SECURITY A MULTI-LAYERED APPROACH
FAST | RESPONSE
CUSTOM | SOLUTIONS
FUTURE | CURVE
Today’s Dilemma
Business Need
• Increase Agility
• Reduce Cost
• Innovate
IT Need
• Reduce Cost
• Achieve Compliance
• Improve Security
Malware and Attack Trending
New attacks on Adobe vulnerabilities outnumber those on Microsoft products 100:1 (Q4 2010, McAfee Labs)
Email is the main carrier of malware and phishing scams [1]
Spam volume down ~50%, but mobile threats up 46% (Q4 2010, McAfee Labs)
An average of 4 million new zombies created per month [1]
Malware Growth Continues
[Chart: cumulative malware sample count by month, Jan 2009 through Dec 2010; y-axis 0 to 60,000,000]
McAfee Labs identifies approximately 55,000 pieces of new malware each day
Threats
Top Global Threats
• Malicious Iframes
• Malicious Windows Shortcut Files
• Parasitic File Infector
• USB-Based AutoRun Parasitic Malware
• Web-Based File Infectors
North America
• Malicious Iframes
• Malicious Windows Shortcut Files
• Parasitic File Infector
• Web-Based File Infectors
• USB-Based AutoRun Parasitic Malware
Data Breaches Do Not Discriminate
“DuPont scientist stole 22,000 sensitive documents worth $400M as he got ready to take a job with a competitor…”
“Medical provider had to notify over 130,000 people of a data breach due to the loss of digital media with unencrypted patient data.”
“Average organizational cost of a data breach was $7.2 million, up 7 percent”
“Groupon deal of the day: 300,000 customer accounts… FREE!”
“Texas comptroller’s data breach exposes 3.5 million Social Security numbers, birth dates.”
Data Breaches - Healthcare
“Information of 20,000 people at healthcare provider in greater Seattle accessible online for nine weeks.”
“Medical provider had to notify over 130,000 people of a data breach due to the loss of digital media with unencrypted patient data.”
“Data breaches cost US Healthcare an average of $6.5 billion – enough to hire more than 81,000 RNs.”
“Delaware pediatric health facility loses data on 1.6 million”
“Patient data for 20,000 at Stanford Hospital posted to website by billing contractor.”
Data Breaches - Education
“PII of 75,000 UWM students and employees at risk after server was infected with malware.”
“Names and Social Security numbers of 43,000 people associated with Yale were publicly searchable by Google for 10 months”
“Personal information of 7,093 former Purdue University students was accessed by hacker.”
“VCU server hacked to compromise personal data of 175,000”
“Personal information of 18,931 employees at University of Georgia accessible online for several years”
What is another large burden that is being placed on organizations today?
Increasing Global Compliance Burden
Data loss requires public disclosure, forcing businesses to deploy stronger security to protect data
Compliance requirements are forcing IT to consolidate, automate and integrate
[Timeline of regulations and mandates, 1996 to 2009]
• Datenschutz (Germany)
• GISRA (USA)
• Data Protection Act (UK)
• Government Network Security Act (USA)
• California SB 1386 (USA)
• US Senate Bill 1350 Proposed (USA)
• HIPAA (USA)
• Gramm-Leach-Bliley (USA)
• Japan Personal Information Protection Act (PIPA)
• US Government OMG Initiative (USA)
• Directive on Protection of Personal Data (EU)
• Sarbanes-Oxley (USA)
• Payment Card Industry Data Security Standard
• The Personal Information Protection and Electronic Documents Act (Canada)
• Federal Desktop Core Configuration (US Civilian)
• Government’s Code of Connection (CoCo) (UK)
Who in the organization is responsible for security?
Security Responsibility
Security is Everyone's Responsibility
See Something, Say Something!
Protection Against all Threats
Host IPS: vulnerabilities in the last 2 years equal the vulnerabilities in the 17 years before it [3]
AV/AntiMalware: 34% growth YoY in 2009
AntiSpyware: 66% PUPs CAGR for the last 5 years [1]
AntiSpam: 45% annual growth of spam per email message in the last 6 years [2]
Data Protection: over 85% of data breaches are due to insider negligence, not external attacks
Content Filter: 233% growth in the number of malicious sites in 2H09 [4]
Threat categories shown: Sensitive Data, SPAM, Malware/Rootkits, Vulnerabilities, Spyware, Unsafe/Inappropriate Websites, Internet
[1] Avert Labs [2] Message Labs [3] National Vulnerability Database http://nvd.nist.gov/statistics.cf [4] http://www.i-policy.org/privacysecurity/
What do we need to protect?
DATA and the END POINT
What to Protect
DATA: Data protection is the practice of protecting regulated and proprietary data from being accessed or shared by unauthorized individuals with the use of technology (e.g., data loss prevention, data encryption and device control technologies) and operational procedures.
Is your data in the wild?
Sources: Dark Reading/InformationWeek survey (2009); MIS Training Institute survey at CISO Summit (2009); McAfee Datagate Report, produced by DataMonitor (survey of 1400 IT professionals across UK, US, DR, DE, and Australia)
• 77% unable to audit or quantify loss after a data breach
• 73% of data breaches come from internal sources
• 80% of CISOs see employees as the greatest data threat
How does Data Leak?
How Data Leaks
Data states: In Use, At Rest, In Motion (from the organization's data sources)
User actions that leak data:
• Copy to device
• Cut, copy, paste
• Print
• Move files
• Access shares
• Outbound email
• IM, blogs
• Web posting
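The leak channels above are where a DLP system inspects content before it leaves. The following is an added example, not code from the slides or from any vendor's DLP product: a small content-inspection engine that scans a message bound for a given channel for US Social Security numbers and payment card numbers, validates each hit (SSA issuance rules, Luhn checksum) so that arbitrary digit strings do not raise alerts, masks the value before it is recorded, and maps channel plus finding to a policy action. The channel names, policy table and sample events are constructed for the example.

```python
"""Added example (not from the slides or any DLP vendor): a minimal
content-inspection engine for data in motion (outbound email, IM, web
posting) and data in use (copy to device, print). Sample messages,
channel names and the policy table below are constructed."""
import re
from dataclasses import dataclass

# Hyphenated 3-2-4 group; lookarounds stop it matching inside longer numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    value: str   # matched text as it appeared in the message
    masked: str  # form that is safe to write to an alert log


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the log itself does not leak data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(text: str) -> list:
    """Return validated findings in the text; unvalidated hits are dropped."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0), mask(m.group(0).replace("-", ""))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", m.group(0), mask(digits)))
    return findings


# Constructed policy: action per channel and finding kind.
POLICY = {
    "email":   {"ssn": "block", "card": "block"},
    "webpost": {"ssn": "block", "card": "block"},
    "usb":     {"ssn": "block", "card": "block"},
    "print":   {"ssn": "alert", "card": "alert"},
}
ACTION_RANK = {"allow": 0, "alert": 1, "block": 2}


def decide(channel: str, findings: list) -> str:
    """Most severe action any finding triggers on this channel; unknown channels block."""
    rules = POLICY.get(channel)
    if rules is None:
        return "block" if findings else "allow"
    action = "allow"
    for f in findings:
        candidate = rules.get(f.kind, "alert")
        if ACTION_RANK[candidate] > ACTION_RANK[action]:
            action = candidate
    return action


# Constructed sample events, one per leak channel named on the slide.
SAMPLE_EVENTS = [
    ("email", "Quarterly numbers attached, call me on 555-0100."),
    ("email", "Patient SSN 123-45-6789, please update the billing record."),
    ("webpost", "Order confirmed for card 4111 1111 1111 1111 exp 12/14."),
    ("usb", "Serial 000-12-3456 is a part number; card 1234 5678 9012 3456 fails Luhn."),
    ("print", "Refund to 4111-1111-1111-1111 approved."),
]


def run_samples() -> list:
    """Inspect each event and return (channel, action, masked findings)."""
    out = []
    for channel, text in SAMPLE_EVENTS:
        findings = inspect(text)
        out.append((channel, decide(channel, findings), [f.masked for f in findings]))
    return out


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The validation step is what separates a usable DLP rule from a noisy one: the fourth event contains two nine- and sixteen-digit strings that look like identifiers but fail the issuance and Luhn checks, so it is allowed through, while the real hits are blocked on email, web posting and removable media and only alerted on print, as the constructed policy dictates.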
The Data Protection Challenge
Data is readily available over many access points
Data moves through the organization quickly
Data access is typically not constrained to need only
Complying with regulations (e.g., PCI, HIPAA, SOX)
There are high costs associated with audits
Corporate reputation/brand can be destroyed
Large penalties for breaches
Sensitive data & intellectual property can leave the organization before anyone realizes it is gone
Chain of custody may be broken
Struggling with Data Protection
According to CSO Online Research:
• “DLP can be very good, but be prepared for hidden costs and lots of management effort, including internal staffing demands”.
• “Nearly half of those with a (DLP) solution in place are planning to replace that solution within the next 12 months”.
• “you need to plan accordingly going into the (DLP) project so that it doesn’t become a budget buster in terms of both hard dollars and internal resources.”
Sample Data Protection Technology
[Diagram: McAfee DLP Manager appliance attached via a switch or tap to the Sales, International, Manufacturing and Finance networks]
Integration points: Email MTA, SSL and Web Proxy (ICAP and SMTP); Databases or Repositories; AD/LDAP; SIM
Premise-based network DLP covers data-at-rest and data-in-motion; end point host DLP covers data-in-use, including hotspots and mobile
What are some of the benefits of Data protection?
Benefits of Data Protection
Ensures compliance (e.g., PCI, HIPAA, SOX)
Prevents brand damage
Protects intellectual property
Protects R&D data
Protects sensitive data
Prevents the loss of customers to departing employees
Maintains competitive advantage
Ensures appropriate chain of custody
Supports safe, flexible use of business data
What to Protect
END POINT: End Point protection is the practice of proactively stopping and removing a broad range of threats against endpoints using technology (e.g., anti-malware, firewall, intrusion prevention technologies) and operational procedures.
What is the latest end point causing issues for the IT and Security teams?
Mobile Security and Management
Enterprise environment: Platform/Database Management, Files, Directory, Applications, Certificate Services, Messaging
Mobile platforms: Windows Mobile, Symbian, Android, webOS, iPhone, iPad
Security & Support
Mobile Security
Protect business data no matter where it sits or is accessed from
Track location of mobile devices based on location history or in real time
Force alarm sound on device to help track lost device
Lock, wipe and reset lost or stolen devices
Mobile Management
Extend IT systems management policies to mobile devices, including the iPhone, iPad, Android phone and tablets
Reduce help desk requests such as mobile email configuration through remote and automatic management capabilities
Manage all devices from desktops to mobile devices from a single platform for consistency and transparency throughout the organization
Automate email configuration and settings to one or many devices
Provide end-user support
What are some of the benefits of End Point protection?
Benefits of End Point Protection
Increased IT asset uptime
Increased end user productivity
Increased end user satisfaction
Increased security
Better deployment of strategic IT resources
Why is security lacking in most organizations?
Why is security lacking?
There is an “It will not happen to me” mentality
Leaders do not know where to start
Leaders think that network managers/administrators can ensure security
There is a lack of dedicated security resources
There is a lack of understanding as to what security encompasses
There is a lack of a budget
Security Lifecycle
Management-level Security Controls
Operational-level Security Controls
Technical-level Security Controls
FISMA Compliance Model
30,000 FT: FISMA Legislation (High Level, Generalized, Information Security Requirements)
15,000 FT: Federal Information Processing Standards (FIPS 199: Information System Security Categorization; FIPS 200: Minimum Information Security Requirements)
5,000 FT: Information System Security Configuration Settings
Hands On: NIST, NSA, DISA, Vendors, Third Parties (e.g., CIS) Checklists and Implementation Guidance
Security Operations – High Level Controls
Administrative
• Policies and procedures to define and guide actions (e.g., NAC – devices that do not meet company security requirements cannot access the network)
Technical
• Controls used to protect sensitive information (e.g., AV, Firewalls, IDS)
Physical
• Used to control physical access to sensitive information or systems (e.g., motion detectors)
Security Operations – Deeper Controls
Management
• Certification, Accreditation, Assessments
• Planning
• Risk Assessments
• System and Services Acquisition
Security Operations - Controls
Operational
• Awareness and Training
• Configuration Management
• Contingency Planning
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical and Environmental Security
• System and Information Integrity
Security Operations - Controls
Technical
• Access Control
• Audit and Accountability
• Identification and Authentication
• Systems and Communications Protections
Why Security Operations?
The bottom line is… RISK MANAGEMENT THROUGH MITIGATION AND AVOIDANCE
Implementing The CSOC
Define the scope
• Data, End Point, Network
Determine the responsibilities
• Who mitigates the threats
Impart Authority
• Must come from the CXO
Develop the Business Case
• Risk must be taken into account
Define procedures
• The CSOC is useless if they don’t know what to do
Implementing The CSOC
Staff the CSOC
• The teams must understand security
Organization
• Core Services, Internal Customers, External Customers
Integration and Cooperation
• CSOC must be integrated into the organization and have a response team ready
Technology
• These are only tools.
• Technology is not a substitute for process and discipline
Security Operations Challenges
Manual platform-level configuration management across the enterprise is unwieldy at best
A large amount of time is being spent by internal security operations personnel demonstrating compliance to a wide variety of laws and mandates using a configuration that’s fairly unchanging
Increasing number of laws and mandates
Increasing number of vulnerabilities per annum
Securing funding to properly implement a CSOC
Business specific processes
Security Operations - Options
Obviously building, staffing and operating a CSOC is a far more complex process than getting some people to watch the output of IDS sensors.
There are options…
• Do it all yourself
• Do some of it yourself and outsource some
• Outsource your security operations completely
DO NOT SKIMP ON SECURITY!
Calling the fire department after your house is on fire is too late!
AN INTRODUCTION ON HOW TO PROTECT YOUR BUSINESS INFORMATION
JAMES MCFADDEN
WILLIAM DEAN
UNIVERSITY OF TAMPA
What is your data worth?
Information Security
The preservation of confidentiality, integrity, and availability of information (ISO 17799, 2005)
“A multidisciplinary approach to information security that involves co-operation and collaboration of managers, users, administrators, application designers, auditors, and security staff, and specialists skills such as insurance and risk management” (ISO 17799, 2000, page 2).
Two useful models for understanding information security threats and solutions: the CIA Triad and Defense-in-Depth
C-I-A Triad
Well known security model describing how threats affect confidentiality, integrity, and availability.
Confidentiality - Keeping information from being disclosed when it should not be in the open.
Integrity - Preventing unauthorized tampering with or modification of data and/or the information system.
Availability - Preventing disruption of service to a system.
All information system security threats will attack at least one of these three areas.
[Diagram: CIA triad around Data + Info Systems]
Defense in Depth
Architectural strategy of layering security systems.
Successive and redundant security measures.
Diversity in Depth
Examples:
• Firewalls
• Intrusion Detection systems
• Anti-Virus Software
• Data Encryption
Defense in Depth
Physically Protect Your Data
Multiple layers of security before you can even access a computer:
• Who you are (Biometrics)
• What you know (Password)
• What you have (Access Card)
Monitored walls and gates
Underground facilities
Weather resistant
Data and power backups
Defense in Depth