Business Strategy Theatre
Security posture in the age of mobile, social and new threats. Steve Pao, GM Security Business, 01 May 2014
In the midst of chaos, there is also opportunity. - Sun-Tzu
Security: The Present is Not Sustainable. OPPOSING FORCES ARE WELL KNOWN. New threats: New user attacks; New infrastructure attacks. The Target: Limited Staff; Limited Budget; Limited Expertise.
Unique Point of Industry Transition. Current death spiral: Hacks! New Security Paradigm and Economics. New Security Platforms: Virtual, Cloud, Public Cloud, Network Virtualization Appliances. Opportunity for disruption, both for new and existing security providers.
Circa 2003: WE NEED INTRUSION DETECTION WITH DEEP PACKET INSPECTION. Of course, IPS and DPI are built into firewalls today.
Circa 2006: WE NEED POLICY-BASED EMAIL ENCRYPTION. Of course, Email Encryption is built into gateways today.
Circa 2010: WE NEED CONTEXT-SENSITIVE DATA LEAKAGE PREVENTION. Of course, DLP is bundled with content security today.
Today: WE NEED SANDBOX PROTECTION AGAINST APTs. Of course, sandboxing will be built into malware protection.
APTs can exploit all vulnerabilities in the current threat environment, not just through malware.
Mobility
Mobility. Copies of email and other content everywhere. Public Wi-Fi: Man-in-the-Middle, ARP spoofing. Small screens: Hard to see phishing attacks.
Social Media. Hackers go where the eyeballs are. Barracuda Labs research agenda is here. The hacker can look like your VP of Sales.
Botnets & Crimeware
Botnets & Crimeware. Targets do not need to have high visibility. Infrastructure can be attacked on every vector programmatically. Botnets are sold as SaaS ("Crimeware"): attackers do not need to be hackers; they just need financial motivation to pay hackers.
New Vulnerabilities
New Vulnerabilities. There are dedicated employees whose job is to constantly change the Web applications. Software defects (normal) introduce new vulnerabilities. Discovering and fixing defects takes time, and this opens the window of attack.
Overlay on Customer Constraints. Gartner budget dollars: 5% of revenue on IT; 5% of IT budget on security. People versus equipment: 45% hardware / software; the rest is personnel, outsourcing and consulting. Budget: $50 Million; IT: $2.5 Million; Security: $125k; HW/SW: $60k.
Limited Budget: Why Best in Class is hard. Budget $$$
Failing to Protect a Vector Creates Risk
The Goldilocks Problem
Too Complex: Bag of Parts. Build Your Own Solution. Email security: Ironport; Web security: Blue Coat; WAF: Imperva; Firewall: CheckPoint; SSL VPN: Juniper.
Too Constrained: All In One. It's a Floor Wax and a Dessert Topping. One product for multiple uses even when: Features are compromised; Latency profiles are different.
Just Right: Unified Best in Class. Enterprise (Bag of Parts): Separate, Expensive, Hard to Use. Midmarket (Unified Best In Class): Powerful, Scalable, Affordable, Easy to Use. SMB (All In One): Compromises, Lacks Features, Constrained.
Approach: Build to Last. Design the architecture to protect the threat vectors. Adjust deployment models as attack surfaces change. Mitigate individual threats through features. Make adopting new technology easy and affordable.
Protect All Threat Vectors. Security Resources to Protect: The Network Itself; Email server; Web server; Internet; File Server; Network users; Mobile.
Deploying Unified, Best In Class. Cloud-based Central Management; Next Generation Firewall; Web Security; Email Security; Application Security; SSL VPN. Servers; Mobile Device; Computer. Deployment Options: Appliance, Cloud, Virtual.
Start with Next Generation Firewall. Next generation firewall requirements: High Performance Architecture; Granular Application Control; User based security policy; Bandwidth management; Link Aggregation and Failover; Intelligent Traffic Optimization; IDS/IPS; Cloud-based Anti-malware and URL Filtering; Integrated site-to-site, client-based and SSL VPN; DoS/DDoS protection; Built-in wifi (specific models); Central Management.
Complete Application Visibility
Dynamic Link Management. ISP 1: 60% of HTTP; ISP 2: 20% of HTTP; ISP 3: 20% of HTTP.
Secure Connectivity. IPsec Site-to-Site VPN; SSL VPN; Client-to-Site VPN: IPsec, PPTP, SSL; Internal Corporate Resources. SSL VPN*: BFW X200 and higher.
Cloud Scaled Security. URL filter, Malware scanning, Reporting. Predictable computing on-premises. Elastic computing in the cloud. Massive scalability. Avoid frequent refresh or upgrades.
Beyond Firewall: Email Security; Web Security; Data Center Security; Secure Remote Access.
Unifying Best In Class. Virtual Appliance: Web Filter, Spam Firewall, Web App Firewall, Load Balancer ADC. Consolidated: Web Filter, Spam Firewall, Web App Firewall, Load Balancer ADC. Public Cloud: Web App Firewall, NG Firewall. Hosted Cloud: Web Security Service, Email Security Service. Centralized Management: Cloud Control.
Demand Consistent Interfaces
Demand Central Management
Extend to Mobile: Mobile Device Management; Secure Remote Access.
Choose Your Providers Carefully. Mid-market: 100-5000 Users. All-in-one: Cheap, One box, Feature Gaps, Low performance. Best-in-Class: Next Generation, Easy to use, Scalable, Unified, Affordable. Bag-of-parts: Multiple vendors, Complex, Expensive, Resource intensive.
Use Cases. Profile: Mid-sized networks, 1-5 locations. Requirements: Application Control; Social Media Regulation; SSL inspection; Site-to-site VPN; Reporting. Decision criteria: Support; Total cost of ownership; Single vendor.
Summary. Current threat escalation continues. Protecting against threats in isolation doesn't work. Protect all network threat vectors. Individual threats are simply features. Consider management and costs. Choose providers that match your business.