Information Security Challenges and Strategies for 2007+ Mark Bouchard, CISSP Missing Link Security Services, LLC mark@missinglinksecurity.net
Agenda
• Enterprise IT
  • What’s hot, what’s not, and what could be
• Enterprise Security
  • Threat and Vulnerability Trends
  • Communications vs. Content
  • Countermeasures: what’s hot, what’s not
• In Focus: Threat & Vulnerability Management
  • Bits and pieces
  • The emergence of the Enterprise TVM System
• Summary & Conclusions
  • Call to action
Enterprise IT – Part 1
• Virtualization
  • Objective: efficient resource utilization
  • Implication: complicates monitoring (traffic between VMs on the same host never touches the wire, so network sensors miss it)
• VoIP
  • Objective: reduced costs
  • Implication: more stuff to secure
• SOA / Web services
  • Objective: flexible, re-usable modules
  • Implication: less structured comms
• Software-as-a-Service (SaaS)
  • Objective: faster; lower TCO
  • Implication: more/bigger Internet connections

Executive Concerns (Source: Harris Interactive, n=197)
• 61% security breaches
• 55% acts of terrorism
• 40% corp. malfeasance
• 21% product recalls
• 19% workforce violence
Enterprise IT – Part 2
• What’s Not Hot
  • Budgets: flat to slightly positive, but also focusing on cost cutting
  • RFID: pockets only
  • Vista (and Office 2007): ~64% say “not in 2007” (source: Deutsche Bank Equity Research)
• What Could Be Hot
  • Think consumer/personal crossovers
  • Video (e.g., in retail banking)
  • 3D graphics (e.g., in education)
  • Intranet blogging, etc.
  • WAN optimization
(Figure: computerized stereolithograph skull of a 2,000-year-old Egyptian mummy)
The Threat Landscape
• Greater volume of threats
  • Change in hacker motivation
  • Exploit development tools
  • Modularity of threats
• Faster creation of threats
  • V-to-E (vulnerability-to-exploit) window is shrinking
• Fast propagation of threats
  • Stable, but still not great
• More elusive than ever!
  • Blended becoming status quo
  • Greater variety of threat types
  • Attacking higher up the stack
  • Increasingly targeted

Vulnerability to Exploit (avg. in days; approximate, various sources)
  2001: ~280
  2002: ~90
  2003: ~25
  2004: ~10
  2005: <5
  2006: <3
The Vulnerability Landscape
• Greater volume of vulns
  • 2,249 new vulns in 1H06; up 18%
  • 80% are “easily exploitable”
• Vuln drivers
  • Expanding/complex tech portfolio
  • Adoption of mobility solutions
  • More web applications
• Window of exposure
  • Availability of fuzzing tools
• Implications
  • Better asset management
  • Greater efficiency in mature areas
  • More flexible security solutions

Average Days From Vulnerability to Patch (Source: Symantec ISTR Vol. IX)
  2H04: 64
  1H05: 49
  2H05: 40
Communications vs. Content
• There are many tools that provide “app layer” protection
  • Deep inspection firewalls
  • Intrusion prevention systems
• But what does “app layer” really mean?
  • Layer 7 = application “services” (the protocol, e.g. HTTP or SMTP, not the program speaking it)
  • Layer 7 ≠ utility app logic
  • Layer 7 ≠ business app logic
  • Layer 7 ≠ data
• Better model/approach
  • Communications protection (layers 1-7)
  • Content protection (the “real-world” layers above 7)

Figure: OSI Reference Model (layers 1-7) with additional “real-world” layers (i.e., > 7)
  10  Data
   9  Business App   } Content & Biz Logic
   8  Utility App    }
   7  Application    } Comms Services
   6  Presentation   }
   5  Session        }
   4  Transport
   3  Network
   2  Data Link
   1  Physical
Layer 8+ Security Solutions
• Web application firewalls
  • Mostly covering layer 9 (business application logic)
  • Mostly positive model (describe what a legitimate request looks like and reject the rest, rather than enumerating known attacks)
  • Challenging to implement
  • Do not alleviate need for TVM
  • PCI DSS v1.1, Requirement 6.6 (code review or an application-layer firewall for public-facing web apps)
• Database “firewalls”
  • Mostly covering layer 10 (?)
  • SQL injection attacks
  • Shouldn’t be necessary: the fix belongs in the application (parameterized queries), not in front of the database
  • Other protection features tip the scale
  • Examples: Application Security, Guardium, Imperva
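The point behind “shouldn’t be necessary” and “positive model”, shown in code. This is an added example, not code from the slides or from any of the vendors named above; the table, rows, attacker string and username pattern are all constructed for the demonstration. The injected input produces a syntactically valid SQL statement, which is why a layer 3-7 device sees nothing wrong with it, while the same query with bound parameters is immune and a positive-model check at layer 9 rejects the input before it reaches the query at all.

```python
"""Added example: SQL injection at layer 9 vs. the two controls that
actually address it (parameterized queries, positive-model validation).
Schema, rows and inputs are constructed; nothing here is vendor code."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: a tiny user store held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Business logic built by string concatenation.  The statement that
    reaches the database is well-formed SQL over a normal TCP session, so
    a communications-layer control (firewall, IPS) has nothing to flag."""
    sql = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the driver ships the values as
    data, so a quote inside the input can never alter the statement."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Positive model (the WAF idea): state what a legitimate username looks
# like and reject everything else, instead of listing known bad strings.
# The pattern is an assumption for this example, not a general rule.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def positive_model_allows(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


INJECTION = "' OR '1'='1"  # constructed attacker input


def demo() -> dict:
    """Run both login paths with a legitimate and an injected input."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_attack": login_vulnerable(conn, INJECTION, INJECTION),   # True: bypass
        "param_legit": login_parameterized(conn, "alice", "s3cret"),
        "param_attack": login_parameterized(conn, INJECTION, INJECTION),  # False
        "waf_allows_legit": positive_model_allows("alice"),
        "waf_blocks_attack": not positive_model_allows(INJECTION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The concatenated query becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row; that is the whole attack, and it is invisible at layers 1-7. A database “firewall” would have to recognise that shape after the fact, whereas the parameterized version has no shape to recognise.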
Data (Layer 10) Security Solutions
• Information leak prevention (ILP)
  • Driven by privacy and compliance
  • Multi-channel issue (data leaves by many channels, not just one)
  • Dubious breakdown/stats
  • Low effectiveness, very high cost
• Disk encryption
  • Response to laptop loss/theft
  • Full disk, not just file
• Intersection of two themes
  • Mobile/endpoint security: one of the weakest links
  • Configuration mgmt vs. security: Microsoft is rising fast
(Figure: key ILP contenders)
Not So Hot
• Network Admission Control (NAC: Network Admission Confusion)
  • Cluttered market
  • Slow roller
  • Is it what you really want?
• Identity Management
  • Becoming background “noise”
  • Policy/authorizations bigger deal
• Compliance
  • Fatigue
  • Foundations are in place
• De-perimeterization
  • Poor term for relatively good ideas
  • Pervasive perimeterization instead
Evolution of Threat & Vuln Mgmt - 1
• Threat Management
  • Hot: better visibility
  • Med: policy enforcement
  • Cold (still): automated response
• Vulnerability Management
  • Hot: remediation
  • Med: penetration (test) integration
  • Cold (still): asset integration
• Log management
  • Why is it so hot?
• The emergence of TVM
  • Lifecycle approach
  • Systems approach
  • Services approach

Figure: attack lifecycle (Before Attack / During Attack / After Attack, plotted against Time/Value of Impact), with the functions Police, Protect, Detect, Interdict, Analyze, Recover, Respond in that order along the timeline. Must have full coverage.
Evolution of Threat & Vuln Mgmt - 2
Figure: the Enterprise TVM System
• Functions: vulnerability detection, threat detection, policy enforcement, interdiction, remediation, forensics
• Analyzers: signatures, anomalies, heuristics
• Context: identity, threat knowledge, vulnerability knowledge, pen test
• Other axes shown: passive / active; behavior / environment
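The “systems approach” in miniature, and why the still-cold “asset integration” matters. This is an added example, not code from the slides or from any TVM product; every host, signature name, vulnerability ID and alert is constructed. It joins threat detection (IDS alerts) with vulnerability knowledge (scan results) and asset context (inventory) so that an alert against a host that is actually exposed outranks the same signature against one that is not, and so that the remediation queue is driven by what attackers are really probing.

```python
"""Added example: correlating threat detection, vulnerability knowledge
and asset context, the core of an Enterprise TVM System.  All data is
constructed; IDs like VULN-DB-007 are placeholders, not real advisories."""
from dataclasses import dataclass

# Context: asset inventory (constructed).  Criticality is 1 (low) to 5 (high).
ASSETS = {
    "10.0.0.5":  {"name": "web01", "criticality": 3},   # internet-facing app
    "10.0.0.9":  {"name": "db01",  "criticality": 5},   # customer data
    "10.0.0.42": {"name": "kiosk", "criticality": 1},
}

# Vulnerability knowledge: last scan results by host (constructed).
VULNS = {
    "10.0.0.5": {"VULN-WEB-001"},
    "10.0.0.9": {"VULN-DB-007"},
}

# Threat knowledge: which IDS signature exploits which vulnerability
# (constructed mapping; None = recon noise with no specific vuln).
SIG_TO_VULN = {
    "SQLI-UNION-SELECT": "VULN-DB-007",
    "HTTP-PATH-TRAVERSAL": "VULN-WEB-001",
    "NOISY-SCANNER": None,
}


@dataclass
class Alert:
    src: str
    dst: str
    signature: str


@dataclass
class Scored:
    alert: Alert
    score: int
    reason: str


def score_alert(a: Alert) -> Scored:
    """Threat alert + asset context + vuln knowledge -> priority score."""
    asset = ASSETS.get(a.dst)
    if asset is None:
        # An alert we cannot place: this is the asset-integration gap.
        return Scored(a, 0, "unknown asset; inventory gap")
    vuln = SIG_TO_VULN.get(a.signature)
    if vuln is None:
        return Scored(a, asset["criticality"], "no vuln mapping; criticality only")
    if vuln in VULNS.get(a.dst, set()):
        return Scored(a, asset["criticality"] * 10, f"target vulnerable to {vuln}")
    return Scored(a, asset["criticality"], f"target not vulnerable to {vuln}")


def triage(alerts) -> list:
    """Highest-priority alerts first."""
    return sorted((score_alert(a) for a in alerts), key=lambda s: -s.score)


def remediation_queue(scored) -> list:
    """Vulns that are both present on the target and actively being probed:
    the remediation work that buys the most risk reduction right now."""
    return sorted({
        f"{s.alert.dst}:{SIG_TO_VULN[s.alert.signature]}"
        for s in scored if s.reason.startswith("target vulnerable")
    })


# Constructed IDS alerts, all from the same external source.
SAMPLE_ALERTS = [
    Alert("198.51.100.7", "10.0.0.42", "SQLI-UNION-SELECT"),    # kiosk, no DB vuln
    Alert("198.51.100.7", "10.0.0.9", "SQLI-UNION-SELECT"),     # vulnerable database
    Alert("198.51.100.7", "10.0.0.5", "NOISY-SCANNER"),         # recon against web01
    Alert("198.51.100.7", "10.0.0.77", "HTTP-PATH-TRAVERSAL"),  # host not in inventory
]

if __name__ == "__main__":
    ranked = triage(SAMPLE_ALERTS)
    for s in ranked:
        print(f"{s.score:3d}  {s.alert.dst:<10} {s.alert.signature:<20} {s.reason}")
    print("remediate first:", remediation_queue(ranked))
```

Two things the output shows that a signature-only console does not: the same SQLi signature scores 50 against db01 and 1 against the kiosk, and the alert against 10.0.0.77 scores zero not because it is harmless but because the inventory cannot say, which is exactly the asset-integration gap the previous slide marks as still cold.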
Summary & Conclusions: Call to Action
• Be prepared to account for and secure other IT initiatives
• Be prepared for threat and vulnerability trends by establishing:
  • Comprehensive functional coverage
  • Comprehensive logical coverage
  • Comprehensive physical coverage
• Plan to embrace the most promising countermeasures
  • Web app firewalls, disk encryption, network behavior analysis
  • Others: unified threat management, managed security services
• Be wary of less mature (/more complex) “solutions”
  • NAC, information leak prevention, de-perimeterization
• Embrace the concept of a TVM System
  • Components first; integrated system soon