
Information Security Conference (Moto Tikshoret) V2

Description: Talk from the information security conference of the Status monthly, 18.11.2010

Page 1

Shahar Maor’s work. Copyright 2010 @STKI. Do not remove source or attribution from any graphic or portion of graphic.

Shahar Geiger Maor, CISSP Senior Analyst at STKI

[email protected] www.shaharmaor.blogspot.com

Information Security Trends in Israel

18.11.2010

Page 2

Presentation’s Agenda

General Trends

Cloud Security

Data-Centric Security

Mobile Security

Regulations: PCI

Page 3

Presentation’s Agenda

Page 4

Information Security: Israeli Market Size (M$)

Segment             2009    change    2010    change    2011    change    2012
Security Software   85.0    23.53%    105.0   4.76%     110.0   9.09%     120.0
GRC & BCP           50.0    50.00%    75.0    9.33%     82.0    9.76%     90.0
Security VAS        85.0    11.76%    95.0    8.42%     103.0   6.80%     110.0
Totals              220.0   25.00%    275.0   7.27%     295.0   8.47%     320.0

Page 5

Information Security Spendings

1. Usually very “dynamic”
2. Crisis/regulation driven instead of policy driven
3. Part of budget may be embedded within other IT units\ projects

Approximately 5% of IT budget*

* Including manpower

Page 6

Security Staffing Ratios

Organization Type             Ratio of Security Personnel (Israel)
Average Public Sector         0.15% of Total Users
“Sensitive” Public Sector     0.5% of Total Users

Page 7

Information Security “Threatscape”

Page 8

The Web is Dead!

http://www.wired.com/magazine/2010/08/ff_webrip/

Page 9

Is Technology Good or Bad?

Page 10

Israel: a Security Empire

Page 12

Local Security Vendors and CISO’s Decision Making

The CISO is usually considering technology, local support and price.

Is a local solution available? Most likely it will be among the last three bidders.

Page 13

What’s on the CISO’s Agenda? (STKI Index 2010)

• EPS/mobile 14%
• Market/Trends 13%
• Access/Authentication 12%
• Network Sec 12%
• GW 10%
• DCS 9%
• DB/DC SEC 9%
• Vendor/Product 8%
• Regulations 7%
• SIEM/SOC 3%
• Miscellaneous 2%
• Encryption 1%

Page 14

Presentation’s Agenda

Page 15

Cloud Security

Source: http://csrc.nist.gov/groups/SNS/cloud-computing/

Page 16

Is Cloud Security Important??

http://www.thepeople.co.il/Index.asp?CategoryID=82&ArticleID=1281

Page 17

How Does Cloud Computing Affect the “Security Triad”?

• Confidentiality
• Integrity
• Availability

Page 18

Cloud Risk Assessment

(Chart: risks plotted by probability and impact.) Risks shown:

• Loss of governance
• Compliance challenges
• Risk from changes of jurisdiction
• Isolation failure
• Cloud provider malicious insider: abuse of high privilege roles
• Management interface compromise (manipulation, availability of infrastructure)
• Insecure or ineffective deletion of data
• Network management

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/

Page 20

Presentation’s Agenda

Page 21

Data-Centric Security

Page 22

Incidents by Vector (2009)

http://datalossdb.org/statistics

(Chart; legend labels: DL, PI, RM)

Page 23

The Relative Seriousness of IT Security Threats

Source: Computer Economics

Page 24

DLP Scenario in Israel

No Data Classification → Poor Security Policy → Project is a failure

Page 25

What Should be Done in Order to Succeed?

• Look for your assets!
• Classify and label!
• Discover and protect confidential data wherever it is stored or used
• Monitor all data usage
• Automate policy enforcement
• Safeguard employee privacy

Page 26

Presentation’s Agenda

Page 27

Y 2010 - Going Mobile!

Page 28

Page 29

Real Mobility is Coming to the Enterprise

Page 30

Mobile Security: What worries CISOs?

Internal users:
• No central management
• How to protect corporate data on the device?
• Device’s welfare ???

External users:
• Sensitive traffic interception
• Masquerading\ Identity theft

Page 31

Mobile Security: What Do CISOs want?

1. Manage SMDs as if they were another endpoint
2. Protecting business information on your device
3. Multi-platform support

Page 32

Presentation’s Agenda

Page 33

PCI-DSS - Challenges

(Diagram of a merchant environment with the twelve PCI-DSS requirements placed over it. Labels: Network, DSL Router, POS Server, POS Terminals, PIN Pads, Policies, 3rd Party Scan Vendor, Requirement 1 through Requirement 12.)

Page 34

What is the Incentive?

Source: http://datalossdb.org/statistics?timeframe=all_time (2000-2010)

• Data loss incidents: 2,754
• Credit-card related data loss: 396 (35%)
• How? Hack (48%)
• CCNs compromised: 297,704,392
• …CCNs\Incident: 751,779
• Actual $$$ loss…?

Page 35

Israeli PCI: Market Status (May 2010)

(Chart: sectors plotted along the PCI journey, with a “You are here” marker.)

Stages: PCI “Newborns” → Gap Analysis → PCI work plan (Prioritized Approach?) → 1-4 Milestones → 4+ Milestones → PCI Compliance

Sectors: Financial; Telco\Services; Retail\Wholesale\Manu’; Healthcare

Page 36

PCI Challenges: The “New trend Syndrome”

“Am I the first one to implement this solution?”

“Are there any other references?”

Page 37

PCI Challenges: Customer Experience

System heterogeneity – sensitive data is scattered around in all sorts of formats

Mainframe and other legacy systems – how is it possible to protect sensitive data without changing the source code?

What happened to risk management??? (PCI vs. SOX)

Page 38

PCI Challenges: Customer Experience 2

“My DB does not support PCI” – the “Upgrade vs. pay the fine” dilemma

“Index token is cheaper than other alternatives” – True or false?

Inadequate knowledge of the QSAs? Who audits the auditors? Should be answered by the PCI Council.
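As an added example (not from this deck or from STKI) tying the index-token question on this slide to the earlier data-centric advice to discover and protect confidential data wherever it is stored: a Python scanner that finds Luhn-valid card numbers in records of mixed formats and swaps them for same-length numeric index tokens held in a vault. The sample records, the regex-plus-Luhn detection and the vault design are constructed assumptions, not a description of any product.

```python
import re
import secrets
# Constructed sample records in mixed formats (delimited field, POS log line,
# free text). Card numbers are public test numbers; the last one fails Luhn.
SAMPLE_RECORDS = [
    "order=1001;card=4111111111111111;amount=25.00",
    "2010-11-18 10:02:11 POS7 auth 5500 0000 0000 0004 approved",
    "Customer note: call back on 0521234567, ref 1234567812345678",
]
# 13-19 digits, optional space/hyphen separators, not inside a longer digit run
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in a record, digits only."""
    cands = (re.sub(r"[ -]", "", m.group()) for m in CANDIDATE_RE.finditer(text))
    return [d for d in cands if luhn_ok(d)]

class TokenVault:
    """Index-token stand-in (assumed design): the PAN lives only here; others keep
    a same-length numeric token that is never Luhn-valid, so it fits legacy fields."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}
    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:          # same PAN -> same token
            return self._token_by_pan[pan]
        tok = "".join(str(secrets.randbelow(10)) for _ in pan)
        while luhn_ok(tok) or tok in self._pan_by_token:
            tok = "".join(str(secrets.randbelow(10)) for _ in pan)
        self._pan_by_token[tok], self._token_by_pan[pan] = pan, tok
        return tok
    def detokenize(self, tok: str) -> str:
        return self._pan_by_token[tok]

def redact(text: str, vault: TokenVault) -> str:
    """Replace each valid PAN in a record with its token, keeping the layout."""
    def swap(m):
        digits = re.sub(r"[ -]", "", m.group())
        return vault.tokenize(digits) if luhn_ok(digits) else m.group()
    return CANDIDATE_RE.sub(swap, text)
```

Phone numbers and the invalid 16-digit reference are left untouched, which is the check that keeps a discovery scan from flooding the project with false positives.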

Page 39

PCI Challenges - The PCI paradox

PCI compliance → 1 security patch is missing → A data loss incident occurs… → An investigation starts → Remember that security patch?

Page 40

Thank You!

Visit my Blog: shaharmaor.blogspot.com