The Changing IT Threat Landscape: Three Steps to a Proactive Security Strategy
Today’s Speakers
Khalid Kark
Vice President, Research Director
Forrester Research
Dwayne Melancon, CISA
Products
Tripwire, Inc.
© 2010 Forrester Research, Inc. Reproduction Prohibited
Changing Threat Landscape
Emerging trends, threats and responses
Khalid Kark, Vice President, Principal Analyst
Agenda
1. Threat: Changing Business Dynamics
2. Threat: Changing Threat Landscape
3. Threat: Empowered Employees
4. Best Practice: Focus Your People Controls To Maximize Impact
5. Best Practice: Manage Process Controls To Minimize Risk
6. Best Practice: Invest In Technology Controls To Gain Efficiencies
Security continues to play catch-up
Economics
Regulations
New business models
Consumerization
Business partners
Third-party service providers
The threat landscape keeps evolving . . .
Motivation: Fame to Financial gain
Method: Audacious to “Low and slow”
Focus: Indiscriminate to Targeted
Tools: Manual to Automated
Result: Disruptive to Disastrous
Type: Unique malware to Variant tool kits
Target: Infrastructure to Applications
Agent: Insider to Third parties
Method – Low and Slow
Target an individual or a corporation
Take your time to get the information
Can take weeks or months
May need to stop the “attack” for extended periods
“Trickle” of information over time
Goal – not get detected
Many breaches today are discovered when something goes horribly wrong
Many don’t even know it exists
Tools: Automated
Web crawlers
Automated IM conversations
Escalation levels
Publicly available information
Archives
Better analytics and predictions
Self-learning systems - Artificial intelligence
Type: toolkits and variants
90K variants of Zeus malware
Mutation is a standard part of writing malware today
Adaptability to defenses is key
Advanced encryption algorithms
Tool kits and “do it yourself” kits
Botnets for hire – really cheap
Cost and variation are making existing malware defenses obsolete
Increased concern around empowered technologies
Base: 1,025 North American and European IT Security decision-makers
Source: Forrsights Security Survey, Q3 2010
Smartphones: 54%
Cloud computing: 42%
Web 2.0 (wikis, blogs, etc.): 40%
Exponential growth in social media adoption
[Chart: Daily visit social networking sites (e.g. Facebook, LinkedIn); x-axis 2008 to 2010, y-axis 0% to 40%]
Mobile subscribers and connection speeds ascend
[Chart: Global mobile broadband subscribers (in millions); x-axis 2008 to 2010*, y-axis 0 to 400]
Source: GSM Association
Rapid growth in cloud services
[Chart: Global IT market (US$ billions) for IaaS and for SaaS and PaaS; x-axis 2009 to 2013*, y-axis $0 to $40]
* Forrester forecast
Too many things on the plate – distracted decisions
Fraud management
Physical security
Business continuity/disaster recovery
Third-party security
Privacy and regulations
Application security
Policy and risk management
Identity and access management
Data security
Technical infrastructure security
Threat and vulnerability mgmt.
[Chart legend: Full, Most, Half]
Reactive investment for security
Security staffing; 23%
Security outsourcing and MSSP; 12%
Security consultants and integrators; 8%
New security technology; 18%
Upgrades to existing security technology; 17%
Maintenance/licensing of existing security technology; 22%
Relying on vendors to answer strategic questions
May 2010 “Security Organization 2.0: Building A Robust Security Organization”
Not having a broad scope
Understanding Process Maturity
Current state versus target
[Radar chart: scale 0 to 5; series: Ideal, Current, Target]
Identity and access management
Threat and vulnerability management
Investigations and records management
Incident management
Sourcing and vendor management
Information asset management
Application systems development
Business continuity and disaster recovery
Source: Output from Forrester’s Information Security Maturity Model
Technology
MSSPs can play a huge role helping you here.
You're not just building on reactive controls but preventive ones as well.
– IDS to IPS
– SIEM and Log management
– DLP
– GRC
You're not investing in the best technologies but have a holistic and layered defense.
– Best of breed to easier integration and management.
– Strategic security partners
– Point solutions to layers of security
Reactionary spending versus planned allocations
Source: Forrsights Security Survey, Q3 2010
Network security: 25%
Data security: 15%
Security ops: 14%
Client & threat mgmt.: 10%
Risk & compliance: 10%
Application: 10%
Content: 7%
IAM: 7%
Thank you
Khalid Kark
+1 469.221.5307
www.forrester.com
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980