security a multi-layered approach

Post on 03-May-2022

12 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: SECURITY A MULTI-LAYERED APPROACH

FAST | RESPONSE

CUSTOM | SOLUTIONS

FUTURE | CURVE

SECURITY: A MULTI-LAYERED APPROACH

Page 2: SECURITY A MULTI-LAYERED APPROACH

Today’s Dilemma

Business Need

• Increase Agility

• Reduce Cost

• Innovate

IT Need

• Reduce Cost

• Achieve Compliance

• Improve Security

Page 3: SECURITY A MULTI-LAYERED APPROACH

Malware and Attack Trending

New attacks on Adobe vulnerabilities outnumber those on Microsoft products 100:1 (Q4 2010, McAfee Labs)

Email is the main carrier of malware and phishing scams [1]

Spam volume down ~50%, but mobile threats up 46% (Q4 2010, McAfee Labs)

An average of 4 million new zombies created per month [1]

Page 4: SECURITY A MULTI-LAYERED APPROACH

Malware Growth Continues

[Chart: monthly malware count, Jan 2009 through Dec 2010; y-axis 0 to 60,000,000]

McAfee Labs identifies approximately 55,000 pieces of new malware each day

Page 5: SECURITY A MULTI-LAYERED APPROACH

Threats

Top Global Threats

• Malicious Iframes
• Malicious Windows Shortcut Files
• Parasitic File Infector
• USB-Based AutoRun Parasitic Malware
• Web-Based File Infectors

North America

• Malicious Iframes
• Malicious Windows Shortcut Files
• Parasitic File Infector
• Web-Based File Infectors
• USB-Based AutoRun Parasitic Malware

Page 6: SECURITY A MULTI-LAYERED APPROACH

Data Breaches Do Not Discriminate

“DuPont scientist stole 22,000 sensitive documents worth $400M as he got ready to take a job with a competitor…”

“Medical provider had to notify over 130,000 people of a data breach due to the loss of digital media with unencrypted patient data.”

“Average organizational cost of a data breach was $7.2 million, up 7 percent”

“Groupon deal of the day: 300,000 customer accounts… FREE!”

“Texas comptroller’s data breach exposes 3.5 million Social Security numbers, birth dates.”

Page 7: SECURITY A MULTI-LAYERED APPROACH

Data Breaches - Healthcare

“Information of 20,000 people at healthcare provider in greater Seattle accessible online for nine weeks.”

“Medical provider had to notify over 130,000 people of a data breach due to the loss of digital media with unencrypted patient data.”

“Data breaches cost US Healthcare an average of $6.5 billion – enough to hire more than 81,000 RNs.”

“Delaware pediatric health facility loses data on 1.6 million”

“Patient data for 20,000 at Stanford Hospital posted to website by billing contractor.”

Page 8: SECURITY A MULTI-LAYERED APPROACH

Data Breaches - Education

“PII of 75,000 UWM students and employees at risk after server was infected with malware.”

“Names and Social Security numbers of 43,000 people associated with Yale were publicly searchable by Google for 10 months”

“Personal information of 7,093 former Purdue University students was accessed by hacker.”

“VCU server hacked to compromise personal data of 175,000”

“Personal information of 18,931 employees at University of Georgia accessible online for several years”

Page 9: SECURITY A MULTI-LAYERED APPROACH

What is another large burden that is being placed on organizations today?

Page 10: SECURITY A MULTI-LAYERED APPROACH

Increasing Global Compliance Burden

Data loss requires public disclosure, forcing businesses to deploy stronger security to protect data.

Compliance requirements are forcing IT to consolidate, automate and integrate.

Regulations and mandates on the slide's timeline:

• Datenschutz (Germany)
• GISRA (USA)
• Data Protection Act (UK)
• Government Network Security Act (USA)
• California SB 1386 (USA)
• US Senate Bill 1350 Proposed (USA)
• HIPAA (USA)
• Gramm-Leach-Bliley (USA)
• Japan Personal Information Protection Act (PIPA)
• US Government OMG Initiative (USA)
• Directive on Protection of Personal Data (EU)
• Sarbanes-Oxley (USA)
• Payment Card Industry Data Security Standard
• The Personal Information Protection and Electronic Documents Act (Canada)
• Federal Desktop Core Configuration (US Civilian)
• Government’s Code of Connection (CoCo) (UK)

[Timeline markers: 1996, 2004, 2009]

Page 11: SECURITY A MULTI-LAYERED APPROACH

Who in the organization is responsible for security?

Page 12: SECURITY A MULTI-LAYERED APPROACH

Security Responsibility

Security is Everyone's Responsibility

See Something, Say Something!

Page 13: SECURITY A MULTI-LAYERED APPROACH

Protection Against all Threats

Host IPS: vulnerabilities in the last 2 years equal the vulnerabilities in the 17 years before them [3]

AV/Anti-Malware: 34% growth YoY in 2009

AntiSpyware: 66% [1] CAGR in PUPs for the last 5 years

AntiSpam: 45% [2] annual growth of spam per email message in the last 6 years

Data Protection: over 85% of data breaches are due to insider negligence, not external attacks

Content Filter: 233% [4] growth in the number of malicious sites in 2H09

[Diagram labels: Sensitive Data, SPAM, Malware/Rootkits, Vulnerabilities, Spyware, Unsafe/Inappropriate Websites, Internet]

Sources: 1 Avert Labs; 2 Message Labs; 3 National Vulnerability Database, http://nvd.nist.gov/statistics.cf; 4 http://www.i-policy.org/privacysecurity/

Page 14: SECURITY A MULTI-LAYERED APPROACH

What do we need to protect?

Page 15: SECURITY A MULTI-LAYERED APPROACH

DATA and the END POINT

Page 16: SECURITY A MULTI-LAYERED APPROACH

What to Protect

DATA: Data protection is the practice of protecting regulated and proprietary data from being accessed or shared by unauthorized individuals, with the use of technology (e.g. data loss prevention, data encryption and device control technologies) and operational procedures.

Page 17: SECURITY A MULTI-LAYERED APPROACH

Is your data in the wild?

• 77% unable to audit or quantify loss after a data breach
• 73% of data breaches come from internal sources
• 80% of CISOs see employees as the greatest data threat

Sources: Survey, Dark Reading/InformationWeek (2009); Survey, MIS Training Institute at CISO Summit (2009); McAfee Datagate Report, produced by DataMonitor (survey of 1400 IT professionals across UK, US, DR, DE, and Australia)

Page 18: SECURITY A MULTI-LAYERED APPROACH

How does Data Leak?

Page 19: SECURITY A MULTI-LAYERED APPROACH

How Data Leaks

Data Sources: In Use, At Rest, In Motion

User Actions: copy to device; cut, copy, paste; print; move files; access shares; outbound email; IM, blogs; web posting

Page 20: SECURITY A MULTI-LAYERED APPROACH

The Data Protection Challenge

• Data is readily available over many access points
• Data moves through the organization quickly
• Data access is typically not constrained to need only
• Complying with regulations (e.g. PCI, HIPAA, SOX)
• There are high costs associated with audits
• Corporate reputation/brand can be destroyed
• Large penalties for breaches
• Sensitive data & intellectual property can leave the organization before anyone realizes it is gone
• Chain of custody may be broken

Page 21: SECURITY A MULTI-LAYERED APPROACH

Struggling with Data Protection

According to CSO Online Research:

• “DLP can be very good, but be prepared for hidden costs and lots of management effort, including internal staffing demands”.

• “Nearly half of those with a (DLP) solution in place are planning to replace that solution within the next 12 months”.

• “you need to plan accordingly going into the (DLP) project so that it doesn’t become a budget buster in terms of both hard dollars and internal resources.”

Page 22: SECURITY A MULTI-LAYERED APPROACH

Sample Data Protection Technology

McAfee DLP Manager appliance, fed from a switch or tap, as premise-based network DLP:

• Business units covered: Sales, International, Manufacturing, Finance
• Integration points: Email MTA, SSL and Web Proxy (ICAP and SMTP); Databases or Repositories; AD/LDAP; SIM
• Coverage: Data-at-Rest, Data-in-Motion, Data-in-Use
• End point host DLP for hotspots and mobile devices
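Content inspection is what the network DLP layer on this slide performs at its ICAP and SMTP integration points. The following Python is an added example, not McAfee's code or any product's: it scans constructed outbound messages for two regulated-data patterns (US Social Security numbers and payment card numbers) and applies a Luhn check so that card-like digit runs such as tracking numbers are not flagged.

```python
"""Minimal data-in-motion content inspector, in the spirit of the premise-based
network DLP layer on the slide above. Added example; not McAfee or product code.
Flags US SSNs and Luhn-valid card numbers; sample messages are constructed."""
import re
from typing import Dict, List

# SSN: rejects area 000/666/9xx, group 00 and serial 0000 (never issued).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-like run: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for a syntactically valid payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Card-like digit runs that pass Luhn, returned without separators."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_message(text: str) -> Dict[str, object]:
    """Per-message verdict: pattern counts and whether the DLP would block."""
    ssns = SSN_RE.findall(text)
    cards = find_card_numbers(text)
    return {"ssn": len(ssns), "card": len(cards), "block": bool(ssns or cards)}


# Constructed sample of outbound messages (email bodies, web posts).
SAMPLE_MESSAGES = [
    "Patient intake form attached. SSN 123-45-6789, DOB 1970-01-01.",
    "Card on file: 4111 1111 1111 1111, expires 12/27.",
    "Order #4111111111111112 shipped; tracking 9400 1000 0000 0000 0000 00.",
    "Meeting moved to 3pm; bring the Q3 slides.",
]


def scan_all(messages: List[str] = SAMPLE_MESSAGES) -> List[Dict[str, object]]:
    return [inspect_message(m) for m in messages]
```

The third sample shows why the Luhn step matters: both the order number and the tracking number look like card numbers to the regex alone, and neither passes the checksum.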

Page 23: SECURITY A MULTI-LAYERED APPROACH

What are some of the benefits of Data protection?

Page 24: SECURITY A MULTI-LAYERED APPROACH

Benefits of Data Protection

• Ensures compliance (e.g. PCI, HIPAA, SOX)
• Prevents brand damage
• Protects intellectual property
• Protects R&D data
• Protects sensitive data
• Prevents the loss of customers to departing employees
• Maintains competitive advantage
• Ensures appropriate chain of custody
• Supports safe, flexible use of business data

Page 25: SECURITY A MULTI-LAYERED APPROACH

What to Protect

END POINT: End Point protection is the practice of proactively stopping and removing a broad range of threats against endpoints using technology (e.g. anti-malware, firewall, intrusion prevention technologies) and operational procedures.

Page 26: SECURITY A MULTI-LAYERED APPROACH

What is the latest end point causing issues for the IT and Security teams?

Page 27: SECURITY A MULTI-LAYERED APPROACH

Mobile Security and Management

Enterprise Environment: Platform/Database Management, Files, Directory, Applications, Certificate Services, Messaging

Mobile platforms needing Security & Support: Windows Mobile, Symbian, Android, webOS, iPhone, iPad

Page 28: SECURITY A MULTI-LAYERED APPROACH

Mobile Security

• Protect business data no matter where it sits or is accessed from
• Track location of mobile devices based on location history or in real time
• Force alarm sound on device to help track lost device
• Lock, wipe and reset lost or stolen devices

Page 29: SECURITY A MULTI-LAYERED APPROACH

Mobile Management

• Extend IT systems management policies to mobile devices, including the iPhone, iPad, Android phone and tablets
• Reduce help desk requests such as mobile email configuration through remote and automatic management capabilities
• Manage all devices from desktops to mobile devices from a single platform for consistency and transparency throughout the organization
• Automate email configuration and settings to one or many devices
• Provide end-user support

Page 30: SECURITY A MULTI-LAYERED APPROACH

What are some of the benefits of End Point protection?

Page 31: SECURITY A MULTI-LAYERED APPROACH

Benefits of End Point Protection

Increased IT asset uptime

Increased end user productivity

Increased end user satisfaction

Increased security

Better deployment of strategic IT resources

Page 32: SECURITY A MULTI-LAYERED APPROACH

Why is security lacking in most organizations?

Page 33: SECURITY A MULTI-LAYERED APPROACH

Why is security lacking?

• There is an “It will not happen to me” mentality
• Leaders do not know where to start
• Leaders think that network managers/administrators can ensure security
• There is a lack of dedicated security resources
• There is a lack of understanding as to what security encompasses
• There is a lack of budget

Page 34: SECURITY A MULTI-LAYERED APPROACH

Security Lifecycle

Page 35: SECURITY A MULTI-LAYERED APPROACH

FISMA Compliance Model

Control levels: Management-level Security Controls; Operational-level Security Controls; Technical-level Security Controls

30,000 FT: FISMA Legislation – high level, generalized information security requirements

15,000 FT: Federal Information Processing Standards – FIPS 199 (Information System Security Categorization), FIPS 200 (Minimum Information Security Requirements)

5,000 FT: Information System Security Configuration Settings

Hands On: NIST, NSA, DISA, Vendors, Third Parties (e.g., CIS) Checklists and Implementation Guidance

Page 36: SECURITY A MULTI-LAYERED APPROACH

Security Operations – High Level Controls

Administrative

• Policies and procedures to define and guide actions (e.g. NAC – devices that do not meet company security requirements cannot access the network)

Technical

• Controls used to protect sensitive information (e.g. AV, Firewalls, IDS)

Physical

• Used to control physical access to sensitive information or systems (e.g. motion detectors)

Page 37: SECURITY A MULTI-LAYERED APPROACH

Security Operations – Deeper Controls

Management

• Certification, Accreditation, Assessments

• Planning

• Risk Assessments

• System and Services Acquisition

Page 38: SECURITY A MULTI-LAYERED APPROACH

Security Operations - Controls

Operational

• Awareness and Training

• Configuration Management

• Contingency Planning

• Incident Response

• Maintenance

• Media Protection

• Personnel Security

• Physical and Environmental Security

• System and Information Integrity

Page 39: SECURITY A MULTI-LAYERED APPROACH

Security Operations - Controls

Technical

• Access Control

• Audit and Accountability

• Identification and Authentication

• Systems and Communications Protections

Page 40: SECURITY A MULTI-LAYERED APPROACH

Why Security Operations?

Page 41: SECURITY A MULTI-LAYERED APPROACH

The bottom line is…

RISK MANAGEMENT

THROUGH MITIGATION

AND AVOIDANCE

Page 42: SECURITY A MULTI-LAYERED APPROACH

Implementing The CSOC

Define the scope

• Data, End Point, Network

Determine the responsibilities

• Who mitigates the threats

Impart Authority

• Must come from the CXO

Develop the Business Case

• Risk must be taken into account

Define procedures

• The CSOC is useless if they don’t know what to do

Page 43: SECURITY A MULTI-LAYERED APPROACH

Implementing The CSOC

Staff the CSOC

• The teams must understand security

Organization

• Core Services, Internal Customers, External Customers

Integration and Cooperation

• CSOC must be integrated into the organization and have a response team ready

Technology

• These are only tools.

• Technology is not a substitute for process and discipline

Page 44: SECURITY A MULTI-LAYERED APPROACH

Security Operations Challenges

• Manual platform-level configuration management across the enterprise is unwieldy at best
• A large amount of time is being spent by internal security operations personnel demonstrating compliance to a wide variety of laws and mandates using a configuration that’s fairly unchanging
• Increasing number of laws and mandates
• Increasing number of vulnerabilities per annum
• Securing funding to properly implement a CSOC
• Business specific processes

Page 45: SECURITY A MULTI-LAYERED APPROACH

Security Operations - Options

Obviously building, staffing and operating a CSOC is a far more complex process than getting some people to watch the output of IDS sensors.

There are options…

• Do it all yourself
• Do some of it yourself and outsource some
• Outsource your security operations completely

Page 46: SECURITY A MULTI-LAYERED APPROACH

DO NOT SKIMP ON SECURITY!

Calling the fire department after your house is on fire is too late!

Page 47: SECURITY A MULTI-LAYERED APPROACH

AN INTRODUCTION ON HOW TO PROTECT YOUR BUSINESS INFORMATION

JAMES MCFADDEN

WILLIAM DEAN

UNIVERSITY OF TAMPA

What is your data worth?

Page 48: SECURITY A MULTI-LAYERED APPROACH

Information Security

The preservation of confidentiality, integrity, and availability of information (ISO 17799, 2005)

“A multidisciplinary approach to information security that involves co-operation and collaboration of managers, users, administrators, application designers, auditors, and security staff, and specialist skills such as insurance and risk management” (ISO 17799, 2000, page 2).

Two useful models for understanding information security threats and solutions:

• CIA Triad
• Defense-in-Depth

Page 49: SECURITY A MULTI-LAYERED APPROACH

C-I-A Triad

Well known security model of how threats affect confidentiality, integrity, and availability.

Confidentiality - keeping information from being disclosed when it should not be in the open.

Integrity - preventing unauthorized tampering with or modification of data and/or the information system.

Availability - preventing disruption of service to a system.

All information system security threats attack at least one of these three areas.

[Triad diagram: Data + Info Systems; Integrity]

Page 50: SECURITY A MULTI-LAYERED APPROACH

Defense in Depth

Architectural strategy of layering security systems: successive and redundant security measures.

Diversity in Depth

Examples:

• Firewalls
• Intrusion Detection systems
• Anti-Virus Software
• Data Encryption

Page 51: SECURITY A MULTI-LAYERED APPROACH

Defense in Depth

Page 52: SECURITY A MULTI-LAYERED APPROACH

Physically Protect Your Data

Multiple layers of security before you can even access a computer:

• Who you are (Biometrics)
• What you know (Password)
• What you have (Access Card)

Monitored walls and gates

Underground facilities

Weather resistant

Data and power backups

Page 53: SECURITY A MULTI-LAYERED APPROACH

Defense in Depth