Summit 2011: Trends in Information Security
1. Trends in Information Security
Shahar Geiger Maor
VP & Senior Analyst
www.shaharmaor.blogspot.com
http://www.facebook.com/shahar.maor
http://twitter.com/shaharmaor
2. Agenda
• Introduction
• Cyber-Warfare
• Data Leakage Prevention
• "Social Security"
• Mobile Security
• Cloud Computing
• Security Market Data
• Domains
Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic 2
3. Technologies Categorization 2010-2011
[Chart: security technologies positioned by Market Maturity (x-axis: Using / Implementing / Looking) against IT-project impact (y-axis: Curiosity / Major Changes); size of figure = complexity/cost of project. Technologies plotted: Cyber Warfare, "Social" Security, Mobile Sec, DLP, IRM, Cloud, Application Security, Endpoint Security, Security Management, Network Security.]
Source: STKI
4. STKI Index 2010-2011 – Top Queries to STKI
• EPS/mobile 14%
• Market/Trends 13%
• Access/Authentication 12%
• Network Sec 12%
• GW 10%
• DB/DC SEC 9%
• DCS 9%
• Vendor/Product 8%
• Regulations 7%
• SIEM/SOC 3%
• Miscellaneous 2%
• Encryption 1%
Source: STKI
5. Risk Management
Source: InformationWeek Analytics 2011
6. The Value of Secrets
http://www.csoonline.com/documents/whitepapers/rsavalueofcorpsecrets.pdf
7. Cyber-Warfare
Cyber Warfare is a SCATTERED HLS (homeland security) technology
http://edmahoney.wordpress.com/2010/01/13/cyber-war-home-theater/
8. Cyber Warfare – Key Takeaways
• Cyber-warfare is becoming a giants' playground
• Cyber threats are more sophisticated, targeted and vast than ever before
• Stuxnet has changed the game
• Countermeasures haven't changed much:
  – Proper security standards
  – Technological controls
  – Awareness
• "If a rich and equipped bad guy wants to harm, only God will help."
9. Cyber-Warfare is Becoming a Giants' Playground
http://www.bbc.co.uk/news/technology-11773146
11. Growing Number of Incidents – US
[Chart: incidents of malicious cyber activity against Department of Defense information systems, 2000–2009, with projection for 2010.]
http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf
12. Sources of Attacks on gov.il
Source: CERT.gov.il
13. Sources of Attacks on gov.il
Source: CERT.gov.il
14. M&As in the Cyber Underground…
SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself.
http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
15. Cybercrime Return on Investment Matrix
Source: Cisco, Annual Security Report 2010: http://resources.idgenterprise.com/original/AST-0022126_security_annual_report_2010.pdf
16. Underground Economy
Product | Price
Credit card details | from $2 to $90
Physical credit cards | from $190 + cost of details
Card cloners | from $200 to $1,000
Fake ATMs | up to $35,000
Bank credentials | from $80 to $700 (with guaranteed balance)
Bank transfers and cashing checks | 10% to 40% of the total; $10 for a simple account without guaranteed balance
Online stores and pay platforms | from $80 to $1,500 (with guaranteed balance)
Design and publishing of fake online stores | according to the project (not specified)
Purchase and forwarding of products | from $30 to $300 (depending on the project)
Spam rental | from $15
SMTP rental | from $20 to $40 for three months
Source: Panda Security, "The Cyber-Crime Black Market": http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf
17. Common "Positions" in the Cyber-Crime Business
• Organization leaders
• Programmers
• Hosted systems providers
• Cashiers
• Distributors
• Fraudsters
• Money mules
• Tech experts
• Crackers
• Tellers
Source: FBI, "The Cyber Threat: Who's Doing What to Whom": http://www.fbi.gov/news/speeches/the-cyber-threat-whos-doing-what-to-whom
18. Is Technology Good or Bad?
19. The Social Network (…at work)
http://it.themarker.com/tmit/article/14567
http://www.ynet.co.il/articles/0,7340,L-4012562,00.html
20. Stuxnet (The New York Times, 15/1/11)
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=2&hp
21. Stuxnet in Action: “A Game Changer”
22. Stuxnet in Action: "A Game Changer"
• Estimated 10–30 developers (!!!)
• Stuxnet has some 4,000 functions (the software that runs an average email server has about 2,000 functions)
• Exploits a total of four unpatched (zero-day) Microsoft vulnerabilities
• Uses two compromised (stolen) digital certificates to sign its drivers
• Self-replicates through removable drives
• Spreads in a LAN through a vulnerability in the Windows Print Spooler
• Copies and executes itself on remote computers through network shares
• Updates itself through a peer-to-peer mechanism within a LAN
• Contacts a remote command-and-control server
• Modifies code on Siemens PLCs
• Hides the modified code on the PLCs
23. Stuxnet Timeline
• Early 2008: Siemens cooperated with Idaho National Laboratory to identify the vulnerabilities of the computer controllers that the company sells
• 2008–2009: Suspected exploits were created for Siemens SCADA systems
• July 2009: Stuxnet began circulating around the world
• July 2010: Stuxnet is first discovered by VirusBlokAda
24. Rootkit.Win32.Stuxnet Geography
Source: http://ebiquity.umbc.edu/blogger/wp-content/uploads/2010/09/stuxnet.gif
25. …Let's talk about Patch Management (PM)
• Mostly Microsoft, security-related patches
• "It's not the deployment, but the whole process evolving" AKA Pizza Night
• 20%–50% of an FTE is dedicated to PM
• Common SLAs: 3…6…or sometimes 12 months!!
• VIP patches: up to a week
• Hardware/non-security patches' SLA: where upgrades/vendor support are needed
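The SLA tiers above (VIP patches within a week, ordinary security patches within a 3-to-12-month window, hardware/non-security patches driven by vendor support rather than a calendar) can be checked mechanically against a patch inventory. The following is an added example in Python, not part of the STKI deck or of any patch-management product; the tier thresholds, host names, KB identifiers and dates are constructed assumptions:

```python
"""Patch-SLA compliance check over a constructed patch inventory.

Added example (not from the STKI deck). Implements the SLA tiers the slide
describes: "VIP" patches within a week, ordinary security patches within a
3/6/12-month window (90 days chosen here), and non-security/hardware patches
with no calendar SLA. Inventory, thresholds and identifiers are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed SLA tiers in days; None = no calendar SLA (vendor-driven).
SLA_DAYS = {
    "vip": 7,             # actively exploited / critical: up to a week
    "security": 90,       # slide: "3...6...or sometimes 12 months"; policy picks 3
    "non_security": None, # hardware / firmware: tied to vendor support, not a date
}

@dataclass
class Patch:
    host: str
    kb: str                    # constructed identifier
    tier: str                  # "vip" | "security" | "non_security"
    released: date
    deployed: Optional[date]   # None = still pending

def days_open(p: Patch, today: date) -> int:
    """Days from release to deployment, or to today if still pending."""
    end = p.deployed or today
    return (end - p.released).days

def is_breached(p: Patch, today: date) -> bool:
    """True when the patch exceeded its tier's SLA (deployed late or pending too long)."""
    limit = SLA_DAYS[p.tier]
    if limit is None:
        return False
    return days_open(p, today) > limit

def compliance_report(patches, today: date) -> dict:
    """Per-tier in-SLA/breached counts plus a breach list, worst first."""
    report = {t: {"in_sla": 0, "breached": 0} for t in SLA_DAYS}
    breaches = []
    for p in patches:
        if is_breached(p, today):
            report[p.tier]["breached"] += 1
            breaches.append((p.host, p.kb, days_open(p, today)))
        else:
            report[p.tier]["in_sla"] += 1
    report["breaches"] = sorted(breaches, key=lambda b: -b[2])
    return report

# Constructed inventory: hosts, KB numbers and dates are made up.
TODAY = date(2011, 3, 1)
INVENTORY = [
    Patch("srv-mail-01", "KB000001", "vip", date(2011, 2, 10), date(2011, 2, 14)),   # 4 days
    Patch("srv-mail-02", "KB000001", "vip", date(2011, 2, 10), None),                # pending 19 days
    Patch("ws-0042", "KB000002", "security", date(2010, 10, 1), date(2011, 1, 20)),  # 111 days
    Patch("ws-0043", "KB000002", "security", date(2010, 12, 15), None),              # pending 76 days
    Patch("srv-db-01", "FW-3.2", "non_security", date(2010, 6, 1), None),            # vendor-driven
]

if __name__ == "__main__":
    rep = compliance_report(INVENTORY, TODAY)
    for tier in SLA_DAYS:
        print(f"{tier:13s} in SLA: {rep[tier]['in_sla']}  breached: {rep[tier]['breached']}")
    for host, kb, days in rep["breaches"]:
        print(f"  BREACH {host} {kb} open {days} days")
```

Pending patches count against the SLA from their release date, which is what turns a "3...6...12 months" deployment backlog into a measurable number per tier.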
26. Data Leakage Prevention (DLP)
27. DLP – Key Takeaways
• Thank you, Mr. Assange! Thank you, Ms. Kam!
• The human threat has never gone away
• Overall DLP is still very difficult to implement
• Most organizations will:
  – Use awareness and education as their main countermeasure
  – First try compensating controls (e.g. device control, encryption)
  – Prefer GW (gateway) solutions over endpoint DLP
• IRM is still in the shadows of DLP
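A gateway DLP rule of the kind the takeaways favour has to do more than match sixteen digits, or it blocks every invoice and ticket number and the SOC stops reading its alerts. The following is an added example in Python, not from the deck or from any DLP product: a broad candidate regex, separator normalisation, a Luhn check and an issuer prefix/length check, applied to constructed outbound messages. The card numbers in the samples are the public industry test numbers, not real accounts; the issuer table is an assumption covering four common brands only.

```python
"""Gateway-style DLP check for credit-card numbers (PANs) in outbound text.

Added example, not part of the STKI deck. Shows the minimum a gateway DLP
rule needs to keep false positives down: candidate regex, separator
normalisation, Luhn check, issuer prefix/length check. Samples constructed;
card numbers are public test numbers.
"""
import re

# Candidate: 13-19 digits, optionally grouped with single spaces or dashes
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed issuer rules: (regex on leading digits, allowed lengths)
ISSUERS = {
    "visa": (re.compile(r"^4"), {13, 16, 19}),
    "mastercard": (re.compile(r"^(5[1-5]|2[2-7])"), {16}),
    "amex": (re.compile(r"^3[47]"), {15}),
    "discover": (re.compile(r"^6(011|5)"), {16}),
}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs and typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(digits: str):
    """Issuer name when prefix and length match a known issuer, else None."""
    for name, (prefix, lengths) in ISSUERS.items():
        if prefix.search(digits) and len(digits) in lengths:
            return name
    return None

def find_ccns(text: str):
    """Return [(issuer, masked_pan)] for every validated PAN in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue
        issuer = classify(digits)
        if issuer is None:
            continue
        # keep only BIN (first 6) and last 4 in any alert or log
        masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        hits.append((issuer, masked))
    return hits

def gateway_verdict(text: str, max_allowed: int = 0) -> str:
    """'BLOCK' when more validated PANs than the policy allows are present."""
    return "BLOCK" if len(find_ccns(text)) > max_allowed else "ALLOW"

# Constructed outbound messages
MESSAGES = [
    "Invoice ref 4111 1111 1111 1111 paid, thanks.",      # Visa test number
    "Call me at 1234567890123456 tomorrow.",             # 16 digits, fails Luhn
    "Ticket 2011-0101 opened; order id 378282246310005", # Amex test number
    "Quarterly numbers: 5555555555554444 and 6011111111111117",
]
```

The Luhn step alone removes roughly nine of ten random sixteen-digit strings; the issuer check removes most of the rest, and masking in the alert keeps the DLP console itself from becoming a card-number store.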
28. Market Trends: WikiLeaks
29. What’s the Incentive?
Source: http://datalossdb.org/statistics?timeframe=all_time
30. What's the Incentive?
• 2,754 data loss incidents
• 396 (35%) credit-card related data loss incidents
• How? Hack (48%)
• 297,704,392 CCNs compromised
• 751,779 CCNs per incident
• Actual $$$ loss: ?
Source: http://datalossdb.org/statistics?timeframe=all_time (2000–2010)
31. Data Loss Analysis – Answering the "How" Question
[Bar chart, 0%–60%, of data-loss incidents by vector: Hack, Fraud, Lost/Stolen, Web, General, Unknown, Disposal_Document, Email, Virus; the CCN-related share is marked.]
Source: http://datalossdb.org/statistics?timeframe=all_time (2000–2010)
32. Internal vs. External Human Threats
33. Incidents by Vector
http://datalossdb.org/statistics
34. Top Three Most Effective Data-Security Controls
http://securosis.com/reports/Securosis_Data_Security_Survey_2010.pdf
35. What will you deploy next?
http://securosis.com/reports/Securosis_Data_Security_Survey_2010.pdf
36. Leakage Mitigation in Israel
+ Awareness/Methodology
-/+ IRM/Vaulting/Mail Protection
+ GW DLP
+ Encryption
+ Device Control
- Endpoint DLP
37. DLP Insights
• 2011 -The Year of DLP???
• How to Approach DLP Projects?
• No Complete Leakage Prevention
• ROI? Yes, there is!
• Privacy, Privacy, Privacy!
38. Data Leak/Loss Prevention – Israeli Market Positioning 1Q11
Estimated technology penetration (using this technology / evaluating / not using): 39% / 61%
Solutions to watch: CA, Fidelis
[Positioning chart, Local Support vs. Market Presence, tiers Player / Worldwide Leader: Websense, Symantec, McAfee, RSA, Verdasys, Safend, Checkpoint]
This analysis should be used with its supporting documents.
39. Information Rights Management – Israeli Market Positioning 1Q11
Estimated technology penetration (using this technology / evaluating / not using): 5% / 95%
Solutions to watch: Confidela, Concealium
[Positioning chart, Local Support vs. Market Presence, tiers Player / Worldwide Leader: Microsoft (RMS), Secure Islands, Covertix, EMC, Oracle, Checkpoint, Adobe]
This analysis should be used with its supporting documents.
40. Database Protection – Israeli Market Positioning 1Q11
Estimated technology penetration (evaluating / using this technology / not using): 48% / 52%
[Positioning chart, Local Support vs. Market Presence, tiers Player / Worldwide Leader: Sentrigo, Imperva, IBM, Oracle, Fortinet, GreenSQL]
This analysis should be used with its supporting documents.
41. "Social Security"
"Social Security" is a SCATTERED IT technology
42. "Social Security" – Key Takeaways
• Social media is all around us
• Is the corporate network opening up?
• Most employees use social media for leisure (only a minority uses it as a business tool)
• CIO: find the balance between business necessity, productivity, network considerations and security
• CISO: get involved!
43. 10 Steps to Social-Computing Compliance
Step 1 – Take ownership
Step 2 – Establish policy
Step 3 – Engage compliance function early
Step 4 – Formal education program
Step 5 – Strong password management
Step 6 – Content monitoring and logging
Step 7 – Education
Step 8 – Selective blocking of content
Step 9 – Routine audits and review of logs
Step 10 – Regular policy review
44. Internet Policy – Allowing Facebook?
Israel, cross-sector, March 2011: Yes 38% | Limited 27% | No 35%
Source: STKI
45. Internet Policy – Allowing Facebook? (by sector)
Industry: Yes 37% | Limited 38% | No 25%
Healthcare: Yes 33% | No 67%
Finance: Yes 12% | Limited 25% | No 63%
Services: Yes 72% | Limited 14% | No 14%
High-Tech: Yes 83% | No 17%
Government: Yes 15% | Limited 23% | No 62%
Source: STKI
46. Internet Policy – Allowing Skype?
Israel, cross-sector, March 2011: Yes 18% | Limited 4% | No 78%
Source: STKI
47. Internet Policy – Allowing Skype? (by sector)
Industry: Yes 37% | No 63%
Healthcare: No 100%
Finance: Yes 12% | No 88%
Services: Limited 14% | No 86%
High-Tech: Yes 50% | No 50%
Government: Yes 8% | Limited 8% | No 84%
Source: STKI
48. Internet Policy – Allowing Gmail?
Israel, cross-sector, March 2011: Yes 58% | Limited 18% | No 24%
Source: STKI
49. Internet Policy – Allowing Gmail? (by sector)
Industry: Yes 50% | Limited 13% | No 37%
Healthcare: Limited 67% | No 33%
Finance: Yes 50% | Limited 25% | No 25%
Services: Yes 57% | Limited 29% | No 14%
High-Tech: Yes 67% | Limited 17% | No 16%
Government: Yes 77% | No 23%
Source: STKI
50. Internet Policy – Allowing P2P?
Israel, cross-sector, March 2011: Limited 4% | No 96%
Source: STKI
51. Mobile Security
Mobile is a SCATTERED IT technology
52. Mobile Security – Key Takeaways
• New wave of change: "Consumerization of IT"
• 38% (and rising) of mobile devices are considered "smartphones"
• Take control over mobile devices
• Manage smartphones as if they were just another endpoint
53. New Wave of Change: "Consumerization of IT"
[Chart: "Computing Cycles in Perspective" (from Morgan Stanley), devices/users in millions on a log scale, 1960–2020: Mainframe 1M+ units, Minicomputer 10M+ units, PC 100M+ units, Desktop Internet 1B+ units/users, Mobile Internet 10B+ units (projected).]
"The desktop internet ramp was just a warm-up act for what we're seeing happen on the mobile internet. The pace of mobile innovation is 'unprecedented, I think, in world history.'"
Mary Meeker, Morgan Stanley – April 2010
Source: McAfee (slide dated October 17, 2011)
54. Mobile Traffic in the Next Years
5 billion personal devices; over 400 million of those devices may represent the only means of connecting to the Internet that some people will have.
Source: http://www.readwriteweb.com/archives/mobile_data_traffic_surge_40_exabytes_by_2014.php
55. What's Going on in Israeli Orgs?
• 38% (and rising) of mobile devices are considered "smartphones"
• In 26% of the market there is no policy regarding the allowed brands
56. What Type of Smartphone Are You Considering Providing to Your Employees?
[Bar chart comparing an Israeli survey (Source: STKI) with a worldwide survey (Source: InformationWeek) for Windows Mobile 7, iPhone, Android and BlackBerry; bars range from 6% to 36%.]
57. What Kind of Services?
Mail & Calendar 88% | Mail, Calendar & Apps 13% | No services 8% | Don't know 4%
Source: STKI
58. What About Your Security Policy?
Insufficient: 100%
Source: STKI
59. What are You Looking For?
60. Mobile Security: What Worries CISOs?
Internal users:
• No central management
• How to protect corporate data on the device?
• Device "welfare" (health) ???
External users:
• Sensitive traffic interception
• Masquerading / identity theft
61. What Are You Looking For?
1. Manage smartphones as if they were just another endpoint
2. Multi-platform support
3. Protecting business information on the device
62. Solutions (Existing Support in Israel)
Vendor | Agat Solutions | Checkpoint | Fancyfon | Good Technologies | Juniper Networks
Product name | AG ActiveSync filter | Pointsec Mobile | FAMOC | Good for Enterprise | Junos Pulse Mobile Security Suite
In a nutshell | Content filtering | Device encryption | MDM and asset management, device healthcare | Blackberry-like server | –
Form factor | Appliance/software | Software (SmartCenter™) | Software | Software | Appliance/software
Client | No | Yes | Yes | Yes | Yes
One console | Yes | Yes | Yes | Yes | Yes
Remote wipe | No | No | Yes, detects unauthorized SIM removal | Yes, including SIM detection | Yes
Device control (BT, Wi-Fi, GPS, camera) | No | No | Yes | Yes | No
Backup/Recovery | No | Password recovery | Configurations, files, applications backup/restore | No | Yes
Source: STKI
63. Solutions (Existing Support in Israel), continued
Vendor | McAfee | MobileIron | Phonaris | Sybase | Symantec | Trend-Micro
Product name | Enterprise Mobility Management | Virtual Smartphone Platform | Phonaris Enterprise | Afaria | Mobile Security | Mobile Solutions
In a nutshell | Secure access and MDM | MDM | MDM and basic security management | MDM (Android, iOS, BB, Win Mobile) | Security (WinMobile, Symbian) | Security
Client | Yes | Yes | Yes | Yes | Yes | Yes
One console | Yes | Yes | Yes, very nice and friendly web console | Yes | Yes, a "single pane of glass", neat web portal | Yes (OfficeScan™)
Remote wipe | Yes | Yes, plus tracing lost devices | Yes | Yes | No | –
Device control (BT, Wi-Fi, GPS, camera) | Yes | Yes | Yes | Yes | Yes (not including Symbian) | No
Backup/Recovery | No | Yes | No | Yes | No | No
Source: STKI
64. Mobile security and management capabilities compared
Source: InfoWorld, 2010
65. MDM/Security Solutions – Platform Support
Platform | Agat Solutions | Checkpoint | Fancyfon | Good Technologies | Juniper Networks | McAfee | MobileIron | Phonaris | Sybase | Symantec | Trend-Micro
iOS | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Limited | Yes | No
Android | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Limited | Yes | No
Symbian | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
BlackBerry | Yes | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No
WinMobile | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes
PalmOS | Yes | Yes | Yes | Yes | No | Yes | Limited | No | Yes | No | No
Other Java-based feature phones | Yes | No | Yes | No | No | No | No | Yes | No | No | –
Source: STKI
66. Conclusion
Mobile is the new king of communication; IT shouldn't stay behind; the smartphone is just another managed endpoint.
67. Cloud Computing
68. Cloud Security –Key Takeaways
• Cloud Computing is here to stay
• Security is an EASY showstopper
• CISOs will have to be agile and creative in order
to keep up with the trend
• Look for certifications, standards and guidelines
ASAP
• Wait for regulations in the long-term
• (In the meanwhile) Find yourself a solid provider
69. We Should Know, by Now, What Cloud Means
http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
70. Cloud Services Concerns
Security (especially access issues) is still considered a top concern.
"We won't be involving our security team in this project until the last possible moment, because the answer will be 'no.'"
– VP at one of the largest retailers in the world
Source: InformationWeek, State of Cloud, Jan 2011
71. Top Threats to Cloud Computing
• Abuse and Nefarious Use of Cloud Computing
• Insecure Interfaces and APIs
• Malicious Insiders
• Shared Technology Issues
• Data Loss or Leakage
• Account or Service Hijacking
• Unknown Risk Profile
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
72. Top Threats to Cloud Computing – Applicability and Remediation
• Abuse and Nefarious Use of Cloud Computing (IaaS √, PaaS √, SaaS ×)
  – Stricter initial registration and validation processes.
  – Enhanced credit card fraud monitoring and coordination.
  – Comprehensive introspection of customer network traffic.
  – Monitoring public blacklists for one's own network blocks.
• Malicious Insiders (IaaS √, PaaS √, SaaS √)
  – Enforce strict supply chain management and conduct a comprehensive supplier assessment.
  – Specify human resource requirements as part of legal contracts.
  – Require transparency into overall information security and management practices, as well as compliance reporting.
  – Determine security breach notification processes.
• Shared Technology Issues (IaaS √, PaaS ×, SaaS ×)
  – Implement security best practices for installation/configuration.
  – Monitor environment for unauthorized changes/activity.
  – Promote strong authentication and access control for administrative access and operations.
  – Enforce service level agreements for patching and vulnerability remediation.
  – Conduct vulnerability scanning and configuration audits.
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
73. Top Threats to Cloud Computing – Continued
• Insecure Interfaces and APIs (IaaS √, PaaS √, SaaS √)
  – Analyze the security model of cloud provider interfaces.
  – Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
  – Understand the dependency chain associated with the API.
• Data Loss or Leakage (IaaS √, PaaS √, SaaS √)
  – Implement strong API access control.
  – Encrypt and protect integrity of data in transit.
  – Analyze data protection at both design and run time.
  – Implement strong key generation, storage and management, and destruction practices.
  – Contractually demand providers wipe persistent media before it is released into the pool.
  – Contractually specify provider backup and retention strategies.
• Account or Service Hijacking (IaaS √, PaaS √, SaaS √)
  – Prohibit the sharing of account credentials between users and services.
  – Leverage strong two-factor authentication techniques where possible.
  – Employ proactive monitoring to detect unauthorized activity.
  – Understand cloud provider security policies and SLAs.
• Unknown Risk Profile (IaaS √, PaaS √, SaaS √)
  – Disclosure of applicable logs and data.
  – Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
  – Monitoring and alerting on necessary information.
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
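Three of the remediations above (strong authentication on every API call in concert with encrypted transmission, no sharing of account credentials between users and services, proactive monitoring for unauthorized activity) can be shown together in a small protocol. The following is an added example in Python, not from the CSA document, the deck or any provider's SDK: the client signs each request with a per-tenant HMAC key over the method, path, body hash, timestamp and nonce, and the server verifies the signature, rejects stale timestamps and detects replayed nonces. Key IDs, the secret, the paths and the 5-minute skew window are assumptions; TLS is assumed for transport encryption and is not shown.

```python
"""HMAC-signed API requests with timestamp and nonce replay protection.

Added example (not from the CSA document or the STKI deck). A per-tenant
secret replaces a shared password in a URL; the server rejects stale or
replayed calls and any call whose body or path was altered in transit.
Key IDs, secrets, paths and the skew window are assumptions; TLS assumed.
"""
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 300  # assumed policy: reject calls older than 5 minutes

def canonical_string(method, path, body: bytes, key_id, timestamp, nonce) -> str:
    """Bind method, path, body hash, key id, time and nonce into one string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, key_id, str(timestamp), nonce])

def sign_request(secret: bytes, method, path, body: bytes, key_id, timestamp=None, nonce=None) -> dict:
    """Client side: return the headers the caller attaches to the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, body, key_id, timestamp, nonce).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}

class ApiVerifier:
    """Server side: per-key secrets plus a bounded nonce cache for replay detection."""
    def __init__(self, keys: dict):
        self.keys = keys      # key_id -> secret bytes (assumed key store)
        self.seen = {}        # nonce -> timestamp, pruned beyond the skew window

    def verify(self, method, path, body: bytes, headers: dict, now=None) -> tuple:
        """Return (accepted, reason); a failed call never records its nonce."""
        now = int(time.time()) if now is None else now
        key_id = headers.get("X-Key-Id", "")
        secret = self.keys.get(key_id)
        if secret is None:
            return (False, "unknown key")
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return (False, "bad timestamp")
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return (False, "stale timestamp")
        nonce = headers.get("X-Nonce", "")
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW_SECONDS}
        if nonce in self.seen:
            return (False, "replay")
        msg = canonical_string(method, path, body, key_id, ts, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return (False, "bad signature")
        self.seen[nonce] = ts
        return (True, "ok")

# Constructed key store and requests
KEYS = {"tenant-42": b"assumed-shared-secret-for-tenant-42"}

def demo() -> tuple:
    """Valid call, replayed call, tampered body, and a call with a stale timestamp."""
    v = ApiVerifier(KEYS)
    now = 1_300_000_000
    body = b'{"action":"list-instances"}'
    hdrs = sign_request(KEYS["tenant-42"], "POST", "/v1/compute", body, "tenant-42",
                        timestamp=now, nonce="0123456789abcdef")
    first = v.verify("POST", "/v1/compute", body, hdrs, now=now)
    replay = v.verify("POST", "/v1/compute", body, hdrs, now=now + 10)
    tampered_hdrs = dict(hdrs)
    tampered_hdrs["X-Nonce"] = "ffff"          # fresh nonce, but body differs from what was signed
    tampered = v.verify("POST", "/v1/compute", b'{"action":"delete-all"}', tampered_hdrs, now=now)
    old = sign_request(KEYS["tenant-42"], "GET", "/v1/keys", b"", "tenant-42", timestamp=now - 3600, nonce="aaaa")
    late = v.verify("GET", "/v1/keys", b"", old, now=now)
    return first, replay, tampered, late
```

The rejection reasons are what the "proactive monitoring" remediation feeds on: a burst of "replay" or "bad signature" results for one key id is the hijacking signal, while "stale timestamp" usually points at clock drift on the client.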
74. Top Security and Privacy Issues
Governance | Compliance | Trust | Architecture | Identity and Access Management | Software Isolation | Data Protection | Availability | Incident Response
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
75. Security and Privacy Issues and Precautions
Governance: Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, and monitoring of deployed or engaged services. Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.
Compliance: Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, and electronic discovery requirements. Review and assess the cloud provider's offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.
Trust: Incorporate mechanisms into the contract that allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time. Institute a risk management program that is flexible enough to adapt to the continuously evolving and shifting risk landscape.
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
76. Security and Privacy Issues and Precautions (continued)
Architecture: Understand the underlying technologies the cloud provider uses to provision services, including the implications of the technical controls involved on the security and privacy of the system, with respect to the full lifecycle of the system and for all system components.
Identity and Access Management: Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions.
Software Isolation: Understand virtualization and other software isolation techniques that the cloud provider employs, and assess the risks involved.
Data Protection: Evaluate the suitability of the cloud provider's data management solutions for the organizational data concerned.
Availability: Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed and that all operations can be eventually reinstituted in a timely and organized manner.
Incident Response: Understand and negotiate the contract provisions and procedures for incident response required by the organization.
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
77. Outsourcing Activities and Precautions
Preliminary activities: Identify security, privacy, and other organizational requirements for cloud services to meet, as a criterion for selecting a cloud provider. Perform a risk assessment, analyzing the security and privacy controls of a cloud provider's environment with respect to the control objectives of the organization. Evaluate the cloud provider's ability and commitment to deliver cloud services over the target timeframe and meet the security and privacy levels stipulated.
Initiating and coincident activities: Ensure that all contractual requirements are explicitly recorded in the SLA, including privacy and security provisions, and that they are endorsed by the cloud provider. Involve a legal advisor in the negotiation and review of the terms of service of the SLA. Continually assess the performance of the cloud provider and ensure all contract obligations are being met.
Concluding activities: Alert the cloud provider about any contractual requirements that must be observed upon termination. Revoke all physical and electronic access rights assigned to the cloud provider and recover physical tokens and badges in a timely manner. Ensure that resources made available to the cloud provider under the SLA are returned in a usable form, and confirm evidence that information has been properly expunged.
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
78. Division of Liabilities in the Cloud
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/
79. How to Secure the Cloud?
Technologies believed to be most important in securing the cloud computing
environment
Source: CA, "Security of Cloud Computing Users": http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
80. Lack of Confidence in IT?
Who is responsible for ensuring a secure cloud computing environment?
Isn't cloud security an IT responsibility??? So why is IT only 3rd?
Don't let it scatter.
Source: CA, "Security of Cloud Computing Users": http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
81. Regulations, Standards and Certifications
Regulations????? Nothing (so far…)
Looking for regulations? …Please wait for the next disaster.
82. Regulations, Standards and Certifications
• Standards:
– AICPA: SAS 70: there is no published list of SAS 70 standards (Recommendation: ask to review your cloud provider’s SAS 70 type I/II report!!!)
• Certifications:
– NIST (National Institute of Standards and Technology): Recommended Security Controls for Federal Information Systems and Organizations* ==> FISMA (Federal Information Security Management Act) ATO (Authorization to Operate).
– CSA: CCSK – Certified Cloud Security Knowledge
83. Regulations, Standards and Certifications
• Guidelines:
– CSA (Cloud Security Alliance): CCM – Cloud Controls Matrix
– NIST (National Institute of Standards and Technology): DRAFT Guidelines on Security and Privacy in Public Cloud Computing
– ENISA (European Network and Information Security Agency): Cloud Security Information Assurance Framework
* Not related directly to cloud security
84. Addressing Cloud Issues in the Israeli Government
From a position paper on the subject: principles for protecting the privacy of personal information in outsourcing in Israel (0102/01)
http://www.justice.gov.il/NR/rdonlyres/1FB266DE-95A0-4C31-939B-3796DCB0C232/23065/positionmikurhuz.pdf
85. Virtualization Security Solution
• Existing solutions certified for protection of virtual workloads:
– Firewall + Intrusion Prevention
– System auditing
– File integrity monitoring
– Anti-malware
– Security configuration Mgmt
• Threat protection delivered in a virtual form-factor:
– Virtual network segment protection/policy enforcement
– Network access control
– Virtual infrastructure monitoring
• Integrated virtual environment-aware threat protection:
– Virtual host protection and network policy enforcement
Source: IBM
86. Cloud Security Solutions
[Porticor cloud security architecture diagram; labels recovered from the figure]
Business Cloud: Virtual Volumes; Databases in the cloud; Self-service; Compute; Virtual Application servers; Virtual Database servers
VPD™: Intrusion detect. & prevent.; Web App Firewall; Access Policy; Site
VPD™: Cryptography; Key mgmt.; Data de-construction; Events & Alerts; Logging & Auditing; Threat mgmt.
Distributed Storage; Deployment; Data Operations
Source: Porticor
87. Cloud Security Solutions
http://www.cloudflare.com/
88. (Cloud-Based) Cyber-Crime Prevention
Source: Seculert
89. Cloud Privacy and Security -Navajo
Source: Navajo
90. Cloud Privacy and Security -Concealium
Source: Concealium
91. In Short
• Security is an EASY showstopper
• …“We put our money in the cloud”
• The cloud is here to stay
• No rush!
• Find yourself a solid partner
• Look for standards
92. Security Domains –Key Takeaways
• Network Security is climbing to the Application layer
• Application Security is moving on to business process
• EPS: There is a new approach to fight malware
• Nobody likes IAM/IDM but everybody needs it
• Interesting changes in the SIEM/SOC arena
94. Next-Generation Firewall
[Next-Generation Firewall diagram; labels recovered from the figure]
Identify → Categorize → Control
Identify: Application Chaos, Many on Port 80; Re-Assembly Free Deep Packet Inspection
Categorize: Users/Groups
Control: Policy; Critical Apps: Prioritized Bandwidth; Acceptable Apps: Managed Bandwidth; Unacceptable Apps: Blocked; Malware Blocked
Other labels: Cloud-based Extra-Firewall Intelligence; Visualize & Manage Policy
Source: SonicWALL
95. Enterprise Network Firewall
- Israeli Market Positioning 1Q11
[Positioning chart; axis labels: Local Support, Market Presence; quadrant labels: Player, Worldwide Leader]
Solutions to Watch: Checkpoint, SonicWall
Vendors positioned: Checkpoint, SonicWall, Juniper, PaloAlto, Fortinet, Cisco, Microsoft
This analysis should be used with its supporting documents
96. Secure Remote Access
- Israeli Market Positioning 1Q11
Estimated Technology Penetration: Using this technology 87%; Evaluating/Not using 13%
[Positioning chart; axis labels: Local Support, Market Presence; quadrant labels: Player, Worldwide Leader]
Vendors positioned: Juniper, Checkpoint, Microsoft, Citrix, Cisco, F5, SonicWall, Array
This analysis should be used with its supporting documents
97. Intrusion Prevention/Detection Systems - Israeli Market Positioning 1Q11
Estimated Technology Penetration: Using this technology 52%; Evaluating/Not using 48%
[Positioning chart; axis labels: Local Support, Market Presence; quadrant labels: Player, Worldwide Leader]
Solutions to Watch: SonicWall
Vendors positioned: McAfee, IBM-ISS, Juniper, Radware, PaloAlto, Checkpoint, HP, Cisco, Fortinet, Sourcefire (Snort)
This analysis should be used with its supporting documents
98. Network Access Control
- Israeli Market Positioning 1Q11
Estimated Technology Penetration: Using this technology 48%; Evaluating/Not using 52%
[Positioning chart; axis labels: Local Support, Market Presence; quadrant labels: Player, Worldwide Leader]
Vendors positioned: Access Layers, Cisco, Symantec, Check Point, Juniper, ForeScout, Microsoft, Insightix, Enterasys, Wise-Mon, McAfee, HP
This analysis should be used with its supporting documents
99. Secure Web-Gateway
- Israeli Market Positioning 1Q11
[Positioning chart; axis labels: Local Support, Market Presence; quadrant labels: Player, Worldwide Leader; annotation: Fast Movement]
Vendors positioned: Websense, BlueCoat, SafeNet, Cisco, Microsoft (TMG), Symantec, Trend Micro, Fortinet, McAfee, Zscaler
This analysis should be used with its supporting documents
100. Email Security
- Israeli Market Positioning 1Q11
Hosted/Cloud Solutions: Microsoft (Forefront), Google (Postini), Symantec (MessageLabs), Cisco (Ironport), McAfee (MX Logic)
[Positioning chart; axis labels: Local Support, Market Presence; quadrant labels: Player, Worldwide Leader; annotation: Fast Movement]
Vendors positioned: Cisco, Symantec, PineApp, Trend Micro, Microsoft, McAfee, Mirapoint, SafeNet, Websense
This analysis should be used with its supporting documents
102. Need for Application Security
Application security flaws jeopardize sensitive business information, data integrity, availability and company reputation
Over 97% of applications are vulnerable to attacks
90% of attacks are carried out on Application and Data layers
Penetration testing is an effective, yet “ad-hoc” solution. Budgetary constraints do not allow for daily manual testing
103. AppSec –Among Top 3 Security Threats
http://www.informationweek.com/news/galleries/security/vulnerabilities/showArticle.jhtml?articleID=226700232&pgno=6&isPrev=
104. Web Application Security Risks
OWASP Top 10 – 2007 (Previous) → OWASP Top 10 – 2010 (New)
A2 – Injection Flaws → A1 – Injection
A1 – Cross Site Scripting (XSS) → A2 – Cross Site Scripting (XSS)
A7 – Broken Authentication and Session Management → A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference = A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF) = A5 – Cross Site Request Forgery (CSRF)
<was T10 2004 A10 – Insecure Configuration Management> + A6 – Security Misconfiguration (NEW)
A8 – Insecure Cryptographic Storage → A7 – Insecure Cryptographic Storage
A10 – Failure to Restrict URL Access → A8 – Failure to Restrict URL Access
A9 – Insecure Communications = A9 – Insufficient Transport Layer Protection
<not in T10 2007> + A10 – Unvalidated Redirects and Forwards (NEW)
A3 – Malicious File Execution – <dropped from T10 2010>
A6 – Information Leakage and Improper Error Handling – <dropped from T10 2010>
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
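One of the two entries new in the 2010 list is A10, Unvalidated Redirects and Forwards. The following is an added example, not code from the presentation or from OWASP, of the control that entry calls for: a Python function that honours a user-supplied redirect target only when it resolves to an allow-listed host, and falls back to a fixed path otherwise. The host names and URLs are constructed sample values.

```python
from urllib.parse import urljoin, urlsplit

# Hosts this application may redirect to (constructed sample values).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(base_url: str, target: str) -> str:
    """Return `target` only if it stays on an allow-listed host, else "/".

    `target` is untrusted input (typically a ?next= or ?returnUrl= value).
    It is resolved against the page's own URL so that relative paths keep
    working, then the resulting scheme and host are checked.  Every failure
    mode falls back to DEFAULT_TARGET rather than to the supplied value.
    """
    if not target:
        return DEFAULT_TARGET
    # Browsers treat a backslash like a slash, so "/\evil.test" behaves as
    # the protocol-relative "//evil.test"; normalise before parsing.
    candidate = target.replace("\\", "/")
    # Whitespace and control characters can hide a scheme from naive checks.
    if any(ord(ch) < 0x21 for ch in candidate):
        return DEFAULT_TARGET
    try:
        resolved = urlsplit(urljoin(base_url, candidate))
        host = resolved.hostname  # malformed IPv6 brackets raise ValueError
    except ValueError:
        return DEFAULT_TARGET
    if resolved.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # rejects javascript:, data:, and similar
    if host is None or host.lower() not in ALLOWED_HOSTS:
        # Rejects //evil.test, user@evil.test and www.example.com.evil.test
        return DEFAULT_TARGET
    return resolved.geturl()


if __name__ == "__main__":
    base = "https://www.example.com/login"
    for value in ("/account", "//evil.test/", "/\\evil.test/",
                  "https://www.example.com.evil.test/", "javascript:alert(1)"):
        print(repr(value), "->", safe_redirect_target(base, value))
```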