HP Software Performance Tour 2014 - Guarding against the Data Breach


description

At the HP Software Performance Tour 2014 Pierpaolo Ali’, South Europe Sales Director - HP Enterprise Security Products, illustrated the 2014 vulnerability landscape in IT security.

Transcript of HP Software Performance Tour 2014 - Guarding against the Data Breach

Page 1: HP Software Performance Tour 2014 - Guarding against the Data Breach

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Guarding against the Breach The 2014 Vulnerability Landscape

Pierpaolo Ali’, South Europe Sales Director, HP Enterprise Security Products

June 17, 2014

Page 2: HP Software Performance Tour 2014 - Guarding against the Data Breach


Discovery

The attack lifecycle

Research

Our enterprise

Their ecosystem

Infiltration

Capture

Exfiltration

Page 3: HP Software Performance Tour 2014 - Guarding against the Data Breach


Discovery

How we can disrupt the market

Research

Our enterprise

Their ecosystem

Infiltration

Capture

Exfiltration

Planning damage mitigation

Educating users

Counter intel

Page 4: HP Software Performance Tour 2014 - Guarding against the Data Breach


Agenda

2013 Cyber Risk Report key findings

Understanding Exactly how the Attacker Ecosystem Works

HP Security Research

Building Security in Maturity Model

Page 5: HP Software Performance Tour 2014 - Guarding against the Data Breach


2013 Cyber Risk Report

Page 6: HP Software Performance Tour 2014 - Guarding against the Data Breach


Key Findings

Research gains attention, but vulnerability disclosures stabilize and decrease in severity

80% of applications contain vulnerabilities exposed by incorrect configuration

Differing definitions of “malware” make measuring mobile malware risk extremely difficult

Page 7: HP Software Performance Tour 2014 - Guarding against the Data Breach


Key Findings

The attack surface allows for multiple avenues for compromise

46% of mobile iOS and Android applications use encryption improperly

Internet Explorer was the software most targeted by Zero Day Initiative (ZDI) researchers

Page 8: HP Software Performance Tour 2014 - Guarding against the Data Breach


Key Findings

SCADA systems are increasingly targeted

Sandbox bypass vulnerabilities are the #1 issue for Java

Page 9: HP Software Performance Tour 2014 - Guarding against the Data Breach


Conclusions

Mitigate

Risk

Respond

Appropriately

Reduce

Attack Surface

Page 10: HP Software Performance Tour 2014 - Guarding against the Data Breach


Going beyond the basics of best practices

Remember that people are part of your organization’s perimeter too

Don’t rely solely on traditional defensive perimeter security

Expect to be compromised

Page 11: HP Software Performance Tour 2014 - Guarding against the Data Breach


Going beyond the basics of best practices

Make security and response a continuous process

Understand that not all information and network assets are equal

Seek out credible and reliable security intelligence

Page 12: HP Software Performance Tour 2014 - Guarding against the Data Breach


Understanding exactly how the Attacker Ecosystem Works

Page 13: HP Software Performance Tour 2014 - Guarding against the Data Breach


A recent event

Page 14: HP Software Performance Tour 2014 - Guarding against the Data Breach


Repeat attacks

Company A NEW EVENT

Zero Day

Company B

Company C

Malicious IP address

Malware variant

NEW EVENT

NEW EVENT

Page 15: HP Software Performance Tour 2014 - Guarding against the Data Breach


Recruiting

Page 16: HP Software Performance Tour 2014 - Guarding against the Data Breach


Job offers

Page 17: HP Software Performance Tour 2014 - Guarding against the Data Breach


Escrow services

Page 18: HP Software Performance Tour 2014 - Guarding against the Data Breach


Training

Page 19: HP Software Performance Tour 2014 - Guarding against the Data Breach


HP Security Research

Page 20: HP Software Performance Tour 2014 - Guarding against the Data Breach


HP Enterprise Security Products

Page 21: HP Software Performance Tour 2014 - Guarding against the Data Breach


HP Security Research

SANS, CERT, NIST, ReversingLabs, software, and reputation vendors

• ~3000 researchers

• 2000+ customers sharing data

• 7000+ managed networks globally

Ecosystem

partner

ESS

HP Security Research

Innovative research

Thought leadership

• Automatically integrated into HP products

• HP finds more vulnerabilities than the rest of the market combined

• Top security vulnerability research organization for the past three years —Frost & Sullivan

Actionable security intelligence

Page 22: HP Software Performance Tour 2014 - Guarding against the Data Breach


The Value HP TippingPoint DVLabs Provides

Vulnerability Research

Crowd-sourced 0-day and vulnerability research through the Zero Day Initiative (ZDI)

Original vulnerability research on widely-used software

Targeted research on emerging threat technologies and trends

Malware Research

Reputation feed of malicious hosts and IP addresses

In-depth threat research

Weekly updates to stay ahead of the threats

Page 23: HP Software Performance Tour 2014 - Guarding against the Data Breach


Heartbleed…

Page 24: HP Software Performance Tour 2014 - Guarding against the Data Breach


Building Security In: HP SSR

Original Research: malware analysis, access control validation, …

Secure Coding Rulepacks (SCA): 563 unique categories of vulnerabilities across 21 languages and over 720,000 individual APIs

Runtime Rulepack Kits: HP Fortify SecurityScope, HP Fortify Runtime Application Logging, HP Fortify Runtime Application Protection (RTAP)

WebInspect SecureBase (WebInspect): next-generation security testing capabilities

Consistent delivery of quarterly content updates (03-29-2013, 06-28-2013, …)

Page 25: HP Software Performance Tour 2014 - Guarding against the Data Breach


Building Security in Maturity Model (BSIMM)

Page 26: HP Software Performance Tour 2014 - Guarding against the Data Breach


Building BSIMM (2009)

Big idea: Build a maturity model from actual data gathered from 9 well known large-scale software security initiatives

Created a software security framework

Interviewed nine firms in person

Discovered 110 activities through observation

Organized the activities in 3 levels

Built a scorecard

The model has been validated with data from 67 firms

There are no special snowflakes

Page 27: HP Software Performance Tour 2014 - Guarding against the Data Breach


Prescriptive versus Descriptive Models

Prescriptive models describe what you should do (circa 2006)

SAFECode, SAMM, MS SDL, Touchpoints

Every firm has a methodology they follow (often a hybrid)

You need an SSDL!

Descriptive models describe what is actually happening

BSIMM is a descriptive model used to measure multiple prescriptive SSDLs

Page 28: HP Software Performance Tour 2014 - Guarding against the Data Breach


67 Firms in the BSIMM-V Community

Plus 22 firms that remain anonymous

Page 29: HP Software Performance Tour 2014 - Guarding against the Data Breach


Compare yourself with…

• Your peers

• Other business units

Track your performance over time…

Page 30: HP Software Performance Tour 2014 - Guarding against the Data Breach


BSIMM by the Numbers

Page 31: HP Software Performance Tour 2014 - Guarding against the Data Breach


Conclusion

Don’t rely solely on traditional defensive perimeter security.

Know thy enemy. Expect to be compromised.

Security Research can provide proactive insight into global, vertical-specific, and geographic threats.

BSIMM: Measure how well you’re doing

Page 32: HP Software Performance Tour 2014 - Guarding against the Data Breach


Questions?

Page 33: HP Software Performance Tour 2014 - Guarding against the Data Breach


Join Our Conversation

We are on your side. Visit our blogs.

HP Security Research: hp.com/go/HPSRblog

HP Security Products: hp.com/go/SecurityProductsBlog

HP Threat Briefings: hp.com/go/ThreatBriefings

BSIMM Information: bsimm.com [email protected]

Page 34: HP Software Performance Tour 2014 - Guarding against the Data Breach


Thank You