Best practice security

1. Restricted & Confidential
Daniel Beazer
26th September 2016
Chief Analyst
COMMON SENSE SECURITY
ECOMMERCE FORUM
1Restricted & Confidential

2. Who we are
BUSINESS PLATFORMS
2Restricted & Confidential
Cloud
Solutions
Managed Services
Connectivity
Solutions
Security Solutions
Hosting
Solutions
Colocation
Solutions

3. We need to talk about the security industry
3Restricted & Confidential
 Single threaded, deeply conflicted
 Too expensive and complex
 Doesn’t solve the problem

4. How the Security industry sells pt1
4Restricted & Confidential
Nation State

5. How the security industry sells pt 2
5Restricted & Confidential

6. And here’s your expensive solution …try understanding this
6Restricted & Confidential

7. In fact… it’s not as bad as all that
7Restricted & Confidential
 OWASP list mostly unchanged in ten years
 Ecommerce vastly more secure than offline
 Attacks increase as does ecommerce
 Roadmap technologies like Blockchain have
massive security potential

8. The result of traditional security sales tactics
8Restricted & Confidential
 The industry remains small at $76bn a year, with low growth, and in a growing threat
landscape
 Customers unconvinced deeply sceptical, will only spend money on security if forced
to or if under attack
 Compliance widely avoided with major retailers ignoring compliance regulations
 Fines are so small as to be a cost of business (£250k for Sony after breach involving
millions of UK gamers)
 Most ICO punishments are for the public sector pointlessly robbing Peter to pay Paul
 Meanwhile IT is being shaken up from top to bottom

9. Customer data is now the most valuable prize for hackers
9Restricted & Confidential
 Most security products defend the perimeter
 What is the target in 2016?
 Customer data has emerged as the hackers’ trophy
 CMS, databases are often poorly defended
– TalkTalk
 Social engineering using Facebook profiles
 … and the traditional IT model is being upended
‘Fixed fortifications are monuments to
man’s stupidity’ General Paton

10. What we want: common sense security
10Restricted & Confidential
 Don’t want to be patronized or scared
 We don’t to drown in data
 We want something easy to use, easy to set up and
easy to set up
 It needs to be affordable

11. Common sense security
11Restricted & Confidential
 Passwords
 People
 Patches

12. Security industry in summary
12Restricted & Confidential

13. A closer look at DDOS
13Restricted & Confidential

14. Data breaches come from attacks on Web Apps
14Restricted & Confidential
Web app attacks are
the most successful
attack campaigns (in
number of breaches)
Verizon DBIR 2016: Incidents

15. Undetected cyber attacks
15Restricted & Confidential
days taken to detect advanced
cyberthreats in Financial Services
days taken to detect advanced cyber
threats in Retail
98
197
Source: Ponemon Institure 2015

16. Criminals are the main culprits
16Restricted & Confidential
Source: Ponemon Institure 2015
Source: Hackmageddon 2015

17. 17Restricted & Confidential

18. DDOS trends
18Restricted & Confidential Source: Hackmageddon 2015
 Most attacks are diversions
– Real prize is customer data
– Often poorly protected in CMS
 Application layer attacks increasing
– Hard to detect and mitigate
– Layer 7
 Botnets as a service
 Regulatory burden is growing
– Financial institutions in the US
– Proactive breach notification GDPR

19. The solution: JS challenges
19Restricted & Confidential Source: Hackmageddon 2015

20. Current solutions
20Restricted & Confidential
APPLIANCES CLOUD HYBRID

21. Appliance challenges
21Restricted & Confidential
 Large up-front capital investment, need 2 units for HA
 Months to acquire, install, test & tune before operational
 Difficult to learn, expensive skillsets to bring in-house
 Completely ineffective when network bandwidth is
saturated
 Incomplete without a Cloud-based mitigation component
 No sharing of threat intelligence

22. Why do we need hardware at all?
22Restricted & Confidential

23. Cloud challenges
23Restricted & Confidential
• Traversing public networks to and from cleansing POP drastically slows
down page loads
• Basic shared rule set, vulnerable to many types of attacks
• Better than basic is expensive
• The same bowl (IP space) with other customers
• The same low security posture and aggregated risk

24. Normal traffic flow
24Restricted & Confidential

25. On net DDOS protection
25Restricted & Confidential

26. Common sense security
26Restricted & Confidential
 Passwords
 People
 Patches

27. THANK YOU
COGECOPEER1.COM
27Restricted & Confidential