gartner technologies for infosec 2014-2015

Presentation to Internal Audit & Compliance department by Samuel Kamuli

Posted on 15-Jul-2015

TRANSCRIPT

Page 1: Gartner technologies for Infosec 2014-2015

Presentation to Internal Audit & Compliance department by Samuel Kamuli

Page 2: Gartner technologies for Infosec 2014-2015

GARTNER | TOP TEN TECHNOLOGIES FOR INFORMATION SECURITY

2014-2015

Page 3: Gartner technologies for Infosec 2014-2015

PRESENTATION OUTLINE

1. OBJECTIVES OF THE PRESENTATION
2. WHAT IS INFORMATION SECURITY?
3. WHAT IS THE GARTNER INSTITUTE?
4. LIST OF THE TOP TEN INFOSEC TECHNOLOGIES 2014-2015
5. CONCEPTS
   I) ENCRYPTION
   II) VIRTUALIZATION
6. INFOSEC TECHNOLOGIES FROM 1 TO 10
7. CAVEATS

Page 4: Gartner technologies for Infosec 2014-2015

OBJECTIVES OF THE PRESENTATION

1. The IAC total auditor initiative.
2. Explore the 2014-2015 top ten technologies for information security.
3. Fall in love!!!

Page 5: Gartner technologies for Infosec 2014-2015

DEFINITION | INFORMATION SECURITY

Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Page 6: Gartner technologies for Infosec 2014-2015

GARTNER INSTITUTE | Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. It delivers the technology-related insight necessary for its various clients in over 9,000 distinct enterprises worldwide to make the right decisions, every day.

Its clients range from CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms and technology investors.

www.gartner.com

Page 7: Gartner technologies for Infosec 2014-2015

THE MAGIC QUADRANT

www.gartner.com

Page 8: Gartner technologies for Infosec 2014-2015

THE MAGIC QUADRANT

www.gartner.com

Page 9: Gartner technologies for Infosec 2014-2015

TOP TEN TECHNOLOGIES FOR INFORMATION SECURITY

• Endpoint Detection and Response Solutions

• Big Data Security Analytics at the Heart of Next-generation Security Platforms

• Cloud Access Security Brokers

• Adaptive Access Control

• Pervasive Sandboxing (Content Detonation) and IOC Confirmation

• Machine-readable Threat Intelligence, Including Reputation Services

• Containment and Isolation as a Foundational Security Strategy

• Software-defined Security

• Interactive Application Security Testing

• Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

Page 10: Gartner technologies for Infosec 2014-2015

#2 ENCRYPTION | THE NYAKASURA -KYEBAMBE STORY

Bob, Alice, Alice's teacher

Message: "Hello Alice, I want to be with you longer than Fort Portal has existed!"

Page 11: Gartner technologies for Infosec 2014-2015

#2 ENCRYPTION | THE NYAKASURA -KYEBAMBE STORY

Bob, Alice, Alice's teacher

Message: "Hello Alice, I love the history you mentioned about Toro" = "I love you"

Page 12: Gartner technologies for Infosec 2014-2015

ENCRYPTION

Bob: Security admin, URA

Alice: Security admin, BoU

Page 13: Gartner technologies for Infosec 2014-2015

VIRTUALIZATION |THE DT SECTION ANALOGY

More than 500,000 customers — including 100% of the Fortune 100 — trust VMware as their virtualization infrastructure platform.

Page 14: Gartner technologies for Infosec 2014-2015

VIRTUALIZATION |THE DT SECTION ANALOGY

The IAC I see:

• DT mgt (RiK and supervisors)
• DT audit officers
• DT audits
} DT Section

Page 15: Gartner technologies for Infosec 2014-2015

TRIVIA MOMENT: BRAIN VS SUPERCOMPUTER

The Tianhe-2 has been developed by the National University of Defense Technology in central China's Changsha city and is capable of 33,860 quadrillion floating-point operations per second (33.86 petaflops). By comparison, IBM researchers have determined that the human brain is capable of 36.8 petaflops. A calculator needs 10 flops only.

Page 16: Gartner technologies for Infosec 2014-2015

# 1 | ENDPOINT DETECTION AND RESPONSE SOLUTIONS

The endpoint detection and response (EDR) market is an emerging market created to satisfy the need for continuous protection from advanced threats at endpoints (desktops, servers, tablets and laptops) — most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of ongoing attacks (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid

provide remediation capability

Page 17: Gartner technologies for Infosec 2014-2015

# 1 | ENDPOINT DETECTION AND RESPONSE SOLUTIONS

Endpoint solution

Page 18: Gartner technologies for Infosec 2014-2015

# 1 | ENDPOINT DETECTION AND RESPONSE SOLUTIONS

Nexpose and Metasploit

Page 19: Gartner technologies for Infosec 2014-2015
Page 20: Gartner technologies for Infosec 2014-2015

Market stats

http://www.checkpoint.com/testimonials/

Kitabo kya mu

94% of Fortune 100

Page 21: Gartner technologies for Infosec 2014-2015

Market stats

http://www.checkpoint.com/testimonials/

Kitabo kya mu

87% of Fortune 500

Page 22: Gartner technologies for Infosec 2014-2015
Page 23: Gartner technologies for Infosec 2014-2015
Page 24: Gartner technologies for Infosec 2014-2015
Page 25: Gartner technologies for Infosec 2014-2015
Page 26: Gartner technologies for Infosec 2014-2015

INFO SEC MOMENT | THE FIVE EYES

SIGINT: Signal Intelligence

en.wikipedia.org/wiki/Five_Eyes

Page 27: Gartner technologies for Infosec 2014-2015

# 2 | SOFTWARE-DEFINED SECURITY

Software-defined security is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on.

Like networking, compute and storage, the impact on security will be transformational. Software-defined security doesn't mean that some dedicated security hardware isn't still needed — it is.

However, like software-defined networking, the value and intelligence moves into software.

Page 28: Gartner technologies for Infosec 2014-2015

# 2 | SOFTWARE-DEFINED SECURITY

DECOUPLING ANALOGY | Tightly coupled system

ELECTRIC COOKER + POWER = COOKED FOOD

Page 29: Gartner technologies for Infosec 2014-2015

# 2 | SOFTWARE-DEFINED SECURITY

DECOUPLING ANALOGY | Loosely coupled system

GAS / ELECTRIC COOKER + POWER = COOKED FOOD

Page 30: Gartner technologies for Infosec 2014-2015

# 2 | SOFTWARE-DEFINED SECURITY

Unified threat management

1. Firewall
2. VPN
3. Intrusion Prevention System
Etc…

Page 31: Gartner technologies for Infosec 2014-2015

# 2 | SOFTWARE-DEFINED SECURITY

Page 32: Gartner technologies for Infosec 2014-2015

# 2 | SOFTWARE-DEFINED SECURITY

Cost is $2 per hour

Per day: 2 * 24 = $48

Per year: $48 * 365 = $17,520 (Ush 52.5 million)

Value proposition: $1 = Ushs 3,000

USD 1,460 or UGX 4,380,000 per month

Page 33: Gartner technologies for Infosec 2014-2015

# 2 | SOFTWARE-DEFINED SECURITY

$181,548 (Ushs 544,644,000). Save 90.3%!!!

Page 34: Gartner technologies for Infosec 2014-2015

# 2 | SOFTWARE-DEFINED SECURITY

Network Orchestration

Page 35: Gartner technologies for Infosec 2014-2015

Step 1:

Create Linux server from template

# 2 | SOFTWARE-DEFINED SECURITY

Page 36: Gartner technologies for Infosec 2014-2015

Step 2:

Run Upgrade to install latest updates

# 2 | SOFTWARE-DEFINED SECURITY

Page 37: Gartner technologies for Infosec 2014-2015

Step 3:

Register it with the network and start serving it traffic

# 2 | SOFTWARE-DEFINED SECURITY

Page 38: Gartner technologies for Infosec 2014-2015

Info sec moment | The $1bn Cyber heist

www.bbc.com/news/business-31482985
http://www.dailymail.co.uk/news/article-2955277/Computer-hacking-gang-ordered-ATM-machines-dispense-money-stole-tens-millions-UK-banks-largest-cyber-crime-detected.html#ixzz3UXLA0hGG

• Up to 100 banks and financial institutions worldwide have been attacked.

• Kaspersky Lab estimates $1bn (£648m) has been stolen in the attacks, which it says started in 2013 and are still ongoing.

• Attacks have taken place in 30 countries including financial firms in Russia, US, Germany, China, Ukraine and Canada.

• They steal money directly from banks and avoid targeting end users.

Page 39: Gartner technologies for Infosec 2014-2015

Info sec moment | The $1bn Cyber heist

www.bbc.com/news/business-31482985
http://www.dailymail.co.uk/news/article-2955277/Computer-hacking-gang-ordered-ATM-machines-dispense-money-stole-tens-millions-UK-banks-largest-cyber-crime-detected.html#ixzz3UXLA0hGG

How they did it

• They did this by sending authentic-looking emails that unsuspecting recipients then clicked on ('spear phishing'), infecting the bank's machines with Carbanak malware
• Hackers were then able to infiltrate the internal network and track down administrators' computers for video surveillance
• Ukrainian ATM was found to be giving out notes at random times. Videos showed they

Page 40: Gartner technologies for Infosec 2014-2015

# 3 | ADAPTIVE ACCESS CONTROL

Adaptive access control is a form of context-aware access control that acts to balance the level of trust against risk at the moment of access using some combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that access decisions reflect current condition, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. Use of an adaptive access management architecture enables an enterprise to allow access from any device, anywhere, and allows for social ID … range of corporate assets with mixed risk profiles.

Page 41: Gartner technologies for Infosec 2014-2015
Page 42: Gartner technologies for Infosec 2014-2015

# 3 | ADAPTIVE ACCESS CONTROL

URA CUSTOMS ANALOGY

1. TAX PAYER WHO DECLARES GOODS AT CUSTOMS – SUPPLICANT
2. TAX PAYER WHO DOESN'T KNOW THEY HAVE/HIDES TAXABLE GOODS – DEVICE WITH OUTDATED ANTI-VIRUS
3. TAX PAYER WHO IS AN AEO – IP-PHONE PRIVILEGES

Page 43: Gartner technologies for Infosec 2014-2015

# 3 | ADAPTIVE ACCESS CONTROL ISE ISE BABY!!!

Cisco Identity Services Engine (ISE)

Page 44: Gartner technologies for Infosec 2014-2015

# 3 | ADAPTIVE ACCESS CONTROL - POLICY

Page 45: Gartner technologies for Infosec 2014-2015

# 3 | ADAPTIVE ACCESS CONTROL -PERMISSIONS

Page 46: Gartner technologies for Infosec 2014-2015

# 3 | ADAPTIVE ACCESS CONTROL

Page 47: Gartner technologies for Infosec 2014-2015

#4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS

Enterprises, especially those in asset-intensive industries like manufacturing or utilities, have operational technology (OT) systems provided by equipment manufacturers that are moving from proprietary communications and networks to standards-based, IP-based technologies. More enterprise assets are being automated by OT systems based on commercial software products. The end result is that these embedded software assets need to be managed, secured and provisioned appropriately for enterprise-class use. OT is considered to be the industrial subset of the "Internet of Things," which will include billions of interconnected sensors, devices and systems, many of which will communicate without human involvement

Page 48: Gartner technologies for Infosec 2014-2015

TURKISH PIPELINE BURSTS DUE TO CYBER ATTACK

http://arstechnica.com/security/2014/12/hack-said-to-cause-fiery-pipeline-blast-could-rewrite-history-of-cyberwar/

“Attackers gained access to the pipeline's computerized operational controls and increased the pressure of the crude oil flowing inside. By hacking the video and sensors that closely monitored the 1,099-mile Baku-Tbilisi-Ceyhan pipeline, the attackers were able to prevent operators from learning of the blast until 40 minutes after it happened”

As investigators followed the trail of the failed alarm system, they found the hackers’ point of entry was an unexpected one: the surveillance cameras themselves.

The cameras’ communication software had vulnerabilities the hackers used to gain entry and move deep into the internal network, according to the people briefed on the matter.

Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious program on it. That gave them the ability to sneak back in whenever they wanted.

Page 49: Gartner technologies for Infosec 2014-2015

TURKISH PIPELINE BURSTS DUE TO CYBER ATTACK

http://arstechnica.com/security/2014/12/hack-said-to-cause-fiery-pipeline-blast-could-rewrite-history-of-cyberwar/

Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The back-up satellite signals failed, which suggested to the investigators that the attackers used sophisticated jamming equipment, according to the people familiar with the

Page 50: Gartner technologies for Infosec 2014-2015

The 2014 Infiniti Q50

Page 51: Gartner technologies for Infosec 2014-2015

#4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS

• The 2014 Infiniti Q50 would be the easiest of all to hack because its telematics, Bluetooth, and radio functions all run on the same network as the car's engine and braking systems, for instance, making it easier for an attacker to gain control of the car's computerized physical operations.

• The researchers say the 2014 Dodge Viper, the 2014 Audi A8, and the 2014 Honda Accord are the least hackable vehicles. They ranked the Audi A8 as the least hackable overall because its network-accessible potential attack surfaces are separated from the car's physical components such as steering, notes Miller. "Each feature of the car is separated on a different network and connected by a gateway," he says. "The wirelessly connected computers are on a separate network than the steering, which makes us believe that this car is harder to hack to gain control

Page 52: Gartner technologies for Infosec 2014-2015

#4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS

http://www.conlog.co.za/

Page 53: Gartner technologies for Infosec 2014-2015

#4 | SECURITY GATEWAYS, BROKERS AND FIREWALLS TO DEAL WITH THE INTERNET OF THINGS

Tools

https://www.paloaltonetworks.com/solutions/industry/scada-and-industrial-control.html
SCADA/ICS-specific signatures for Modbus, DNP3, CIP Ethernet/IP, IEC 60870-5-104, OPC

http://www.iconlabs.com/prod/products/device-protection/floodgate-defender-appliance

Page 54: Gartner technologies for Infosec 2014-2015

INFOSEC MOMENT | THE EQUATION GROUP

• Discovered by Kaspersky on February 16, 2015

• The group earned its name through its use of complex cryptographic algorithms to compromise targets.

• They have been operating in the shadows for over a decade.

• They compromised Seagate, Western Digital, Maxtor, Samsung and Toshiba hard drives

http://www.digitaltrends.com/computing/decrypt-this-the-equation-groups-scalpel-proves-the-sledgehammer-is-unneeded/#ixzz3UXFza65G
http://en.wikipedia.org/wiki/Equation_Group

Page 55: Gartner technologies for Infosec 2014-2015

INFOSEC MOMENT | THE EQUATION GROUP

• They developed malware which embeds itself in the firmware that runs the disk and gives command and control servers access to the disk and later computers

• It can transfer data from an air-gapped system through USB flash drives

• One of their biggest exploits is said to be the Stuxnet virus that affected Iran’s nuclear power plants.

• Timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday-Friday in what would correspond to a 08:00-17:00 workday in an Eastern United States time zone

http://www.digitaltrends.com/computing/decrypt-this-the-equation-groups-scalpel-proves-the-sledgehammer-is-unneeded/#ixzz3UXFza65G
http://en.wikipedia.org/wiki/Equation_Group

Page 56: Gartner technologies for Infosec 2014-2015

#5 | APPLICATION SECURITY TESTING

Interactive application security testing (IAST): combines static application security testing (SAST) and dynamic application security testing (DAST) techniques. This aims to provide increased accuracy of application security testing through the interaction of the SAST and DAST techniques. IAST brings the best of SAST and DAST into a single solution. This approach makes it possible to confirm or disprove the exploitability of the detected vulnerability and determine its point of origin in the application code.

Static application security testing (SAST): is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a non-running state.

DAST: running state. SAST: non-running state. IAST: both running and non-running state.

Page 57: Gartner technologies for Infosec 2014-2015

• Higher Confidence Results: Combine the detection of a potential vulnerability found through SAST with verification through a real-time exploit attempt provided by DAST. IAST determines whether the vulnerability is real and where in the code it is located.

• Comprehensive Analysis: Tune the DAST analysis based on Coverity’s deep understanding of the application’s entry points and parameters.

• Improved Efficiency: Address proven vulnerabilities more quickly and easily from within a unified workflow.

http://www.coverity.com/

Kitabo kya mu

Page 58: Gartner technologies for Infosec 2014-2015

• 8 of the 10 top global brands
• 7 of the 10 top aerospace and defense companies
• 9 of the 10 top technology hardware companies
• 9 of the 10 top software companies

Kitabo kya mu

Page 59: Gartner technologies for Infosec 2014-2015

Google Project Zero

http://googleprojectzero.blogspot.com/
http://money.cnn.com/2014/07/17/technology/security/google-cyberattacks/

Page 60: Gartner technologies for Infosec 2014-2015
Page 61: Gartner technologies for Infosec 2014-2015

# 6 | MACHINE-READABLE THREAT INTELLIGENCE (MRTI), INCLUDING REPUTATION SERVICES

The ability to integrate with external context and intelligence feeds is a critical differentiator for next-generation security platforms. Third-party sources for machine-readable threat intelligence are growing in number and include a number of reputation feed alternatives. Reputation services offer a form of dynamic, real-time “trustability” rating that can be factored into security decisions. For example, user and device reputation as well as URL and IP address reputation scoring can be used in end-user access decisions.
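The adaptive access control text on page 40 and the reputation-feed text above describe one decision seen from two sides: the context of the request (device posture, what is being accessed) and an externally supplied, machine-readable "trustability" score for the source. The following Python is an added example for this presentation; it is not code from the deck or from any vendor named in it. The JSON feed layout, the scoring weights, the 30/80 thresholds and every address, user and domain in it are assumptions chosen for illustration.

```python
"""Adaptive access decision fed by machine-readable reputation data.

Added example for this presentation; it is not code from the deck or from any
vendor product. The feed format, the scoring weights, the thresholds and the
sample values are assumptions chosen for illustration.
"""
import ipaddress
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed reputation feed: a machine-readable JSON list such as a third-party
# reputation service might publish. Indicators use documentation address ranges.
REPUTATION_FEED_JSON = """
[
  {"indicator": "203.0.113.0/24", "type": "ipv4-net", "score": 90, "label": "scanner"},
  {"indicator": "198.51.100.7",   "type": "ipv4",     "score": 60, "label": "anonymizer"},
  {"indicator": "evil.example",   "type": "domain",   "score": 95, "label": "c2"}
]
"""


def load_feed(feed_json):
    """Parse the feed into (network, score) pairs for IPs and a dict for domains."""
    nets, domains = [], {}
    for entry in json.loads(feed_json):
        if entry["type"] in ("ipv4", "ipv4-net"):
            net = ipaddress.ip_network(entry["indicator"], strict=False)
            nets.append((net, entry["score"]))
        elif entry["type"] == "domain":
            domains[entry["indicator"].lower()] = entry["score"]
    return nets, domains


def ip_reputation(nets, ip):
    """Worst (highest) feed score of any entry covering ip; 0 when unlisted."""
    addr = ipaddress.ip_address(ip)
    return max((score for net, score in nets if addr in net), default=0)


def url_reputation(domains, url):
    """Score a URL by its host or any parent domain listed in the feed."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels)))
    return max((domains.get(c, 0) for c in candidates), default=0)


@dataclass
class AccessContext:
    """Context available at the moment of access (fields are assumptions)."""
    user: str
    source_ip: str
    av_signature_age_days: int   # device posture: staleness of the AV database
    managed_device: bool
    asset_sensitivity: str       # "low", "medium" or "high"
    mfa_completed: bool = False  # trust elevation already performed?


def risk_score(ctx, nets):
    """Combine source reputation, device posture and asset sensitivity into 0..100."""
    score = ip_reputation(nets, ctx.source_ip)
    if ctx.av_signature_age_days > 7:      # the "outdated anti-virus" device
        score += 20
    if not ctx.managed_device:
        score += 25
    score += {"low": 0, "medium": 10, "high": 25}[ctx.asset_sensitivity]
    return min(score, 100)


def decide(ctx, nets):
    """Return 'allow', 'step_up' (ask for trust elevation) or 'deny'.

    Dynamic risk mitigation: a request that would otherwise be blocked is
    allowed once the user has completed step-up authentication.
    """
    score = risk_score(ctx, nets)
    if score >= 80:
        return "deny"
    if score >= 30:
        return "allow" if ctx.mfa_completed else "step_up"
    return "allow"


if __name__ == "__main__":
    feed_nets, feed_domains = load_feed(REPUTATION_FEED_JSON)
    requests = [
        AccessContext("alice", "10.0.0.5", 1, True, "low"),
        AccessContext("bob", "10.0.0.5", 30, True, "medium"),
        AccessContext("bob", "10.0.0.5", 30, True, "medium", mfa_completed=True),
        AccessContext("mallory", "203.0.113.45", 0, True, "low"),
    ]
    for req in requests:
        print(req.user, req.source_ip, risk_score(req, feed_nets), decide(req, feed_nets))
    print("url score:", url_reputation(feed_domains, "http://cdn.evil.example/update"))
```

The middle band is where the "trust elevation" of the text lives: bob's stale signatures plus a medium-sensitivity asset would be blocked by a static rule, but here the engine asks for step-up authentication and allows the access once it succeeds, while a source listed by the feed as a scanner is denied outright regardless of posture.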

Page 62: Gartner technologies for Infosec 2014-2015
Page 63: Gartner technologies for Infosec 2014-2015

http://www.norse-corp.com/darkviking.html

Page 64: Gartner technologies for Infosec 2014-2015
Page 65: Gartner technologies for Infosec 2014-2015
Page 66: Gartner technologies for Infosec 2014-2015
Page 67: Gartner technologies for Infosec 2014-2015

SONY HACK

http://www.geek.com/news/sony-just-got-hacked-doxxed-and-shut-down-1610274/

http://money.cnn.com/2015/02/05/media/amy-pascal-resigns-sony/

Repercussions

1. Movies such as Annie leaked.
2. Emails released
3. Sony Co-chair Amy Pascal resigned after 15 years at Sony
4. Financial loss by lost movie revenue and reputation

Page 68: Gartner technologies for Infosec 2014-2015

#6 | DATA LOSS/LEAKAGE PREVENTION

Data Leakage Prevention identifies, monitors, and protects data transfer through deep content inspection and analysis of transaction parameters (such as source, destination, data object, and protocol), with a centralized management framework.

Page 69: Gartner technologies for Infosec 2014-2015

#6 | DATA LOSS/LEAKAGE PREVENTION

1. The Data Loss Prevention Software Blade is enabled on a Security Gateway
3. Security mgt server to install the DLP Policy on the DLP gateway
4. Proxy server through which data leaves the organization
5. Mail server through which information can leave the organization
6. Active Directory to identify the internal organization
7. Logging analysis through SmartView Tracker and SmartEvent

Page 70: Gartner technologies for Infosec 2014-2015

#6 | DATA LOSS/LEAKAGE PREVENTION

1. Create a policy that blocks transfer of videos off the network and to other servers
2. Send the policy out to the monitoring device.
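The definition on page 68 stresses that the decision is made by deep content inspection together with the transaction parameters (source, destination, data object, protocol). The following Python is an added example of the "block videos" policy in steps 1 and 2; it is not code from the presentation or from Check Point. The internal address ranges, the single approved media server, the container signatures and the sample transfers are constructed for illustration.

```python
"""DLP policy check with deep content inspection of the data object.

Added example for this presentation; not code from the deck or from Check Point.
The transaction model, the policy, the address ranges and the sample transfers
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Container signatures checked against the first bytes of the object, so a video
# renamed to ".txt" is still recognised (constructed list, not exhaustive).
VIDEO_SIGNATURES = {
    "mp4": lambda b: len(b) >= 12 and b[4:8] == b"ftyp",
    "avi": lambda b: b[:4] == b"RIFF" and b[8:12] == b"AVI ",
    "mkv": lambda b: b[:4] == b"\x1a\x45\xdf\xa3",
}

# Assumptions: the organisation's internal ranges and the one media server that
# is allowed to receive video.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
APPROVED_MEDIA_SERVERS = {"10.0.5.20"}


@dataclass
class Transfer:
    """Transaction parameters the DLP engine sees for one data transfer."""
    source: str
    destination: str
    protocol: str
    filename: str
    content: bytes


def detect_video(content):
    """Return the container type if the bytes look like a video, else None."""
    for kind, matches in VIDEO_SIGNATURES.items():
        if matches(content):
            return kind
    return None


def is_internal(address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(transfer):
    """Apply the policy: videos may only go to an approved internal media server.

    Returns (action, reason) where action is "allow" or "block".
    """
    kind = detect_video(transfer.content)
    if kind is None:
        return "allow", "no video content detected"
    if not is_internal(transfer.destination):
        return "block", f"{kind} video leaving the network to {transfer.destination} ({transfer.protocol})"
    if transfer.destination not in APPROVED_MEDIA_SERVERS:
        return "block", f"{kind} video to non-approved server {transfer.destination} ({transfer.protocol})"
    return "allow", f"{kind} video to approved media server {transfer.destination}"


# Constructed sample transfers. The first is a real MP4 header under a misleading
# name; the second is plain text under a video name.
MP4_HEADER = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
SAMPLE_TRANSFERS = [
    Transfer("10.0.3.14", "203.0.113.9", "https", "notes.txt", MP4_HEADER),
    Transfer("10.0.3.14", "203.0.113.9", "smtp", "movie.mp4", b"quarterly figures attached"),
    Transfer("10.0.3.14", "10.0.5.20", "smb", "training.mp4", MP4_HEADER),
    Transfer("10.0.3.14", "10.0.7.3", "smb", "training.mp4", MP4_HEADER),
]


def run_policy(transfers=SAMPLE_TRANSFERS):
    """Evaluate every transfer; returns a list of (filename, action, reason)."""
    return [(t.filename, *evaluate(t)) for t in transfers]


if __name__ == "__main__":
    for filename, action, reason in run_policy():
        print(f"{action:5}  {filename:14}  {reason}")
```

The first two sample transfers are the point of the exercise: the MP4 called notes.txt is blocked and the text file called movie.mp4 is allowed, because the object's bytes, not its name, decide what it is.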

Page 71: Gartner technologies for Infosec 2014-2015

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

Going forward, all effective security protection platforms will include domain-specific embedded analytics as a core capability. An enterprise's continuous monitoring of all computing entities and layers will generate a greater volume, velocity and variety of data than traditional SIEM systems can effectively analyze. Gartner predicts that by 2020, 40 percent of enterprises will have established a "security data warehouse" for the storage of this monitoring data to support retrospective analysis. By storing and analyzing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of "normal" can be established and data analytics can be used to identify when meaningful deviations from normal have occurred.

Page 72: Gartner technologies for Infosec 2014-2015
Page 73: Gartner technologies for Infosec 2014-2015

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

Page 74: Gartner technologies for Infosec 2014-2015

ANALOGY : NETFLIX’S HOUSE OF CARDS

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

Page 75: Gartner technologies for Infosec 2014-2015

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

ANALOGY : NETFLIX’S HOUSE OF CARDS

Analysis done: the same subscribers who loved the original BBC production of House of Cards also;

• Watched movies starring Kevin Spacey or
• Watched movies directed by David Fincher

www.salon.com/2013/02/01/how_netflix_is_turning_viewers_into_puppets/

Page 76: Gartner technologies for Infosec 2014-2015

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

ANALOGY : NETFLIX’S HOUSE OF CARDS

Reaction by Netflix

1. Hired Kevin Spacey as actor and director David Fincher for the new series
2. Spent $100 million for two 13-episode seasons.

Page 77: Gartner technologies for Infosec 2014-2015

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

ANALOGY : NETFLIX’S HOUSE OF CARDS

Results;

1. Netflix has already earned its $100 million back with profit
2. Added more than 2 million U.S. subscribers that quarter
3. Added another 1 million elsewhere in the world and surpassed HBO.
4. Netflix has since risen to 50 million subscribers globally
5. Season 3 is out!

Page 78: Gartner technologies for Infosec 2014-2015

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

SCENARIOS

1. User cjuuko logged on to E-tax from separate machines at the same URA campus.
Reaction: Store as alert

Page 79: Gartner technologies for Infosec 2014-2015

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

SCENARIOS

2. User jkiiza logged on to E-tax from separate machines at the same URA campus.
Reaction: Send SMS and email to members in security and log as high risk alert for follow-up investigation

Page 80: Gartner technologies for Infosec 2014-2015

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

SCENARIOS

3. User ebichetero logged on to E-tax from a machine at Nakawa HQ and to Asyworld from a machine at Bunagana.
Reaction: Send SMS and email to members in security and log as high risk alert for follow-up investigation
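The three scenarios are one detection written three times: a single account in use from more than one machine inside a short window, escalated when the machines sit at different sites. The following Python is an added example that runs that logic over constructed logon records; it is not code from the presentation or from any SIEM product. The log format, the 30-minute window and the sample lines are constructed. The slides do not say why cjuuko's case is only stored while jkiiza's is escalated; here that difference is modelled by a privileged-user list, which is an assumption.

```python
"""Logon correlation implementing the three E-tax scenarios from the slides.

Added example for this presentation; it is not code from the deck or from any
SIEM product. The log format, the time window and the sample lines are
constructed. The slides do not say why cjuuko's case is only stored while
jkiiza's is escalated; here that difference is modelled by a privileged-user
list, which is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application logon records (successful logons only).
SAMPLE_LOGS = """\
2015-07-15T09:01:12 app=E-tax user=cjuuko host=WS-114 site=Nakawa result=success
2015-07-15T09:04:40 app=E-tax user=cjuuko host=WS-227 site=Nakawa result=success
2015-07-15T09:10:05 app=E-tax user=jkiiza host=WS-301 site=Nakawa result=success
2015-07-15T09:12:51 app=E-tax user=jkiiza host=WS-088 site=Nakawa result=success
2015-07-15T09:15:00 app=E-tax user=ebichetero host=WS-019 site=Nakawa result=success
2015-07-15T09:21:33 app=Asyworld user=ebichetero host=BG-002 site=Bunagana result=success
2015-07-15T09:30:00 app=E-tax user=akato host=WS-150 site=Nakawa result=success
2015-07-15T11:30:00 app=E-tax user=akato host=WS-151 site=Nakawa result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"site=(?P<site>\S+) result=success$"
)
WINDOW = timedelta(minutes=30)   # assumption: concurrent-use window
PRIVILEGED_USERS = {"jkiiza"}    # assumption, see module docstring


def parse_logs(text):
    """Yield one dict per well-formed successful logon line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def classify(user, cluster):
    """Map a cluster of logons from >1 machine to a severity and a reaction."""
    sites = {e["site"] for e in cluster}
    if len(sites) > 1 or user in PRIVILEGED_USERS:
        return "high", ["sms_security_team", "email_security_team", "log_high_risk_alert"]
    return "low", ["store_alert"]


def analyze(text, window=WINDOW):
    """Return {user: finding} for users seen on more than one machine within window."""
    by_user = defaultdict(list)
    for event in parse_logs(text):
        by_user[event["user"]].append(event)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in cluster}
            if len(hosts) < 2:
                continue
            severity, actions = classify(user, cluster)
            findings[user] = {
                "severity": severity,
                "actions": actions,
                "hosts": sorted(hosts),
                "sites": sorted({e["site"] for e in cluster}),
                "apps": sorted({e["app"] for e in cluster}),
            }
            break  # one finding per user is enough for the analyst queue
    return findings


if __name__ == "__main__":
    for user, finding in analyze(SAMPLE_LOGS).items():
        print(user, finding["severity"], finding["sites"], finding["actions"])
```

The fourth user, akato, logs on from two machines two hours apart and produces no finding: the time window is what separates "the same person moved desks" from "two sessions at once", and tuning it is the analyst's first job when this rule is deployed.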

Page 81: Gartner technologies for Infosec 2014-2015

TOOLS OF TRADE

http://www8.hp.com/us/en/software-solutions/siem-security-information-event-management/

#7 | BIG DATA SECURITY ANALYTICS AT THE HEART OF NEXT-GENERATION SECURITY PLATFORMS

Page 82: Gartner technologies for Infosec 2014-2015

TRIVIA MOMENT : SOURCE OF ATTACKS

Page 83: Gartner technologies for Infosec 2014-2015

MURDER IN THE CLOUD

Code Spaces was a company that offered developers source code repositories and project management services using Git or Subversion, among other options. It had been going for seven years, and it had no shortage of customers. But it's all over now -- the company was essentially murdered by an attacker.

Code Spaces was built mostly on AWS, using storage and server instances to provide its services. Those server instances weren't hacked, nor was Code Spaces' database compromised or stolen. According to the message on the Code Spaces' website, an attacker gained access to the company's AWS control panel and demanded money in exchange for releasing control back to Code Spaces. When Code Spaces didn't comply and tried to take back control over its own services, the attacker began deleting resources. As the message on the website reads: "We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances."

http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html

Page 84: Gartner technologies for Infosec 2014-2015

#8 | CLOUD ACCESS SECURITY BROKERS

Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers allow enterprises to gain visibility and control as their users access cloud

Page 85: Gartner technologies for Infosec 2014-2015

#8 | CLOUD ACCESS SECURITY BROKERS

Page 86: Gartner technologies for Infosec 2014-2015

• Spend Optimization

• Cost allocation

• Resource reporting

• Security policy management

• Continuous monitoring

#8 | CLOUD ACCESS SECURITY BROKERS

Page 87: Gartner technologies for Infosec 2014-2015
Page 88: Gartner technologies for Infosec 2014-2015

http://www.safenet-inc.com/

Page 89: Gartner technologies for Infosec 2014-2015

Netflix simian army

#8 | CLOUD ACCESS SECURITY BROKERS

Page 90: Gartner technologies for Infosec 2014-2015

en.wikipedia.org/wiki/Chaos_Monkey

#8 | CLOUD ACCESS SECURITY BROKERS

Page 91: Gartner technologies for Infosec 2014-2015

Info Sec moment |Tailored Access Operations (TAO)

http://en.wikipedia.org/wiki/Tailored_Access_Operations
https://www.schneier.com/blog/archives/2013/12/more_about_the.html
https://www.eff.org/deeplinks/2014/03/new-nsa-slides-reveal-tailored-access-run-amok

Cyber-warfare intelligence-gathering unit of the National Security Agency (NSA)

• They are a last resort for use when other methods of surveillance fail
• Largest and arguably the most important component of the NSA's huge Signal Intelligence (SIGINT) Directorate, consisting of [more than] 1,000 military and civilian computer hackers, intelligence analysts, targeting specialists, computer hardware and software designers, and electrical engineers

Page 92: Gartner technologies for Infosec 2014-2015

Info Sec moment |Tailored Access Operations (TAO)

Operations

• Their major tool is called “QUANTUMTHEORY”
• It targets Internet service providers including Facebook, Yahoo, Twitter and YouTube.
• They have software templates allowing them to break into commonly used hardware, including “routers, switches, and firewalls from multiple product vendor lines”
• They redirect traffic from these sites to fake servers which have malware that automatically exploits weaknesses on end-user machines, e.g. the Belgacom and Huawei incidents.

http://en.wikipedia.org/wiki/Tailored_Access_Operations
https://www.schneier.com/blog/archives/2013/12/more_about_the.html
https://www.eff.org/deeplinks/2014/03/new-nsa-slides-reveal-tailored-access-run-amok

Page 93: Gartner technologies for Infosec 2014-2015

#9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATORS OF COMPROMISE (IOC) CONFIRMATION

Some attacks will inevitably bypass traditional blocking and prevention security protection mechanisms, in which case it is key to detect the intrusion in as short a time as possible to minimize the hacker's ability to inflict damage or exfiltrate sensitive information. Many security platforms now include embedded capabilities to run ("detonate") executables and content in virtual machines (VMs) and observe the VMs for indications of compromise. This capability is rapidly becoming a feature of a more-capable platform, not a stand-alone product or market. Once a potential incident has been detected, it needs to be confirmed by correlating indicators of compromise across different entities — for example, comparing what a network-based threat detection system sees in a sandboxed environment to what is being observed on actual endpoints in terms of processes, behaviors, registry entries and so on.

Page 94: Gartner technologies for Infosec 2014-2015

#9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATORS OF COMPROMISE (IOC) CONFIRMATION

Page 95: Gartner technologies for Infosec 2014-2015

Info Sec moment | Hijacking a bank account

Page 96: Gartner technologies for Infosec 2014-2015
Page 97: Gartner technologies for Infosec 2014-2015

#9 | PERVASIVE SANDBOXING (CONTENT DETONATION) AND INDICATORS OF COMPROMISE (IOC) CONFIRMATION

1. Receive an email from [email protected]
2. The email is scanned for viruses and malware using known threat signatures; none is discovered, but an unknown program is seen in the attachment, so the email is put in a VM with known baselines for threat analysis
3. Once the configuration of the virtual machine changes, the email is not sent to the intended recipient but to ThreatCloud for analysis. A signature is then developed for it, as well as anti-virus signatures
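The confirmation step the #9 text describes, comparing what the sandbox saw with what the real endpoints report in terms of processes, registry entries and so on, as an added Python example. It is not code from the presentation or from any vendor sandbox; the report layout, the indicator weights, the threshold and every sample value, including the hash, are constructed for illustration. The weighting makes the point that matching only a commodity process such as cmd.exe should not confirm compromise on its own.

```python
"""Confirming a sandbox detection by correlating its IOCs with endpoint telemetry.

Added example for this presentation; it is not code from the deck or from any
vendor sandbox. The report layout, the indicator weights, the threshold and all
sample values (including the hash) are constructed for illustration.
"""
from collections import defaultdict

# Constructed output of detonating a suspicious attachment in a VM.
SANDBOX_REPORT = {
    "sample_sha256": "c0ffee" * 10 + "c0ff",  # placeholder hash, constructed
    "processes": ["invoice_viewer.exe", "cmd.exe", "powershell.exe"],
    "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc"],
    "network": ["198.51.100.23:443"],
    "files": [r"C:\Users\Public\updsvc.exe"],
}

# Constructed endpoint telemetry: (host, kind, value) observations.
ENDPOINT_TELEMETRY = [
    ("HOST-A", "hash", "c0ffee" * 10 + "c0ff"),
    ("HOST-B", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc"),
    ("HOST-B", "network", "198.51.100.23:443"),
    ("HOST-C", "process", "cmd.exe"),
    ("HOST-C", "process", "powershell.exe"),
    ("HOST-D", "process", "invoice_viewer.exe"),
    ("HOST-D", "file", r"C:\Users\Public\updsvc.exe"),
    ("HOST-E", "process", "explorer.exe"),
]

# Processes that appear on healthy machines too; matching them alone proves little.
GENERIC_PROCESSES = {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe"}
CONFIRM_THRESHOLD = 4  # assumption


def build_indicators(report):
    """Turn the sandbox report into {(kind, value): weight}; weights are assumptions."""
    iocs = {("hash", report["sample_sha256"].lower()): 5}
    for proc in report["processes"]:
        iocs[("process", proc.lower())] = 1 if proc.lower() in GENERIC_PROCESSES else 2
    for key in report["registry"]:
        iocs[("registry", key.lower())] = 3
    for dest in report["network"]:
        iocs[("network", dest.lower())] = 3
    for path in report["files"]:
        iocs[("file", path.lower())] = 2
    return iocs


def correlate(iocs, telemetry, threshold=CONFIRM_THRESHOLD):
    """Score each host by the weighted IOCs seen on it; confirm those over threshold."""
    hosts = defaultdict(lambda: {"score": 0, "matched": []})
    for host, kind, value in telemetry:
        weight = iocs.get((kind, value.lower()))
        if weight:
            hosts[host]["score"] += weight
            hosts[host]["matched"].append(f"{kind}:{value}")
    return {
        host: {**data, "confirmed": data["score"] >= threshold}
        for host, data in hosts.items()
    }


def confirmed_hosts(report=SANDBOX_REPORT, telemetry=ENDPOINT_TELEMETRY):
    """Hosts on which the sandbox detection is confirmed, sorted by name."""
    results = correlate(build_indicators(report), telemetry)
    return sorted(h for h, d in results.items() if d["confirmed"])


if __name__ == "__main__":
    scored = correlate(build_indicators(SANDBOX_REPORT), ENDPOINT_TELEMETRY)
    for host, data in sorted(scored.items()):
        state = "confirmed" if data["confirmed"] else "unconfirmed"
        print(host, data["score"], state, data["matched"])
```

HOST-C shows the two commodity processes the sample also launched and stays unconfirmed; HOST-B shows none of the processes but the persistence key and the callback destination, which is what the "registry entries and so on" comparison in the text is for.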

Page 98: Gartner technologies for Infosec 2014-2015

#10 | CONTAINMENT AND ISOLATION AS A FOUNDATIONAL SECURITY STRATEGY

In a world where signatures are increasingly ineffective in stopping attacks, an alternative strategy is to treat everything that is unknown as untrusted and isolate its handling and execution so that it cannot cause permanent damage to the system it is running on and cannot be used as a vector for attacks on other enterprise systems. Virtualization, isolation, abstraction and remote presentation techniques can be used to create this containment so that, ideally, the end result is similar to using a separate "air-gapped" system to handle untrusted content and applications. Virtualization and containment strategies will become a common element of a defense-in-depth protection strategy for enterprise systems, reaching 20 percent adoption by 2016 from nearly no

Page 99: Gartner technologies for Infosec 2014-2015

Analogy | Russian / Matryoshka Doll

Salt, Chili, Oil, Potassium, Water

en.wikipedia.org/wiki/Matryoshka_doll

Page 100: Gartner technologies for Infosec 2014-2015

CHECKPOINT CAPSULE

Check Point Capsule enables organizations to extend their corporate security policy to mobile devices, providing real-time protection against web threats for mobile users outside of the enterprise security perimeter. Check Point Capsule offers the protection of the Check Point Software Blades as a cloud-based service, and ensures that corporate policy is always enforced and corporate data and devices are protected.

http://www.checkpoint.com/capsule/

Page 101: Gartner technologies for Infosec 2014-2015
Page 102: Gartner technologies for Infosec 2014-2015

Enterprise trust zone

Personal trust zone

Page 103: Gartner technologies for Infosec 2014-2015
Page 104: Gartner technologies for Infosec 2014-2015

Caveat | The Advanced Persistent Threat

“There is no such thing as cybersecurity. No system can be 100% secure. There is no uncrackable code.”

“The only thing you can do is build the fence higher and higher so that eventually it's not worth it to climb over”

Joshua Shaul, Chief Technology Officer, Application Security | McAfee

Page 105: Gartner technologies for Infosec 2014-2015