Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web/Cloud security is minuscule

Sreejesh Madonandy
Sreejesh MadonandyCTO at TBC-World Group
Pinpointing Real Attacks in the Sea of Security Sreejesh K M, CTO @ TBC-World Group linkedin.com/in/sreejeshkm sreejesh.km@tbc-world.com
Business On Internet • Small and Big Businesses are leveraging Private/Public/Hybrid cloud, either as IaaS, PaaS or SaaS or a combination of these, than ever before. Even enterprise apps embraced Internet • Man and Machine are generating/consuming more data than ever (1 Billion Smart Phones and counting) • Man: Car/Home and Office/Mobile/Tab/Desktop/Wearable technologies at an unprecedented scale • Machine: Internet of Things, Devices and Tons of sensors interacting with cloud • Handling Sea of Data than ever before in the History of Min-kind, i.e literally tons of Data in Transit and in Storage • And who don’t use Big Data?
Internet - For Secure & Fast Business? • Diversity of Browsers, Protocols, Standards, Devices and Network Types – Already Chaotic Internet Space, now Operating at Unprecedented Scale adding to Additional Security Challenges • Sophisticated Attacks at Cloud Scale – DDOS Attacks – SQLI/XSS, Client-side attacks, ZERO day attacks • We hear this much less now – VM theft/VM escape and Hyper Jacking. – Data Leakage via Multi-tenant Isolation decisions, Via Shared Cache, Cross VM Side Kicks – Attacks across OSI Layers
Changing Attack Landscape • DDOS attacks tripled since 2010 – Attacks at the rate 20Gb/s are now seen – attackers are surely using the cloud as well, to scale! • Rate of increase over years for Web layer attacks is much more than Network Layer attacks • Hacktivism, Government Malware, Black Clouds • CVE even had to change their syntax to include more digits to account for more than 9999 in a year! • Many cases of being unable to keep Assets/Data safe from un-authorized access, modification or destruction during storage and/or transmission or just a Slow Trap
Be Aware – False sense of Security – More Apps being built, faster than ever (Heard of Nightly Builds?)! – Beware of Third-Party » Up to 70% of Internally Developed Code originates outside of the development Team » Pattern of Attackers attacking third party Framework level vulnerabilities – Gap between of IT Operations and Development team w.r.to Security Readiness (e.g. Vulnerable components, potential breaking config changes) – Web Security is complex. Developers have a lot of Catch-up to do! – Attackers are on Steroid!
How to Succeed? • Some are having better success with Cloud Scale Internet than the others – A lot is to do with how smartly you are handling Security risks – A lot is to do with, whether you are focusing on the right areas where there is bigger risk – A lot is to do with, do you know those areas of risk well enough and Budget it Right
IT Spending on Security • Businesses are willing to spend on IT Security, but not enough focus on some areas – 70 to 80% of Security spending is historically on the Network Infra level or Host level security (IDS, Firewall, Appliances) – More Vulnerability at App Layer: More data being transferred, more devices accessing data, more auto-scaled servers serving data • Attackers are quick enough to attack the surface, where there is more vulnerability, – Miniscule Spending at App Layer – where most attacks are now focused • In most Enterprise Projects. Security do find a mention, but it is the first causality in the rat race to lower ‘Time to Market’ and ‘Minimum Viable Product’ scenarios. • We end up spending least of amount of money on most attacked surface
Define and Measure • Define Web Security Priority Areas per projects & system landscape • Calculate Cost of Down-time (with criticality of Operations downtime) • Calculate Cost of Data Loss (lost customers/brand image) • Calculate Cost of Slowness (Cart Abandonment) • Get Executive Buy-in for prioritized areas • Account for appropriate investment for each Risk Area separately, early in the cycle
Few Action Steps • When out-sourcing, Factor Risks in RFQ, and get SLA backed delivery for defined priority Security areas • When building Solutions, Fortify from the ground-up – Hire right team who are Competent in Security as well (How many Resumes and JDs today speak of Security as a skill?) – Via WAST/Code Level/Design Level Automated Security tests – Make independent Vulnerability Testing and Penetration testing a practice • Prepare Effective Counters against DDOS and Unknown attacks – BUILD vs BUY Site Defenders: Weigh the effect of creating DDOS paradox vs investing in Solutions like Akamai Site Defenders – Web Application firewalling
Quick Summary • @Planning Stage : Define Priorities and Budget it Right for Security at Cloud Scale • @Architect: For Volume, Velocity And Variety of Data, and still be Secure and Fault Tolerant • @Dev : Ongoing measures to ensure that critical Security areas are not the causality in the event of mad push for MVP/Time to market • @Deploy: Be aware of widely Attacked ports and Attack types, Spread out to Horizontal Edges, Deep handshake with Dev Architects • @Operations: Constant Monitoring and health checks, Audits, and • Be Alert and Be Ready to Adapt!
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web/Cloud security is minuscule
1 of 11

Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web/Cloud security is minuscule

Download to read offline
Internet

Though it is changing for good, IT spending on Web/Cloud security is minuscule. Traditional appliance focused security is not helping the business which is on Internet Cloud IT Security Spending decisions must be based based on the Adaptive mechanisms that review threat landscape periodically.

Sreejesh Madonandy
Sreejesh MadonandyCTO at TBC-World Group

Recommended

2015 Cyber Security2015 Cyber Security
2015 Cyber SecurityAllen Zhang
182 views24 slides
Qualys user group presentation - vulnerability management - November 2009 v1 3Qualys user group presentation - vulnerability management - November 2009 v1 3
Qualys user group presentation - vulnerability management - November 2009 v1 3Tom King
686 views14 slides
The Datacenter Security ContinuumThe Datacenter Security Continuum
The Datacenter Security ContinuumMartin Hingley
751 views10 slides
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...North Texas Chapter of the ISSA
1.5K views16 slides
Network and Endpoint Security v1.0 (2017)Network and Endpoint Security v1.0 (2017)
Network and Endpoint Security v1.0 (2017)Rui Miguel Feio
1.5K views32 slides
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNorth Texas Chapter of the ISSA
1.2K views22 slides

More Related Content

What's hot

What's hot(20)

Common WebApp Vulnerabilities and What to Do About ThemCommon WebApp Vulnerabilities and What to Do About Them
Common WebApp Vulnerabilities and What to Do About Them
Eoin Woods1.4K views
Event Presentation: Cyber Security for Industrial Control SystemsEvent Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control Systems
Infonaligy185 views
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
Information Security Awareness Group2.3K views
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Ulf Mattsson994 views
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
Intergen711 views
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
Denim Group452 views
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
PECB 2.4K views
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W...
Jane Alexander998 views
10 Security issues facing NZ Enterprises10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises
Nigel Hanson509 views
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
Jason Clark1.2K views
It and-cyber-module-2It and-cyber-module-2
It and-cyber-module-2
Marneil Sanchez129 views
A New Remedy for the Cyber Storm ApproachingA New Remedy for the Cyber Storm Approaching
A New Remedy for the Cyber Storm Approaching
SPI Conference291 views
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
Empired540 views
The QA Analyst's Hacker's Landmark Tour v3.0The QA Analyst's Hacker's Landmark Tour v3.0
The QA Analyst's Hacker's Landmark Tour v3.0
Rafal Los550 views
Software Security Assurance - Program Building (You're going to need a bigger...Software Security Assurance - Program Building (You're going to need a bigger...
Software Security Assurance - Program Building (You're going to need a bigger...
Rafal Los836 views
Info sec for startupsInfo sec for startups
Info sec for startups
Kesava Reddy638 views
Selling to The IT DepartmentSelling to The IT Department
Selling to The IT Department
3VR Inc.450 views
DCD Converged Brazil 2016 DCD Converged Brazil 2016
DCD Converged Brazil 2016
Scott Carlson209 views
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The Cloud
PECB 1.1K views
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
centralohioissa858 views

Viewers also liked

Viewers also liked(9)

Eenvoudig geld besparen met de Bespaartips Top 50Eenvoudig geld besparen met de Bespaartips Top 50
Eenvoudig geld besparen met de Bespaartips Top 50
Geldreview.nl1.2K views
Onderzoek geld lenen in Nederland 2014Onderzoek geld lenen in Nederland 2014
Onderzoek geld lenen in Nederland 2014
Geldreview.nl685 views
Productivity Improvement Tips for New age ProfessionalsProductivity Improvement Tips for New age Professionals
Productivity Improvement Tips for New age Professionals
Sreejesh Madonandy524 views
Promoting SSA Tucson's Spring Festival 2013Promoting SSA Tucson's Spring Festival 2013
Promoting SSA Tucson's Spring Festival 2013
Sunrise Sunset415 views
Berbicara soal agamaBerbicara soal agama
Berbicara soal agama
sitirafidahdikon232 views
How to choose a frieght fowarding agentHow to choose a frieght fowarding agent
How to choose a frieght fowarding agent
canada_3pllinks453 views
Inf consultantInf consultant
Inf consultant
Evgeny Baburov343 views
Are you a fool for quizzesAre you a fool for quizzes
Are you a fool for quizzes
Noel Ortega133 views
ZmoviedbZmoviedb
Zmoviedb
zainmdb333 views

Similar to Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web/Cloud security is minuscule

Similar to Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web/Cloud security is minuscule(20)

An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi22.5K views
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
CSO_Presentations510 views
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
iMIS496 views
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
iMIS392 views
Cloud monitoring - An essential Platform ServiceCloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform Service
Soumitra Bhattacharyya64 views
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud1.1K views
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
RedZone Technologies145 views
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
Criminal IP68 views
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Tudor Damian159 views
Boot camp - Migration to AWSBoot camp - Migration to AWS
Boot camp - Migration to AWS
Amazon Web Services8.9K views
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
Quick Heal Technologies Ltd.786 views
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]
Tudor Damian127 views
SecurityOperationsSecurityOperations
SecurityOperations
Antonio (Tony) Robinson201 views
Securing Beyond the Cloud GenerationSecuring Beyond the Cloud Generation
Securing Beyond the Cloud Generation
Forcepoint LLC322 views
Cyber security for businessCyber security for business
Cyber security for business
Daniel Thomas669 views
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann752 views
Eyes Wide Shut: Cybersecurity Smoke & Mirrors...Eyes Wide Shut: Cybersecurity Smoke & Mirrors...
Eyes Wide Shut: Cybersecurity Smoke & Mirrors...
STASH | Datacentric Security 31 views
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann666 views
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
GovCloud Network976 views
The Disadvantages Of VirtualizationThe Disadvantages Of Virtualization
The Disadvantages Of Virtualization
Aimee Brown4 views

Recently uploaded

informationinformation
informationkhelgishekhar
6 views4 slides

Recently uploaded(20)

UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity83 views
Pen Testing - Allendevaux.pdfPen Testing - Allendevaux.pdf
Pen Testing - Allendevaux.pdf
SourabhKumar328076 views
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC15 views
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC9 views
informationinformation
information
khelgishekhar6 views
UiPath Document Understanding_Day 2.pptxUiPath Document Understanding_Day 2.pptx
UiPath Document Understanding_Day 2.pptx
RohitRadhakrishnan8250 views
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docx
ssuserc5935b5 views
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC15 views
Existing documentaries (1).docxExisting documentaries (1).docx
Existing documentaries (1).docx
MollyBrown8613 views
AI Powered event-driven translation botAI Powered event-driven translation bot
AI Powered event-driven translation bot
Jimmy Dahlqvist15 views
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04106 views
Serverless cloud architecture patternsServerless cloud architecture patterns
Serverless cloud architecture patterns
Jimmy Dahlqvist15 views
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptx
UiPathCommunity73 views
KHNOG 5: RPKI Status UpdateKHNOG 5: RPKI Status Update
KHNOG 5: RPKI Status Update
APNIC399 views
Is Entireweb better than GoogleIs Entireweb better than Google
Is Entireweb better than Google
sebastianthomasbejan10 views
Sustainable MarketingSustainable Marketing
Sustainable Marketing
Theo van der Zee6 views
google forms survey (1).pptxgoogle forms survey (1).pptx
google forms survey (1).pptx
MollyBrown8614 views
OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...
OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...
Prof. Marcus Renato de Carvalho87 views
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC Services
APNIC405 views
informing ideas.docxinforming ideas.docx
informing ideas.docx
MollyBrown8612 views

Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web/Cloud security is minuscule

  • 1. Pinpointing Real Attacks in the Sea of Security Sreejesh K M, CTO @ TBC-World Group linkedin.com/in/sreejeshkm sreejesh.km@tbc-world.com
  • 2. Business On Internet • Small and Big Businesses are leveraging Private/Public/Hybrid cloud, either as IaaS, PaaS or SaaS or a combination of these, than ever before. Even enterprise apps embraced Internet • Man and Machine are generating/consuming more data than ever (1 Billion Smart Phones and counting) • Man: Car/Home and Office/Mobile/Tab/Desktop/Wearable technologies at an unprecedented scale • Machine: Internet of Things, Devices and Tons of sensors interacting with cloud • Handling Sea of Data than ever before in the History of Min-kind, i.e literally tons of Data in Transit and in Storage • And who don’t use Big Data?
  • 3. Internet - For Secure & Fast Business? • Diversity of Browsers, Protocols, Standards, Devices and Network Types – Already Chaotic Internet Space, now Operating at Unprecedented Scale adding to Additional Security Challenges • Sophisticated Attacks at Cloud Scale – DDOS Attacks – SQLI/XSS, Client-side attacks, ZERO day attacks • We hear this much less now – VM theft/VM escape and Hyper Jacking. – Data Leakage via Multi-tenant Isolation decisions, Via Shared Cache, Cross VM Side Kicks – Attacks across OSI Layers
  • 4. Changing Attack Landscape • DDOS attacks tripled since 2010 – Attacks at the rate 20Gb/s are now seen – attackers are surely using the cloud as well, to scale! • Rate of increase over years for Web layer attacks is much more than Network Layer attacks • Hacktivism, Government Malware, Black Clouds • CVE even had to change their syntax to include more digits to account for more than 9999 in a year! • Many cases of being unable to keep Assets/Data safe from un-authorized access, modification or destruction during storage and/or transmission or just a Slow Trap
  • 5. Be Aware – False sense of Security – More Apps being built, faster than ever (Heard of Nightly Builds?)! – Beware of Third-Party » Up to 70% of Internally Developed Code originates outside of the development Team » Pattern of Attackers attacking third party Framework level vulnerabilities – Gap between of IT Operations and Development team w.r.to Security Readiness (e.g. Vulnerable components, potential breaking config changes) – Web Security is complex. Developers have a lot of Catch-up to do! – Attackers are on Steroid!
  • 6. How to Succeed? • Some are having better success with Cloud Scale Internet than the others – A lot is to do with how smartly you are handling Security risks – A lot is to do with, whether you are focusing on the right areas where there is bigger risk – A lot is to do with, do you know those areas of risk well enough and Budget it Right
  • 7. IT Spending on Security • Businesses are willing to spend on IT Security, but not enough focus on some areas – 70 to 80% of Security spending is historically on the Network Infra level or Host level security (IDS, Firewall, Appliances) – More Vulnerability at App Layer: More data being transferred, more devices accessing data, more auto-scaled servers serving data • Attackers are quick enough to attack the surface, where there is more vulnerability, – Miniscule Spending at App Layer – where most attacks are now focused • In most Enterprise Projects. Security do find a mention, but it is the first causality in the rat race to lower ‘Time to Market’ and ‘Minimum Viable Product’ scenarios. • We end up spending least of amount of money on most attacked surface
  • 8. Define and Measure • Define Web Security Priority Areas per projects & system landscape • Calculate Cost of Down-time (with criticality of Operations downtime) • Calculate Cost of Data Loss (lost customers/brand image) • Calculate Cost of Slowness (Cart Abandonment) • Get Executive Buy-in for prioritized areas • Account for appropriate investment for each Risk Area separately, early in the cycle
  • 9. Few Action Steps • When out-sourcing, Factor Risks in RFQ, and get SLA backed delivery for defined priority Security areas • When building Solutions, Fortify from the ground-up – Hire right team who are Competent in Security as well (How many Resumes and JDs today speak of Security as a skill?) – Via WAST/Code Level/Design Level Automated Security tests – Make independent Vulnerability Testing and Penetration testing a practice • Prepare Effective Counters against DDOS and Unknown attacks – BUILD vs BUY Site Defenders: Weigh the effect of creating DDOS paradox vs investing in Solutions like Akamai Site Defenders – Web Application firewalling
  • 10. Quick Summary • @Planning Stage : Define Priorities and Budget it Right for Security at Cloud Scale • @Architect: For Volume, Velocity And Variety of Data, and still be Secure and Fault Tolerant • @Dev : Ongoing measures to ensure that critical Security areas are not the causality in the event of mad push for MVP/Time to market • @Deploy: Be aware of widely Attacked ports and Attack types, Spread out to Horizontal Edges, Deep handshake with Dev Architects • @Operations: Constant Monitoring and health checks, Audits, and • Be Alert and Be Ready to Adapt!