gartner technologies for infosec 2014-2015
TRANSCRIPT
Presentation to
Internal Audit & Compliance department
by Samuel Kamuli
GARTNER | TOP TEN TECHNOLOGIES FOR INFORMATION SECURITY
2014-2015
PRESENTATION OUTLINE
1. OBJECTIVES OF THE PRESENTATION
2. WHAT IS INFORMATION SECURITY?
3. WHAT IS THE GARTNER INSTITUTE?
4. LIST OF THE TOP TEN INFOSEC TECHNOLOGIES 2014-2015
5. CONCEPTS
I) ENCRYPTION
II) VIRTUALIZATION
6. INFOSEC TECHNOLOGIES FROM 1 TO 10
7. CAVEATS
OBJECTIVES OF THE PRESENTATION
1. The IAC total auditor initiative.
2. Explore the 2014-2015 top ten technologies for information security.
3. Fall in love!!!
DEFINITION | INFORMATION SECURITY
Information Security refers to the methodologies and processes which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
GARTNER INSTITUTE | Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. It delivers the technology-related insight necessary for its various clients in over 9,000 distinct enterprises worldwide to make the right decisions, every day.
Its clients range from CIOs and senior IT leaders in corporations and government agencies to business leaders in high-tech and telecom enterprises, professional services firms and technology investors.
www.gartner.com
| THE MAGIC QUADRANT
www.gartner.com
TOP TEN TECHNOLOGIES FOR INFORMATION SECURITY
• Endpoint Detection and Response Solutions
• Big Data Security Analytics at the Heart of Next-generation Security Platforms
• Cloud Access Security Brokers
• Adaptive Access Control
• Pervasive Sandboxing (Content Detonation) and IOC Confirmation
• Machine-readable Threat Intelligence, Including Reputation Services
• Containment and Isolation as a Foundational Security Strategy
• Software-defined Security
• Interactive Application Security Testing
• Security Gateways, Brokers and Firewalls to Deal with the Internet of Things
#2 ENCRYPTION | THE NYAKASURA-KYEBAMBE STORY
Characters: Bob, Alice, Alice's teacher
Bob to Alice (in the clear): "Hello Alice, I want to be with you longer than Fortportal has existed!"
#2 ENCRYPTION | THE NYAKASURA-KYEBAMBE STORY
Bob to Alice (coded): "Hello Alice, I love the history you mentioned about Toro"
= "I love you"
ENCRYPTION
Bob: Security admin, URA
Alice: Security admin, BoU
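The Bob/Alice story carried through with an actual key, as an added example that is not part of the presentation. It uses only Python's standard library; the shared key, the message and the scheme itself (a SHAKE-256 keystream XORed with the message, then an HMAC-SHA256 tag, i.e. encrypt-then-MAC) are constructed for illustration rather than taken from any product. It shows the two properties the story is about: the teacher on the path sees only opaque bytes, and any alteration of the message is detected by Alice.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the slides): a minimal symmetric scheme built only
# from the Python standard library, to make the Bob/Alice story concrete.
# Construction (illustrative, not a vetted AEAD): a SHAKE-256 keystream XORed
# with the message, then an HMAC-SHA256 tag over nonce + ciphertext
# (encrypt-then-MAC). Real systems should use AES-GCM or ChaCha20-Poly1305
# from a maintained library.

NONCE_LEN = 16
TAG_LEN = 32

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the one shared secret."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # SHAKE-256 is an extendable-output function: the same key + nonce gives
    # the same bytes, so a nonce must never be reused under one key.
    return hashlib.shake_256(enc_key + nonce).digest(length)

def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. A random nonce is drawn unless one is
    supplied (supply one only to make a test reproducible)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; only then remove the keystream."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: altered message or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def story() -> dict:
    """Bob (URA) writes to Alice (BoU); the teacher on the path has no key."""
    shared_key = b"constructed demo key, agreed out of band"   # assumption
    message = b"I love you"
    wire = encrypt(shared_key, message)
    teacher_view = wire[NONCE_LEN:-TAG_LEN]          # opaque bytes without the key
    alice_reads = decrypt(shared_key, wire)
    # The teacher flips one ciphertext bit; Alice's tag check rejects it.
    tampered = wire[:NONCE_LEN] + bytes([wire[NONCE_LEN] ^ 0x01]) + wire[NONCE_LEN + 1:]
    try:
        decrypt(shared_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"teacher_sees_plaintext": teacher_view == message,
            "alice_reads": alice_reads,
            "tamper_detected": tamper_detected}
```

Calling `story()` returns a dictionary showing that Alice recovers "I love you", that the teacher's view is not the plaintext, and that the altered message is rejected. The tag is checked before any decryption happens, which is the ordering that avoids leaking information through error behaviour on forged input.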
VIRTUALIZATION |THE DT SECTION ANALOGY
More than 500,000 customers —
including 100% of the Fortune 100 —
trust VMware as their virtualization
infrastructure platform.
VIRTUALIZATION | THE DT SECTION ANALOGY
[Figure: what the IAC sees from outside is one "DT Section"; inside it sit DT management (RiK and supervisors), DT audit officers and DT audits]
TRIVIA MOMENT: BRAIN VS SUPERCOMPUTER
The Tianhe-2 has been developed by the National University of Defense Technology in central China's Changsha city and is capable of 33,860 quadrillion floating-point operations per second (33.86 petaflops). By comparison, IBM researchers have determined that the human brain is capable of 36.8 petaflops of data. A calculator needs 10 flops only.
# 1 | ENDPOINT DETECTION AND RESPONSE SOLUTIONS
The endpoint detection and response (EDR) market is an emerging market created to satisfy the need for continuous protection from advanced threats at endpoints (desktops, servers, tablets and laptops), most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of ongoing attacks (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid response and provide remediation capability.
# 1 | ENDPOINT DETECTION AND RESPONSE SOLUTIONS
Endpoint solution: Nexpose and Metasploit
# 1 | ENDPOINT DETECTION AND RESPONSE SOLUTIONS
Market stats (http://www.checkpoint.com/testimonials/)
Kitabo kya mu
94% of Fortune 100
87% of Fortune 500
INFO SEC MOMENT | THE FIVE EYES
en.wikipedia.org/wiki/Five_Eyes
SIGINT: Signal Intelligence
# 2 | SOFTWARE-DEFINED SECURITY
Software defined security is about the capabilities enabled
as we decouple and abstract infrastructure elements that
were previously tightly coupled in our data centers:
servers, storage, networking, security and so on.
Like networking, compute and storage, the impact on
security will be transformational. Software-defined security
doesn’t mean that some dedicated security hardware isn’t
still needed — it is.
However, like software-defined networking, the value and
intelligence moves into software.
# 2 | SOFTWARE-DEFINED SECURITY
DECOUPLING ANALOGY | Tightly coupled system: ELECTRIC COOKER + POWER = COOKED FOOD
# 2 | SOFTWARE-DEFINED SECURITY
DECOUPLING ANALOGY | Loosely coupled system: GAS / ELECTRIC COOKER + POWER = COOKED FOOD
# 2 | SOFTWARE-DEFINED SECURITY
Unified threat management
1. Firewall
2. VPN
3. Intrusion Prevention System
Etc…
# 2 | SOFTWARE-DEFINED SECURITY
Value proposition ($1 = Ushs 3,000)
Cost is $2 per hour
Per day: 2 * 24 = $48
Per year: $48 * 365 = $17,520 (Ush 52.5 million)
Per month: USD 1,460 or UGX 4,380,000
# 2 | SOFTWARE-DEFINED SECURITY
$181,548 (Ushs 544,644,000). Save 90.3%!!!
# 2 | SOFTWARE-DEFINED SECURITY
Network Orchestration
Step 1: Create Linux server from template
Step 2: Run upgrade to install latest updates
Step 3: Register it with the network and start serving it traffic
Info sec moment | The $1 bn cyber heist
www.bbc.com/news/business-31482985
http://www.dailymail.co.uk/news/article-2955277/Computer-hacking-gang-ordered-ATM-machines-dispense-money-stole-tens-millions-UK-banks-largest-cyber-crime-detected.html#ixzz3UXLA0hGG
• Up to 100 banks and financial institutions worldwide have been attacked.
• Kaspersky Lab estimates $1bn (£648m) has been stolen in the attacks, which it says started in 2013 and are still ongoing.
• Attacks have taken place in 30 countries including financial firms in Russia, US, Germany, China, Ukraine and Canada.
• They steal money directly from banks and avoid targeting end users.
Info sec moment | The $1 bn cyber heist
How they did it
• They did this by sending authentic-looking emails that unsuspecting recipients then clicked on ('spear phishing'), infecting the bank's machines with Carbanak malware
• Hackers were then able to infiltrate the internal network and track down administrators' computers for video surveillance
• A Ukrainian ATM was found to be giving out notes at random times. Videos showed they
# 3 | ADAPTIVE ACCESS CONTROL
Adaptive access control is a form of context-aware access control that acts to balance the level of trust against risk at the moment of access using some combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that access decisions reflect current condition, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. Use of an adaptive access management architecture enables an enterprise to allow access from any device, anywhere, and allows for social ID context-aware access to a range of corporate assets with mixed risk profiles.
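The trust-versus-risk balance described above, as an added example that is not from the presentation or from Cisco ISE (the product the deck goes on to show). It decides one access request from its context: what asset is requested, how many authentication factors were presented, whether the device is managed and its anti-virus current, and which network it comes from. All weights, thresholds and posture attributes are constructed assumptions; the point it demonstrates is dynamic mitigation: a request that would be blocked under a static rule is instead answered with a step-up (trust elevation) when a second factor would close the gap.

```python
from dataclasses import dataclass, field

# Added example, not from the presentation or from Cisco ISE: a small
# context-aware access decision that weighs trust against risk at the moment
# of access. All weights, thresholds and the device-posture attributes are
# constructed assumptions for this illustration.

@dataclass
class AccessContext:
    user: str
    asset_sensitivity: str            # "low", "medium" or "high"
    factors: int                      # authentication factors already presented
    device_managed: bool              # enrolled corporate device (the taxpayer who declares goods)
    av_current: bool                  # endpoint protection up to date
    network: str                      # "corporate", "home" or "unknown"
    device_type: str = "workstation"  # "workstation", "mobile" or "ip-phone"

@dataclass
class Decision:
    action: str                       # "allow", "step-up", "restrict" or "deny"
    risk: int
    trust: int
    reasons: list = field(default_factory=list)

SENSITIVITY_RISK = {"low": 10, "medium": 40, "high": 70}
NETWORK_RISK = {"corporate": 0, "home": 15, "unknown": 35}
MFA_BONUS = 40                        # trust gained by completing a second factor

def score_risk(ctx: AccessContext):
    """Risk reflects what is being accessed and the current condition."""
    reasons = []
    risk = SENSITIVITY_RISK[ctx.asset_sensitivity] + NETWORK_RISK[ctx.network]
    if not ctx.device_managed:
        risk += 20
        reasons.append("unmanaged device")
    if ctx.network != "corporate":
        reasons.append(f"{ctx.network} network")
    return risk, reasons

def score_trust(ctx: AccessContext) -> int:
    """Trust reflects how strongly the requester has proven itself so far."""
    trust = 30 if ctx.factors >= 1 else 0
    if ctx.factors >= 2:
        trust += MFA_BONUS
    if ctx.device_managed:
        trust += 20
    return trust

def decide(ctx: AccessContext) -> Decision:
    risk, reasons = score_risk(ctx)
    trust = score_trust(ctx)
    # Pre-cleared low-privilege endpoints (the AEO taxpayer): an IP phone gets
    # the voice network only, whatever its scores.
    if ctx.device_type == "ip-phone":
        return Decision("restrict", risk, trust, ["ip-phone profile: voice network only"])
    # Posture failure (the taxpayer with undeclared goods): inspect and
    # remediate, or refuse outright for high-value assets.
    if not ctx.av_current:
        if ctx.asset_sensitivity == "high":
            return Decision("deny", risk, trust, reasons + ["outdated anti-virus on high-value asset"])
        return Decision("restrict", risk, trust, reasons + ["remediation network until anti-virus updated"])
    if trust >= risk:
        return Decision("allow", risk, trust, reasons)
    # Dynamic risk mitigation: if a second factor would close the gap, ask for
    # it instead of blocking (trust elevation).
    if ctx.factors < 2 and trust + MFA_BONUS >= risk:
        return Decision("step-up", risk, trust, reasons + ["second factor required"])
    if trust + 20 >= risk:
        return Decision("restrict", risk, trust, reasons + ["read-only access"])
    return Decision("deny", risk, trust, reasons)
```

A managed workstation on the corporate network reaching a medium-sensitivity asset is allowed on one factor; the same user reaching a high-sensitivity asset from home is asked for a second factor, and is allowed once it has been presented. The decision object carries the scores and reasons so the outcome can be logged and audited, which is what makes "access decisions reflect current condition" reviewable after the fact.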
# 3 | ADAPTIVE ACCESS CONTROL
URA CUSTOMS ANALOGY
1. TAX PAYER WHO DECLARES GOODS AT CUSTOMS: SUPPLICANT
2. TAX PAYER WHO DOESN'T KNOW THEY HAVE / HIDES TAXABLE GOODS: DEVICE WITH OUTDATED ANTI-VIRUS
3. TAX PAYER WHO IS AN AEO: IP-PHONE PRIVILEGES
Cisco Identity Services Engine (ISE)
# 3 | ADAPTIVE ACCESS CONTROL | ISE ISE BABY!!!
# 3 | ADAPTIVE ACCESS CONTROL - POLICY
# 3 | ADAPTIVE ACCESS CONTROL - PERMISSIONS
#4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS
Enterprises, especially those in asset-intensive industries like manufacturing or utilities, have operational technology (OT) systems provided by equipment manufacturers that are moving from proprietary communications and networks to standards-based, IP-based technologies. More enterprise assets are being automated by OT systems based on commercial software products. The end result is that these embedded software assets need to be managed, secured and provisioned appropriately for enterprise-class use. OT is considered to be the industrial subset of the "Internet of Things," which will include billions of interconnected sensors, devices and systems, many of which will communicate without human involvement.
TURKISH PIPELINE BURSTS DUE TO CYBER ATTACK
http://arstechnica.com/security/2014/12/hack-said-to-cause-fiery-pipeline-blast-could-rewrite-history-of-cyberwar/
“Attackers gained access to the pipeline's
computerized operational controls and increased the
pressure of the crude oil flowing inside. By hacking
the video and sensors that closely monitored the
1,099-mile Baku-Tbilisi-Ceyhan pipeline, the
attackers were able to prevent operators from
learning of the blast until 40 minutes after it happened”
As investigators followed the trail of the failed alarm system, they
found the hackers’ point of entry was an unexpected one: the
surveillance cameras themselves.
The cameras’ communication software had vulnerabilities the
hackers used to gain entry and move deep into the internal network,
according to the people briefed on the matter.
Once inside, the attackers found a computer running on a Windows
operating system that was in charge of the alarm-management
network, and placed a malicious program on it. That gave them the
ability to sneak back in whenever they wanted.
TURKISH PIPELINE BURSTS DUE TO CYBER ATTACK
Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The back-up satellite signals failed, which suggested to the investigators that the attackers used sophisticated jamming equipment, according to the people familiar with the
The 2014 Infiniti Q50
• The 2014 Infiniti Q50 would be the easiest of all to hack because
its telematics, Bluetooth, and radio functions all run on the same
network as the car's engine and braking systems, for instance,
making it easier for an attacker to gain control of the car's
computerized physical operations.
• The researchers say the 2014 Dodge Viper, the 2014 Audi A8, and
the 2014 Honda Accord are the least hackable vehicles. They
ranked the Audi A8 as the least hackable overall because its
network-accessible potential attack surfaces are separated from the
car's physical components such as steering, notes Miller. "Each
feature of the car is separated on a different network and
connected by a gateway," he says. "The wirelessly connected
computers are on a separate network than the steering, which
makes us believe that this car is harder to hack to gain control
#4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS
http://www.conlog.co.za/
#4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS
Tools
https://www.paloaltonetworks.com/solutions/industry/scada-and-industrial-control.html
SCADA/ICS-specific signatures for Modbus, DNP3, CIP Ethernet/IP, IEC 60870-5-104, OPC
http://www.iconlabs.com/prod/products/device-protection/floodgate-defender-appliance
#4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS
INFOSEC MOMENT | THE EQUATION GROUP
• Discovered by Kaspersky on February 16, 2015
• The group earned its name through its use of complex cryptographic algorithms to compromise targets.
• They have been operating in the shadows for over a decade.
• They compromised Seagate, Western Digital, Maxtor, Samsung and Toshiba hard drives
http://www.digitaltrends.com/computing/decrypt-this-the-equation-groups-scalpel-proves-the-sledgehammer-is-unneeded/#ixzz3UXFza65G
http://en.wikipedia.org/wiki/Equation_Group
INFOSEC MOMENT | THE EQUATION GROUP
• They developed malware which embeds itself in the firmware that runs the disk and gives command and control servers access to the disk and later computers
• It can transfer data from an air-gapped system through USB flash drives
• One of their biggest exploits is said to be the Stuxnet virus that affected Iran's nuclear power plants.
• Timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday-Friday in what would correspond to a 08:00-17:00 workday in an Eastern United States time zone
#5 | APPLICATION SECURITY TESTING
Interactive application security testing (IAST) combines static application security testing (SAST) and dynamic application security testing (DAST) techniques. This aims to provide increased accuracy of application security testing through the interaction of the SAST and DAST techniques. IAST brings the best of SAST and DAST into a single solution. This approach makes it possible to confirm or disprove the exploitability of the detected vulnerability and determine its point of origin in the application code.
Static application security testing (SAST) is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the "inside out" in a non-running state.
DAST: running state
SAST: non-running state
IAST: both running and non-running state
• Higher Confidence Results: Combine the detection of a potential vulnerability found through SAST with verification through a real-time exploit attempt provided by DAST. IAST determines whether the vulnerability is real and where in the code it is located.
• Comprehensive Analysis: Tune the DAST analysis based on Coverity's deep understanding of the application's entry points and parameters.
• Improved Efficiency: Address proven vulnerabilities more quickly and easily from within a unified workflow.
http://www.coverity.com/
Kitabo kya mu
• 8 of the 10 top global brands
• 7 of the 10 top aerospace and defense companies
• 9 of the 10 top technology hardware companies
• 9 of the 10 top software companies
Kitabo kya mu
Google Project Zero
http://googleprojectzero.blogspot.com/
http://money.cnn.com/2014/07/17/technology/security/google-cyberattacks/
# 6 | MACHINE-READABLE THREAT INTELLIGENCE (MRTI), INCLUDING REPUTATION SERVICES
The ability to integrate with external context and
intelligence feeds is a critical differentiator for next-
generation security platforms. Third-party sources for
machine-readable threat intelligence are growing in
number and include a number of reputation feed
alternatives. Reputation services offer a form of
dynamic, real-time “trustability” rating that can be
factored into security decisions. For example, user and
device reputation as well as URL and IP address
reputation scoring can be used in end-user access
decisions.
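How a reputation feed is "factored into security decisions", as an added example that is not from the presentation or from any vendor's feed. It indexes a small machine-readable feed (a constructed JSON list of indicators with a reputation score and a source), then evaluates constructed proxy log lines against it: the worst reputation that applies to a request (URL, then domain, then destination IP) decides whether the request is blocked, allowed with an alert, or allowed. The feed format, the log format, the thresholds and all indicator values are assumptions; only documentation-reserved names and addresses are used.

```python
import json
from urllib.parse import urlsplit

# Added example, not from the deck or any vendor feed: a minimal consumer of
# a machine-readable threat-intelligence feed. The feed format, the log
# format, thresholds and all indicator values are constructed; the names use
# example.com/.net/.org and RFC 5737 documentation addresses only.

FEED_JSON = """
[
  {"type": "domain", "value": "malware-drop.example.net", "reputation": 5,  "source": "vendor-feed-A"},
  {"type": "ipv4",   "value": "203.0.113.77",             "reputation": 15, "source": "vendor-feed-A"},
  {"type": "domain", "value": "newsletter.example.org",   "reputation": 55, "source": "community-list"},
  {"type": "url",    "value": "http://cdn.example.com/update.exe", "reputation": 30, "source": "sandbox-verdicts"}
]
"""

# Constructed proxy log lines: time, user, source IP, destination IP, URL
PROXY_LOG = """\
2015-03-02T09:14:05 jkiiza 10.1.4.22 198.51.100.10 http://intranet.example.com/etax/login
2015-03-02T09:15:41 cjuuko 10.1.4.31 203.0.113.77 http://malware-drop.example.net/pay.php
2015-03-02T09:16:02 cjuuko 10.1.4.31 198.51.100.44 http://cdn.example.com/update.exe
2015-03-02T09:17:30 ebichetero 10.1.9.8 198.51.100.60 http://newsletter.example.org/march
"""

BLOCK_BELOW = 20      # reputation at or below this: block the request
ALERT_BELOW = 60      # reputation at or below this: allow, but raise an alert

def load_feed(feed_json):
    """Index indicators by (type, value) so each log field is one lookup."""
    index = {}
    for entry in json.loads(feed_json):
        index[(entry["type"], entry["value"].lower())] = entry
    return index

def reputation_of(index, url, dest_ip):
    """Return the worst reputation that applies to this request and why.
    Values the feed knows nothing about get a neutral 100."""
    host = urlsplit(url).hostname or ""
    candidates = [("url", url.lower()), ("domain", host.lower()), ("ipv4", dest_ip)]
    worst, why = 100, None
    for key in candidates:
        hit = index.get(key)
        if hit and hit["reputation"] < worst:
            worst, why = hit["reputation"], "%s %s (%s)" % (key[0], key[1], hit["source"])
    return worst, why

def evaluate(log_text, index):
    """Decide allow / alert / block per log line and tally findings per user."""
    decisions, per_user = [], {}
    for line in log_text.splitlines():
        ts, user, src, dst, url = line.split()
        score, why = reputation_of(index, url, dst)
        if score <= BLOCK_BELOW:
            action = "block"
        elif score <= ALERT_BELOW:
            action = "alert"
        else:
            action = "allow"
        decisions.append({"time": ts, "user": user, "url": url,
                          "score": score, "action": action, "reason": why})
        if action != "allow":
            per_user[user] = per_user.get(user, 0) + 1
    return decisions, per_user
```

The per-user tally is the bridge to the "user reputation" the paragraph mentions: a user who keeps hitting low-reputation destinations is itself a signal that can feed the access decision, and the `reason` field records which indicator and which source drove each decision so an analyst can judge the feed's quality over time.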
http://www.norse-corp.com/darkviking.html
SONY HACK
http://www.geek.com/news/sony-just-got-hacked-doxxed-and-shut-down-1610274/
http://money.cnn.com/2015/02/05/media/amy-pascal-resigns-sony/
Repercussions
1. Movies such as Annie leaked.
2. Emails released.
3. Sony co-chair Amy Pascal resigned after 15 years at Sony.
4. Financial loss from lost movie revenue and reputation.
#6 | DATA LOSS/LEAKAGE PREVENTION
Data Leakage Prevention identifies,
monitors, and protects data transfer
through deep content inspection and
analysis of transaction parameters
(such as source, destination, data
object, and protocol), with a
centralized management framework.
1. The Data Loss Prevention Software Blade is enabled on a Security Gateway
3. Security management server to install the DLP policy on the DLP gateway
4. Proxy server through which data leaves the organization
5. Mail server through which information can leave the organization
6. Active Directory to identify the internal organization
7. Logging analysis through SmartView Tracker and SmartEvent
#6 | DATA LOSS/LEAKAGE PREVENTION
1. Create a policy that blocks transfer of videos off the network and to other servers.
2. Send the policy out to the monitoring device.
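The policy from the two steps above ("block transfer of videos off the network"), as an added example that is not from the presentation or from Check Point's DLP blade. It shows the "deep content inspection and analysis of transaction parameters" the definition describes: each transfer is a source, a destination, a protocol and a data object, the object is classified by its file signature rather than its name (a renamed .mp4 is still a video), and the decision depends on whether the transfer leaves the internal address ranges. The network ranges, the protocol list and the sample transactions are constructed assumptions.

```python
import ipaddress

# Added example, not from the deck or Check Point's DLP blade: content-aware
# DLP logic for the policy "block transfer of videos off the network".
# Detection uses file signatures ("magic bytes") rather than the file name.
# Network ranges, protocols and the sample transactions are constructed.

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EGRESS_PROTOCOLS = {"http", "https", "smtp", "ftp"}   # channels the gateway inspects

def is_video(data: bytes) -> str:
    """Return the detected container name, or '' if the bytes are not a video."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4/mov"                      # ISO base media file: '....ftyp'
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:4] == b"\x1a\x45\xdf\xa3":
        return "mkv/webm"                     # EBML header
    return ""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def inspect(transaction: dict) -> dict:
    """Policy decision for one transfer: allow, alert, or block with the reason."""
    src, dst = transaction["source"], transaction["destination"]
    proto = transaction["protocol"].lower()
    kind = is_video(transaction["data"])
    leaving = is_internal(src) and not is_internal(dst)
    if kind and leaving and proto in EGRESS_PROTOCOLS:
        action, reason = "block", "%s leaving network via %s" % (kind, proto)
    elif kind and leaving:
        # A channel the gateway cannot enforce on: log it for follow-up.
        action, reason = "alert", "%s leaving via uninspected protocol %s" % (kind, proto)
    else:
        action, reason = "allow", "no policy match"
    return {"user": transaction["user"], "object": transaction["name"],
            "action": action, "reason": reason}

# Constructed transactions; only the leading bytes matter for the signature check.
SAMPLE = [
    {"user": "cjuuko", "name": "holiday.mp4", "source": "10.1.4.31", "destination": "198.51.100.9",
     "protocol": "HTTPS", "data": b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"},
    {"user": "jkiiza", "name": "report.pdf", "source": "10.1.4.22", "destination": "198.51.100.9",
     "protocol": "SMTP", "data": b"%PDF-1.4 ..."},
    {"user": "amukasa", "name": "training.mkv", "source": "10.1.9.8", "destination": "10.2.0.5",
     "protocol": "SMB", "data": b"\x1a\x45\xdf\xa3\x01\x00\x00\x00"},
    {"user": "ebichetero", "name": "notes.txt", "source": "10.1.9.8", "destination": "203.0.113.5",
     "protocol": "FTP", "data": b"RIFF\x00\x00\x00\x00AVI LIST"},   # renamed video
]

def run(transactions=SAMPLE):
    return [inspect(t) for t in transactions]
```

Running `run()` blocks the mp4 upload and the renamed AVI sent by FTP, allows the PDF and the internal MKV copy, and the `reason` strings are what the logging step (SmartView Tracker / SmartEvent in the deck's architecture) would record. The signature check is deliberately independent of the file extension, since the extension is under the sender's control.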
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
Going forward, all effective security protection platforms will include domain-specific embedded analytics as a core capability. An enterprise's continuous monitoring of all computing entities and layers will generate a greater volume, velocity and variety of data than traditional SIEM systems can effectively analyze. Gartner predicts that by 2020, 40 percent of enterprises will have established a "security data warehouse" for the storage of this monitoring data to support retrospective analysis. By storing and analyzing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of "normal" can be established and data analytics can be used to identify when meaningful deviations from normal have occurred.
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
ANALOGY : NETFLIX’S HOUSE OF CARDS
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
Analysis done: the same subscribers who loved the original BBC production of House of Cards also
• Watched movies starring Kevin Spacey or
• Watched movies directed by David Fincher
www.salon.com/2013/02/01/how_netflix_is_turning_viewers_into_puppets/
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
ANALOGY : NETFLIX’S HOUSE OF CARDS
Reaction by Netflix
1. Hired Kevin Spacey as actor and David Fincher as director for the new series
2. Spent $100 million for two 13-
episode seasons.
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
ANALOGY : NETFLIX’S HOUSE OF CARDS
Results;
1. Netflix has already earned its $100 million back with
profit
2. Added more than 2 million U.S. subscribers that
quarter
3. Added another 1 million elsewhere in the world and
surpassed HBO.
4. Netflix has since risen to 50 million subscribers
globally
5. Season 3 is out!
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
ANALOGY : NETFLIX’S HOUSE OF CARDS
SCENARIOS
1. User cjuuko logged on to E-tax from separate machines at the same URA campus.
Reaction: store as alert.
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
SCENARIOS
2. User jkiiza logged on to E-tax from separate machines at the same URA campus.
Reaction: send SMS and email to members in security and log as high-risk alert for follow-up investigation.
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
SCENARIOS
3. User ebichetero logged on to E-tax from a machine at Nakawa HQ and Asyworld from a machine at Bunagana.
Reaction: send SMS and email to members in security and log as high-risk alert for follow-up investigation.
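The three scenarios as detection logic run over constructed login events, as an added example that is not from the presentation or from the SIEM product linked below. Each login is compared with the same user's earlier logins inside a time window: two different machines at the same site is a low-severity alert, or high severity for a high-value account; two different sites inside the window is high severity regardless. The deck does not say why jkiiza's case is treated more seriously than cjuuko's, so the example assumes a watch-list of high-value accounts; the window, the severities and the event data are also assumptions.

```python
from datetime import datetime, timedelta

# Added example (not from the slides or from HP ArcSight): rule logic for the
# three login scenarios, run over constructed events. The high-value account
# list, the time window and the severities are assumptions.

HIGH_VALUE_ACCOUNTS = {"jkiiza"}          # e.g. administrators (assumed)
WINDOW = timedelta(minutes=30)            # concurrent-session window (assumed)

# Constructed login events: (timestamp, user, application, machine, site)
EVENTS = [
    ("2015-03-02 08:05", "cjuuko",     "E-tax",    "PC-0412", "Nakawa HQ"),
    ("2015-03-02 08:20", "cjuuko",     "E-tax",    "PC-0433", "Nakawa HQ"),
    ("2015-03-02 09:00", "jkiiza",     "E-tax",    "PC-0101", "Nakawa HQ"),
    ("2015-03-02 09:12", "jkiiza",     "E-tax",    "PC-0109", "Nakawa HQ"),
    ("2015-03-02 10:00", "ebichetero", "E-tax",    "PC-0220", "Nakawa HQ"),
    ("2015-03-02 10:25", "ebichetero", "Asyworld", "PC-0901", "Bunagana"),
    ("2015-03-02 11:00", "amukasa",    "E-tax",    "PC-0300", "Nakawa HQ"),
    ("2015-03-02 14:00", "amukasa",    "E-tax",    "PC-0300", "Nakawa HQ"),
]

def parse(events):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), u, app, m, site)
            for ts, u, app, m, site in events]

def alert(user, ts, severity, detail):
    # Reactions mirror the deck: low = store as alert; high = store and notify.
    reaction = ("store alert" if severity == "low"
                else "store high-risk alert; SMS and email security team")
    return {"user": user, "time": ts.isoformat(), "severity": severity,
            "detail": detail, "reaction": reaction}

def correlate(events):
    """Compare each login with the same user's earlier logins inside WINDOW."""
    alerts = []
    seen = {}                                   # user -> earlier events
    for ts, user, app, machine, site in sorted(parse(events)):
        for p_ts, _, p_app, p_machine, p_site in seen.get(user, []):
            if ts - p_ts > WINDOW or p_machine == machine:
                continue                        # outside window or same machine: normal
            if p_site != site:
                alerts.append(alert(user, ts, "high",
                                    "%s at %s and %s at %s within %s" % (p_app, p_site, app, site, WINDOW)))
            elif user in HIGH_VALUE_ACCOUNTS:
                alerts.append(alert(user, ts, "high",
                                    "two machines (%s, %s) at %s" % (p_machine, machine, site)))
            else:
                alerts.append(alert(user, ts, "low",
                                    "two machines (%s, %s) at %s" % (p_machine, machine, site)))
        seen.setdefault(user, []).append((ts, user, app, machine, site))
    return alerts
```

The fourth user (amukasa) produces nothing: the same machine twice, hours apart, is the "normal" pattern the paragraph above wants established before deviations are flagged. In a real security data warehouse the `seen` dictionary would be a query over stored history rather than an in-memory list, which is what makes the retrospective version of this rule possible.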
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
TOOLS OF TRADE
http://www8.hp.com/us/en/software-solutions/siem-security-information-event-management/
#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS
TRIVIA MOMENT : SOURCE OF ATTACKS
MURDER IN THE CLOUD
Code Spaces was a company that offered developers source code repositories
and project management services using Git or Subversion, among other
options. It had been going for seven years, and it had no shortage of
customers. But it's all over now -- the company was essentially murdered by
an attacker.
Code Spaces was built mostly on AWS, using storage and server instances to
provide its services. Those server instances weren't hacked, nor was Code
Spaces' database compromised or stolen. According to the message on the
Code Spaces' website, an attacker gained access to the company's AWS control
panel and demanded money in exchange for releasing control back to Code
Spaces. When Code Spaces didn't comply and tried to take back control over
its own services, the attacker began deleting resources. As the message on
the website reads: "We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances."
http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
#8 | CLOUD ACCESS SECURITY BROKERS
Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises a way to gain visibility and control as their users access cloud resources.
#8 | CLOUD ACCESS SECURITY BROKERS
• Spend Optimization
• Cost allocation
• Resource reporting
• Security policy management
• Continuous monitoring
#8 | CLOUD ACCESS SECURITY BROKERS
http://www.safenet-inc.com/
Netflix Simian Army
en.wikipedia.org/wiki/Chaos_Monkey
Info Sec moment | Tailored Access Operations (TAO)
http://en.wikipedia.org/wiki/Tailored_Access_Operations
https://www.schneier.com/blog/archives/2013/12/more_about_the.html
https://www.eff.org/deeplinks/2014/03/new-nsa-slides-reveal-tailored-access-run-amok
• Cyber-warfare intelligence-gathering unit of the National Security Agency (NSA)
• They are a last resort for use when other methods of surveillance fail
• Largest and arguably the most important component of the NSA's huge Signal Intelligence (SIGINT) Directorate, consisting of [more than] 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers
Info Sec moment | Tailored Access Operations (TAO)
Operations
• Their major tool is called "QUANTUMTHEORY"
• It targets Internet service providers including Facebook, Yahoo, Twitter and YouTube.
• They have software templates allowing them to break into commonly used hardware, including "routers, switches, and firewalls from multiple product vendor lines"
• They redirect traffic from these sites to fake servers which have malware that automatically exploits weaknesses on end-user machines, e.g. the Belgacom and Huawei incidents.
#9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATORS OF COMPROMISE (IOC) CONFIRMATION
Some attacks will inevitably bypass traditional blocking and prevention security protection mechanisms, in which case it is key to detect the intrusion in as short a time as possible to minimize the hacker's ability to inflict damage or exfiltrate sensitive information. Many security platforms now include embedded capabilities to run ("detonate") executables and content in virtual machines (VMs) and observe the VMs for indications of compromise. This capability is rapidly becoming a feature of a more-capable platform, not a stand-alone product or market. Once a potential incident has been detected, it needs to be confirmed by correlating indicators of compromise across different entities, for example by comparing what a network-based threat detection system sees in a sandboxed environment to what is being observed on actual endpoints in terms of processes, behaviors, registry entries and so on.
#9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATORS OF COMPROMISE (IOC) CONFIRMATION
Info Sec moment | Hijacking a bank account
#9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATORS OF COMPROMISE (IOC) CONFIRMATION
1. Receive an email from [email protected]
2. The email is scanned for viruses and malware using known threat signatures. None is discovered, but an unknown program is seen in the attachment, so the email is put in a VM with known baselines for threat analysis.
3. Once the configuration of the virtual machine changes, the email is not sent to the intended recipient but to ThreatCloud for analysis. A signature is then developed for it, as well as anti-virus signatures.
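The detonation verdict and the IOC-confirmation step, as an added example that is not from the presentation or from Check Point ThreatCloud. It does the three steps above as plain data processing: diff the VM against its clean baseline (anything new is a candidate indicator), hold the mail and derive a file signature if the VM changed, then correlate the indicators with telemetry from real endpoints and call a host compromised only when several independent indicator categories match. The baseline, the post-detonation observation, the endpoint telemetry, the indicator names and the minimum-match threshold are all constructed assumptions.

```python
import hashlib

# Added example (not from the deck or Check Point ThreatCloud): the detonation
# verdict and the IOC-confirmation step as plain data processing. The sandbox
# report, the baseline, the endpoint telemetry and the indicator names are
# constructed for this illustration.

ATTACHMENT = b"constructed attachment bytes, not real malware"

# What a clean VM looks like before detonation (assumed baseline)
BASELINE = {
    "processes": {"explorer.exe", "winword.exe"},
    "registry_run_keys": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    "files": set(),
    "connections": set(),
}

# Constructed observation of the same VM after opening the attachment
AFTER_DETONATION = {
    "processes": {"explorer.exe", "winword.exe", "cmd.exe", "updsvc.exe"},
    "registry_run_keys": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
                          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc"},
    "files": {"C:\\Users\\Public\\updsvc.exe"},
    "connections": {"203.0.113.77:443"},
}

def detonate(baseline, observed):
    """Diff the VM against its baseline; anything new is a candidate indicator."""
    iocs = {k: observed[k] - baseline[k] for k in baseline}
    changed = any(iocs.values())
    return changed, iocs

def verdict(attachment, baseline, observed):
    """Step 3 of the slide: hold the mail if the VM changed, derive a signature."""
    changed, iocs = detonate(baseline, observed)
    if not changed:
        return {"deliver": True, "signature": None, "iocs": iocs}
    return {"deliver": False, "signature": hashlib.sha256(attachment).hexdigest(), "iocs": iocs}

# Constructed endpoint telemetry, as an EDR agent would report it from real hosts
ENDPOINTS = {
    "PC-0412": {"processes": {"explorer.exe", "outlook.exe", "updsvc.exe"},
                "registry_run_keys": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc"},
                "files": {"C:\\Users\\Public\\updsvc.exe"},
                "connections": {"203.0.113.77:443"}},
    "PC-0433": {"processes": {"explorer.exe", "outlook.exe", "cmd.exe"},
                "registry_run_keys": set(), "files": set(), "connections": set()},
    "PC-0101": {"processes": {"explorer.exe"}, "registry_run_keys": set(),
                "files": set(), "connections": {"203.0.113.77:443"}},
}

def confirm(iocs, endpoints, min_matches=2):
    """Correlate sandbox IOCs with endpoint observations. One weak indicator
    (cmd.exe, a single connection) is not enough: require min_matches distinct
    indicator categories before calling a host compromised."""
    weak = {"cmd.exe"}                      # common legitimate process (assumed low weight)
    results = {}
    for host, seen in endpoints.items():
        matched = {}
        for category, values in iocs.items():
            hits = (values & seen[category]) - weak
            if hits:
                matched[category] = sorted(hits)
        results[host] = {"confirmed": len(matched) >= min_matches, "matched": matched}
    return results
```

With these inputs the mail is held and PC-0412 is confirmed on four categories, while PC-0433 (only cmd.exe, a weak indicator) and PC-0101 (one connection) are not, which is the "correlating indicators of compromise across different entities" step: the sandbox says what to look for, the endpoints say where it is actually present.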
#10 | CONTAINMENT AND ISOLATION AS A FOUNDATIONAL SECURITY STRATEGY
In a world where signatures are increasingly ineffective in stopping attacks, an alternative strategy is to treat everything that is unknown as untrusted and isolate its handling so that it cannot cause permanent damage to the system it is running on and cannot be used as a vector for attacks on other enterprise systems. Virtualization, isolation, abstraction and remote presentation techniques can be used to create this containment so that, ideally, the end result is similar to using a separate "air-gapped" system to handle untrusted content and applications. Virtualization and containment strategies will become a common element of a defense-in-depth protection strategy for enterprise systems, reaching 20 percent adoption by 2016 from nearly no
Analogy | Russian / Matryoshka Doll
en.wikipedia.org/wiki/Matryoshka_doll
[Figure: nested doll layers labelled Salt, Chili, Oil, Potassium, Water]
CHECKPOINT CAPSULE
Check Point Capsule enables organizations to
extend their corporate security policy to mobile
devices, providing real-time protection against
web threats for mobile users outside of the
enterprise security perimeter. Check Point
Capsule offers the protection of the Check Point
Software Blades as a cloud-based service, and
ensures that corporate policy is always enforced
and corporate data and devices are protected.
http://www.checkpoint.com/capsule/
Enterprise trust zone
Personal trust zone
Caveat | The Advanced Persistent Threat
“There is no such thing as cybersecurity. No system can be 100% secure. There is no uncrackable code.”
“The only thing you can do is build the fence higher and higher so that eventually it's not worth it to climb over”
Joshua Shaul, Chief Technology Officer, Application Security | McAfee