atlantic-security-conference
Jonathan Raymond, TELUS Security Solutions
Why a Rotman-TELUS Study?
Why Canada?
Canada has its own security culture. Decisions should be made using our own experiences
Why Rotman?
Security is a business issue; Rotman is a business thought leader
Why TELUS?
We continue in our commitment to security research through TELUS Security Labs
Why this study matters
The study answers key questions like:
What’s happening to my peers?
What issues should I be concerned about?
How do I compare to top performers?
What best practices should we adopt?
What does “secure enough” look like?
Study enhancements
Focused questions: explored topics that were likely to change year-on-year
Focus on funding and staffing “post recession”
Examined concerns around social media, virtualization, cloud computing and mobile devices
Looked at the impact of outsourcing on security effectiveness
Consolidated questions to improve response rates
The threat landscape continues to grow
Breaches have grown 29% from 2009
Getting better at keeping out malware
Breach costs are down by 78%
[Chart comparing 2010, 2009 and 2008]
TELUS Security Labs
www.telussecuritylabs.com
30 researchers, $3M budget
Security threat research and outsourced development for security product vendors
Primary customers are 45 of the world’s leading security product vendors
$$$: Financial malware has started looking beyond Internet Explorer to steal credentials.
Code Reuse: Master Boot Record (MBR) infector rootkits are making a comeback, and those already there are also infecting newer architectures such as IA-64. (Zimuse, Alureon/Tidserv, Mebratix, Yonsole)
We think that with HTML5, exploit attacks will increase in 2011.
Look out for PDF attachments to email!
Attacks are more focused
Getting better at keeping out malware and common attacks (21% drop)
Breach costs are down by 78%
Attackers are apparently becoming less opportunistic
Top Breach Types
1. Malware and spam
2. Device theft
3. Phishing
4. Unauthorized access to information by employees
5. Bots within the organization / Denial of Service attacks
Insiders continue to be a problem
1 in 3 breaches originates internally
• Accidental or innocent
• Deliberate and malicious
• Device theft or loss
Data loss and compliance top of mind
Contracts are an effective mechanism for managing third party security compliance
Publicly traded organizations more concerned about new technology, less concerned about user accountability
Ranked Concerns
1. Loss of sensitive data
2. Compliance with regulations
3. Managing security of new technologies
4. User understanding and accountability of access
5. Managing business partner risks
A pattern of under investment
Budgets cut on average by 10% in 2009
Less investment in 2010 with average budgets moving to 6.5% of the IT budget
Use of outsourcing has increased
[Chart: share of respondents (0% to 30%) by budget range (< 1% to 25% plus); series: Government, Private, Public; Average and Optimal]
Security leadership in demand
[Chart: salaries ($70,000 to $150,000) for CIO, CSO and Director, 2010 and 2009]
The business is increasingly directing how security risks should be managed
Half of respondents have 10+ years of experience
Most top earners had 6+ years in IT security
Watch for security employee satisfaction
Managers and below are seeing slight salary reductions
Individual security professionals are tasked with more
Team sizes have shrunk
As the economy recovers staff retention will be an issue
[Chart: salaries ($70,000 to $110,000) for Manager, Security Analyst and System Admin, 2010 and 2009]
A note of caution
Reduced budgets and increased security workloads are laying the ground for long-term erosion of our security posture
Outsourcing and Security Incidents
Outsourcing appears to have no significant negative impact on an organization’s security incident rate
• Consistent with the 2009 study, no correlation between breach rates and the decision whether or not to outsource could be found.
Secure development practices are lagging
No significant increase in the number of companies using secure development practices
1 in 4 respondents just assume secure development will happen
A concern as respondents are reporting more data centric attacks
However, those that already include security in their development practices are increasing their investment
• Twice as likely to adopt preventative practices
• ~90% test their system security
The company that owns the Nasdaq Stock Market confirmed over the weekend that its computer network had been broken into, specifically a service that lets leaders of companies, including board members, securely share confidential documents.
Wall St Journal 7 Feb 2011
Dozens of military, government and education websites have been hacked and are up for sale, according to researchers from Imperva's Hacker Intelligence Initiative (HII). The list includes defence, state and university sites in Europe and the US that have been hacked exploiting SQL injection vulnerabilities, the researchers said. Administrator access to these sites is being sold at $55 to $499 each, said Noa Bar Yosef, senior security strategist at Imperva. In some cases, hackers are selling personally identifiable information (PII) from infiltrated sites at $20 for 1,000 records.
Computer Weekly 24 Jan 2011
Invest in prevention
Top 5 Initiatives
1. Integration of security into development
2. Business partner security policy compliance
3. Business partner privacy policy compliance
4. Creating a vulnerability management process
5. Developing a security policy
Top 5 Technologies
1. SSL VPN
2. Firewalls
3. IPSEC based VPN
4. Anti-Virus
5. Email Security (anti-spam, anti-malware)
Challenge of new technologies
Organizations that block social media experienced marginally more breaches than those that allow it
The dilemma of smart phones: how to secure them without making them dumb phones
Complexity undermines initiatives
Complex technologies, such as encryption, are failing to deliver value
Technology integrators are not addressing requirements management
Lowest ranked technologies
20. Security Information & Event Management (SIEM)
21. Data Leakage Prevention
22. Application Security Assessment Tools (web/code)
23. Database Encryption
24. Email Encryption
The obligatory cloud slide
1. Data location
2. Outside the business
3. Multi-tenancy
4. Ability to audit
5. Remove data from the cloud
6. Difficult to perform forensics
7. Availability
1. Malicious control of the hypervisor
2. Keeping VM images patched
3. Shared resource dependencies
4. Monitoring inter-VM communications
5. No visibility into host system security
2009 Concerns 2010 Concerns
The key concerns of government
1. Disclosure or loss of sensitive information
2. Compliance
3. User accountability
4. Security risks from new technology
5. Managing risks from third parties
NB: these logos do not represent response rates to this survey
Top performers
Building capabilities to manage the vulnerability lifecycle from start to finish
Investing in senior leadership
Integrating security into their development lifecycle
And our advice from 2008 and 2009 still holds true today
Invest in the right level of staff and give them authority
Focus on training for IT, business and external partners
If you don’t plan on enforcing a security policy be prepared for breaches