2. GARTNER | TOP TEN TECHNOLOGIES FOR INFORMATION SECURITY 2014-2015
3. PRESENTATION OUTLINE
1. OBJECTIVES OF THE PRESENTATION
2. WHAT IS INFORMATION SECURITY?
2. WHAT IS THE GARTNER INSTITUTE?
3. LIST OF THE TOP TEN INFOSEC TECHNOLOGIES 2014-2015
4. CONCEPTS
I) ENCRYPTION
II) VIRTUALIZATION
5. INFOSEC TECHNOLOGIES FROM 1 TO 10
6. CAVEATS
4. OBJECTIVES OF THE PRESENTATION
1. The IAC total auditor initiative.
2. Explore the 2014-2015 top ten technologies for information security
5. DEFINITION | INFORMATION SECURITY
Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
6. GARTNER INSTITUTE
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. It delivers the technology-related insight necessary for its clients in over 9,000 distinct enterprises worldwide to make the right decisions, every day.
Its clients range from CIOs and senior IT leaders in corporations and government agencies to business leaders in high-tech and telecom enterprises, professional services firms and technology investors.
www.gartner.com
9. TOP TEN TECHNOLOGIES FOR INFORMATION SECURITY
• Endpoint Detection and Response Solutions
• Big Data Security Analytics at the Heart of Next-generation Security Platforms
• Cloud Access Security Brokers
• Adaptive Access Control
• Pervasive Sandboxing (Content Detonation) and IOC Confirmation
• Machine-readable Threat Intelligence, Including Reputation Services
• Containment and Isolation as a Foundational Security Strategy
• Software-defined Security
• Interactive Application Security Testing
• Security Gateways, Brokers and Firewalls to Deal with the Internet of Things
10. #2 ENCRYPTION | THE NYAKASURA - KYEBAMBE STORY
[Diagram: Bob, Alice, Alice's teacher]
Message: "Hello Alice, I want to be with you longer than Fortportal has existed!"
11. #2 ENCRYPTION | THE NYAKASURA - KYEBAMBE STORY
[Diagram: Bob, Alice, Alice's teacher]
Message: "Hello Alice, I love the history you mentioned about Toro" = "I love you"
13. VIRTUALIZATION | THE DT SECTION ANALOGY
More than 500,000 customers — including 100% of the Fortune 100 — trust VMware as their virtualization infrastructure platform.
14. VIRTUALIZATION | THE DT SECTION ANALOGY
[Diagram: the IAC I, DT mgt (RiK and supervisors), DT audit officers and DT audits } DT Section]
15. TRIVIA MOMENT: BRAIN VS SUPERCOMPUTER
The Tianhe-2 has been developed by the National University of Defense Technology in central China's Changsha city and is capable of 33,860 quadrillion floating-point operations per second (33.86 petaflops). By comparison, IBM researchers have determined that the human brain is capable of 36.8 petaflops of data. A calculator needs only 10 flops.
16. # 1 | ENDPOINT DETECTION AND RESPONSE SOLUTIONS
The endpoint detection and response (EDR) market is an emerging market created to satisfy the need for continuous protection from advanced threats at endpoints (desktops, servers, tablets and laptops) — most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of ongoing attacks (including insider threats), and to rapidly provide remediation.
17. # 1 | ENDPOINT DETECTION AND RESPONSE SOLUTIONS
27. # 2 | SOFTWARE-DEFINED SECURITY
Software-defined security is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on.
As with networking, compute and storage, the impact on security will be transformational. Software-defined security doesn't mean that some dedicated security hardware isn't still needed — it is.
However, as with software-defined networking, the value and intelligence moves into software.
28. # 2 | SOFTWARE-DEFINED SECURITY
DECOUPLING ANALOGY | Tightly coupled system
ELECTRIC COOKER + POWER = COOKED FOOD
29. # 2 | SOFTWARE-DEFINED SECURITY
DECOUPLING ANALOGY | Loosely coupled system
GAS / ELECTRIC COOKER + POWER = COOKED FOOD
32. # 2 | SOFTWARE-DEFINED SECURITY
Cost is $2 per hour.
Per day: 2 * 24 = $48
Per year: $48 * 365 = $17,520 (Ush 52.5 million)
Value proposition: $1 = Ushs 3,000
USD 1,460 or UGX 4,380,000 per month
36. # 2 | SOFTWARE-DEFINED SECURITY
Step 2: Run Upgrade to install the latest updates
37. # 2 | SOFTWARE-DEFINED SECURITY
Step 3: Register it with the network and start serving it traffic
38. Info sec moment | The $1bn Cyber heist
www.bbc.com/news/business-31482985
http://www.dailymail.co.uk/news/article-2955277/Computer-hacking-gang-ordered-ATM-machines-dispense-money-stole-tens-millions-UK-banks-largest-cyber-crime-detected.html#ixzz3UXLA0hGG
• Up to 100 banks and financial institutions
worldwide have been attacked.
• Kaspersky Lab estimates $1bn (£648m)
has been stolen in the attacks, which it
says started in 2013 and are still
ongoing.
• Attacks have taken place in 30 countries
including financial firms in Russia, US,
Germany, China, Ukraine and Canada.
• They steal money directly from banks and
avoid targeting end users.
39. Info sec moment | The $1bn Cyber heist
How they did it
• They did this by sending authentic-looking emails ('spear phishing') that unsuspecting recipients then clicked on, infecting the bank's machines with Carbanak malware
• Hackers were then able to infiltrate the internal network and track down administrators' computers for video surveillance
• A Ukrainian ATM was found to be giving out
40. # 3 | ADAPTIVE ACCESS CONTROL
Adaptive access control is a form of context-aware access control that acts to balance the level of trust against risk at the moment of access, using some combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that access decisions reflect current conditions, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. Use of an adaptive access management architecture enables an enterprise to allow access from any device, anywhere, to a range of corporate assets with mixed risk
42. # 3 | ADAPTIVE ACCESS CONTROL
URA CUSTOMS ANALOGY
1. TAX PAYER WHO DECLARES GOODS AT CUSTOMS – SUPPLICANT
2. TAX PAYER WHO DOESN'T KNOW THEY HAVE/HIDES TAXABLE GOODS – DEVICE WITH OUTDATED ANTI-VIRUS
3. TAX PAYER WHO IS AN AEO – IP-PHONE PRIVILEGES
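To make the trust-versus-risk decision concrete, here is an added Python example (not Gartner's or the presenter's code) of a small adaptive access policy engine that mirrors the customs analogy: an enrolled device is the taxpayer who declared goods, an outdated anti-virus is undeclared taxable goods, and a managed IP phone gets the AEO lane. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
"""Adaptive (context-aware) access decision: balance trust against risk at the
moment of access. Added example; signal names, weights and thresholds are
assumptions, not Gartner's or any vendor's policy."""
from dataclasses import dataclass


@dataclass
class AccessContext:
    user: str
    resource_risk: int           # 1 (public) .. 5 (crown jewels); assumed scale
    device_managed: bool         # enrolled corporate device ("goods declared at customs")
    av_current: bool             # endpoint protection up to date
    known_location: bool         # office/VPN egress rather than an unknown network
    auth_factors: int            # 1 = password only, 2 = password + OTP or certificate
    device_class: str = "user"   # "user" or "ip_phone" (the AEO lane in the analogy)


def risk_score(ctx: AccessContext) -> int:
    """Sum the contextual risk signals; higher is riskier (assumed weights)."""
    score = ctx.resource_risk
    if not ctx.device_managed:
        score += 2   # unknown device: nothing was declared
    if not ctx.av_current:
        score += 3   # undeclared/hidden goods: an outdated AV is treated as a hazard
    if not ctx.known_location:
        score += 2
    return score


def trust_level(ctx: AccessContext) -> int:
    """Trust already established: authentication strength plus pre-vetted device class."""
    trust = 2 * ctx.auth_factors
    if ctx.device_class == "ip_phone" and ctx.device_managed:
        trust += 3   # pre-authorised single-purpose device (the AEO fast lane)
    return trust


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'step_up' (trust elevation) or 'deny'.

    Dynamic risk mitigation: a moderate gap between risk and trust is closed by
    asking for a second factor instead of blocking outright; the caller re-runs
    decide() with auth_factors=2 after the user completes it.
    """
    if not ctx.av_current and ctx.resource_risk >= 4:
        return "deny"      # hard rule: an unhealthy device never reaches sensitive assets
    gap = risk_score(ctx) - trust_level(ctx)
    if gap <= 1:
        return "allow"
    if gap <= 3 and ctx.auth_factors < 2:
        return "step_up"   # a second factor adds 2 trust, bringing the gap to <= 1
    return "deny"
```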
47. #4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS
Enterprises, especially those in asset-intensive industries like manufacturing or utilities, have operational technology (OT) systems provided by equipment manufacturers that are moving from proprietary communications and networks to standards-based, IP-based technologies. More enterprise assets are being automated by OT systems based on commercial software products. The end result is that these embedded software assets need to be managed, secured and provisioned appropriately for enterprise-class use. OT is considered to be the industrial subset of the "Internet of Things," which will include billions of interconnected sensors, devices and systems,
48. TURKISH PIPELINE BURSTS DUE TO CYBER ATTACK
http://arstechnica.com/security/2014/12/hack-said-to-cause-fiery-pipeline-blast-could-rewrite-history-of-cyberwar/
“Attackers gained access to the pipeline's computerized operational controls and increased the pressure of the crude oil flowing inside. By hacking the video and sensors that closely monitored the 1,099-mile Baku-Tbilisi-Ceyhan pipeline, the attackers were able to prevent operators from learning of the blast until 40 minutes after it happened”
As investigators followed the trail of the failed alarm system, they found the hackers’ point of entry was an unexpected one: the surveillance cameras themselves.
The cameras’ communication software had vulnerabilities the hackers used to gain entry and move deep into the internal network, according to the people briefed on the matter.
Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious program on it. That gave them the ability to sneak back in whenever they wanted.
49. TURKISH PIPELINE BURSTS DUE TO CYBER ATTACK
http://arstechnica.com/security/2014/12/hack-said-to-cause-fiery-pipeline-blast-could-rewrite-history-of-cyberwar/
Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The back-up satellite signals failed, which suggested to the investigators that the attackers used sophisticated jamming equipment,
51. #4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS
• The 2014 Infiniti Q50 would be the easiest of all to hack because its telematics, Bluetooth, and radio functions all run on the same network as the car's engine and braking systems, for instance, making it easier for an attacker to gain control of the car's computerized physical operations.
• The researchers say the 2014 Dodge Viper, the 2014 Audi A8, and the 2014 Honda Accord are the least hackable vehicles. They ranked the Audi A8 as the least hackable overall because its network-accessible potential attack surfaces are separated from the car's physical components such as steering, notes Miller. "Each feature of the car is separated on a different network and connected by a gateway," he says. "The wirelessly connected computers are on a separate network than the steering, which
54. INFOSEC MOMENT | THE EQUATION GROUP
• Discovered by Kaspersky on February 16, 2015
• The group earned its name through its use of complex cryptographic algorithms to compromise targets.
• They have been operating in the shadows for over a decade.
• They compromised Seagate, Western Digital, Maxtor, Samsung and Toshiba hard drives
http://www.digitaltrends.com/computing/decrypt-this-the-equation-groups-scalpel-proves-the-sledgehammer-is-unneeded/#ixzz3UXFza65G
http://en.wikipedia.org/wiki/Equation_Group
55. INFOSEC MOMENT | THE EQUATION GROUP
• They developed malware which embeds itself in the firmware that runs the disk and gives command and control servers access to the disk and later to the computers
• It can transfer data from an air-gapped system through USB flash drives
• One of their biggest exploits is said to be the Stuxnet virus that affected Iran’s nuclear power plants.
• Timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday-Friday in what would correspond to a 08:00-17:00 workday in an Eastern United States time zone
56. #5 | APPLICATION SECURITY TESTING
Interactive application security testing (IAST) combines static application security testing (SAST) and dynamic application security testing (DAST) techniques. This aims to provide increased accuracy of application security testing through the interaction of the SAST and DAST techniques. IAST brings the best of SAST and DAST into a single solution. This approach makes it possible to confirm or disprove the exploitability of a detected vulnerability and determine its point of origin in the application code.
Static application security testing (SAST) is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a non-running state.
State analyzed: DAST – running state; SAST – non-running state; IAST – both running and non-running state
57. • Higher Confidence Results: Combine the detection of a potential vulnerability found through SAST with verification through a real-time exploit attempt provided by DAST. IAST determines whether the vulnerability is real and where in the code it is located.
• Comprehensive Analysis: Tune the DAST analysis based on Coverity’s deep understanding of the application’s entry points and parameters.
• Improved Efficiency: Address proven vulnerabilities more quickly and easily from within a unified workflow.
http://www.coverity.com/
58. • 8 of the 10 top global brands
• 7 of the 10 top aerospace and defense companies
• 9 of the 10 top technology hardware companies
• 9 of the 10 top software companies
61. # 6 | MACHINE-READABLE THREAT INTELLIGENCE (MRTI), INCLUDING REPUTATION SERVICES
The ability to integrate with external context and intelligence feeds is a critical differentiator for next-generation security platforms. Third-party sources for machine-readable threat intelligence are growing in number and include a number of reputation feed alternatives. Reputation services offer a form of dynamic, real-time “trustability” rating that can be factored into security decisions. For example, user and device reputation as well as URL and IP address reputation scoring can be used in end-user access decisions.
68. #6 | DATA LOSS/LEAKAGE PREVENTION
Data Leakage Prevention identifies, monitors, and protects data transfer through deep content inspection and analysis of transaction parameters (such as source, destination, data object, and protocol), with a centralized management framework.
69. #6 | DATA LOSS/LEAKAGE PREVENTION
1. The Data Loss Prevention Software Blade is enabled on a Security Gateway
3. Security management server to install the DLP Policy on the DLP gateway.
4. Proxy server through which data leaves the organization
5. Mail server through which information can leave the organization.
6. Active Directory to identify the internal organization
7. Logging analysis through SmartView Tracker and SmartEvent
70. #6 | DATA LOSS/LEAKAGE PREVENTION
1. Create a policy that blocks transfer of videos off the network and to other servers
2. Send the policy out to the monitoring device.
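The slide's policy (block videos leaving the network or going to other servers) turns on deep content inspection rather than file names. This added Python example, not Check Point's code, classifies a transfer by its container header and then applies the destination check; the internal network ranges, the sanctioned media server and the sample transactions are constructed assumptions.

```python
"""DLP decision for the policy on the slide above: block videos leaving the
network or going to non-sanctioned servers. Added example, not Check Point's
code; the container magic bytes are real, everything else is constructed."""
import ipaddress
from typing import Optional

# Assumed network layout (not on the slide).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SANCTIONED_VIDEO_SERVERS = {"10.20.30.40"}   # assumed internal media server


def video_type(data: bytes) -> Optional[str]:
    """Deep content inspection: classify by container header, not by file name."""
    if len(data) >= 12 and data[4:8] == b"ftyp":        # ISO base media: MP4/MOV/3GP
        return "mp4"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":     # AVI
        return "avi"
    if data[:4] == b"\x1a\x45\xdf\xa3":                   # EBML header: MKV/WebM
        return "mkv"
    return None


def inspect(tx: dict) -> dict:
    """tx = {source, destination, protocol, filename, data}; returns the DLP verdict."""
    dst = ipaddress.ip_address(tx["destination"])
    leaving = not any(dst in net for net in INTERNAL_NETS)
    kind = video_type(tx["data"])
    if kind is None:
        return {"action": "allow", "reason": "no video container detected"}
    if leaving:
        return {"action": "block", "reason": f"{kind} leaving the network via {tx['protocol']}"}
    if str(dst) not in SANCTIONED_VIDEO_SERVERS:
        return {"action": "block", "reason": f"{kind} sent to non-sanctioned server {dst}"}
    return {"action": "allow", "reason": f"{kind} to sanctioned server {dst}"}


# Constructed transactions: only the first header bytes matter for inspection.
MP4_HEADER = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
AVI_HEADER = b"RIFF\x00\x10\x00\x00AVI LIST"
SAMPLE_TRANSACTIONS = [
    # a video renamed to look like a document, uploaded to an external site
    {"source": "10.1.2.3", "destination": "203.0.113.5", "protocol": "https",
     "filename": "report.docx", "data": MP4_HEADER},
    # a genuine video going to the sanctioned internal media server
    {"source": "10.1.2.3", "destination": "10.20.30.40", "protocol": "smb",
     "filename": "lecture.mp4", "data": MP4_HEADER},
    # a PDF named like a video: content inspection does not block it
    {"source": "10.1.2.3", "destination": "203.0.113.5", "protocol": "smtp",
     "filename": "clip.mp4", "data": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"},
    # a video copied to another internal server that is not sanctioned
    {"source": "10.1.2.3", "destination": "192.168.5.6", "protocol": "smb",
     "filename": "cam.avi", "data": AVI_HEADER},
]


def evaluate_samples() -> list:
    """Run the policy over the constructed transactions; returns the actions."""
    return [inspect(tx)["action"] for tx in SAMPLE_TRANSACTIONS]
```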
71. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
Going forward, all effective security protection platforms will include domain-specific embedded analytics as a core capability. An enterprise's continuous monitoring of all computing entities and layers will generate a greater volume, velocity and variety of data than traditional SIEM systems can effectively analyze. Gartner predicts that by 2020, 40 percent of enterprises will have established a "security data warehouse" for the storage of this monitoring data to support retrospective analysis. By storing and analyzing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of "normal" can be established and data analytics can be used to identify when deviations from normal have occurred.
73. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
74. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
ANALOGY: NETFLIX’S HOUSE OF CARDS
75. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
ANALOGY: NETFLIX’S HOUSE OF CARDS
Analysis done
The same subscribers who loved the original BBC production of House of Cards also:
• Watched movies starring Kevin Spacey, or
• Watched movies directed by David Fincher
76. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
ANALOGY: NETFLIX’S HOUSE OF CARDS
Reaction by Netflix
1. Hired Kevin Spacey as actor and David Fincher as director for the new series
2. Spent $100 million for two 13-episode seasons.
77. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
ANALOGY: NETFLIX’S HOUSE OF CARDS
Results:
1. Netflix has already earned its $100 million back with profit
2. Added more than 2 million U.S. subscribers that quarter
3. Added another 1 million elsewhere in the world and surpassed HBO.
4. Netflix has since risen to 50 million subscribers globally
78. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
SCENARIOS
1. User cjuuko logged on to E-tax from separate machines at the same URA campus
Reaction: Store as alert
79. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
SCENARIOS
2. User jkiiza logged on to E-tax from separate machines at the same URA campus
Reaction: Send SMS and email to members in security and log as high risk alert for follow-up investigation
80. #7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
SCENARIOS
3. User ebichetero logged on to E-tax from a machine at Nakawa HQ and Asyworld from a machine at Bunagana.
Reaction: Send SMS and email to members in security and log as high risk alert for follow-up investigation
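The three scenarios are rules over correlated login events, and this added Python example (not the presenter's code) runs them over a constructed login log: two machines at the same site within a window produce a stored alert, two different sites produce a high-risk alert with notification. The slide gives jkiiza a stricter reaction than cjuuko for the same pattern without saying why; the example models that as an assumed per-account sensitivity flag, and the log lines, site names and 60-minute window are likewise constructed.

```python
"""Security-analytics rules for the E-tax / Asyworld login scenarios above.
Added example, not the presenter's code. Log lines, the sensitive-account list
and the 60-minute window are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp | user | application | machine | site
SAMPLE_LOG = """\
2015-03-10 09:01:00|cjuuko|E-tax|WS-NKW-101|Nakawa HQ
2015-03-10 09:14:00|cjuuko|E-tax|WS-NKW-207|Nakawa HQ
2015-03-10 10:02:00|jkiiza|E-tax|WS-NKW-033|Nakawa HQ
2015-03-10 10:20:00|jkiiza|E-tax|WS-NKW-118|Nakawa HQ
2015-03-10 11:00:00|ebichetero|E-tax|WS-NKW-075|Nakawa HQ
2015-03-10 11:25:00|ebichetero|Asyworld|WS-BNG-004|Bunagana
2015-03-10 14:00:00|amugisha|E-tax|WS-NKW-010|Nakawa HQ
2015-03-10 14:05:00|amugisha|E-tax|WS-NKW-010|Nakawa HQ
"""
# Assumption not on the slide: accounts whose anomalies are escalated straight away
# (the deck reacts differently to jkiiza than to cjuuko for the same pattern).
SENSITIVE_ACCOUNTS = {"jkiiza"}
WINDOW = timedelta(minutes=60)


def parse_log(text):
    """Parse the pipe-separated log into (ts, user, app, machine, site) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, app, machine, site = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, app, machine, site))
    return sorted(events)


def evaluate(events):
    """Compare each login with the same user's earlier logins inside WINDOW.

    Returns a list of (user, severity, reaction, detail). Severity 'low' maps to
    the slide's 'store as alert'; 'high' maps to SMS + email + high-risk log entry.
    """
    findings = []
    recent = defaultdict(list)          # user -> [(ts, app, machine, site), ...]
    for ts, user, app, machine, site in events:
        for p_ts, p_app, p_machine, p_site in recent[user]:
            if ts - p_ts > WINDOW:
                continue
            if site != p_site:          # scenario 3: two distant sites, implausible travel
                findings.append((user, "high", "sms+email+log",
                                 f"{p_app}@{p_site} then {app}@{site}"))
            elif machine != p_machine:  # scenarios 1-2: two machines on the same campus
                severity = "high" if user in SENSITIVE_ACCOUNTS else "low"
                reaction = "sms+email+log" if severity == "high" else "store_alert"
                findings.append((user, severity, reaction,
                                 f"{p_machine} and {machine} at {site}"))
        recent[user].append((ts, app, machine, site))
    return findings
```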
83. MURDER IN THE CLOUD
Code Spaces was a company that offered developers source code repositories and project management services using Git or Subversion, among other options. It had been going for seven years, and it had no shortage of customers. But it's all over now -- the company was essentially murdered by an attacker.
Code Spaces was built mostly on AWS, using storage and server instances to provide its services. Those server instances weren't hacked, nor was Code Spaces' database compromised or stolen. According to the message on the Code Spaces' website, an attacker gained access to the company's AWS control panel and demanded money in exchange for releasing control back to Code Spaces. When Code Spaces didn't comply and tried to take back control over its own services, the attacker began deleting resources. As the message on the website reads: "We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances."
http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
84. #8 | CLOUD ACCESS SECURITY BROKERS
Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises to gain
91. Info Sec moment | Tailored Access Operations (TAO)
http://en.wikipedia.org/wiki/Tailored_Access_Operations
https://www.schneier.com/blog/archives/2013/12/more_about_the.html
https://www.eff.org/deeplinks/2014/03/new-nsa-slides-reveal-tailored-
Cyber-warfare intelligence-gathering unit of the National Security Agency (NSA)
• They are a last resort for use when other methods of surveillance fail
• Largest and arguably the most important component of the NSA's huge Signals Intelligence (SIGINT) Directorate, consisting of [more than] 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers
92. Info Sec moment | Tailored Access Operations (TAO)
Operations
• Their major tool is called “QUANTUMTHEORY”
• It targets Internet service providers including Facebook, Yahoo, Twitter and YouTube.
• They have software templates allowing them to break into commonly used hardware, including “routers, switches, and firewalls from multiple product vendor lines”
• They redirect traffic from these sites to fake servers which have malware that automatically exploits weaknesses on end-user machines, e.g. the Belgacom and Huawei incidents.
93. #9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATOR OF COMPROMISE (IOC) CONFIRMATION
Some attacks will inevitably bypass traditional blocking and prevention security protection mechanisms, in which case it is key to detect the intrusion in as short a time as possible to minimize the hacker's ability to inflict damage or exfiltrate sensitive information. Many security platforms now include embedded capabilities to run ("detonate") executables and content in virtual machines (VMs) and observe the VMs for indications of compromise. This capability is rapidly becoming a feature of a more-capable platform, not a stand-alone product or market. Once a potential incident has been detected, it needs to be confirmed by correlating indicators of compromise across different entities — for example, comparing what a network-based threat detection system sees in a sandboxed environment to what is being observed on actual endpoints in terms of processes, behaviors, registry
94. #9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATOR OF COMPROMISE (IOC) CONFIRMATION
97. #9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATOR OF COMPROMISE (IOC) CONFIRMATION
1. Receive an email from enaturinda@ucc.go.ug
2. The email is scanned for viruses and malware using known threat signatures; none is discovered, but an unknown program is seen in the attachment, so the email is put in a VM with
3. Once the configuration of the virtual machine changes, the email is not sent to the intended recipient but to ThreatCloud for analysis. A signature is then developed for it, as well as anti-virus signatures
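The confirmation step described on slide 93 (correlating what the sandbox saw with what endpoints actually show) is illustrated by this added Python example, which is not the deck's or any vendor's code. The sandbox report, the endpoint telemetry records, the host names and the hash value are constructed placeholders; the rule that a verdict needs hits on at least two distinct IOC types per host is an assumption chosen to keep a lone process-name match from counting as confirmation.

```python
"""Confirm a sandbox detonation verdict against endpoint telemetry.
Added example, not from the deck or any vendor product. The sandbox report,
the telemetry lines, host names and hash values are constructed placeholders."""
import json

# Constructed sandbox ("detonation") report for an unknown e-mail attachment.
SANDBOX_REPORT = {
    "sample": "invoice.pdf.exe",
    "dropped_files": [{"path": "C:\\Users\\Public\\svchost32.exe",
                       "sha256": "PLACEHOLDER_SHA256_OF_DROPPED_FILE"}],
    "registry": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc"],
    "processes": ["svchost32.exe"],
    "dns": ["update-check.example"],
}

# Constructed endpoint telemetry, one JSON record per line (raw string, so the
# doubled backslashes are JSON escapes that decode to single backslashes).
ENDPOINT_TELEMETRY = r"""
{"host": "WS-NKW-101", "type": "file", "sha256": "PLACEHOLDER_SHA256_OF_DROPPED_FILE", "path": "C:\\Users\\Public\\svchost32.exe"}
{"host": "WS-NKW-101", "type": "process", "name": "svchost32.exe"}
{"host": "WS-NKW-101", "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc"}
{"host": "WS-NKW-207", "type": "process", "name": "svchost.exe"}
{"host": "WS-NKW-207", "type": "dns", "query": "update-check.example"}
{"host": "WS-BNG-004", "type": "process", "name": "svchost32.exe"}
"""


def extract_iocs(report):
    """Turn the sandbox report into a set of (ioc_type, value) pairs."""
    iocs = {("sha256", f["sha256"]) for f in report["dropped_files"]}
    iocs |= {("registry", k) for k in report["registry"]}
    iocs |= {("process", p) for p in report["processes"]}
    iocs |= {("dns", d) for d in report["dns"]}
    return iocs


def correlate(report, telemetry, min_types=2):
    """Return {host: {"matched": {(type, value), ...}, "confirmed": bool}}.

    A single weak indicator (e.g. a process name) is not enough; confirmation
    requires hits on at least `min_types` distinct IOC types on the same host.
    """
    iocs = extract_iocs(report)
    per_host = {}
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        # Map each telemetry record type onto the IOC type it can confirm.
        key = {"file": ("sha256", ev.get("sha256")),
               "process": ("process", ev.get("name")),
               "registry": ("registry", ev.get("key")),
               "dns": ("dns", ev.get("query"))}.get(ev["type"])
        if key in iocs:
            per_host.setdefault(ev["host"], set()).add(key)
    return {host: {"matched": matched,
                   "confirmed": len({t for t, _ in matched}) >= min_types}
            for host, matched in per_host.items()}
```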
98. #10 | CONTAINMENT AND ISOLATION AS A FOUNDATIONAL SECURITY STRATEGY
In a world where signatures are increasingly ineffective in stopping attacks, an alternative strategy is to treat everything that is unknown as untrusted and isolate its handling so that it cannot cause permanent damage to the system it is running on and cannot be used as a vector for attacks on other enterprise systems. Virtualization, isolation, abstraction and remote presentation techniques can be used to create this containment so that, ideally, the end result is similar to using a separate "air-gapped" system to handle untrusted content and applications. Virtualization and containment strategies will become a common element of a defense-in-depth protection strategy for enterprise systems, reaching 20 percent adoption by 2016 from nearly no
100. CHECKPOINT CAPSULE
Check Point Capsule enables organizations to extend their corporate security policy to mobile devices, providing real-time protection against web threats for mobile users outside of the enterprise security perimeter. Check Point Capsule offers the protection of the Check Point Software Blades as a cloud-based service, and ensures that corporate policy is always enforced and corporate data and devices are protected.
http://www.checkpoint.com/capsule/
104. Caveat | The Advanced Persistent Threat
“There is no such thing as cybersecurity. No system can be 100% secure. There is no uncrackable code.”
“The only thing you can do is build the fence higher and higher so that eventually it's not worth it to climb over”
Joshua Shaul, Chief Technology Officer, Application Security | McAfee