Information Security - STKI Summit 2012 - Shahar Geiger Maor


  1. Trends in Information Security. STKI Summit 2012. Shahar Geiger Maor, VP & Senior Analyst. “Tell me and I’ll forget. Show me and I may remember. Involve me and I’ll understand.”
  2. Agenda: Endpoints, Networking, Security, DC, Cloud, Post, Voice, MDM, PC, Video, Cyber. Shahar Geiger Maor’s work. Copyright 2012 @STKI. Do not remove source or attribution from any graphic or portion of graphic.
  3. Presentation Visualization: MDM, Networking, Security, Collaboration.
  4. End-To-End Security Project. Application Security: Web Security (Secure Browsing Gateway, WAF); Data Security: DLP, Information Laundering; Network Security: Firewalls, IPS, NAC. Source: Taldor.
  5. TEAMS Project (A3). Source: Malam-Team.
  6. The New Training Center - IDF. Source: Bynet.
  7. Presentation Visualization - Security: MDM, Networking, Security, Collaboration.
  8. STKI Index 2011 – Top Security Queries: Mobile Sec. 25%; Access/Authentication 13%; DB/DC Sec. 11%; GRC 9%; Network Sec. 8%; Sec. Policy 6%; Data Sec. 6%; SIEM/SOC 4%; SIs/Vendors/Products 4%; Endpoint Sec. 4%; Fraud 3%; “Cyber” 2%; Market/Trends 2%; Application Sec. 2%; Miscellaneous 1%; GW Sec. 1%.
  9. Presentation Visualization - Cyber: MDM, Networking, Security, Collaboration.
  10. New Buzz…
  12. The Cyber Triangle: Cyber Warfare, Cyber Terror, Cyber Crime, mapped against Private Information, Command & Control and Business Information Systems. Source: ILITA, STKI modifications.
  13. The Cyber Triangle – Regulations. Regulators: Director of Security of the Defense Establishment, National Information Security Authority, Israeli Law, Information and Technology Authority (ILITA), Bank of Israel, Ministry of Finance. Standards: ISO/IEC 27001, PCI-DSS, SOX, mapped against Private Information, Command & Control and Business Information Systems. Source: ILITA, STKI modifications.
  14. Generic Cyber Attacks: 1. Individuals / groups; 2. Criminal / nationalistic background; 3. Lots of intervals; 4. Lots of targets; 5. Common tools.
  15. Distributed Denial of Service (DDoS): 1. Targets websites, internet lines etc.; 2. Legitimate traffic; 3. Many different sources; 4. From all over the world; 5. Perfect timing.
  16. DDoS Mitigation - Israeli Market Positioning 1Q12. [Positioning chart; axes: Local Support vs. Market Presence; quadrants: Player, Worldwide Leader. Vendors shown: Radware, Arbor, F5 Networks, Imperva, Foresight, Akamai.] Vendors to watch: Andrisoft, Cloudshield, Corero, GenieNRM, IntruGuard, Narus, RioRey, Prolexic.
  17. Advanced and Persistent Threat (APT): 1. Group / org. / state; 2. Ideological / nationalistic background; 3. Multi-layered attack; 4. Targeted; 5. Variety of tools; 6. Impossible to detect in real time (???).
  18. Iranian Intelligence Wants To Be Your Friend on LinkedIn. Source: http://www.guym.co.il/
  19. Cyber Preparedness??? Country-by-country stress tests. [Bar chart, scale 0 to 4.5; countries: Italy, Mexico, Spain, USA, Poland, Denmark, Estonia, India, China, Sweden, Romania, Russia, France, Brazil, The Netherlands, Austria, Japan, Germany, United Kingdom, Israel, Finland, Australia, Canada.] Source: http://www.securitydefenceagenda.org/
  21. Bureaucracies live forever.... The Space Shuttle’s booster rockets, the US standard railroad gauge, Roman war chariots, the rear ends of two war horses.
  22. Israeli National Cyber Command (INCC). Established: 07.08.2011.
     Goal:
     • To lead the nation’s cyber strategy
     • To establish a cyber defense policy
     • To promote new initiatives and technologies in regards to cyber security domains.
     Means:
     • Government budget
     • Industry/academic knowledge sharing
  23. On the INCC’s Agenda:
     • Mapping the national critical infrastructure
     • Gap analysis for national critical infrastructure security controls
     • Certifications: for vendors, for SIs, for consultants
     • Authorizations: for businesses, institutes and any other entity who keeps private/public information
     • Proactive defense by establishing professional forums
     • Promotion of academic and industry research
     • Promotion of specific fields of expertise (e.g. SCADA security)
     • Establishment of a national security lab
     • Education and public awareness
  24. Five Aspects of Government Intervention:
     1. Multi-system and system complexity: resource pooling and knowledge sharing
     2. Joint venture: cyber defense is a “game for large players”
     3. National as well as international co-operation
     4. Governmental incentives and programs (e.g. MAGNET, Yozma initiative)
     5. Regulation
     … This is the planned State-Level Cyber Security Approach.
  25. An Example of State-Level Cyber Security – IPv6. http://www.ccdcoe.org/publications/books/Strategic_Cyber_Security_K_Geers.PDF
  28. Spotting the Unknown: Finding the “God Particle” of Security. One possible signature of a Higgs boson from the Large Hadron Collider (LHC) at CERN. http://commons.wikimedia.org/wiki/LHC
  29. Big Data: Information Diet
     • The modern human animal spends upwards of 11 hours out of every 24 in a state of constant consumption of information from the net:
       • we have grown obese on sugar, fat, and flour
       • we become gluttons for texts, instant messages, emails, RSS feeds, downloads, videos, status updates, and tweets.
     • Just as too much junk food can lead to obesity, too much junk information can lead to cluelessness.
     • Big Data “should” help a company understand this information glut and is essential in order to be smart, productive, and sane.
  30. Spotting the Unknown: Big Data At Your Service. SIEM, Applications, Data Warehouse, Business Process Management, Business Intelligence: detect, analyze and respond to phenomena based on large volumes of structured and unstructured information. Source: IBM.
  31. Spotting the Unknown: The Sandbox Approach. Source: http://www.fireeye.com/
  32. But… “The Contact Line Will Always Be Breached”. Maginot Line (http://en.wikipedia.org/wiki/File:Maginotline_organization.gif); Bar-Lev Line (http://en.wikipedia.org/wiki/File:1973_sinai_war_maps.jpg).
  33. “Real-Time Forensic” - NetWitness. http://visualize.netwitness.com/Default.aspx?name=investigation
  34. “Real-Time Forensic” - HBGary. http://hbgary.com/attachments/ad-datasheet.pdf
  35. STKI Cyber Security Survey. This survey consists of two different parts:
     • First part – CISOs and Infra managers from dozens of leading organizations.
     • Second part – the insights of 9 leading security consultants who cover most of the IT market in Israel.
     Important notes:
     • This survey refers to incidents during 2009-2011.
     • Unreasonable results were removed.
     • Results may have been subject to wrong interpretation by the respondents and some of the incidents may have been “dropped”.
  36. Thank You Very Much For Your Contribution!
  37. Number of Security Incidents – Users’ Perspective. [Bar chart: average number of significant security incidents* in the past 3 years, share of respondents (0-50%) per category: No Incidents, 1 Incident, 2-5 Incidents, 5-10 Incidents, More Than 10 Incidents; series: “Cyber sector”**, “Soft cyber sector”***. Market average: 2 incidents.]
     * “Significant security incident” – one that caused direct loss in working hours and/or money.
     ** “Cyber sector” – large finance orgs., Infra, Telco, Gov, Defense…
     *** “Soft cyber sector” – all the others.
  38. Number of Security Incidents – Consultants’ Perspective. [Bar chart: average number of significant security incidents during 2011, share of respondents (0-80%) per category: No Incidents, 1 Incident, 2-5 Incidents, 5-10 Incidents, More Than 10 Incidents; series: Defense & Gov., Finance, Infra & Telecom, Rest of Industry.]
  39. What Kind of Incidents? – Users’ Perspective. What was the nature of security incidents in the last 3 years? (Cyber sector / Soft cyber sector)
     • Inside factor (malicious, accidental, technical error): 64% / 20%
     • Known vulnerabilities/threats: 41% / 55%
     • No answer: 40% / 13%
     • Vulnerabilities/threats were unknown at the time: 39% / 12%
     • We still don’t know: 16% / 0%
     “Cyber sector” – large finance orgs., Infra, Telco, Gov, Defense… “Soft cyber sector” – all the others.
  40. What Kind of Incidents? – Consultants’ Perspective. [Chart: nature of security incidents in 2011 per sector; categories: Known vulnerabilities/threats; Vulnerabilities/threats were unknown at the time; Inside factor (malicious, accidental, technical error); We still don’t know.]
  41. Once Again, The Human Factor. DLP Justification? Have you encountered any malicious or non-malicious activity by employees in the last 3 years? (Cyber sector / Soft cyber sector)
     • No: 17% / 0%
     • Yes, malicious: 23% / 33%
     • Yes, non-malicious: 70% / 88%
     “Cyber sector” – large finance orgs., Infra, Telco, Gov, Defense… “Soft cyber sector” – all the others.
  42. Targeted Attacks – Users’ Perspective. [Bar chart: have you witnessed any targeted attacks in the last 3 years? Categories: DoS/DDoS, Phishing, App/web attacks, Malicious code, No; series: Soft cyber sector, Cyber sector.] “Cyber sector” – large finance orgs., Infra, Telco, Gov, Defense… “Soft cyber sector” – all the others.
  43. Targeted Attacks – Consultants’ Perspective. Have you witnessed any targeted attacks toward one of your clients in 2011? (Not including phishing and DoS attacks.) Yes, App/web attacks: 89%; Yes, malicious code: 56%; No: 11%.
  44. Loss of Working Hours. Approximately how many working hours did your organization lose due to significant security incidents in the last 3 years? Cyber sector: Don’t know 12%, Less than 50 33%, More than 51 55%. Soft cyber sector: Don’t know 20%, More than 51 30%, Less than 50 50%. “Cyber sector” – large finance orgs., Infra, Telco, Gov, Defense… “Soft cyber sector” – all the others.
  45. Impact on Revenue. How much money (% of total revenue, per org. on average) has been lost due to security incidents in the last three years? [Bar chart; series: Consultants, Users; categories: Less than 1%, 1%-5%, 5%-10%, More than 10%, Don’t know.]
  46. Evolving to Combat Advanced Persistent Threats. Total visibility across the enterprise:
     • Host-based visibility
     • Network-based visibility
     • Log aggregation: internal DNS server logs, DHCP logs, enhanced Microsoft Windows event audit logs, border firewall logs with ingress/egress TCP header information, external webmail access logs, internal web proxy logs, VPN logs, Netflow logs, full packet capture logs
     • HIDS/HIPS
     Actionable threat intelligence:
     • Indicators of Compromise
     http://www.mandiant.com/news_events/forms/m-trends_tech2011
  47. Security Fundamentals Come First! After establishing a rigid and continuous security policy, check out this diagram: [Diagram: Establishing a Cyber Security Policy; a new component: Computer Emergency Response Team / Cyber Command Center?; Security education and awareness; Internet policy, Access policy, System policy, Standards; Access management, Configuration management, System design, Operating systems hardening; Strong authentication, Patch management, SDLC, Mobile devices, System testing, Encryption(?).]
  48. Introducing: Cyber Command Center. [Diagram: Mission; Duties & responsibilities; Methodology & tools; Reporting; Key success criteria; Drill & simulation; Legal aspects; Knowledge sharing; Research and intelligence; Cooperation with national CC.] Source: Sharon Mashhadi.
  49. Presentation Visualization - MDM: MDM, Networking, Security, Collaboration.
  50. Mobile Device Management… Source: Bent Objects.
  51. Critical Capabilities for Mobile Device Management: Policy Enforcement; Security and Compliance; Device Diversity; Containerization; Inventory Management; Software Distribution; Administration and Reporting; IT Service Management; Network Service Management; Delivery Model. http://www.gartner.com/technology/streamReprints.do?id=1-16U0UOL&ct=110801&st=sg
  52. The Israeli Point of View. In your opinion, what are the critical capabilities for an MDM solution? [Survey chart of capability shares.] Source: STKI.
  53. Mail/Calendar Sync? Does your organization’s policy allow for mobile devices to be synchronized to mail/calendar? Not yet: 13%; Of course!: 87%. Source: STKI.
  54. (Don’t) Bring Your Own Device (Not yet). Does your organization’s policy allow for private mobile devices to be synchronized to mail/calendar? Yes (to all...): 13%; Yes (policy): 33%; No!: 54%. Source: STKI.
  55. MDM Strategy. What’s your mobile device management and security strategy? [Pie chart; options: Conducting a POC/evaluation of solutions; Using an existing (non-specific) security methodology/solutions; It’s considered high priority, but no actions were made yet; Already implementing a specific MDM/security solution; MDM/security is considered low priority at the moment.] Source: STKI.
  56. Data Leakage From Mobile Devices. How are you planning to tackle data leakage from mobile devices (multiple answers)? Our MDM solution should be the answer: 43%; We’re using/will be using compensating security controls: 40%; Higher security awareness: 37%; We do not deal with it: 30%. Source: STKI.
  57. Market Status: Waiting For “Something” To Happen. ~17,000 MDM licenses have been sold in the Israeli market so far… (STKI estimation, Feb 2012)
  58. MDM Insights: there is no single end-to-end solution; the decision-maker’s position determines the type of solution. [Positioning chart; axes: CxOs / Special Purpose vs. Employees, Pure Security vs. MDM.]
  59. Mobile Security: AGAT - Active Sync Protector; Check Point - Pointsec Mobile Security; Juniper – Junos Pulse Mobile Security Suite; LetMobile; Trend Micro – Mobile Security. [Placed on the CxOs / Special Purpose vs. Employees, Pure Security vs. MDM chart.]
  60. Mobile Security Management - Israeli Market Positioning 1Q12. [Positioning chart; axes: Local Support vs. Market Presence; quadrants: Player, Worldwide Leader. Vendors shown: AGAT, Check Point, Juniper, LetMobile, Trend Micro.]
  61. Mobile Device Management: AirWatch; BoxTone; FancyFone – FAMOC; Fiberlink - MaaS360; Matrix - MMIS; McAfee - Enterprise Mobility Management; MobileIron; Symantec - Mobile Management; ZenPrise – Mobile Manager. [Placed on the CxOs / Special Purpose vs. Employees, Pure Security vs. MDM chart.]
  62. Mobile Device Management - Israeli Market Positioning 1Q12. [Positioning chart; axes: Local Support vs. Market Presence; quadrants: Player, Worldwide Leader. Vendors shown: MobileIron, AirWatch, FancyFone, McAfee, Fiberlink, Matrix, ZenPrise, Symantec, BoxTone.]
  63. Mobile Containerization: DME - Excitor; Good Technologies; Sybase - Afaria. [Placed on the CxOs / Special Purpose vs. Employees, Pure Security vs. MDM chart.]
  64. Mobile Container Management - Israeli Market Positioning 1Q12. [Positioning chart; axes: Local Support vs. Market Presence; quadrants: Player, Worldwide Leader. Vendors shown: Good Technologies, Excitor, Sybase.]
  65. Mobile Remote Control: Callup - Xcontrol; Communitake; Mformation; SOTI. [Placed on the CxOs / Special Purpose vs. Employees, Pure Security vs. MDM chart.]
  66. Mobile Remote Control - Israeli Market Positioning 1Q12. [Positioning chart; axes: Local Support vs. Market Presence; quadrants: Player, Worldwide Leader. Vendors shown: Mformation, Communitake, Xcontrol, SOTI.]
  67. Presentation Visualization - Cloud Security: MDM, Networking, Security, Collaboration.
  68. Cloud Flavors. Source: Changewave, a service of 451 Group.
  69. Super Hybrid Clouds: can IT handle it? IT’s challenge becomes:
     • integration
     • identity management
     • data translation between the core and multitenant public cloud
     • orchestration for processes connecting private and public clouds
  70. Cloud Security is still A Major Concern. Source: Changewave, a service of 451 Group.
  71. Cloud Standards and Test Bed Groups:
     • Cloud Security Alliance (CSA)
     • Distributed Management Task Force (DMTF)
     • Storage Networking Industry Association (SNIA)
     • Open Grid Forum (OGF)
     • Open Cloud Consortium (OCC)
     • Organization for the Advancement of Structured Information Standards (OASIS)
     • TM Forum
     • Internet Engineering Task Force (IETF)
     • International Telecommunications Union (ITU)
     • European Telecommunications Standards Institute (ETSI)
     • Object Management Group (OMG)
     http://cloud-standards.org/wiki/index.php?title=Main_Page
  72. Cloud Security Standards – Current Status. [Diagram around Cloud Security: ISO 27001; SSAE 16 (SAS 70); FedRAMP; ILITA Cloud (Israel); IAM (access & federation); FISMA ATO; CSA; FIPS 140-2.]
  73. 73. ISO 27001 (2005)There is no particular focus on “cloud computing”.(Reddit, HootSuite, Quora and Foursquare have suffered outageseven though AWS is ISO 27001 certified).ISO 27001 relates to some cloud security issues:• A.6.2.1 -Identification of risks related to external parties• A.6.2.3 -Addressing security in third party agreements• A.10.5.1 -Information back-up• A.11 -Access control• A.7.2.1 -ClassificationSo, what’s the point of being ISO 27001 certified? Lower risk. ISO 27001 certification guarantees that the certified entity has undertaken a comprehensive approach to resolve major risks. 73 Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  74. 74. SOC 1/SSAE 16/ISAE 3402 SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization (SAS70). ISAE 3402 SSAE 16 was built upon the ISAE 3402 framework. SOC 1 A SOC 1 Report (Service Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The SOC1 Report is what you would have previously considered to be the standard SAS70, complete with a Type I and Type II reports, but falls under the SSAE 16 guidance. http://www.ssae-16.com/ 74Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  75. 75. SOC 1/SSAE 16/ISAE 3402Who Needs an SSAE 16 (SOC 1) Audit? If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.Some example industries include: * Payroll Processing * Loan Servicing * Data Center/Co-Location/Network Monitoring Services * Software as a Service (SaaS) * Medical Claims Processors http://www.ssae-16.com/ 75 Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  76. 76. FIPS 140-2 Certification –For CSP Trust1. Federal Information Processing Standard (FIPS) Publication 140-22. Specifies the security requirements of cryptographic modules used to protect sensitive information3. Notice: There are four levels of encryption under FIPS 140-2 http://www.gore.com/en_xx/products/electronic/anti-tamper/security-standards.html 76 Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  77. 77. PCI DSS –Vital For Cloud Service ProvidersPCI DSS was set up by the major credit card companies to try and improve the InformationSecurity of financial transactions related to credit and debit cards. It essentially pushes theresponsibility of looking after card data onto merchants who may store, process and transmitthis type of data. Protect Cardholder Data Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy Maintain a Vulnerability Management Program http://phoenix-consultancy.com/pci_dss.html 77 Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  78. 78. Access Control And Federation http://blogs.forrester.com/eve _maler/12-03-12- a_new_venn_of_access_contr ol_for_the_api_economy 78Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  79. 79. Cloud Security Alliance(Join the Israeli chapter here: http://www.linkedin.com/groups?gid=3050440&trk=hb_side_g)• Security Guidance for Critical Areas of Focus in Cloud Computing (Released November 14, 2011)• Innovation Initiative -created to foster secure innovation in information technology. (Released February 24, 2012)• GRC Stack -a toolkit to assess both private and public clouds against industry established best practices, standards and critical compliance requirements.• Consensus Assessments Initiative -Research tools to perform consistent measurements of cloud providers (Released September 1, 2011)• Cloud Controls Matrix (CCM) -Released August 26, 2011• Cloud Metrics - Metrics designed for Cloud Controls Matrix and CSA Guidance.• CloudTrust Protocol (See next slides…) 79 https://cloudsecurityalliance.org/research/ Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  80. 80. Cloud Trust Protocol (CTP) Transparency as a Service SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, Responding to NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, … all elements of transparency TaaSEnterprise CSC Trusted Community Cloud Cloud Trust CTP Response Manager (CRM) TaaS Dashboard CTP TaaS CTP Private Trusted Cloud CTP CTPCloud Responding toTrust all elements ofAgent transparency CTP Using reclaimed visibility into the cloud •Downstream to confirm security and create digital •compliance trust CTP •processing Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp , & CSA Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  81. 81. Digital Trust and Value Creationhttp://assets1.csc.com/financial_services/downloads/DigitalTrustForLifeReport.pdfShahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic 81
  82. 82. Federal Information Security Management Act (FISMA, 2002)FISMA ATO for CSP (Low, Moderate, High)• Part of NIST’s Computer Security Division• Issues an authorization to operate for cloud service providers• It doesn’t require certification of products or services. It sets security requirements for federal IT systems.U.S. Government Cloud Computing Technology Roadmap(http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf)Its aim is: “…to make it substantially easier to buy, sell, interconnect and use cloud environments in the government”. 82 Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  83. 83. Federal Risk and Authorization Management ProgramFedRAMP is the result of close collaboration with cybersecurity and cloud experts from: 83 Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
  84. 84. Federal Risk and Authorization Management Program (FedRAMP)• established on December 8, 2011• The FedRAMP security controls are based on NIST SP 800-53 R3 / 53 A, controls• Establishes US Federal policy for the protection of Federal information in cloud services• Describes the key components and its operational capabilities• Defines Executive department and agency responsibilities in developing, implementing, operating, and maintaining the program• Defines the requirements for Executive departments and agencies using the program in the acquisition of cloud services 84 Shahar Geiger Maor’s work Copyright 2012 @STKI Do not remove source or attribution from any graphic or portion of graphic
85. How Will Cloud Services Be Prioritized For FedRAMP Review?
• “FedRAMP will prioritize the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide”.
• FedRAMP will prioritize secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services.
(1) Cloud systems with an existing Federal agency authority to operate (ATO) get first priority
(2) Cloud systems without an existing Federal agency ATO get second priority
86. FedRAMP – Deliverables For Cloud Computing Service Providers
A. Develop Plan of Action & Milestones (POAM)
B. Assemble Security Authorization Package (SAP)
C. Determine Risk
D. Determine the Acceptability of Risk
E. Obtain Security Authorization Decision (yes/no)
87. FedRAMP – Third Party Assessment Organizations (3PAOs)
• Perform initial and periodic assessments of CSP systems per FedRAMP requirements
• Provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements
• FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process
• Independent assessors of whether a cloud service provider has met the 297 agreed-upon FedRAMP security controls (604 pages) so it can get an authority to operate (ATO)
• Companies cannot be 3PAOs and cloud service providers (CSPs) at the same time for the same contracts (MOU, etc.)
88. Cloud Guidelines in Israel By ILITA (Start: 19.5.2012)
1. Initial check of the legitimacy of outsourcing
2. Meticulous definition of the purpose and use of the outsourced data
3. Alignment of security and privacy controls with existing regulations and standards (ISO 27001, 357, 257)
4. Transparency and compliance with privacy laws
5. Defining the means of privacy enforcement and monitoring
6. Ensuring data deletion at the end of the contract
http://www.justice.gov.il/MOJHeb/ILITA/News/mikurhuts.htm
89. Decrease The Risk Of Cloud Computing
• Do a thorough check on the potential provider – not only its performance record, but also the background of its management, whether it has implemented information security and business continuity policies and procedures, its financial stability, legal risks, etc.
• Write very specific security clauses in your agreement with the provider, with the biggest emphasis on the issues that raised the highest concerns during risk assessment.
• Keep a backup copy of your information locally – although a cloud computing provider will (probably) do regular backups, it is always a good idea to have direct control of your information. (E.g. banking regulators in some countries have required local banks to keep the backup copy inside the country specifically because of this risk.)
• Develop your strategy for returning information processing/archiving back to your company (re-insourcing) in case of problems with your cloud computing provider – you should know exactly which steps are needed, as well as which resources.
• An exit strategy might also be to have an alternative cloud computing provider standing by, ready to jump in if your existing partner performs badly.
• Perform regular checks of your provider to find out whether it is complying with the security clauses in the agreement.
Source: http://blog.iso27001standard.com/#
90. Market Data
Source: http://xkcd.com/657/large/
91. Information Security Staffing
1 security staff member per:          25th percentile   50th percentile   75th percentile   Average
For how many employees?                     500              1167              1600           1582
For how many IT staff?                       33                42                61             55
For how many desktops?                      397               750              1172            951
For how many endpoints?                     522              1130              1779           1314
For how many WIN servers?                   119               200               270            194
Source: STKI
92. Security Consultants – Israeli Market View 1Q12 (Partial List)
(Chart not reproduced in the transcript.) Footnotes: *DataSec, **Oasis-Tech
Source: STKI
93. Security System Integrators – Israeli Market View 1Q12 (Partial List)
(Chart not reproduced in the transcript.) Footnotes: *Netcom, **Spider, ***We, ^Oasis-Tech, ^^Decimus
Source: STKI
94. Networking Budget ~ 10% of IT OpEx
Source: The Corporate Executive Board Company
95. Constant Staffing Mix Within IT
Source: The Corporate Executive Board Company
96. Positioning Methodology
Israeli vendor rating – Market positioning is focused on the enterprise sector (not SMB)
 X axis: Market penetration (sales + installed base + clients’ perspective)
 Y axis: localization, support, local R&D center, number and quality of SIs, etc.
 Worldwide leaders are marked based on global positioning
Vendors to watch: Israeli market newcomers
STKI positioning represents the current Israeli market and not necessarily what we recommend to our clients
97. xxx – Israeli Market Positioning 1Q12 (chart template)
Axes: X = Market Presence, Y = Local Support. Quadrant labels: Player, Worldwide Leader. Example placements: Vendor A, Vendor B.
98. Data Leakage Prevention – Israeli Market Positioning 1Q12
Axes: Market Presence (X), Local Support (Y); quadrants: Player, Worldwide Leader. Vendors on the chart (positions not recoverable from the transcript): Websense, Symantec, Verdasys, Fidelis, GTB, McAfee, CA, Safend, Checkpoint, EMC
99. Database Protection – Israeli Market Positioning 1Q12
Axes: Market Presence (X), Local Support (Y); quadrants: Player, Worldwide Leader. Vendors on the chart (positions not recoverable from the transcript): McAfee, GreenSQL, Imperva, Brillix, Informatica, Oracle, IBM, Safenet, SAP, Fortinet
100. Network Encryption – Israeli Market Positioning 1Q12
Axes: Market Presence (X), Local Support (Y); quadrants: Player, Worldwide Leader. Vendors on the chart (positions not recoverable from the transcript): Safenet, Fortinet, Thales, Cisco
101. Enterprise Network Firewall – Israeli Market Positioning 1Q12
Axes: Market Presence (X), Local Support (Y); quadrants: Player, Worldwide Leader. Vendors on the chart (positions not recoverable from the transcript): Checkpoint, PaloAlto, Fortinet, Juniper, Microsoft, Cisco, HP, McAfee, F5, SonicWall, Barracuda
102. Secure Remote Access – Israeli Market Positioning 1Q12
Axes: Market Presence (X), Local Support (Y); quadrants: Player, Worldwide Leader. Vendors on the chart (positions not recoverable from the transcript): Juniper, Checkpoint, Cisco, F5, Citrix, Microsoft, Fortinet, SonicWall
103. Intrusion Prevention Systems – Israeli Market Positioning 1Q12
Axes: Market Presence (X), Local Support (Y); quadrants: Player, Worldwide Leader. Vendors on the chart (positions not recoverable from the transcript): McAfee, IBM, Checkpoint, Juniper, Radware, PaloAlto, Barracuda, Fortinet, Cisco, HP, SourceFire, SonicWall