
Information Security Challenges and Strategies for 2007+

Mark Bouchard, CISSP, Missing Link Security Services, LLC (mark@missinglinksecurity.net). Slide deck covering enterprise IT trends, enterprise security threat and vulnerability trends, countermeasures, and threat & vulnerability management (TVM).


Presentation Transcript


  1. Information Security Challenges and Strategies for 2007+ Mark Bouchard, CISSP Missing Link Security Services, LLC mark@missinglinksecurity.net

  2. Agenda
  • Enterprise IT
    • What’s hot, what’s not, and what could be
  • Enterprise Security
    • Threat and Vulnerability Trends
    • Communications vs. Content
    • Countermeasures: what’s hot, what’s not
  • In Focus: Threat & Vulnerability Management
    • Bits and pieces
    • The emergence of the Enterprise TVM System
  • Summary & Conclusions
    • Call to action

  3. Enterprise IT – Part 1
  • Virtualization
    • Objective: efficient resource utilization
    • Implication: complicates monitoring
  • VoIP
    • Objective: reduced costs
    • Implication: more stuff to secure
  • SOA / Web services
    • Objective: flexible, re-usable modules
    • Implication: less structured comms
  • Software-as-a-Service (SaaS)
    • Objective: faster; lower TCO
    • Implication: more/bigger Internet connections
  [Sidebar: Executive Concerns (Source: Harris Interactive, n=197)]
    • 61% security breaches
    • 55% acts of terrorism
    • 40% corporate malfeasance
    • 21% product recalls
    • 19% workforce violence

  4. Enterprise IT – Part 2
  • What’s Not Hot
    • Budgets: flat to slightly positive, but also focusing on cost cutting
    • RFID: pockets only
    • Vista (and Office 2007): ~64% say “not in 2007” (source: Deutsche Bank Equity Research)
  • What Could Be Hot
    • Think consumer/personal crossovers
      • Video (e.g., in retail banking)
      • 3D graphics (e.g., in education)
      • Intranet blogging, etc.
    • WAN optimization
  [Image: computerized stereolithograph skull of a 2000-year-old Egyptian mummy]

  5. Agenda (section divider; same content as slide 2)

  6. The Threat Landscape
  [Chart: Vulnerability-to-Exploit window, average in days (approximate; various sources)]
    ’01: ~280   ’02: ~90   ’03: ~25   ’04: ~10   ’05: <5   2006: <3 days
  • Greater volume of threats
    • Change in hacker motivation
    • Exploit development tools
    • Modularity of threats
  • Faster creation of threats
    • V-to-E window is shrinking
  • Fast propagation of threats
    • Stable, but still not great
  • More elusive than ever!
    • Blended becoming status quo
    • Greater variety of threat types
    • Attacking higher up the stack
    • Increasingly targeted

  7. The Vulnerability Landscape
  [Chart: Average days from vulnerability to patch (Source: Symantec ISTR Vol. IX)]
    2H04: 64   1H05: 49   2H05: 40
  • Greater volume of vulns
    • 2,249 new vulns in 1H06; up 18%
    • 80% are “easily exploitable”
  • Vuln drivers
    • Expanding/complex tech portfolio
    • Adoption of mobility solutions
    • More web applications
  • Window of exposure
    • Availability of fuzzing tools
  • Implications
    • Better asset management
    • Greater efficiency in mature areas
    • More flexible security solutions

  8. Communications vs. Content
  • There are many tools that provide “app layer” protection
    • Deep inspection firewalls
    • Intrusion prevention systems
  • But what does “app layer” really mean?
    • Layer 7 = application “services”
    • Layer 7 ≠ utility app logic
    • Layer 7 ≠ business app logic
    • Layer 7 ≠ data
  • Better model/approach
    • Communications protection
    • Content protection
  [Figure: OSI Reference Model (layers 1-7) extended with additional ‘real-world’ layers (> 7)]
    Content & business logic:  10 Data, 9 Business App, 8 Utility App
    Communications services:    7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical

  9. Layer 8+ Security Solutions
  • Web application firewalls
    • Mostly covering layer 9 (business app logic, in the slide-8 model)
    • Mostly positive model
    • Challenging to implement
    • Do not alleviate need for TVM
    • PCI DSS v1.1, Requirement 6.6
  • Database “firewalls”
    • Mostly covering layer 10 (?) (data)
    • SQL injection attacks
      • Shouldn’t be necessary
      • Other protection features tip the scale
    • Examples: Application Security, Guardium, Imperva
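The communications-vs-content distinction of slides 8 and 9, as an added example that is not part of the original deck: a request that is perfectly valid HTTP (so a layer-7 "communications" check passes it) can still carry SQL injection aimed at the business-app and data layers. The block contrasts a well-formedness check, a positive-model (allow-list) content check of the kind a WAF applies, and the application-side fix (a parameterised query) that is why a database "firewall" against injection shouldn't be necessary. The /account endpoint, its parameter profile and the account table are assumptions made for the demo; the request lines are constructed, not captured traffic.

```python
"""Added example, not from the slides: valid HTTP vs. valid content.
  1. communications protection: is the request well-formed HTTP?
  2. content protection, positive model: does each parameter match what
     the business app expects?  (a WAF in allow-list mode)
  3. application fix: parameterised SQL, so the value can never become SQL.
The /account endpoint, its parameters and the account table are assumed."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines (not captured traffic).
BENIGN = "GET /account?id=1042&tab=orders HTTP/1.1"
INJECT = "GET /account?id=1042%20OR%201%3D1--&tab=orders HTTP/1.1"

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (/\S*) HTTP/1\.[01]$")


def is_well_formed_http(request_line: str) -> bool:
    """Communications-layer check: syntactically valid HTTP/1.x request line."""
    return REQUEST_LINE.match(request_line) is not None


# Positive model (assumed profile): for each path, the parameters the business
# app accepts and the exact form each must take.  Anything else is rejected.
PROFILE = {
    "/account": {
        "id": re.compile(r"^[0-9]{1,10}$"),
        "tab": re.compile(r"^(orders|profile|settings)$"),
    },
}


def positive_model_allows(request_line: str) -> bool:
    """Content-layer check against the allow-list profile."""
    m = REQUEST_LINE.match(request_line)
    if m is None:
        return False
    target = urlsplit(m.group(2))
    rules = PROFILE.get(target.path)
    if rules is None:
        return False
    # parse_qs percent-decodes, so "1042%20OR%201%3D1--" is seen as "1042 OR 1=1--".
    params = parse_qs(target.query, keep_blank_values=True)
    for name, values in params.items():
        pattern = rules.get(name)
        if pattern is None or not all(pattern.match(v) for v in values):
            return False
    return True


def extract_id(request_line: str) -> str:
    """What the application itself reads from the request."""
    target = urlsplit(REQUEST_LINE.match(request_line).group(2))
    return parse_qs(target.query)["id"][0]


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the data layer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?)",
                     [(1042, "alice"), (1043, "bob"), (1044, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """String-built SQL: the injection a database firewall would have to catch."""
    rows = conn.execute(f"SELECT owner FROM account WHERE id = {raw_id}").fetchall()
    return [r[0] for r in rows]


def lookup_fixed(conn: sqlite3.Connection, raw_id: str) -> list:
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT owner FROM account WHERE id = ?", (raw_id,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = build_db()
    for req in (BENIGN, INJECT):
        print(req)
        print("  well-formed HTTP :", is_well_formed_http(req))
        print("  positive model   :", positive_model_allows(req))
        print("  vulnerable query :", lookup_vulnerable(conn, extract_id(req)))
        print("  fixed query      :", lookup_fixed(conn, extract_id(req)))
```

Both requests pass the HTTP check; only the positive model rejects the injected one, and only the parameterised query is safe regardless of what the WAF did, which is the sense in which the WAF is a second line rather than a substitute for fixing the application.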

  10. Data (Layer 10) Security Solutions
  • Information leak prevention
    • Driven by privacy and compliance
    • Multi-channel issue
    • Dubious breakdown/stats
    • Low effectiveness, very high cost
  • Disk encryption
    • Response to laptop loss/theft
    • Not just file
  • Intersection of two themes
    • Mobile/endpoint security: one of the weakest links
    • Configuration mgmt vs security: Microsoft is rising fast
  [Figure: key ILP contenders]

  11. Not So Hot
  • Network Admission Control
    • Cluttered market
    • Slow roller
    • Is it what you really want?
  • Identity Management
    • Becoming background “noise”
    • Policy/authorizations bigger deal
  • Compliance
    • Fatigue
    • Foundations are in place
  • De-perimeterization
    • Poor term for relatively good ideas
    • Pervasive perimeterization instead
  [Callout: NAC = Network Admission Confusion]

  12. Agenda (section divider; same content as slide 2)

  13. Evolution of Threat & Vuln Mgmt - 1
  [Figure: attack lifecycle (Before Attack / During Attack / After Attack) plotted against Time / Value of Impact, with the functions Police, Protect, Detect, Interdict, Analyze, Recover, Respond. Must have full coverage.]
  • Threat Management
    • Hot: better visibility
    • Med: policy enforcement
    • Cold (still): automated response
  • Vulnerability Management
    • Hot: remediation
    • Med: penetration integration
    • Cold (still): asset integration
  • Log management
    • Why is it so hot?
  • The emergence of TVM
    • Lifecycle approach
    • Systems approach
    • Services approach

  14. Evolution of Threat & Vuln Mgmt - 2
  [Figure: Enterprise TVM system diagram]
  • Functions: Vuln. Detection, Threat Detection, Policy Enforcement, Interdiction, Remediation, Forensics
  • Analyzers: Signatures, Anomalies, Heuristics; Passive / Active; Behavior / Environment
  • Context: Identity, Threat Knowledge, Vuln. Knowledge, Pen. Test
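The "systems approach" of slides 13 and 14 in miniature, as an added example that is not part of the original deck: threat detection (IDS alerts), vulnerability knowledge (scan findings) and asset context are joined so that each alert is ranked by whether its target is actually exposed, and the hits feed a remediation queue. Every host address, signature name and vulnerability label (VULN-A and so on) is a constructed placeholder, not a real identifier; the log lines are constructed, and the scoring rule is an assumption for the demo.

```python
"""Added example, not from the slides: correlating threat detection with
vulnerability knowledge and asset context (the slide-14 components).
All hosts, signatures and vulnerability labels are constructed placeholders."""
from dataclasses import dataclass

# Asset context (assumed inventory): what the host is and how much it matters.
ASSETS = {
    "10.0.1.10": {"name": "db01", "criticality": 3},
    "10.0.1.20": {"name": "web01", "criticality": 2},
    "10.0.2.5": {"name": "kiosk01", "criticality": 1},
}

# Vulnerability knowledge: open findings per host from a constructed scan.
SCAN = {
    "10.0.1.10": {"VULN-A"},
    "10.0.1.20": {"VULN-B", "VULN-C"},
    "10.0.2.5": set(),
}

# Threat knowledge: which detection signature targets which finding.
SIG_TO_VULN = {
    "EXPLOIT-A-ATTEMPT": "VULN-A",
    "EXPLOIT-B-ATTEMPT": "VULN-B",
    "EXPLOIT-D-ATTEMPT": "VULN-D",
}

# Constructed IDS log lines: timestamp, signature, source, destination.
ALERTS = """\
2007-03-01T10:00:01 EXPLOIT-A-ATTEMPT 198.51.100.7 10.0.1.10
2007-03-01T10:00:05 EXPLOIT-B-ATTEMPT 198.51.100.7 10.0.2.5
2007-03-01T10:00:09 EXPLOIT-D-ATTEMPT 198.51.100.9 10.0.1.20
2007-03-01T10:00:12 EXPLOIT-B-ATTEMPT 198.51.100.9 10.0.1.20
2007-03-01T10:00:15 EXPLOIT-A-ATTEMPT 198.51.100.9 203.0.113.44
"""


@dataclass
class RankedAlert:
    ts: str
    sig: str
    dst: str
    verdict: str
    score: int


def parse_alerts(text: str) -> list:
    """Split the log into (ts, sig, src, dst) tuples, skipping blank lines."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, sig, src, dst = line.split()
            out.append((ts, sig, src, dst))
    return out


def rank(alerts, assets=ASSETS, scan=SCAN, sig_to_vuln=SIG_TO_VULN) -> list:
    """Score each alert with asset and vulnerability context, highest first.

    Missing context is itself a finding: an alert against a host the asset
    inventory does not know cannot be triaged, so it is kept (low score)
    rather than silently dropped."""
    ranked = []
    for ts, sig, src, dst in alerts:
        asset = assets.get(dst)
        vuln = sig_to_vuln.get(sig)
        if asset is None:
            verdict, score = "unknown-asset", 1
        elif vuln is None:
            verdict, score = "unmapped-signature", 1
        elif vuln in scan.get(dst, set()):
            verdict, score = "target-vulnerable", 3 * asset["criticality"]
        else:
            verdict, score = "target-not-vulnerable", 0
        ranked.append(RankedAlert(ts, sig, dst, verdict, score))
    ranked.sort(key=lambda r: r.score, reverse=True)  # stable: ties keep log order
    return ranked


def remediation_queue(ranked, sig_to_vuln=SIG_TO_VULN) -> list:
    """'After attack' side: (host, finding) pairs attacked while exposed."""
    queue = []
    for r in ranked:
        if r.verdict == "target-vulnerable":
            item = (r.dst, sig_to_vuln[r.sig])
            if item not in queue:
                queue.append(item)
    return queue


if __name__ == "__main__":
    ranked = rank(parse_alerts(ALERTS))
    for r in ranked:
        print(f"{r.score:2d}  {r.ts}  {r.sig:<18} -> {r.dst:<14} {r.verdict}")
    print("remediate:", remediation_queue(ranked))
```

The two alerts against hosts that the scan shows as exposed float to the top, weighted by asset criticality; the alert against an address missing from the inventory is kept with a low score, which is the practical cost of the "cold (still): asset integration" item on slide 13.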

  15. Agenda (section divider; same content as slide 2)

  16. Summary & Conclusions
  • Call to Action
    • Be prepared to account for and secure other IT initiatives
    • Be prepared for threat and vulnerability trends by establishing:
      • Comprehensive functional coverage
      • Comprehensive logical coverage
      • Comprehensive physical coverage
    • Plan to embrace the most promising countermeasures
      • Web app firewalls, disk encryption, network behavior analysis
      • Others: unified threat management, managed security services
    • Be wary of less mature (/more complex) “solutions”
      • NAC, information leak prevention, de-perimeterization
    • Embrace the concept of a TVM System
      • Components first; integrated system soon
