Top 9 Data Security Trends for 2012Amichai ShulmanCTO & Co-Founder
Agenda   Trend selection process   Score card for 2011   Brief overview of 2012 trends   In-depth discussion and mitig...
Today’s PresenterAmichai Shulman – CTO Imperva Speaker at Industry Events   + RSA, Sybase Techwave, Info Security UK, Bla...
Trend Selection Process Collect Information   +   Media reports   +   Analysts   +   Incident reports   +   Customer feed...
Scorecard for 2011 Predictions        Trend                                                 Score   1    Regulatory Conver...
Top Security Trends for 2012: Brief Overview   SSL Gets Caught in the Crossfire   HTML5 Goes Live   DDoS Moves Up the S...
SSL Gets Caught in the Crossfire     The distributed trust model based on SSL and    PKI as currently implemented is going...
Brief Overview of SSL   Trust      Certificate Authority   Proof of Trust       User                           Service
The Demise of the Trusted CA  Trust       Certificate Authority   Proof of Trust      User                            Serv...
Targeting Corporate Certificates   Trust       Certificate Authority         Proof of Trust                               ...
Denial of Service Attacks   Trust       Certificate Authority   Proof of Trust       User                            Service
There’s More   Trust      Certificate Authority   Proof of Trust      User                           Service
SSL Caught in the Crossfire: Mitigation Strategies Invoke a serious discussion about real  alternatives for secure Web co...
SSL Caught in the Crossfire: Summary Attackers are increasingly focusing their attacks against the  various components of...
SSL Caught in the Crossfire: Summary (cont.) Hackers will leverage SSL to carry out their attacks with  increased confide...
Internal Collaboration Meets its Evil                     Twin      We expect to see a growing number of data     breaches...
In the Beginning…        Internal Access
Food Brings Along Appetite                             External Web access        Internal Access      Partner access
Risks Confidential Data Control   + A platform hosting confidential information is exposed externally   + Access control ...
Risks (cont.) Exposure to Search Engines   + Search engines constantly crawl and update their indexing     policies so th...
Risks (cont.) Increased Threat Profile - Hackers   + Advanced technical skills   + Global access and population size   + ...
Internal Collaboration Meets its Evil Twin:Mitigation Strategies Add attack protection solutions around collaboration  su...
Internal Collaboration Meets its Evil Twin: Summary We predict a growing number of data breaches due to  internal collabo...
Internal Collaboration Meets its Evil Twin: Summary(cont.) Risks of extending an internal platform to external use -  con...
NoSQL = No Security?     We expect NoSQL data security to become a      concern for enterprises next year, possibly       ...
BIG Overview of Big Data                    Scalability                    Availability
BIG Overview of Big Data Security                       Scalability                       AvailabilitySecurity has been pu...
RISKS        Model Maturity        Software Maturity        Staff Maturity
Risks (cont.)           Client Software – Re-           inventing the Wheel           Data Redundancy and           Disper...
NoSQL = No Security?: Mitigation Strategy General solutions are not expected before 2013 Carefully choose dev team to in...
NoSQL = No Security?: Summary Model Maturity   + Not enough security built into existing offering   + Desired security mo...
NoSQL = No Security?: Summary (cont.) Client software is rebuilding security   + Since security does not exist on server ...
The Kimono Comes Off of                Consumerized IT     We expect organizations to spend a lot of time,       money and...
IT Consumerization               Enterprise Network
IT Consumerization + Cloud               Enterprise Network
Taking Control Back?               Enterprise Network
Taking Control Back?               Enterprise Network
The Kimono Comes Off of Consumerized IT:Mitigation Strategies Put more control around data store rather than  end-point ...
The Kimono Comes Off of Consumerized IT:Summary Companies are trying to get control back the wrong way  – Restricting the...
The Kimono Comes Off of Consumerized IT:Summary (cont.) Enterprise infrastrcutre is required to provide the same  level o...
Mitigation Strategies for the Other Trends                                        CONFIDENTIAL
Dealing with the Other Trends: MitigationStrategies (1) HTML5 Goes Live   + Assume user devices are compromised   + Learn...
Dealing with the Other Trends: MitigationStrategies (2) Anti-Social Media   + Solutions must be incorporated into existin...
Webinar Materials Get LinkedIn to Imperva Data Security Direct for…                         Answers to        Post-Webinar...
www.imperva.com
Upcoming SlideShare
Loading in …5
×

Top 9 Data Security Trends for 2012

1,403 views

Published on

With the Epsilon mega-breach, malicious mobile apps on the rise, Lulzsec, Anonymous, APT and the collapse of News of the World all within the past 12 months, 2011 was a good year if you were a hacker. This presentation reveals the Imperva Application Defense Center's top nine data security predictions for 2012, as well as key changes in the legal/compliance landscape. Trends include: DDoS, NoSQL, HTML 5, SSL, consumerized IT, internal collaboration platforms, and social media.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,403
On SlideShare
0
From Embeds
0
Number of Embeds
13
Actions
Shares
0
Downloads
25
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Top 9 Data Security Trends for 2012

  1. 1. Top 9 Data Security Trends for 2012Amichai ShulmanCTO & Co-Founder
  2. 2. Agenda Trend selection process Score card for 2011 Brief overview of 2012 trends In-depth discussion and mitigation techniques: + SSL Gets Hit in the Crossfire + Internal Collaboration Meets Its Evil Twin + NoSQL = No Security? + The Kimono Comes off of Conumerized IT Mitigation strategies for the other trends
  3. 3. Today’s PresenterAmichai Shulman – CTO Imperva Speaker at Industry Events + RSA, Sybase Techwave, Info Security UK, Black Hat Lecturer on Info Security + Technion - Israel Institute of Technology Former security consultant to banks & financial services firms Leads the Application Defense Center (ADC) + Discovered over 20 commercial application vulnerabilities – Credited by Oracle, MS-SQL, IBM and others Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
  4. 4. Trend Selection Process Collect Information + Media reports + Analysts + Incident reports + Customer feedback + Vulnerabilities, hacker forums Analyze + Extract the chaff from the wheat Trends are not necessarily technical + Information security is influenced by human nature at least as it is by technology + Business environment and legislative trends have huge impact
  5. 5. Scorecard for 2011 Predictions Trend Score 1 Regulatory Convergence B 2 Information security becomes a business process A 3 Hacker activity consolidation A- 4 Mobile devices impact data and application security B 5 Data and application security in the cloud A- 6 File security takes center stage A 7 Social networks to invest in security A+ 8 Man in the browser attacks A+ 9 Insider threat awareness A+ 10 APT meets industrialized hacking A
  6. 6. Top Security Trends for 2012: Brief Overview SSL Gets Caught in the Crossfire HTML5 Goes Live DDoS Moves Up the Stack Internal Collaboration Meets Its Evil Twin NoSQL = NoSecurity? The Kimono Comes Off of Consumerized IT Anti-Social Media The Rise of the Middle Man Security (Finally) Trumps Compliance
  7. 7. SSL Gets Caught in the Crossfire The distributed trust model based on SSL and PKI as currently implemented is going bankrupt7 CONFIDENTIAL
  8. 8. Brief Overview of SSL Trust Certificate Authority Proof of Trust User Service
  9. 9. The Demise of the Trusted CA Trust Certificate Authority Proof of Trust User Service
  10. 10. Targeting Corporate Certificates Trust Certificate Authority Proof of Trust IDS/IPS Load Balancer CDN WAF User Service
  11. 11. Denial of Service Attacks Trust Certificate Authority Proof of Trust User Service
  12. 12. There’s More  Trust Certificate Authority Proof of Trust User Service
  13. 13. SSL Caught in the Crossfire: Mitigation Strategies Invoke a serious discussion about real alternatives for secure Web communications + Moxie Marlinspike took off the glove in Blackhat 2011 + Requires both industry and academic research Strengthen anti-Dos and anti-DDoS protection
  14. 14. SSL Caught in the Crossfire: Summary Attackers are increasingly focusing their attacks against the various components of SSL Attacks against PKI + Attackers have repeatedly compromised various CA organizations + Any CA can issue a digital certificate for any application + A hacker, who gains control on any CA, can issue forged certificates and impersonate any website The theft of issued certificates + Application certificates are no longer limited to being stored by the application + Proxies, load balancers, content delivery networks, DLP and WAF solutions need to access the certificate’s private key Denial of service attacks + Heavy computational burden by the SSL-handshake process
  15. 15. SSL Caught in the Crossfire: Summary (cont.) Hackers will leverage SSL to carry out their attacks with increased confidentiality + Intermediate proxies cannot add headers to indicate original sender IP address + Loss of information when following a link from an SSL page to a non-SSL page + Security devices lose visibility due to encryption Same PKI infrastructure is used for code signing + OS security + Mobile app market security
  16. 16. Internal Collaboration Meets its Evil Twin We expect to see a growing number of data breaches from internal collaboration platforms used externally16 CONFIDENTIAL
  17. 17. In the Beginning… Internal Access
  18. 18. Food Brings Along Appetite External Web access Internal Access Partner access
  19. 19. Risks Confidential Data Control + A platform hosting confidential information is exposed externally + Access control and governance mechanisms are not necessarily scalable to large crowds + Lack of security and governance expertise around existing capabilities
  20. 20. Risks (cont.) Exposure to Search Engines + Search engines constantly crawl and update their indexing policies so that any breaches or mis-configured entry points are quickly apparent to all. + Google hacking tools. E.g. SharePoint GoogleDiggity, Sharepoint URLBrute
  21. 21. Risks (cont.) Increased Threat Profile - Hackers + Advanced technical skills + Global access and population size + Additional motivation
  22. 22. Internal Collaboration Meets its Evil Twin:Mitigation Strategies Add attack protection solutions around collaboration suites Use strict monitoring and look for increased data governance solutions Introduce scalable user rights management solutions Look for data leakage by integrating classic DLP and Google Hacking services tools
  23. 23. Internal Collaboration Meets its Evil Twin: Summary We predict a growing number of data breaches due to internal collaboration platforms which are used externally. + Platforms such as Microsoft Sharepoint and Jive are used by many organizations to share information and manage content. + Some organizations have also extended the use to partners and even to the public via Websites. Risks of extending an internal platform to external use: + Data segregation. – Ensuring that stored sensitive data does not become accessible through the less restricted interfaces of the platform is not an easy task. – For the entire lifetime of the systems, controls should be put in place to allow collaboration and sharing of sensitive information within the organization while keeping it out of the reach of the general public.
  24. 24. Internal Collaboration Meets its Evil Twin: Summary(cont.) Risks of extending an internal platform to external use - cont: + Threat profile - the difference between the internal and external threat. – The size of potential attacker population increases instantaneously. – Search engines constantly crawl and update their indexing policies so that any breaches or mis-configured entry points are quickly apparent to all. – Google hacking tools. E.g. SharePoint GoogleDiggity, Sharepoint URLBrute
  25. 25. NoSQL = No Security? We expect NoSQL data security to become a concern for enterprises next year, possibly following some actual breaches25 CONFIDENTIAL
  26. 26. BIG Overview of Big Data Scalability Availability
  27. 27. BIG Overview of Big Data Security Scalability AvailabilitySecurity has been pushed out of thesesystems.An innovative idea or a future problem?
  28. 28. RISKS Model Maturity Software Maturity Staff Maturity
  29. 29. Risks (cont.) Client Software – Re- inventing the Wheel Data Redundancy and Dispersion Privacy
  30. 30. NoSQL = No Security?: Mitigation Strategy General solutions are not expected before 2013 Carefully choose dev team to include industry veterans Heavy use of code reviews Reduce direct exposure to end-users through intensive input validation and network segregation
  31. 31. NoSQL = No Security?: Summary Model Maturity + Not enough security built into existing offering + Desired security model is unclear + No guarantee that there is a match between existing capabilities and desired model Software Maturity + Server software is prone to vulnerabilities + Expect 5 years of vulnerability turmoil (based on past experience with SQL technologies) Staff Maturity + Everyone is new to NoSQL + Make it work first, if you’re still standing try to configure security + Staff bound to make configuration mistakes
  32. 32. NoSQL = No Security?: Summary (cont.) Client software is rebuilding security + Since security does not exist on server side it is rebuilt into every application + Adds complexity, lack of security expertise + Always left for last Data redundancy and dispersion + Inherent distribution and replication + Model is non-normalized + Harder to locate sensitive data Privacy concerns + Use cases jeopardize our ability to avoid being tracked by service providers
  33. 33. The Kimono Comes Off of Consumerized IT We expect organizations to spend a lot of time, money and effort on these techniques and technologies next year, with very poor results33 CONFIDENTIAL
  34. 34. IT Consumerization Enterprise Network
  35. 35. IT Consumerization + Cloud Enterprise Network
  36. 36. Taking Control Back? Enterprise Network
  37. 37. Taking Control Back? Enterprise Network
  38. 38. The Kimono Comes Off of Consumerized IT:Mitigation Strategies Put more control around data store rather than end-point Consider structured and unstructured data alike Increase efforts towards detecting abuse of privileges
  39. 39. The Kimono Comes Off of Consumerized IT:Summary Companies are trying to get control back the wrong way – Restricting their users It never worked in the past + Allow no Javascript + Don’t access social network from work Enterprise IT cannot scale to manage and control the amount of devices and its diversity + Track record of enterprise IT in avoiding infections and leakage from internal, enterprise owned machines is not that great
  40. 40. The Kimono Comes Off of Consumerized IT:Summary (cont.) Enterprise infrastrcutre is required to provide the same level of world-wide availability and robustness of all cloud services together + Defeats the purpose of using cloud solutions to begin with Enterprise will need to address concerns regarding personal information controlled by corporate on end-user devices
  41. 41. Mitigation Strategies for the Other Trends CONFIDENTIAL
  42. 42. Dealing with the Other Trends: MitigationStrategies (1) HTML5 Goes Live + Assume user devices are compromised + Learn to interact with infected clients (challenge users, reduce functionality on the fly) DDoS Moves Up the Stack + Look for application layer protection + Visibility into SSL connections + Understand application messages + Differentiate application data from network Gibberish
  43. 43. Dealing with the Other Trends: MitigationStrategies (2) Anti-Social Media + Solutions must be incorporated into existing platforms by enterprises themselves. – Solutions will have to rely on 3rd parties that offer trust and data control services over the social media platform. – No current market solution ready to handle these problems. Security (Finally) Trumps Compliance + Perform wise security decisions based on actual risk management + Implement security and then assess whether they have done enough in the context of each regulation
  44. 44. Webinar Materials Get LinkedIn to Imperva Data Security Direct for… Answers to Post-Webinar Attendee Discussions Questions Webinar Webinar Slides Recording Link
  45. 45. www.imperva.com

×