
Even In 2014, Attackers are on steroids on Cloud, since the IT spending on Web/Cloud security is minuscule


Though it is changing for the better, IT spending on Web/Cloud security is minuscule. Traditional appliance-focused security is not helping businesses that run on the Internet cloud.
IT security spending decisions must be based on adaptive mechanisms that review the threat landscape periodically.

Published in: Internet
  1. Pinpointing Real Attacks in the Sea of Security (Sreejesh K M, CTO @ TBC-World Group)
  2. Business On Internet
     • Small and big businesses are leveraging private/public/hybrid cloud, as IaaS, PaaS, SaaS or a combination of these, more than ever before. Even enterprise apps have embraced the Internet.
     • Man and machine are generating and consuming more data than ever (1 billion smartphones and counting)
       – Man: car/home and office/mobile/tablet/desktop/wearable technologies at an unprecedented scale
       – Machine: Internet of Things, devices and tons of sensors interacting with the cloud
     • Handling a sea of data, more than ever before in the history of mankind, i.e. literally tons of data in transit and in storage
     • And who doesn't use Big Data?
  3. Internet: For Secure & Fast Business?
     • Diversity of browsers, protocols, standards, devices and network types
       – An already chaotic Internet space, now operating at unprecedented scale, adds further security challenges
     • Sophisticated attacks at cloud scale
       – DDoS attacks
       – SQLi/XSS, client-side attacks, zero-day attacks
     • We hear this much less now
       – VM theft/VM escape and hyperjacking
       – Data leakage via multi-tenant isolation decisions, via shared cache, cross-VM side channels
       – Attacks across OSI layers
  4. Changing Attack Landscape
     • DDoS attacks have tripled since 2010
       – Attacks at a rate of 20 Gb/s are now seen; attackers are surely using the cloud as well, to scale!
     • The rate of increase over the years for web-layer attacks is much higher than for network-layer attacks
     • Hacktivism, government malware, black clouds
     • CVE even had to change its ID syntax to allow more digits, to account for more than 9999 vulnerabilities in a year!
     • Many cases of being unable to keep assets/data safe from unauthorized access, modification or destruction during storage and/or transmission, or just a slow trap
  5. Be Aware
     – False sense of security
     – More apps being built, faster than ever (heard of nightly builds?)
     – Beware of third parties
       » Up to 70% of internally developed code originates outside of the development team
       » Pattern of attackers attacking third-party framework-level vulnerabilities
     – Gap between the security readiness of IT operations and of the development team (e.g. vulnerable components, potentially breaking config changes)
     – Web security is complex. Developers have a lot of catching up to do!
     – Attackers are on steroids!
  6. How to Succeed?
     • Some are having better success with the cloud-scale Internet than others
       – A lot has to do with how smartly you handle security risks
       – A lot has to do with whether you are focusing on the right areas, where the bigger risk is
       – A lot has to do with whether you know those areas of risk well enough and budget them right
  7. IT Spending on Security
     • Businesses are willing to spend on IT security, but there is not enough focus on some areas
       – 70 to 80% of security spending has historically gone to network-infrastructure-level or host-level security (IDS, firewalls, appliances)
       – More vulnerability at the app layer: more data being transferred, more devices accessing data, more auto-scaled servers serving data
     • Attackers are quick to attack the surface where there is more vulnerability
       – Minuscule spending at the app layer, where most attacks are now focused
     • In most enterprise projects security does find a mention, but it is the first casualty in the rat race to lower 'time to market' and in 'minimum viable product' scenarios
     • We end up spending the least amount of money on the most-attacked surface
  8. Define and Measure
     • Define web security priority areas per project & system landscape
     • Calculate the cost of downtime (with the criticality of operations downtime)
     • Calculate the cost of data loss (lost customers/brand image)
     • Calculate the cost of slowness (cart abandonment)
     • Get executive buy-in for the prioritized areas
     • Account for appropriate investment for each risk area separately, early in the cycle
  9. A Few Action Steps
     • When outsourcing, factor risks into the RFQ, and get SLA-backed delivery for the defined priority security areas
     • When building solutions, fortify from the ground up
       – Hire the right team, competent in security as well (how many resumes and JDs today speak of security as a skill?)
       – Via WAST/code-level/design-level automated security tests
       – Make independent vulnerability testing and penetration testing a practice
     • Prepare effective counters against DDoS and unknown attacks
       – BUILD vs BUY site defenders: weigh the effect of creating a DDoS paradox vs investing in solutions like Akamai Site Defenders
       – Web application firewalling
  10. Quick Summary
     • @Planning stage: define priorities and budget them right for security at cloud scale
     • @Architect: design for volume, velocity and variety of data, and still be secure and fault tolerant
     • @Dev: ongoing measures to ensure that critical security areas are not the casualty in the event of a mad push for MVP/time to market
     • @Deploy: be aware of widely attacked ports and attack types, spread out to horizontal edges, deep handshake with dev architects
     • @Operations: constant monitoring and health checks, audits
     • Be alert and be ready to adapt!
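As an added worked example (not code from the original deck), the "Define and Measure" steps of slide 8 turned into a risk-proportional budget split, compared against the historic 70-80% network/host share described on slide 7; every area name and figure below is a constructed assumption.

```python
from dataclasses import dataclass


@dataclass
class RiskArea:
    """One security priority area and the loss drivers slide 8 asks you to cost."""
    name: str
    downtime_hours_per_year: float  # expected outage hours attributable to this area
    cost_per_downtime_hour: float   # cost of downtime, weighted by operational criticality
    breach_probability: float       # annual probability of a data-loss incident
    cost_per_breach: float          # cost of data loss (lost customers, brand image)
    slowness_loss_per_year: float   # cost of slowness (cart abandonment)


def annual_loss_expectancy(area: RiskArea) -> float:
    """Expected yearly loss = downtime cost + data-loss cost + slowness cost."""
    return (area.downtime_hours_per_year * area.cost_per_downtime_hour
            + area.breach_probability * area.cost_per_breach
            + area.slowness_loss_per_year)


def allocate_budget(areas: list[RiskArea], total_budget: float) -> dict[str, float]:
    """Split the security budget in proportion to each area's expected loss."""
    losses = {a.name: annual_loss_expectancy(a) for a in areas}
    total_loss = sum(losses.values())
    if total_loss <= 0:
        raise ValueError("no quantified risk: define and measure the areas first")
    return {name: total_budget * loss / total_loss for name, loss in losses.items()}


def spend_gap(allocation: dict[str, float], current: dict[str, float]) -> dict[str, float]:
    """Risk-proportional minus current spend per area; positive means under-funded."""
    return {name: allocation[name] - current.get(name, 0.0) for name in allocation}


# Constructed sample figures (hypothetical, not from the presentation).
SAMPLE_AREAS = [
    RiskArea("network/host", 4, 10_000, 0.05, 500_000, 0),
    RiskArea("web application", 20, 10_000, 0.30, 2_000_000, 150_000),
]
# Mirrors slide 7's historic 70-80% network/host share of a 1M budget.
SAMPLE_CURRENT_SPEND = {"network/host": 750_000, "web application": 250_000}

if __name__ == "__main__":
    alloc = allocate_budget(SAMPLE_AREAS, 1_000_000)
    for name, gap in spend_gap(alloc, SAMPLE_CURRENT_SPEND).items():
        print(f"{name:16s} risk-proportional {alloc[name]:>12,.0f}  gap {gap:>+12,.0f}")
```

With these sample inputs the app layer carries over 90% of the expected loss but receives 25% of the spend, which is the mismatch the deck argues against.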