Information Security Challenges and Strategies for 2007+

Mark Bouchard, CISSP, Missing Link Security Services, LLC, [email protected]

(PowerPoint presentation)

Page 1: Information Security Challenges and Strategies for 2007+

Information Security Challenges and Strategies for 2007+

Mark Bouchard, CISSP
Missing Link Security Services, LLC
[email protected]

Page 2: Information Security Challenges and Strategies for 2007+

Missing Link Security Services™

Agenda

Enterprise IT
• What’s hot, what’s not, and what could be

Enterprise Security
• Threat and Vulnerability Trends
• Communications vs. Content
• Countermeasures: what’s hot, what’s not

In Focus: Threat & Vulnerability Management
• Bits and pieces
• The emergence of the Enterprise TVM System

Summary & Conclusions
• Call to action

Page 3: Information Security Challenges and Strategies for 2007+


Enterprise IT – Part 1

Virtualization
• Objective: efficient resource utilization
• Implication: complicates monitoring

VoIP
• Objective: reduced costs
• Implication: more stuff to secure

SOA / Web services
• Objective: flexible, re-usable modules
• Implication: less structured comms

Software-as-a-Service (SaaS)
• Objective: faster; lower TCO
• Implication: more/bigger Internet connections

Executive Concerns (Source: Harris Interactive, n=197)
• 61% security breaches
• 55% acts of terrorism
• 40% corp. malfeasance
• 21% product recalls
• 19% workforce violence

Page 4: Information Security Challenges and Strategies for 2007+


Enterprise IT – Part 2

What’s Not Hot
Budgets
• Flat to slightly positive; but also focusing on cost cutting
RFID
• Pockets only
Vista (and Office 2007)
• ~64% say “not in 2007” (source: Deutsche Bank Equity Research)

What Could Be Hot
Think consumer/personal crossovers
• Video (e.g., in retail banking)
• 3D Graphics (e.g., in education)
• Intranet blogging, etc.
WAN optimization

(Slide image: computerized stereolithograph skull of a 2000-year-old Egyptian mummy)

Page 5: Information Security Challenges and Strategies for 2007+

Agenda (repeated from Page 2)

Page 6: Information Security Challenges and Strategies for 2007+


The Threat Landscape

Greater volume of threats
• Change in hacker motivation
• Exploit development tools
• Modularity of threats

Faster creation of threats
• V-to-E (vulnerability-to-exploit) window is shrinking

Fast propagation of threats
• Stable, but still not great

More elusive than ever!
• Blended becoming status quo
• Greater variety of threat types
• Attacking higher up the stack
• Increasingly targeted

Vulnerability to Exploit (avg. in days; approximate, various sources)
• ’01: 280
• ’02: 90
• ’03: 25
• ’04: 10
• ’05: <5
• 2006: <3 days

Page 7: Information Security Challenges and Strategies for 2007+


The Vulnerability Landscape

Greater volume of vulns
• 2,249 new vulns in 1H06; up 18%
• 80% are “easily exploitable”

Vuln drivers
• Expanding/complex tech portfolio
• Adoption of mobility solutions
• More web applications
• Window of exposure
• Availability of fuzzing tools

Implications
• Better asset management
• Greater efficiency in mature areas
• More flexible security solutions

Average Days From Vulnerability to Patch (Source: Symantec ISTR Vol. IX)
• 2H04: 40
• 1H05: 64
• 2H05: 49
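The two windows charted on this slide and the previous one, vulnerability-to-exploit (V-to-E) and vulnerability-to-patch (V-to-P), only help a TVM program when they are tracked per asset against the date the patch was actually deployed, since that is the interval the program controls. The following is an added example, not code from the presentation or from Missing Link Security Services; the vulnerability records, the identifiers (VULN-A and so on), the dates and the prioritisation rule are all constructed here for illustration.

```python
"""Window-of-exposure bookkeeping for a vulnerability inventory (added example;
records, identifiers and dates below are constructed, not real advisories)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    vuln_id: str                    # hypothetical identifier, not a CVE
    asset: str
    disclosed: date                 # public disclosure of the vulnerability
    exploit_public: Optional[date]  # None if no public exploit is known
    patch_released: Optional[date]  # None if the vendor has not shipped a fix
    patch_deployed: Optional[date]  # None if this asset is still unpatched


def days_between(start: date, end: Optional[date], today: date) -> int:
    """Days from start to end; an open interval is measured up to today."""
    return ((end or today) - start).days


def assess(rec: VulnRecord, today: date) -> Dict[str, object]:
    """Compute V-to-E, V-to-P and the asset's real exposure window."""
    v_to_e = None if rec.exploit_public is None else days_between(rec.disclosed, rec.exploit_public, today)
    v_to_p = None if rec.patch_released is None else days_between(rec.disclosed, rec.patch_released, today)
    # Exposure is what the TVM program controls: disclosure until the fix is on the box.
    exposure = days_between(rec.disclosed, rec.patch_deployed, today)
    # The shrinking V-to-E window produces exactly this case: exploit out before any patch.
    exploit_before_patch = rec.exploit_public is not None and (
        rec.patch_released is None or rec.exploit_public < rec.patch_released
    )
    return {
        "vuln_id": rec.vuln_id,
        "asset": rec.asset,
        "v_to_e_days": v_to_e,
        "v_to_p_days": v_to_p,
        "exposure_days": exposure,
        "still_exposed": rec.patch_deployed is None,
        "exploit_before_patch": exploit_before_patch,
    }


def average_window(results: List[Dict[str, object]], key: str) -> Optional[float]:
    """Mean of one window over the records where it is defined."""
    vals = [r[key] for r in results if r[key] is not None]
    return sum(vals) / len(vals) if vals else None


def prioritize(results: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Remediation order: exploit-before-patch first, then still-exposed, then longest exposure."""
    return sorted(
        results,
        key=lambda r: (not r["exploit_before_patch"], not r["still_exposed"], -r["exposure_days"]),
    )


# Constructed inventory; every date here is illustrative.
TODAY = date(2007, 1, 15)
INVENTORY: List[VulnRecord] = [
    VulnRecord("VULN-A", "web-01", date(2006, 11, 1), date(2006, 11, 3), date(2006, 11, 20), date(2006, 11, 25)),
    VulnRecord("VULN-B", "db-01", date(2006, 12, 1), date(2006, 12, 2), None, None),
    VulnRecord("VULN-C", "file-01", date(2006, 10, 1), None, date(2006, 10, 15), date(2006, 10, 20)),
]


def run(inventory: List[VulnRecord] = INVENTORY, today: date = TODAY) -> Dict[str, object]:
    """Summarise the inventory: average windows plus the remediation queue."""
    results = [assess(r, today) for r in inventory]
    return {
        "avg_v_to_e_days": average_window(results, "v_to_e_days"),
        "avg_v_to_p_days": average_window(results, "v_to_p_days"),
        "remediation_queue": [r["vuln_id"] for r in prioritize(results)],
        "results": results,
    }


if __name__ == "__main__":
    summary = run()
    print("avg V-to-E:", summary["avg_v_to_e_days"], "days; avg V-to-P:", summary["avg_v_to_p_days"], "days")
    for r in prioritize(summary["results"]):
        print(r)
```

With the constructed records, VULN-B (exploit public, no vendor patch, asset still unpatched) sorts to the top of the queue even though VULN-A has the larger historical V-to-P, which is the point: the averages describe the landscape, the per-asset exposure drives the work.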

Page 8: Information Security Challenges and Strategies for 2007+


Communications vs. Content

OSI Reference Model (Layers 1-7), plus additional ‘real-world’ layers (i.e., > 7):

Comms Services
• Layer 1: Physical
• Layer 2: Data Link
• Layer 3: Network
• Layer 4: Transport
• Layer 5: Session
• Layer 6: Presentation
• Layer 7: Application

Content & Biz Logic
• Layer 8: Utility App
• Layer 9: Business App
• Layer 10: Data

There are many tools that provide “app layer” protection
• Deep inspection firewalls
• Intrusion prevention systems

But what does “app layer” really mean?
• Layer 7 = application “services”
• Layer 7 ≠ utility app logic
• Layer 7 ≠ business app logic
• Layer 7 ≠ data

Better model/approach
• Communications protection
• Content protection

Page 9: Information Security Challenges and Strategies for 2007+


Layer 8+ Security Solutions

Web application firewalls
• Mostly covering layer 9
• Mostly positive model
• Challenging to implement
• Do not alleviate need for TVM
• PCI DSS v1.1, Requirement 6.6

Database “firewalls”
• Mostly covering layer 10 (?)
• Against SQL injection attacks: shouldn’t be necessary
• Other protection features tip the scale
• Examples: Application Security, Guardium, Imperva
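Why a database firewall “shouldn’t be necessary” against SQL injection, and what a positive-model check at layer 9 amounts to, as an added example that is not code from the presentation or from any vendor named above. It uses an in-memory SQLite table with constructed rows; the vulnerable lookup splices user input into the SQL text (the pattern a database firewall tries to catch), the hardened lookup binds it as a parameter so the same payload is only data, and PARAM_SCHEMA is a hypothetical per-parameter allowlist of the kind a positive-model WAF enforces. Function and parameter names are assumptions made here.

```python
"""SQL injection at layer 10 vs. a positive-model check at layer 9 (added example;
table contents, schema and names are constructed for illustration)."""
import re
import sqlite3
from typing import Dict, List, Tuple

PAYLOAD = "' OR '1'='1"   # classic tautology injection


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; the SSNs are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, ssn) VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002"), ("carol", "000-00-0003")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the input becomes part of the SQL text, so a quote
    in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT username, ssn FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened: the driver binds the value after parsing; quotes cannot end the literal.
    This is the fix that makes a database 'firewall' unnecessary for this class of bug."""
    return conn.execute(
        "SELECT username, ssn FROM customers WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical positive-model schema: only these parameters, only these shapes.
# Anything not explicitly allowed is rejected; no signature list is consulted.
PARAM_SCHEMA = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "page": re.compile(r"[0-9]{1,4}"),
}


def positive_model(params: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). Unknown parameters and off-schema values are rejected."""
    reasons = []
    for name, value in params.items():
        pattern = PARAM_SCHEMA.get(name)
        if pattern is None:
            reasons.append(f"unknown parameter {name!r}")
        elif not pattern.fullmatch(value):
            reasons.append(f"{name!r} does not match the allowed shape")
    return (not reasons, reasons)


def demo() -> Dict[str, object]:
    """Run the payload through both lookups and the allowlist."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),       # every row leaks
        "parameterized_rows": len(lookup_parameterized(conn, PAYLOAD)), # no such username
        "legit_rows": len(lookup_parameterized(conn, "bob")),
        "waf_blocks_payload": not positive_model({"username": PAYLOAD})[0],
        "waf_passes_legit": positive_model({"username": "bob", "page": "2"})[0],
        "waf_blocks_unknown": not positive_model({"username": "bob", "debug": "1"})[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The allowlist stops this payload, but note that it passes a legitimate username only because the schema was written for this application, which is why the slide calls positive-model WAFs challenging to implement: every parameter the business app accepts has to be described, and the parameterized query is still the control that removes the bug rather than filtering it.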

Page 10: Information Security Challenges and Strategies for 2007+


Data (Layer 10) Security Solutions

Information leak prevention
• Driven by privacy and compliance
• Multi-channel issue
• Dubious breakdown/stats
• Low effectiveness, very high cost

Disk encryption
• Response to laptop loss/theft
• Not just file
• Intersection of two themes

Mobile/endpoint security
• One of the weakest links
• Configuration mgmt vs security
• Microsoft is rising fast

Key ILP Contenders

Page 11: Information Security Challenges and Strategies for 2007+


Not So Hot

Network Admission Control
• Cluttered market
• Slow roller
• Is it what you really want?

Identity Management
• Becoming background “noise”
• Policy/authorizations bigger deal

Compliance Fatigue
• Foundations are in place

De-perimeterization
• Poor term for relatively good ideas
• Pervasive perimeterization instead

NAC: Network Admission Confusion

Page 12: Information Security Challenges and Strategies for 2007+

Agenda (repeated from Page 2)

Page 13: Information Security Challenges and Strategies for 2007+


Evolution of Threat & Vuln Mgmt - 1

Threat Management
• Hot: better visibility
• Med: policy enforcement
• Cold (still): automated response

Vulnerability Management
• Hot: remediation
• Med: penetration integration
• Cold (still): asset integration

Log management
• Why is it so hot?

The emergence of TVM
• Lifecycle approach
• Systems approach
• Services approach

Attack lifecycle (Time/Value of Impact)
• Before attack: Police, Protect
• During attack: Detect, Interdict
• After attack: Analyze, Recover, Respond

Must Have Full Coverage

Page 14: Information Security Challenges and Strategies for 2007+


Evolution of Threat & Vuln Mgmt - 2

Enterprise TVM System (diagram)
• Context: Environment, Behavior, Identity
• Vuln. Detection: Active, Passive, Pen. Test
• Threat Detection: Signatures, Heuristics, Anomalies
• Analyzers, fed by Vuln. Knowledge and Threat Knowledge
• Remediation
• Policy Enforcement / Interdiction
• Forensics
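The three threat-detection methods in the diagram (signatures, heuristics, anomalies) run over a handful of constructed web-server log lines, as an added example that is not code from the presentation. The log format, the two signatures, the failed-login threshold, the baseline request rates and the function names are all assumptions made here; the point is how differently each method fails and what each one can see that the others cannot.

```python
"""Signature, heuristic and anomaly detection over constructed log lines (added
example; format, signatures, thresholds and baseline are assumptions)."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed sample: "<timestamp> <source> <method> <path> <status>"
LOG_LINES = [
    "2007-01-15T10:00:01 10.0.0.5 GET /index.html 200",
    "2007-01-15T10:00:02 10.0.0.5 GET /about.html 200",
    "2007-01-15T10:00:05 10.0.0.9 POST /login 401",
    "2007-01-15T10:00:06 10.0.0.9 POST /login 401",
    "2007-01-15T10:00:07 10.0.0.9 POST /login 401",
    "2007-01-15T10:00:08 10.0.0.9 POST /login 401",
    "2007-01-15T10:00:09 10.0.0.9 POST /login 401",
    "2007-01-15T10:00:10 10.0.0.9 POST /login 200",
    "2007-01-15T10:00:12 10.0.0.7 GET /cgi-bin/../../etc/passwd 404",
    "2007-01-15T10:01:03 10.0.0.5 GET /news.html 200",
    "2007-01-15T10:01:20 10.0.0.7 GET /search?q=x'%20or%20'1'='1 200",
    "2007-01-15T10:01:44 10.0.0.5 GET /contact.html 200",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse(line: str) -> Optional[Dict[str, object]]:
    """Turn one log line into an event dict; malformed lines are dropped, not guessed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "path": path, "status": int(status)}


# Signatures: exact knowledge of a known-bad pattern. Cheap and precise, but
# only catch what has already been seen and encoded.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'(\s|%20)*or(\s|%20)*'1'='1", re.IGNORECASE),
}


def signature_hits(events: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    return [
        (name, e["src"], e["path"])
        for e in events
        for name, pat in SIGNATURES.items()
        if pat.search(e["path"])
    ]


def brute_force_heuristic(events: List[Dict[str, object]], threshold: int = 5) -> Dict[str, Dict[str, object]]:
    """Heuristic: N failed logins from one source, and whether a success followed.
    No signature for the traffic, just a rule about how attackers behave."""
    failures: Counter = Counter()
    succeeded_after = defaultdict(bool)
    for e in events:
        if e["path"] != "/login":
            continue
        if e["status"] == 401:
            failures[e["src"]] += 1
        elif e["status"] == 200 and failures[e["src"]] >= threshold:
            succeeded_after[e["src"]] = True   # brute force that worked: highest priority
    return {
        src: {"failures": n, "succeeded_after": succeeded_after[src]}
        for src, n in failures.items() if n >= threshold
    }


# Constructed baseline: requests per minute seen in "normal" past minutes.
BASELINE_PER_MINUTE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4]


def rate_anomalies(events: List[Dict[str, object]], baseline: List[int] = BASELINE_PER_MINUTE,
                   z_threshold: float = 3.0) -> Dict[str, Dict[str, object]]:
    """Anomaly: a minute whose request count sits more than z_threshold standard
    deviations above the baseline. Sees novel attacks, says nothing about what they are."""
    per_minute = Counter(e["ts"][:16] for e in events)   # "YYYY-MM-DDTHH:MM"
    mu, sigma = mean(baseline), pstdev(baseline)
    return {
        minute: {"count": n, "z": round((n - mu) / sigma, 2), "flag": (n - mu) / sigma > z_threshold}
        for minute, n in sorted(per_minute.items())
    }


def run(lines: List[str] = LOG_LINES) -> Dict[str, object]:
    events = [e for e in map(parse, lines) if e]
    return {
        "signatures": signature_hits(events),
        "brute_force": brute_force_heuristic(events),
        "anomalies": rate_anomalies(events),
    }


if __name__ == "__main__":
    for section, result in run().items():
        print(section, result)
```

On this sample each method sees something the other two miss: the signatures flag the traversal and the tautology, the heuristic flags 10.0.0.9’s five failures followed by a success, and the rate anomaly flags minute 10:00 without knowing why it was busy. That is the argument for the diagram’s “Analyzers” box, which is where the three outputs get correlated with vulnerability knowledge before anyone is paged.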

Page 15: Information Security Challenges and Strategies for 2007+

Agenda (repeated from Page 2)

Page 16: Information Security Challenges and Strategies for 2007+


Summary & Conclusions

Call to Action
• Be prepared to account for and secure other IT initiatives
• Be prepared for threat and vulnerability trends by establishing:
  • Comprehensive functional coverage
  • Comprehensive logical coverage
  • Comprehensive physical coverage
• Plan to embrace the most promising countermeasures
  • Web app firewalls, disk encryption, network behavior analysis
  • Others: unified threat management, managed security services
• Be wary of less mature (/more complex) “solutions”
  • NAC, information leak prevention, de-perimeterization
• Embrace the concept of a TVM System
  • Components first; integrated system soon