understanding

2010                                 2013
Abuse of API                         Data Breaches
Insecure API                         Data Loss
Malicious Insiders                   Account Hijacking
Shared Technology Vulns              Insecure APIs
Data Loss/Leakage                    Denial of Service
Hijack of Acct, Service & Traffic    Malicious Insiders
Unknown Risk Profile                 Abuse of Cloud Services
                                     Insufficient Due Diligence
                                     Shared Technology Issues

Top Issues With Cloud Usage
The “SalesForce Effect” is real and prevalent

1. Problem: Limited awareness of cloud use
   Mitigation: Engage business managers and monitor traffic

2. Problem: Data disclosure or non-compliant use
   Mitigation: Classify data! Encrypt or use replacement services

3. Problem: Inconsistent usage controls
   Mitigation: Leverage native encryption and data controls where available and look to platforms when needed

Q&A
We’ve covered a lot of ground and there is much more to consider

• How will you apply what we’ve discussed?

• Can your organization adapt its security thinking?

• What are your first steps from here?
