Online security (Daniel Beazer)
1. Restricted & Confidential
COMMON SENSE SECURITY
ECOMMERCE FORUM
Daniel Beazer, Chief Analyst
26th September 2016
2. Who we are
BUSINESS PLATFORMS
Cloud Solutions
Managed Services
Connectivity Solutions
Security Solutions
Hosting Solutions
Colocation Solutions
3. We need to talk about the security industry
Single threaded, deeply conflicted
Too expensive and complex
Doesn’t solve the problem
4. How the Security industry sells pt1
Nation State
6. And here's your expensive solution … try understanding this
7. In fact… it’s not as bad as all that
OWASP Top 10 list mostly unchanged in ten years
Ecommerce vastly more secure than offline
Attacks increase as ecommerce grows
Roadmap technologies like Blockchain have massive security potential
8. The result of traditional security sales tactics
The industry remains small at $76bn a year, with low growth, in a growing threat landscape
Customers are unconvinced and deeply sceptical, and will only spend money on security if forced to or if under attack
Compliance is widely avoided, with major retailers ignoring compliance regulations
Fines are so small as to be a cost of doing business (£250k for Sony after a breach involving millions of UK gamers)
Most ICO punishments are for the public sector, pointlessly robbing Peter to pay Paul
Meanwhile IT is being shaken up from top to bottom
9. Customer data is now the most valuable prize for hackers
Most security products defend the perimeter
What is the target in 2016?
Customer data has emerged as the hackers’ trophy
CMS and databases are often poorly defended
– TalkTalk
Social engineering using Facebook profiles
… and the traditional IT model is being upended
‘Fixed fortifications are monuments to man’s stupidity’ General Patton
10. What we want: common sense security
We don’t want to be patronized or scared
We don’t want to drown in data
We want something easy to use and easy to set up
It needs to be affordable
14. Data breaches come from attacks on Web Apps
Web app attacks are the most successful attack campaigns (in number of breaches)
Source: Verizon DBIR 2016: Incidents
15. Undetected cyber attacks
98 days taken to detect advanced cyber threats in Financial Services
197 days taken to detect advanced cyber threats in Retail
Source: Ponemon Institute 2015
16. Criminals are the main culprits
Source: Ponemon Institute 2015
Source: Hackmageddon 2015
18. DDoS trends
Source: Hackmageddon 2015
Most attacks are diversions
– Real prize is customer data
– Often poorly protected in CMS
Application layer attacks increasing
– Hard to detect and mitigate
– Layer 7
Botnets as a service
Regulatory burden is growing
– Financial institutions in the US
– Proactive breach notification (GDPR)
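The "hard to detect" point about layer 7 attacks is easier to see on data than on a bullet. The script below is an added example, not code from the original slides or from the presenter's company: it builds a constructed Common Log Format access log (documentation-range IP addresses, arbitrary timestamps and sizes) in which two sources flood a search endpoint with small requests, and then compares the bandwidth view, which is what a volumetric DDoS appliance watches, with a per-source request-rate view on expensive endpoints. The window length, rate threshold and the list of "expensive" path prefixes are assumptions chosen for the sample; tune them to your own application.

```python
"""Layer-7 flood detection over a constructed web access log (added example).

Contrasts a bandwidth view of traffic, which a volumetric DDoS appliance
relies on, with a per-source request-rate view on expensive endpoints,
which is what exposes an application-layer (layer 7) flood.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def fmt(ip, ts, method, path, status, size):
    """Render one Common Log Format line (used only to build the sample)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Constructed sample, not a real capture.

    Three shoppers (198.51.100.x) browse product pages and images; one of
    them also runs three searches. Two sources (203.0.113.7/.8) each send
    ten tiny search requests per second for a minute: a layer-7 flood that
    costs the backend a database query per hit but almost no bandwidth.
    """
    base = datetime.strptime("26/Sep/2016:10:00:00 +0000", TS_FMT)
    lines = []
    for j, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for n in range(15):
            t = base + timedelta(seconds=4 * n + j)
            path, size = ("/images/hero.jpg", 250000) if n % 2 == 0 else (f"/product/{n}", 24000)
            lines.append(fmt(ip, t, "GET", path, 200, size))
    for s in (5, 25, 45):  # a legitimate, low-rate user of the search endpoint
        lines.append(fmt("198.51.100.11", base + timedelta(seconds=s), "GET", "/search?q=shoes", 200, 1800))
    for s in range(60):
        for k in range(10):
            for ip in ("203.0.113.7", "203.0.113.8"):
                lines.append(fmt(ip, base + timedelta(seconds=s), "GET", f"/search?q=x{k}", 200, 600))
    return lines


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }


def analyse(lines, window=10, rps_threshold=2.0, expensive=("/search", "/checkout")):
    """Flag sources whose peak request rate on expensive endpoints reaches
    rps_threshold (requests/second, averaged over `window` seconds), and report
    what share of total bytes and total requests the flagged sources account for."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    t0 = min(r["ts"] for r in recs)
    hits = defaultdict(lambda: defaultdict(int))  # ip -> window index -> expensive hits
    bytes_by_ip, reqs_by_ip = defaultdict(int), defaultdict(int)
    for r in recs:
        bytes_by_ip[r["ip"]] += r["size"]
        reqs_by_ip[r["ip"]] += 1
        if r["path"].startswith(expensive):
            w = int((r["ts"] - t0).total_seconds()) // window
            hits[r["ip"]][w] += 1
    flagged = {ip: max(ws.values()) / window for ip, ws in hits.items()
               if max(ws.values()) / window >= rps_threshold}
    total_bytes, total_reqs = sum(bytes_by_ip.values()), sum(reqs_by_ip.values())
    return {
        "flagged": flagged,
        "flagged_byte_share": sum(bytes_by_ip[ip] for ip in flagged) / total_bytes,
        "flagged_request_share": sum(reqs_by_ip[ip] for ip in flagged) / total_reqs,
    }


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

On the sample, the two flooding sources generate about 96% of all requests but under 10% of the bytes, so a bandwidth-based view sees nothing unusual while the per-source rate on the search endpoint (10 requests/second each) stands well clear of the legitimate searcher at 0.1 requests/second. The same structure (rate per source per expensive endpoint, not bytes per second) is what a layer 7 mitigation rule has to key on.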
21. Appliance challenges
Large up-front capital investment; two units needed for HA
Months to acquire, install, test and tune before operational
Difficult to learn; expensive skillsets to bring in-house
Completely ineffective once network bandwidth is saturated
Incomplete without a cloud-based mitigation component
No sharing of threat intelligence
22. Why do we need hardware at all?
23. Cloud challenges
• Traversing public networks to and from the cleansing POP drastically slows down page loads
• Basic shared rule set, vulnerable to many types of attack
• Better than basic is expensive
• The same bowl (IP space) shared with other customers
• The same low security posture and aggregated risk