2013 Information Security Risks Year-End Review Caleb Barlow Director – IBM Application, Data, Mobile, Critical Infrastructure Security www.facebook.com/barlow.caleb www.youtube.com/calebbarlow

Rochester Security Event



Page 2: Rochester Security Event

© 2013 IBM Corporation 2

Page 3: Rochester Security Event

Threat landscape is growing fast

In 2000: 361 million people using the Internet (5.8% of the world’s population)

In 2012: 2.67 billion people using the Internet (33% of the world’s population)

Page 4: Rochester Security Event

… and becoming Mobile

In 2000: 720 million mobile subscribers worldwide (12% of the world’s population)

In 2012: 6 billion mobile subscribers worldwide (87% of the world’s population)

Page 5: Rochester Security Event

Innovative technology changes everything

Bring your own IT

Social business

Cloud and virtualization

1 billion mobile workers

1 trillion connected objects

Page 6: Rochester Security Event

QR Codes

§  A QR code can contain a URL to download malware

§  The malware can then send SMS messages to a premium rate number (US $6 per message)

§  A Samsung Galaxy S3 can be reset from a QR code, wiping all data

§  Google Glass vulnerability identified by Lookout Security

http://www.zdnet.com/samsung-galaxy-s3-vulnerable-to-remote-malicious-reset-7000004771/

http://siliconangle.com/blog/2011/10/21/infected-qr-malware-surfaces-on-smartphones-apps/

http://www.forbes.com/sites/andygreenberg/2013/07/17/google-glass-hacked-with-qr-code-photobombs/

Page 7: Rochester Security Event

How do Mobile Applications treat you?

Page 8: Rochester Security Event


Page 9: Rochester Security Event

Motivation and sophistication are evolving rapidly

[Chart: motivation on one axis, sophistication on the other]

Nuisance, Curiosity: Insiders, Spammers, Script-kiddies (Nigerian 419 Scams, Code Red)

Monetary Gain: Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack)

Notoriety, Activism, Defamation: Hacktivists (Lulzsec, Anonymous)

National Security, Economic Espionage: Nation-state actors, APTs (Stuxnet, Aurora, APT-1)

Page 10: Rochester Security Event

X-Force Trend and Risk Report

Crawler
•  Over 1000 CPUs scanning the Internet 24x7

Darknet and Honeypots
•  Capturing information from virgin IP addresses

SpamTrap
•  Obtains Spam IPs and samples

Managed Services
•  15B security events a day across 133 countries and over 20,000 devices under contract

Page 11: Rochester Security Event

Source: IBM X-Force® Research 2013 Trend and Risk Report

Page 12: Rochester Security Event

2012 Sampling of Security Incidents by Attack Type, Time and Impact

Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses

Source: IBM X-Force® Research 2013 Trend and Risk Report

Page 13: Rochester Security Event


Security Incidents in the first half of

Page 14: Rochester Security Event

Low risk / high reward

§  Old CMS installations

§  CMS Plugins

§  Forum software

§  Other popular 3rd party scripts

of tracked disclosed breaches

still reliable for breaching databases

Page 15: Rochester Security Event

continue to disrupt businesses

Industries affected:

§  Banks

§  Governments

§  DNS Providers

High traffic volume as much as

Page 16: Rochester Security Event

attacks compromise end user trust

Targeting Savvy Users

§  Tech company developers

§  Government Employees

§  Unsuspecting viewers of trusted sites

Tainting legitimate sites with zero-day exploits

Page 17: Rochester Security Event

foreign branch or local language sites tarnish brands

Global brands targeted in foreign countries outside of home office

Attackers rely on

§  Lower security on local language sites

§  Temporary micro-sites which gather user data

§  Tarnish brands with path of least resistance

Page 18: Rochester Security Event


countries most impacted by security incidents

The United States most reported breach target location

Taiwan was targeted in several foreign branch security incidents

Page 19: Rochester Security Event

has become a new playground for attackers

Social media is a top target for attacks, and mobile devices are expanding those targets

-  Pre-attack intelligence gathering

-  Criminals selling accounts

-  Campaigns enticing users to click on malicious links

Page 20: Rochester Security Event


Page 21: Rochester Security Event

[Chart: axes labelled Time and Products]

Page 22: Rochester Security Event

[Chart: axes labelled Time and Products; labels: Complexity, Cost, Agility, Effectiveness]

Page 23: Rochester Security Event

Your security team sees noise

Page 24: Rochester Security Event

Security challenges are a complex, four-dimensional puzzle…

…that requires a new approach

People: Attackers, Suppliers, Consultants, Partners, Employees, Outsourcers, Customers

Data: At rest, In motion, Unstructured, Structured

Applications: Web Applications, Systems Applications, Web 2.0, Mobile Applications

Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional

Page 25: Rochester Security Event

…that requires a new approach

Collect and Analyze Everything

People: then Administration, now Insight

Data: then Basic-control, now Laser-focused

Applications: then Bolt-on, now Built-in

Infrastructure: then Thicker walls, now Smarter defenses

Page 26: Rochester Security Event

A change in mindset is already happening

Page 27: Rochester Security Event

Monitor Everything

Page 28: Rochester Security Event

Consume Threat Intelligence

Page 29: Rochester Security Event

Integrate Across Domains

Page 30: Rochester Security Event

Security Intelligence

Page 31: Rochester Security Event


Intelligence

Integration

Expertise

IBM Security Framework

Page 32: Rochester Security Event

A comprehensive portfolio of products and services across all domains

Page 33: Rochester Security Event

With Fiberlink, only IBM will provide the full spectrum of mobile management and security needs

Requirements for Mobile Management and Security (Business Span of Control, from High to Low): Corporate Owned Assets, Employees w/BYOD, Task/Temp Workers, Business Partners, Consumer Transactions

Solution Approaches: Mobile Device Management; Containers – App Wrapping and SDKs; Secure Transactions

IBM / Fiberlink Offerings: IBM Security Access Manager for Mobile

Planned Integration Points:

•  SDKs will be packaged in Worklight IDE so all apps can be secured (IBM Worklight)

•  Security information and events will feed into QRadar for analysis and actions will return to mobile tools (IBM QRadar)

•  Code scans will be integrated into the process before apps are deployed into app store/catalog (IBM AppScan)

Page 34: Rochester Security Event

Mobile Security Framework

Secure the Device: Enroll, Configure, Monitor, Provision, Wipe, Fingerprint

Secure the Application: iOS / Android Static Scanning, Worklight Mobile IDE, Experience Management, Tamper Proofing (*partner)

Trusted Transactions: Mobile Access Mgmt, Identity Federation, Application Level VPN, Secure API Connectivity

Malware & Fraud Detection: Device & Location Risk, Account Takeover, Jailbreak, Device Rooted

Enterprise Applications, Enterprise Container, Personal, Cloud Services

Security Intelligence: SIEM, Threat Research

Page 35: Rochester Security Event

Who is Fiberlink?

§  Founded in 1991, Fiberlink has built expertise in delivering mobile management and security services as a service

§  Headquartered in Blue Bell, PA

§  Provides Mobile Device Management, Mobile Application Management, Enterprise Container with SDK and App-Wrapping, Secure Document Sharing and Mobile Expense Management as a Service, helping enterprises connect, control and secure mobile devices to gain competitive advantage, increase employee productivity, and implement proper security measures

§  Industry leading and award winning

§  Cloud-based mobility management platform

§  Seamless integration with existing enterprise systems

§  Broad range of mobile OS support

§  Robust policies for Bring Your Own Device (BYOD) security and privacy

§  3500+ clients

§  Marquee financial, healthcare, public sector, education, and retail customers

§  Delivering value to enterprises of all sizes: small to large

Page 36: Rochester Security Event

Industry analysts rank IBM Security as leading the market

Security Analyst Report Rankings, by Domain and Market Segment / Report

Report columns: Gartner Magic Quadrant, Forrester Wave, IDC Market Share

Security Intelligence
§  Security Information and Event Management (SIEM): Leader 2013; Leader 2011

People
§  Identity and Access Governance: Challenger 2013; Leader 2013
§  Identity and Access Management Suites: Strong Performer 2013
§  User Provisioning and Administration: Leader 2013
§  Role Management and Access Recertification: Contender 2011
§  Web Access Management (WAM): Leader 2013 MarketScope

Data
§  Database Auditing and Real-Time Protection: Leader 2011
§  Data Masking: Leader 2013

Applications
§  Application Security Testing (dynamic and static): Leader 2013; Leader 2013

Infrastructure
§  Network Intrusion Prevention Systems (NIPS): Challenger 2012
§  EndPoint Protection Platforms (EPP): Visionary 2013; Strong Performer 2013

Services
§  Managed Security Services (MSS): Leader 2012; Leader 2012
§  Information Security Consulting Services: Leader 2013

Legend: No report available

Note: Rankings compiled from latest available analyst reports as of September, 2013

Page 37: Rochester Security Event

Chief Information Security Officers: 2013 IBM CISO Study

“Strategic vision… Global consistency… Lots of communication… speak business value, understand risk… minimize the impact… be on the bleeding edge…”

IBM Confidential

Formalize your role as a CISO

Establish a security strategy

Focus on overall risk

Develop effective business relations - build trust, share information, meet with the C-suite and board

Invest in advanced technology when it meets a business need

Fortify your mobile security

Track risk to brand reputation and customer satisfaction

Integrate metrics

Page 38: Rochester Security Event

Trusteer Advanced Fraud and Malware Protection

Helping to protect against financial fraud and advanced security threats

Among the capabilities Trusteer brings to IBM's security portfolio:

Web Fraud Protection: Leading web fraud capabilities for financial services and web commerce

Secure Mobile Transactions: Embedded security for mobile devices and applications helps enable secure transactions from devices to the back office

Extended Advanced Threat Protection: Unique endpoint solution for identifying and protecting against Advanced Persistent Threats

Security-as-a-Service: Cloud-based deployment enabling rapid and real-time updates

Page 39: Rochester Security Event

© Trusteer 2013

About Trusteer

Global: Hundreds of Customers; 100,000,000 Endpoints

Solutions: Financial Fraud Prevention; Advanced Threat Protection

Leader: Intelligence; Technology; Expertise

Leading Global Organizations Put Their TRUST In Us

7/10 Top US Banks

9/10 Top UK Banks

4/5 Top Canadian Banks

Major European Banks

Page 40: Rochester Security Event

Malware and Phishing: Common threat to online channels & internal systems

Three Losing Battles

•  Humans will always make mistakes

•  System and application vulnerabilities continue to emerge

•  Malware detection will always lag

Two Major Impacts

Widespread Fraud
•  $3.4B est lost to online fraud in 2012 (1)

Advanced Threats and Breaches
•  85% of breaches go undetected (2)
•  $8.9M average cost of cyber-attacks (3)

[Diagram labels: Social Engineering (Phishing), Vulnerability Exploit, Malware Infection, Fraud Scheme Execution, Money Loss, Data Exfiltration, Enterprise Breach]

Sources: (1) JPMorgan: 2012 Online Fraud Report; (2) Gartner: 2290415; (3) Ponemon Institute: 2012 Cost of Cybercrime Report: US

Page 41: Rochester Security Event

The Specific Problems Trusteer Solves

WWW

Phishing and Malware Fraud

Advanced Threats (Employees)

Online Banking

Wire, ACH, Internal Apps

Account Takeover, New Account Fraud

Mobile Fraud Risk

Page 42: Rochester Security Event

Trusteer Solutions

WWW

Phishing and Malware Fraud

Advanced Threats (Employees)

Online Banking

Wire, ACH, Internal Apps

Account Takeover, New Account Fraud

Mobile Fraud Risk

Trusteer Pinpoint Account Takeover (ATO) Detection

Trusteer Apex

Trusteer Rapport

Trusteer Pinpoint Malware Detection

Trusteer Mobile SDK/APP

Trusteer Mobile Risk Engine

Page 43: Rochester Security Event

Your security team sees…

Page 44: Rochester Security Event

Clarity…

Page 45: Rochester Security Event

Insights…

Page 46: Rochester Security Event

Everything

Page 47: Rochester Security Event

Thank You

www.facebook.com/barlow.caleb

www.youtube.com/calebbarlow

Page 48: Rochester Security Event


Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.