HP Software Performance Tour 2014 - Guarding against the Data Breach
Transcript of HP Software Performance Tour 2014 - Guarding against the Data Breach
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Guarding against the Breach
The 2014 Vulnerability Landscape
Pierpaolo Ali, South Europe Sales Director, HP Enterprise Security Products
June 17, 2014
Discovery
The attack lifecycle
Research
Our enterprise
Their ecosystem
Infiltration
Capture
Exfiltration
Discovery
How we can disrupt the market
Research
Our enterprise
Their ecosystem
Infiltration
Capture
Exfiltration
Planning damage mitigation
Educating users
Counter intel
Agenda
2013 Cyber Risk Report key findings
Understanding Exactly how the Attacker Ecosystem Works
HP Security Research
Building Security in Maturity Model
2013 Cyber Risk Report
Key Findings
Research gains attention, but vulnerability disclosures stabilize and decrease in severity
80% of applications contain vulnerabilities exposed by incorrect configuration
Differing definitions of “malware” make measuring mobile malware risk extremely difficult
Key Findings
The attack surface allows for multiple avenues for compromise
46% of mobile iOS and Android applications use encryption improperly
Internet Explorer was the software most targeted by Zero Day Initiative (ZDI) researchers
Key Findings
SCADA systems are increasingly targeted
Sandbox bypass vulnerabilities are the #1 issue for Java
Conclusions
Mitigate Risk
Respond Appropriately
Reduce Attack Surface
Going beyond the basics of best practices
Remember that people are part of your organization’s perimeter too
Don’t rely solely on traditional defensive perimeter security
Expect to be compromised
Going beyond the basics of best practices
Make security and response a continuous process
Understand that not all information and network assets are equal
Seek out credible and reliable security intelligence
Understanding exactly how the Attacker Ecosystem Works
A recent event
Repeat attacks
Company A: NEW EVENT
Zero Day
Company B
Company C
Malicious IP Address
Malware Variant
NEW EVENT
NEW EVENT
Recruiting
Job offers
Escrow services
Training
HP Security Research
HP Enterprise Security Products
HP Security Research
Ecosystem partners: SANS, CERT, NIST, ReversingLabs, software, and reputation vendors
• ~3000 researchers
• 2000+ customers sharing data
• 7000+ managed networks globally
ESS
HP Security Research: innovative research, thought leadership
Actionable security intelligence
• Automatically integrated into HP products
• HP finds more vulnerabilities than the rest of the market combined
• Top security vulnerability research organization for the past three years (Frost & Sullivan)
The Value HP TippingPoint DVLabs Provides
Vulnerability Research
Crowd-sourced 0-day and vulnerability research through the Zero Day Initiative (ZDI)
Original vulnerability research on widely-used software
Targeted research on emerging threat technologies and trends
Malware Research
Reputation feed of malicious hosts and IP addresses
In-depth threat research
Weekly updates to stay ahead of the threats
Heartbleed…
Building Security In: HP SSR
Original Research: malware analysis, access control validation, …
Secure Coding Rulepacks (SCA): 563 unique categories of vulnerabilities across 21 languages and over 720,000 individual APIs
Runtime Rulepack Kits: HP Fortify SecurityScope, HP Fortify Runtime Application Logging, HP Fortify Runtime Application Protection (RTAP)
WebInspect SecureBase (WebInspect): next-generation security testing capabilities
Consistent delivery of quarterly content updates (03-29-2013, 06-28-2013, …)
Building Security in Maturity Model (BSIMM)
Building BSIMM (2009)
Big idea: Build a maturity model from actual data gathered from 9 well known large-scale software security initiatives
• Created a software security framework
• Interviewed nine firms in-person
• Discovered 110 activities through observation
• Organized the activities in 3 levels
• Built a scorecard
The model has been validated with data from 67 firms
There are no special snowflakes
Prescriptive versus Descriptive Models
Prescriptive models describe what you should do (circa 2006)
SAFECode, SAMM, MS SDL, Touchpoints
Every firm has a methodology they follow (often a hybrid)
You need an SSDL!
Descriptive models describe what is actually happening
BSIMM is a descriptive model used to measure multiple prescriptive SSDLs
67 Firms in the BSIMM-V Community
Plus 22 firms that remain anonymous
Compare yourself with…
• Your peers
• Other business units
Track your performance over time…
BSIMM by the Numbers
Conclusion
Don’t rely solely on traditional defensive perimeter security.
Know thy enemy. Expect to be compromised.
Security Research can provide proactive insight into global, vertical-specific, and geographic threats.
BSIMM: Measure how well you’re doing
Questions?
Join Our Conversation
We are on your side. Visit our blogs.
HP Security Research: hp.com/go/HPSRblog
HP Security Products: hp.com/go/SecurityProductsBlog
HP Threat Briefings: hp.com/go/ThreatBriefings
BSIMM Information: bsimm.com [email protected]
Thank You