Securing a Dynamic Infrastructure. Avinash Pandey CISA CISSP ITIL-F PMP IBM Internet Security Systems, ASEAN

Transcription

1 Securing a Dynamic Infrastructure Avinash Pandey CISA CISSP ITIL-F PMP IBM Internet Security Systems, ASEAN avinash@sg.ibm.com

2 AGENDA The Changing World of Security IBM ISS X-Force Trend Report 2008 IBM ISS Protection Platform IBM Security Framework X-Force IBM ISS Security Solutions in Action 2

3 Global market forces are impacting us all Reality of living in a globally integrated world Widespread impact of economic downturn and uncertainty New customer demands and business models Information explosion and risk/opportunity growth Businesses are under increasing pressure to effectively: Manage operational cost and complexity Deliver continuous and high-quality service Address security risks intensified by innovation, emerging technologies and data/information explosion. We have seen more change in the last 10 years than in the previous 90. Ad J. Scheepbouwer, CEO, KPN Telecom The planet is getting instrumented, interconnected and intelligent. 3

4 Welcome to the smart planet and a smarter infrastructure Globalization and Globally Available Resources Billions of mobile devices accessing the Web Access to streams of information in the Real Time New Forms of Collaboration New possibilities. New complexities. New risks. 4

5 The real security problem? Complexity remains the biggest security challenge! InformationWeek 2008 Security Survey Compliance spending: investing in more point products to solve more point problems New methods and motives: adding to the complexity and sheer number of risks We have put so many security products into our systems that the complexity of the sum of those security products has become itself part of the problem. Dan Geer Keynote Speaker Source Boston Conference March 2008 IT Innovation: requiring new ways to secure the new ways we collaborate 5 The global economy: driving new security support requirements Flexibility in business methods: to improve operations and serve customers

6 Not all risks are created equal.. Frequency of Occurrences Per Year frequent infrequent 1, /10 1/100 1/1,000 1/10,000 Virus Worms Data Corruption System Availability Failures Disk Failure Network Problem Data Leakage Application Outage Failure to meet Compliance Mandates Lack of governance Failure to meet Industry standards Workplace inaccessibility Terrorism/Civil Unrest Regional Power Failures Building Fire Natural Disaster Pandemic 1/100,000 $1 $10 $100 $1,000 $10k $100k $1M $10M $100M low Consequences (Single Occurrence Loss) in Dollars per Occurrence high 6

7 Neither are all Security solutions Find a balance between effective security and cost The axiom never spend $100 dollars on a fence to protect a $10 horse Studies show the Pareto Principle (the rule) applies to IT security* 87% of breaches were considered avoidable through reasonable controls Pressure Cost Complexity Effectiveness Agility Time Small set of security controls provide a disproportionately high amount of coverage Critical controls address risk at every layer of the enterprise and Organizations that use security controls have significantly higher performance* *Sources: W.H. Baker, C.D. Hylender, J.A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008 ITPI: IT Process Institute, EMA December

8 IBM ISS X-Force Trend Report

9 The mission of the IBM Internet Security Systems X-Force research and development team is to: Research and evaluate threat and protection issues Develop new technology for tomorrow s security challenges Deliver security protection for today s security problems Educate the media and user communities 9

10 The Security Landscape of Old Traditional Infrastructure was easier to protect... Concrete entities that were easy to understand Attack surface and vectors were very well-defined Application footprint very static Perimeter defense was king 10

11 The Changing Security Landscape of Today Webification has changed everything... Infrastructure is more abstract and less defined Everything needs a web interface Agents and heavy clients are no longer acceptable Traditional defenses no longer apply 11

12 This infrastructure abstraction has transformed the threat landscape into a parasitic era! The threats of today and tomorrow are acting as parasites Compromises are used as spring boards for further compromises Threats remain hidden and use affected infrastructure to grow and spread Threats depend upon the health and continued operation of the infrastructure they attack rather than being destructive, they feed off the host As computing infrastructure evolves and innovates, threats utilize new features and functions to increase exploitation and leverage new technology 12

13 Vulnerability Highlights Overall number of disclosed vulnerabilities increased in comparison to previous years Percent of high vulnerabilities continued to climb and 39% of all disclosed vulnerabilities are considered high or critical (CVSS ranking) Web-centric technologies have the most focus for vulnerability researchers and attackers alike 13

14 Vulnerability Impact 14

15 Exploitation Realities and Dynamics 15

16 Growth of Web Application Vulnerabilities 16

17 Endpoint Vulnerabilities The availability of public exploits for endpoint-related vulnerabilities is increasing More than 80% of these public exploits released on the same day as the vulnerability 17

18 Primary Exploit Target: Browser Plug-Ins The majority of publicly released exploits are for browser plug-ins The top five most exploited browser vulnerabilities all target plug-ins Although most active exploitation focuses on older vulnerabilities, newer attack tools have automatic methods to incorporate the most recent exploits 18

19 Virtualization Vulnerabilities by Year XFDB Search: VMware, Xen, Virtual PC, QEMU, Parallels, etc

20 VoIP Security Critical and high VOIP vulnerabilities were nearly double the number seen in 2007 Threats to VoIP infrastructure Man in the Middle Attacks Phishing Privacy Spam over VoIP (SPIT) Denial of Service (DoS) VoIP Assets that need protection: Underlying Network Call Servers (OS) Call Gateways Phones/Soft phones 20

21 IBM ISS Protection Platform Among the most advanced and complete security architecture ever developed delivering preemptive security Redefine and Simplify IT Risk Management Establish a Total Security Framework and Solutions Portfolio IBM Security Framework Simplify the Security Risk Lifecycle The X-Force team Drives IBM ISS Security Innovation X-Force R & D 21

22 IBM Security Framework: A comprehensive approach to a complex issue The The IBM IBM Security Security Framework Framework Security Security Governance, Governance, Risk Risk Management Management and and Compliance Compliance People and Identity Data and Information Application and Process Network, Server, and End-point Physical Infrastructure Common Policy, Event Handling and Reporting Common Policy, Event Handling and Reporting Helps you see your whole security landscape Identifies business risks and Shows you where gaps might exist Identifies security postures that help you meet risk levels Identifies activities to close gaps Helps prioritize security initiatives 22

23 PEOPLE AND IDENTITY Manage Identities and Access Issues Understanding the identity risk gap Cost of administering users and identities in-house Privileged user activity unmonitored Dormant IDs or shared identities being used to inappropriately access resources IBM Security Offerings Identity Lifecycle Management High-Assurance Digital Identities Identity Audit Identity & Access Design and Implementation Services ISS Managed Identity Services How can my business benefit from management of digital identity? Values Reduces the cost, increases efficiency and enables audit-ability of managing flow of users entering, using, and leaving the organization Decreases risk of internal fraud, data leak, or operational outage Supports globalization of operations Improves end-user experience with Web-based business applications by enabling such activities such as single sign-on 23

24 DATA AND INFORMATION Issues IBM Security Offerings Protect Data and Information How can I reduce the cost and pain associated with tracking and controlling who touched what data when? Data stored on removable media that can be lost/stolen Data stored or transmitted in the clear is easily accessible Inconsistent data policies and unstructured data Legal, regulatory and ethical exposure for the organization Costs of data breaches, notification, brand value Values ISS Data Security and Data Loss Prevention solutions Network Data Loss Prevention Endpoint Data Loss Prevention Data Encryption Data Classification Unstructured Data Security Data Privacy and Masking Reduces the cost, increases ability to meet audit and compliance mandates Assures data is available to the right people, at the right time Assures data is not deliberately or inadvertently taken, leaked, or damaged Decreases number and complexity of controls integrated within the enterprise 24

25 APPLICATION AND PROCESS Secure Web Applications Issues Web applications #1 target of hackers seeking to exploit vulnerabilities Applications are deployed with vulnerabilities Real and/or private data exposed to anyone with access to development and test environments, including contractors and outsourcers IBM Security Offerings Application Vulnerabilities Assessment Application Access Controls Messaging Security Security for SOA How can my business benefit from management of application security? Values Reduce risk of outage, defacement or data theft associated with web applications Improve compliance with industry standards and regulatory requirements Automated testing and governance throughout the development lifecycle, reducing long-term security costs 25

26 NETWORK, SERVER AND END POINT Issues IBM Security Offerings Manage Infrastructure Security Systems Storage Virtual Network How does my business benefit from infrastructure security protection? Mass commercialization and automation of threats Parasitic, stealthier, more damaging attacks Lack of skills to monitor and manage security inputs Compounding cost of managing an ever increasing array of security technologies Inability to establish forensic evidence or demonstrate compliance Values Threat Mitigation: ISS Network, Server and Endpoint Intrusion Prevention products powered by X-Force, Managed Intrusion Prevention and Detection, Network Mail Security, Managed firewall services, Vulnerability Management and Scanning Services Security Governance: Vulnerability Assessments, Security architecture and policy development Incident Response: Incident Management and Emergency Response services Reduces cost of ongoing management of security operations Improves operational availability and assures performance against SLA, backed by industry s only guaranteed SLA for managed protection services Increases productivity by decreasing risk of virus, worm and malcode infestation Decreases volume of incoming spam Drill down on specific violations to quickly address resolution 26

27 Protection products for the entire enterprise IBM Proventia Management SiteProtector system Unified security console manages all protection products Vulnerability Protection Network Protection Host Protection Data Leakage Prevention IBM Proventia Network Enterprise Scanner IBM Internet Scanner software IBM System Scanner vulnerability assessment application IBM Proventia Network Intrusion Detection System (IDS) IBM Proventia Server IBM Proventia Network IPS Intrusion Prevention System (IPS) IBM Proventia Server IBM Proventia Network Sensor Multi-Function Security (MFS) IBM Proventia Network Mail Security System IBM Extrusion Prevention - Fidelis XPS 27

28 Protection products for the entire enterprise IBM Proventia Management SiteProtector system Unified security console manages all protection products Reduce exposure to threats Block Network Threats Prevent Host Compromise Prevents Data Leakage Vulnerability Protection Network Protection Host Protection Data Leakage Prevention Identify and prioritize risk IBM Provide Proventia remediation Network Enterprise and measure Scanner results IBM Internet Scanner Meet compliance software IBM mandates System Scanner vulnerability assessment application Shield vulnerabilities Prevent host compromise ahead of patching Protect endpoint devices IBM Up Proventia to 10G throughput Network and IBM valuable Proventia data Server stored IPS Intrusion Detection System (IDS) on hosts Backed by leading IBM Proventia Desktop IBM Proventia Network Endpoint Security Intrusion security Prevention researchsystem (IPS) Prevent and identify the IBM Proventia Wireless IBM Proventia Network source Endpoint of insider Security attacks Prevent spam, spyware, Multi-Function Security (MFS) unwanted Web content Prove the security of IBM Proventia Network Mail and Security targeted System attacks sensitive information for IBM Proventia Web Filter technology compliance IBM Proventia Network Access Control Fidelis XPS prevents leakage of sensitive content IBM Extrusion Prevention - Inbound Fidelis XPS and outbound security for enterprise networks Identify and stop policy violations 28

29 IBM experience demonstrates how we help customers cut costs while addressing unique business challenges Industry: Financial Services Industry: Manufacturing Business challenge: Increase security spending preventing critical business investments Business challenge: Excessive mgmt. costs (Resources, and infrastructure), poor security performance Industry: Media and Entertainment Business challenge: Need to cost effectively secure remote locations while maximizing bandwidth Solution: Information Security Assessment Completed effort in 8 weeks Solution: Managed Security Services Reduced on-going mgmt. costs of security infrastructure by 45% Solution: IBM Proventia Multifunction appliances Benefit: Detailed roadmap for streamlining security process and infrastructure saved approx. US$1.5 million in investment costs Benefit: Lowered long-term support and management costs Benefit: Reduced companywide ISP costs by $260K per year 29

30 We also help organizations leverage existing infrastructure to help get more value from their IT investments Industry: Travel and transportation Business challenge: Application performance issues resulting from insufficient security Solution: Application Security Assessment Completed effort in 6 weeks Benefit: US$1.7 million first year savings Industry: Electronics Industry: Healthcare Business challenge: Excessive security management costs, information overload, and remote site security management Business challenge: Managing compliance regulations and evolving threats was placing a burden on the IT staff Solution: Managed Security Services 3 year contract Solution: Managed Security Services 24x7 protection by an army of highly trained engineers Benefit: Leveraged existing security technology investments Allowed for re-deployment of IT resources Total cost savings of 30+% over 3 years Benefit: Confidence of network security protection Reduction of in-house security costs by 55 percent 30

31 Where do You begin? Client Security Readiness Workshop Understand your security readiness, using a capability maturity model, across the IT security domains Balance your security focus and investment Develop a ranked security roadmap 31

32 IBM s security philosophy: Thoughtful balance to increase business value A secure environment is essential for organizations to deliver products and services to customers, and to take advantage of growth opportunities. Security management is integral to business strategy. It s the result of a thoughtful balance between opportunity, exposure and most importantly, Prioritization. 32

33 Why partner with IBM? Zurich, CH Toronto, CA Detroit, US Brussels, BE Almaden, US Boulder, US Atlanta, US TJ Watson, US Haifa,IL Tokyo, JP Tokyo, JP Sao Paulo, Brazil New Delhi, IN Brisbane, AU 8 Security Operations Centers 6 Security Research Centers Monitored Countries 17,000+ managed devices 2,600+ MSS Customers world wide Billion Events per day IBM ISS has the unmatched global and local expertise to deliver complete solutions and manage the cost and complexity of security 33

34 34

35 Avinash Pandey CISA CISSP ITIL-F PMP Security and Privacy Services, ASEAN