Security Investments - The Past 5 Years: Education & Corporate Spending
Post on 21-Dec-2015
TRANSCRIPT
Our History
• EST. 2001
• $25 Million in Pure Security
• 300 Customers
• 10 States
• 70 School Districts
• 30% of our business is K-12 / Higher Ed
K-20 Sampling
• Edutech of ND
• Omaha Public
• Denver Public Schools
• Lincoln Public
• Colorado University
• Bozeman Schools
• Moore Public Schools
• Union Public Schools
• Academy 20 Public Schools
SPAM
• SMTP - Oldest and Easiest Vector
• Still Valid
• Image Spam is the Latest
• Scams Galore
• Volume based
• Constant Change
The Security Layers
• Email Gateway - AV/SPAM/Policy Control
• Desktop AV
• URL Filter
• IPS/IDS/HIPS
• Proactive Monitoring
• Data Encryption - Moving & Stored
• Security Testing - VA/PEN/Applications
Email Buying Trends
• K-12 more compliance aware
• Small Encryption Rollouts are happening
• Both Inbound and Outbound Inspection
• Email Archiving in the works for 2008
• VMware Images available today (Proofpoint)
• 1st Step - Data Loss Light
Email Case Study
• Large 10,000 Computer School
• Adding 15K Student Mailboxes
• Moving from Cheap Inbound protection
• To Commercial Inbound/Outbound email security gateways on VMware
• Will archive all Email
• Will inspect messages for compliance - HIPAA, Credit Card and Student Information
• 500 Seats of Email Encryption for Staff
Email Investment
• Currently Cheap for Simple - $3K
• Move to Inbound / Outbound - About $15K for 10,000 Seats or $1.50 a yr Per Mailbox with Policy Compliance
• Encryption for Administration - $20 a Year
• Email Archiving - $8K for 2 terabytes
HTTP Summary
• URL Blocking is a must in K-12
• Protect against the basic threats - Bandwidth, Wasting Time, and Malware
• Bonded districts have rolled out IM, Web Mail, FTP, P to P, Chat Room monitoring
• Higher Ed is pressured to limit music sharing
People/Process
• Do you have a Policy in place? Other than for a Felony?
• Proactive monitoring - When will it be a requirement?
• Specific case building - Do you want to do it?
• Once you have visibility you probably will have to take action
• Can Technology Visibility mold Policy?
Case Study - Proactive Monitoring
• Large 20,000 Seat Bonded District
• Review all TCP/IP
• Focus on Gangs, Weapons, Drugs, Plagiarism
• Use for bad apples - moving out, or in court cases with parents, teachers, temp staff
• Also review all Credit Card and HIPAA Violations
• After 4 years - Key piece of Security - Has Molded Policy
Proactive Monitoring
• Full Monitoring - $35K a Year for 5000 Seats or $7 a seat
• Easier to use today
• Lot of bang for the buck
• Good Investigation tool
• Good Case building tool
• Will keep auditors happy for Credit Cards and HIPAA as well
• Keep Stockholders happy as well
IPS Review
• Why use it?
• How it fits?
• How is it different from IDS?
• K-20 Adoption Rates
• Different than Desktop
IPS /Pro /Con
• Hardware Switches at the Core
• The best in Network Security protection today
• Fast and Efficient - easy to use
• Pricing has come down
• Master Console Concept for lots of boxes
• Proven in F1000
• 10GB Units shipping in 2008
IPS Pricing
• $50K for 1GB Traffic
• Gotcha is - you have to have many in a big Network
• Also need a collector console if you have multiple
• Small Boxes are as low as $8K to get started in small LAN
IPS Case Study
• Large Colorado Health Care
• IPS at the Core - 2GB + in Speeds
• Monitored for 30 days
• 20% of Network was “dirty”
• Had old-school IDS (Snort)
• Implemented in 2 weeks, in 4 Core Routes, Network is performing better!
Data at Rest
• Encrypt your Hard Drives
• K-20 is doing it
• It's Cheap
• Over 20 Vendors
• USB protection - built into most as an add-on
Security Testing
• Coming along in K-20
• You will need patience
• If you can - do it once a month with VA software internally on critical systems
• Hire a professional testing practice for Pen Testing, it's worth it
• Pen Test your Student Info Systems that are web enabled
Security Testing Trends
• Pricing is at $700 an IP for Outside VA and Penetration
• Internal Testing includes VA Sweep, Data Leakage Review, Data at Rest and in Motion Review
• Social Engineering Drops of USB Keys
• Gap Analysis, Compliance Alignment
Acquiring Security Testing Skills
• Focus on a Commercial Tool Budget
• Focus on Critical Networks, Applications and Data
• Start with Internal Network Vulnerability
• Develop baselines for the Schools
• Set goals that make sense
• Be patient - on the Security People and Process
Security Investment Costs
K-20 IT Security Investment - Budget Per Year

Core Layers
  Email Policy Protection Gateways - AV/SPAM, Inbound/Outbound   $3 per Seat
  HTTP - URL Filtering, w/ Laptop                                $4 a Seat
  Proactive Network Monitoring - All Protocols                   $7 a Seat
  Intrusion Prevention                                           $5 a Seat
  Desktop AV                                                     $3 a Seat
  Totals for all Core Layers                                     $22.00 a Seat

Moving and Stored Data
  Hard Drive Encryption                                          $50 a Seat
  SMTP Encryption                                                $20 a Seat

Security Testing
  Outside Security Testing a Critical IP with Penetration        $700
  Vulnerability Testing Software                                 $6,000 minimum
  FTE                                                            TBD
Near Perfect World

Security Type               Price per Seat   # of Seats   Totals
Core Layers                 $22.00           5000         $110,000
Data at Rest                $50              500          $2,500
Data in Motion              $20              500          $1,000
Security Testing Services   $700 per IP      200          $14,000
Security Testing Software   $10 per IP       1000         $10,000
Totals                      $19.10           7200         $137,500
Moving Forward
• Be aware
• Be Diligent
• Fight for your Security Budgets
• Stay Paranoid
• Listen to your Security teams
• Listen to the students