Your SlideShare is downloading. ×
0
HP Software Performance Tour 2014 - Guarding against the Data Breach
At the HP Software Performance Tour 2014 Pierpaolo Ali’, South Europe Sales Director - HP Enterprise Security Products, illustrated the 2014 vulnerability landscape in IT security.
Published in: Technology
  • Origin: 2009, explain the idea. What are people really doing? Talked to Microsoft, Google, Adobe, DTCC, Intel, Goldman, JMPC, …
    Gather data
    Discuss data
    Create framework: 110 distinct activities. Example: use a static analysis tool, know your top x vulns, do security training, … In 3 levels: easy, medium, hard (rocket science)
    For each of the 9 firms build a scorecard
    Now: 67 firms
    No special snowflakes

  • Most important difference: prescriptive vs descriptive. Not competing. You need both!
  • 22 anonymous. No need to have your logo here. Look for more participants, especially in Europe.
  • Transcript

    • 1. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Guarding against the Breach: The 2014 Vulnerability Landscape. Pierpaolo Ali’, South Europe Sales Director, HP Enterprise Security Products. June 17, 2014
    • 2. The attack lifecycle (diagram): Discovery, Research, Infiltration, Capture, Exfiltration, spanning our enterprise and their ecosystem
    • 3. How we can disrupt the market (diagram): the same lifecycle (Discovery, Research, Infiltration, Capture, Exfiltration) across our enterprise and their ecosystem, with Planning damage mitigation, Educating users, Counter intel
    • 4. Agenda: 2013 Cyber Risk Report key findings; Understanding exactly how the attacker ecosystem works; HP Security Research; Building Security In Maturity Model
    • 5. 2013 Cyber Risk Report
    • 6. Key Findings: Research gains attention, but vulnerability disclosures stabilize and decrease in severity; 80% of applications contain vulnerabilities exposed by incorrect configuration; Differing definitions of “malware” make measuring mobile malware risk extremely difficult
    • 7. Key Findings: The attack surface allows for multiple avenues for compromise; 46% of mobile iOS and Android applications use encryption improperly; Internet Explorer was the software most targeted by Zero Day Initiative (ZDI) researchers
    • 8. Key Findings: SCADA systems are increasingly targeted; Sandbox bypass vulnerabilities are the #1 issue for Java
    • 9. Conclusions: Mitigate risk; Respond appropriately; Reduce attack surface
    • 10. Going beyond the basics of best practices: Remember that people are part of your organization’s perimeter too; Don’t rely solely on traditional defensive perimeter security; Expect to be compromised
    • 11. Going beyond the basics of best practices: Make security and response a continuous process; Understand that not all information and network assets are equal; Seek out credible and reliable security intelligence
    • 12. Understanding exactly how the Attacker Ecosystem Works
    • 13. A recent event
    • 14. Repeat attacks (diagram): Company A, Company B, Company C; Zero Day, Malicious IP Address, Malware Variant; each marked NEW EVENT
    • 15. Recruiting
    • 16. Job offers
    • 17. Escrow services
    • 18. Training
    • 19. HP Security Research
    • 20. HP Enterprise Security Products
    • 21. HP Security Research (diagram): Ecosystem partners (SANS, CERT, NIST, ReversingLabs, software and reputation vendors); ESS: ~3000 researchers, 2000+ customers sharing data, 7000+ managed networks globally; HP Security Research: innovative research, thought leadership; Actionable security intelligence: automatically integrated into HP products; HP finds more vulnerabilities than the rest of the market combined; Top security vulnerability research organization for the past three years (Frost & Sullivan)
    • 22. The Value HP TippingPoint DVLabs Provides. Vulnerability Research: Crowd-sourced 0-day and vulnerability research through the Zero Day Initiative (ZDI); Original vulnerability research on widely-used software; Targeted research on emerging threat technologies and trends. Malware Research: Reputation feed of malicious hosts and IP addresses; In-depth threat research. Weekly updates to stay ahead of the threats
    • 23. Heartbleed…
    • 24. Building Security In: HP SSR. Consistent delivery of quarterly content updates (03-29-2013, 06-28-2013, …). Original Research: malware analysis, access control validation, … Secure Coding Rulepacks (SCA): 563 unique categories of vulnerabilities across 21 languages and over 720,000 individual APIs. Runtime Rulepack Kits: HP Fortify SecurityScope, HP Fortify Runtime Application Logging, HP Fortify Runtime Application Protection (RTAP). WebInspect SecureBase (WebInspect): next-generation security testing capabilities. [Chart: HP, per-quarter counts from 05 Q1 to 13 Q1, y-axis 0 to 600]
    • 25. Building Security In Maturity Model (BSIMM)
    • 26. Building BSIMM (2009): Big idea: build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives; Created a software security framework; Interviewed nine firms in person; Discovered 110 activities through observation; Organized the activities in 3 levels; Built a scorecard; The model has been validated with data from 67 firms; There are no special snowflakes
    • 27. Prescriptive versus Descriptive Models: Prescriptive models describe what you should do (circa 2006): SAFECode, SAMM, MS SDL, Touchpoints; Every firm has a methodology they follow (often a hybrid); You need an SSDL!; Descriptive models describe what is actually happening; BSIMM is a descriptive model used to measure multiple prescriptive SSDLs
    • 28. 67 Firms in the BSIMM-V Community, plus 22 firms that remain anonymous
    • 29. Compare yourself with your peers and other business units; track your performance over time…
    • 30. BSIMM by the Numbers
    • 31. Conclusion: Don’t rely solely on traditional defensive perimeter security. Know thy enemy. Expect to be compromised. Security Research can provide proactive insight into global, vertical-specific, and geographic threats. BSIMM: measure how well you’re doing
    • 32. Questions?
    • 33. Join Our Conversation. We are on your side. Visit our blogs. HP Security Research: hp.com/go/HPSRblog; HP Security Products: hp.com/go/SecurityProductsBlog; HP Threat Briefings: hp.com/go/ThreatBriefings; BSIMM Information: bsimm.com, bsimm@hp.com
    • 34. Thank You