Santiago Cavanna
IBM Security Systems
Argentina-Uruguay-Paraguay
March 2014
cavanna@ar.ibm.com
The hidden cost of … vulnerable applications
The Traditional Approach is Changing….
Security is no longer controlled and enforced through the network perimeter
Diagram labels: Trusted Intranet (Online Banking Application, Employee Application); DMZ; Untrusted Internet
…. With Mobile and Cloud There Is No Perimeter
Security must be centered on applications and transactions
Diagram labels: Trusted Intranet (Online Banking Application, Investment API Services, Employee Application); DMZ; Untrusted Internet (Deliver Mobile App, Consume Apps and Services, Leverage Public Clouds)
In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and 85% reported internal incidents.
Source: media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf
Threats increase along with old and new targets
Web apps targeted; mobile devices targeted; escalating threats; mobile malware increasing.
31% of new attacks in 1H 2013 targeted Web app vulnerabilities. 50%+ of Web app vulnerabilities are cross-site scripting. (Source: IBM X-Force 2013 Mid-Year Trend and Risk Report)
Mobile devices are twice as appealing: hackers can obtain personal and business data. (Source: Juniper Networks Third Annual Mobile Threats Report: 3/12 – 3/13)
83% of enterprises have difficulty finding the security skills they need
85 tools from 45 vendors (IBM client example)
70% of security execs are concerned about cloud and mobile security
Mobile malware grew 614% from March 2012 to March 2013 (in one year)
A New Security Reality Is Here
61% of organizations say data theft and cybercrime are the greatest threats to their reputation
Average U.S. breach cost: $7 million+
Sources: 2013 Cost of Cyber Crime Study, Ponemon Institute; 2013 Juniper Mobile Threat Report; 2012 IBM Global Reputational Risk & IT Study; 2013 IBM CISO Survey; 2012 ESG Research
A new security reality is here
Sophisticated attackers break through conventional safeguards every day.
Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like: attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted: they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often. In fact, 61% of organizations say data theft and cybercrime are the greatest threats to their reputation [1]. And the costs are staggering. By one estimate, the average cost of a breach is over $7 million [2].
Sources: (1) 2012 Global Reputational Risk & IT Study, IBM; (2) 2013 Cost of Cyber Crime Study, Ponemon Institute
Cloud, mobile, social and big data drive unprecedented change.
Businesses are adopting mobile, social, big data and cloud to analyze and share information at unprecedented rates. This influx of new innovation, technologies, and end-points pushes more and more business transactions outside company walls and completely transforms enterprise security as we know it. As the traditional network perimeter permanently dissolves, it is more difficult to defend company data from the increasing gaps in security, and to verify that users accessing data are protected. In one study, 70% of security executives expressed concern about cloud and mobile security [3]. Theft or loss of mobile devices, privacy concerns associated with cloud, and accidental sharing of sensitive data are some of the key fears. Without dynamic protection, an organization may spend more time recovering from attacks than it does preventing them. And those who do not prepare for change are leaving their companies dangerously exposed.
Sources: (3) 2013 CISO Survey, IBM; 2013 Juniper Mobile Threat Report
Yesterday’s security practices are not sustainable
Up to now, organizations have responded to security concerns by deploying a new tool to address each new risk. Now they have to install, configure, manage, patch, upgrade, and pay for dozens of non-integrated solutions with limited views of the landscape. Costly and complex, these fragmented security capabilities do not provide the visibility and coordination needed to stop today’s sophisticated attacks. Moreover, the skills and expertise needed to keep up with a constant stream of new threats are not always available: 83% of enterprises report having difficulty finding the security skills they need [4]. And as new risks emerge, the environment will grow more complex and the skills gap wider. 49% of IT executives say that they are challenged by an inability to measure the effectiveness of their current security efforts [5] and 31% of IT professionals have no risk strategy at all [6]. Many security teams are simply operating in the dark.
Sources: (4) 2012 ESG Research; (5) Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized, Forrester; (6) 2013 Global Reputational Risk & IT Study, IBM
Agenda
•  IBM as Security Solution Provider
•  IBM Security Framework
•  X-Force, Security Reports and SecurityIntelligence.com
•  Standards and regulations (NIST)
•  Challenges for the security team in application security.
•  Application Security Framework.
•  Vulnerabilities at different SDLC stages.
–  Dynamic and static analysis.
•  Self-assessment and recommendations.
IBM Security Investment
•  6,000+ IBM Security experts worldwide
•  3,000+ IBM security patents
•  4,000+ IBM managed security services clients worldwide
•  25 IBM Security labs worldwide
IBM Security: Market-changing milestones
Capability areas: Mainframe and Server Security; SOA Management and Security; Network Intrusion Prevention; Database Monitoring; Access Management; Application Security; Compliance Management; Identity Management; Advanced Fraud Protection; Security Analytics; Security Intelligence
•  1976: Resource Access Control Facility (RACF) is created, eliminating the need for each application to embed security
•  1999: Dascom is acquired for access management capabilities
•  2002: Access360 is acquired for identity management capabilities; MetaMerge is acquired for directory integration capabilities
•  2005: DataPower is acquired for SOA management and security capabilities
•  2006: Internet Security Systems, Inc. is acquired for security research and network protection capabilities
•  2007: Watchfire is acquired for security and compliance capabilities; Consul is acquired for risk management capabilities; Princeton Softech is acquired for data management capabilities
•  2008: Encentuate is acquired for enterprise single-sign-on capabilities
•  2009: Ounce Labs is acquired for application security capabilities; Guardium is acquired for enterprise database monitoring and protection capabilities
•  2010: BigFix is acquired for endpoint security management capabilities; NISC is acquired for information and analytics management capabilities
•  2011: Q1 Labs is acquired for security intelligence capabilities
•  2012: IBM Security Systems division is created
•  2013: Intent to acquire Trusteer for mobile and application security, counter-fraud and malware detection
IBM Security Framework
http://www.redbooks.ibm.com/abstracts/sg248100.html
X-Force Threat Intelligence: The IBM Differentiator
URL/Web Filtering
•  Provides access to one of the world’s largest URL filter databases, containing more than 20 billion evaluated Web pages and images
Anti-Spam
•  Detect spam using known signatures, discover new spam types automatically, 99.9% accurate, near 0% overblocking
IP Reputation
•  Categorize malicious websites via their IP address into different threat segments, including malware hosts, spam sources, and anonymous proxies
Web Application Control
•  Identifying and providing actions for application traffic, both web-based, such as Gmail, and client-based, such as Skype
The mission of X-Force is to:
§  Monitor and evaluate the rapidly changing threat landscape
§  Research new attack techniques and develop protection for tomorrow’s security challenges
§  Educate our customers and the general public
Advanced Security and Threat Research
Security Intelligence
http://www-03.ibm.com/security/xforce/
http://securityintelligence.com/
Security functionality examples: safeguard patient data; secure the credit card environment; protect self-service DMV portal; protect critical infrastructure for the smart grid; reduce online banking fraud; secure data exchange among insurance providers; control access to auto designs and intellectual property
Standards and Regulations
http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/
v1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Executive Order 13636 from President Obama was issued on February 12th 2014.
Software Risk and the Framework
Software security is a critical component of cybersecurity. If the apps you’re running can be exploited, the services they’re running are at risk. And though there isn’t a special section devoted to applications or building software in the NIST Framework, software is mentioned a number of times and should be addressed as part of the broader cybersecurity program.
Security team challenges
1000s of apps. A small team.
What is our application security status?
Which are our most important applications?
How many of them have we assessed?
Which ones present the highest risk?
Which vulnerabilities should we fix first?
What are the most common mistakes developers make?
Applications
Reducing the costs of developing secure applications and assuring the privacy and integrity of trusted information
Portfolio Overview
AppScan Enterprise Edition
•  Enterprise-class solution for implementing and managing an application security program; includes high-level dashboards, test policies, scan templates and issue management capabilities
•  Multi-user solution providing simultaneous security scanning and centralized reporting
AppScan Standard Edition
•  Desktop solution to automate web application security testing for IT Security, auditors, and penetration testers
AppScan Source Edition
•  Static application security testing to identify vulnerabilities at the line of code. Enables early detection within the development life cycle.
Application Security Framework
Diagram labels:
•  Test – Scan & Remediate
•  Security Intelligence, Policy and Governance: activity monitoring, context, risk assessment, compliance reporting
•  Development: eLearning, Correlation, Vuln Disclosure, Integrations
•  Deployment: White/Black Lists, Big Data Analytics, Integrations
•  Procurement
•  Protect – Block & Prevent: Web Application Firewall, Intrusion Prevention, Database Activity Monitoring, Containerization / Sandbox, Dynamic Scanning (light)
•  Assure – Rank & Validate: Application Reputation, Vendor Rankings, Compliance Scanning, Research Updates…
•  Static, Dynamic, Binary or Manifest testing based on access: Static Source, Dynamic Pre-Launch, Static Binary, Dynamic Production
•  Application Testing Services from the Cloud: full managed service – easy to start and easy to test third party apps; Mobile Application Testing; Mobile Application Reputation Services
Integrated Solutions – From Development to Deployment
Risk Management and Visibility
Key Trends
The Old Story – Still Valid But There’s More….
Find during Development: $80/defect
Find during Build: $240/defect
Find during QA/Test: $960/defect
Find in Production: $7,600/defect
80% of development costs are spent identifying and correcting defects!*
Average Cost of a Data Breach: $7.2M** from law suits, loss of customer trust, damage to brand
* Source: National Institute of Standards and Technology
** Source: Ponemon Institute 2009-10
Application Security: Helping to protect against the threat of attacks and
data breaches
Finding more vulnerabilities using advanced techniques
Static Analysis
-  Analyze Source Code
-  Use during development
-  Uses Taint Analysis / Pattern Matching
Dynamic Analysis
-  Analyze Live Web Application
-  Use during testing
-  Uses HTTP tampering
Hybrid Analysis
-  Correlate Dynamic and Static results
-  Assists remediation by identification of line of code
Client-Side Analysis
-  Analyze downloaded Javascript code which runs in client
-  Unique in the industry
Run-Time Analysis
-  Combines Dynamic Analysis with run-time agent
-  More results, better accuracy
Diagram: Total Potential Security Issues across Applications
No single automated analysis technique can find all possible vulnerabilities. Each technique has its own strengths and blind spots, which
is why a single point tool can leave you exposed.
To find the most vulnerabilities, you should employ all the analysis techniques available today. IBM has combined a leading Static
Analysis solution (developed by Ounce Labs) with a leading Dynamic Analysis solution (developed by Watchfire). IBM has combined
these two established technologies, and has since added Hybrid analysis to combine and correlate their results. In 2011, IBM added new
techniques for client-side analysis (aka Javascript Analyzer) and most recently run-time analysis (aka Glassbox).
Static Analysis examines the source code for potential vulnerabilities. Static analysis can be used earlier in the development cycle,
because you don’t need a running application. Static analysis can also produce a large volume of results, which can overwhelm
development teams. Also, developers may question whether an identified vulnerability can be exploited (i.e. the “issue” could be mitigated
somewhere else in the code, so it may not manifest itself as a true vulnerability).
Dynamic Analysis tests a running application, by probing it in similar ways to what a hacker would use. With Dynamic Analysis results, it is
easier to connect the vulnerability and a potential exploit. Dynamic Analysis is reliant on an ability to automatically traverse an application
and test possible inputs. With Dynamic Analysis, the auditor is always asking “did I get proper test coverage”. Because Dynamic Analysis
requires a running application, it typically cannot be used until an application is ready for functional testing (i.e. later in the development
cycle).
Hybrid Analysis brings together Dynamic and Static to correlate and verify the results. Issues identified using dynamic analysis can be
traced to the offending line of code. Issues identified in static analysis can be validated with an external test.
Client-side Analysis (aka JSA) analyzes code which is downloaded to the client. As more functionality is performed client-side, the
prospect of client-side vulnerabilities and exploits increases. This capability, new in 2011, is unique in the market.
Run-time Analysis (aka Glassbox) places a run-time agent on the application machine, and analyzes the application as it is being tested.
This combines the aspects of Dynamic and Static analysis at run-time, finding more vulnerabilities with greater accuracy. Glassbox
analysis was introduced in the most recent release of AppScan, at the end of 2011.
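The static-analysis notes above say the technique relies on taint analysis and pattern matching, and that developers may question a finding because the issue is mitigated elsewhere in the code. The following toy intraprocedural taint tracker over Python source, built on the standard-library `ast` module, is an added example (not IBM or AppScan code) showing both points: attacker-controlled data from a source reaching a dangerous sink is reported with its line number, and a sanitizer applied earlier breaks the taint chain so no finding is raised. The source, sink and sanitizer lists and the sample program are constructed for this example.

```python
"""Toy taint analysis over Python source: source -> (sanitizer?) -> sink.

Added example, not the page's or AppScan's code. Intraprocedural and
flow-insensitive across functions: it tracks taint per variable name
within the visited module, which is enough to show true positives,
sanitizer-cleared findings, and why real SAST tools need deeper dataflow.
"""
import ast

# Constructed assumptions for this example: where untrusted data enters,
# which calls are dangerous, and which calls neutralise taint.
SOURCES = {"input", "request.args.get"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int"}


def _callee_name(call: ast.Call) -> str:
    """Render a call target as a dotted name, e.g. os.system -> 'os.system'."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line number, sink name)

    def is_tainted(self, node) -> bool:
        """Does this expression carry taint? Walks names, calls, concatenation, f-strings."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False  # the sanitizer breaks the taint chain
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # clean reassignment clears taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _callee_name(node)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def analyze(source: str):
    """Return [(line, sink), ...] for every sink call fed by tainted data."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program (a string, never executed) with two true positives
# and two cases where a sanitizer elsewhere in the code removes the finding.
SAMPLE = '''
import os, shlex
user = input("host: ")
os.system("ping " + user)                 # source -> sink: finding on line 4
safe = shlex.quote(user)
os.system("ping " + safe)                 # sanitized earlier: no finding
port = int(input("port: "))
os.system(f"nc host {port}")              # int() breaks the taint chain
cursor.execute("SELECT * FROM t WHERE id = " + user)   # finding on line 9
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")
```

Running the block reports lines 4 and 9 only. The `shlex.quote` and `int()` cases are exactly the situation the notes describe: a pattern-matching tool that ignores sanitizers would flag all four sink calls, and developers would rightly dismiss half of them, which is why correlating static findings with a dynamic test (the hybrid approach) is valuable.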
Important Questions to Consider
Do the applications
contain sensitive data?
§  Is the data protected?
§  How do you know if it’s protected?
Do you outsource your mobile application development?
How do you keep pace with the constant mobile updates?
§  How do you determine risk?
§  Do you have mobile-specific security expertise?
§  Do you have acceptance criteria?
§  Do you check application security every release?
§  Do you have a way to automate testing?
What is application security testing?
Just got breached, how do we prevent this?
How do we protect our mobile apps?
Application Security Awareness
From “Do Nothing” to “Reactive” to “Proactive”!
Where are you on this spectrum?
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without
warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these
materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable
license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in
which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other
factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the
International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and
outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack
others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access.
IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF
ANY PARTY.
http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
http://web.nvd.nist.gov/view/vuln/search-results?query=vmware&search_type=all&cves=on
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware
http://search.iss.net/Search.do?keyword=vmware&searchType=keywd&x=0&y=0
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
Security: Cloud vs Virtual …
http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
http://www-935.ibm.com/services/image/cybersecurity_infographic.jpg
Guide to implementing a secure cloud
The following security measures represent general best practice implementations for cloud
security.
•  Implement and maintain a security program.
•  Build and maintain a secure cloud infrastructure.
•  Ensure confidential data protection.
•  Implement strong access and identity management.
•  Establish application and environment provisioning.
•  Implement a governance and audit management program.
•  Implement a vulnerability and intrusion management program.
•  Maintain environment testing and validation.
Build and maintain a secure cloud infrastructure
4. Protect administrative access.
4.3. Maintain an audit trail of administrative actions.
4.4. The cloud host should develop and publish configuration management guidelines.
4.5. Implement an Asset Discovery Mechanism to identify resources in use in the target environment.
4.6. Regularly review Asset Maps to understand assets in the cloud environment.
4.7. Maintain a Configuration Data Store to enable auditability and general security understanding.
5. Ensure patch management.
5.1. The cloud host should develop and publish a patch and change management program.
5.2. Develop a pre-production patch management system to enable business resiliency.
5.3. Ensure logging is enabled for all patch processes, and develop the appropriate documentation.
5.4. Ensure that all systems and applications are running the latest vendor-supplied patches and updates within the period specified in the patch and change management program. Ensure that an appropriate time frame is established.
5.5. Establish a process or utilize a third-party vendor to maintain awareness of the latest security vulnerabilities.
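Items 4.3 and 4.7 above ask for an audit trail of administrative actions that supports auditability. One concrete way to make such a trail tamper-evident is a hash chain: every record stores the SHA-256 of the previous record, so editing, deleting or reordering an entry breaks verification from that point on. The block below is an added example (not from the page or the referenced guides); the record fields and the three sample entries are constructed.

```python
"""Tamper-evident audit trail for administrative actions (hash-chained log).

Added example; not code from the page. Each entry commits to the previous
entry's hash, so any edit or deletion is detected by verify_chain().
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry
FIELDS = ("seq", "ts", "actor", "action", "target")


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so that key order cannot change the hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(log: list, actor: str, action: str, target: str, ts: str) -> dict:
    """Append one administrative action, chained to the current last entry."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "ts": ts, "actor": actor, "action": action, "target": target}
    entry = {**record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in FIELDS}
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(prev, record):
            return False, i
        prev = entry["hash"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample: three admin actions on hypothetical hosts."""
    log = []
    append_entry(log, "alice", "ssh-login", "hv-01", "2014-03-01T10:00:00Z")
    append_entry(log, "alice", "patch-apply", "hv-01", "2014-03-01T10:05:00Z")
    append_entry(log, "bob", "firewall-rule-add", "edge-02", "2014-03-01T11:20:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["actor"] = "mallory"          # simulate an edit to a past entry
    print("after tampering:", verify_chain(log))
```

The chain only proves that the log has not been altered since the entries were written; to stop an administrator rewriting the whole chain, the latest hash should be periodically copied to a store the administrators cannot write (a separate log host or write-once storage), which is the separation the configuration data store in item 4.7 is meant to provide.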
http://www.redbooks.ibm.com/abstracts/redp4614.html
http://www.redbooks.ibm.com/abstracts/redp4893.html
http://publib-b.boulder.ibm.com/abstracts/sg247928.html
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF
Slide 04
media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf
Slide 05
http://www.slideshare.net/junipernetworks/third-annual-mobile-threats-report
http://www.juniper.net/us/en/forms/mobile-threats-report/
http://www-935.ibm.com/services/us/gbs/bus/html/risk_study.html
http://www-935.ibm.com/services/us/gbs/bus/html/reputational-risk-resolution-for-2013.html
http://www.ibm.com/developerworks/library/se-global/
http://www.ponemon.org/data-security
http://www.esg-global.com/blogs/more-on-the-security-skills-shortage-issue/
http://www.esg-global.com/blogs/the-security-skills-shortage-is-worse-than-you-think/
http://www.esg-global.com/blogs/what-cisos-can-do-about-the-cybersecurity-skills-shortage/
http://www.slideshare.net/IBMGovernmentCA/reputational-risk-16787581
Slide 10
http://www.redbooks.ibm.com/abstracts/sg248100.html
Slide 12
http://securityintelligence.com/
http://www-03.ibm.com/security/xforce/
Slide 15
http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/
Slide 27
http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
Slide 28
http://search.iss.net/Search.do?keyword=vmware&searchType=keywd&x=0&y=0
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware
http://web.nvd.nist.gov/view/vuln/search-results?query=vmware&search_type=all&cves=on
Slide 29
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
Slide 30
http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
Slide 31
http://www-935.ibm.com/services/image/cybersecurity_infographic.jpg
Slide 35
http://www.redbooks.ibm.com/abstracts/redp4614.html
http://publib-b.boulder.ibm.com/abstracts/sg247928.html
http://www.redbooks.ibm.com/abstracts/redp4893.html
Slide 35
http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

 
True Cost of Data Breaches
True Cost of Data BreachesTrue Cost of Data Breaches
True Cost of Data Breaches
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
Cyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsCyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & Recommendations
 
Cyber resilience itsm academy_april2015
Cyber resilience itsm academy_april2015Cyber resilience itsm academy_april2015
Cyber resilience itsm academy_april2015
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 
What lies ahead? 2016 Cyber Security Predictions from Symantec in the EMEA (E...
What lies ahead? 2016 Cyber Security Predictions from Symantec in the EMEA (E...What lies ahead? 2016 Cyber Security Predictions from Symantec in the EMEA (E...
What lies ahead? 2016 Cyber Security Predictions from Symantec in the EMEA (E...
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber Resilience
 
Top 5 Things to Look for in an IPS Solution
Top 5 Things to Look for in an IPS SolutionTop 5 Things to Look for in an IPS Solution
Top 5 Things to Look for in an IPS Solution
 

Similar a Segurinfo2014 Santiago Cavanna

5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekkoDMI
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyOrganization
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 
IBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM Sverige
 
2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurityMatthew Rosenquist
 
CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19IBM Sverige
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudGGV Capital
 
kaspersky presentation for palette business solution June 2016 v1.0.
kaspersky presentation for palette business solution June 2016 v1.0.kaspersky presentation for palette business solution June 2016 v1.0.
kaspersky presentation for palette business solution June 2016 v1.0.Onwubiko Emmanuel
 
How to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfHow to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfMetaorange
 
How to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxHow to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxMetaorange
 
Cognitive security
Cognitive securityCognitive security
Cognitive securityIqra khalil
 
Just-How-Secure-is-your-Remote-Workforce-Infinity-Group-Ebook.pdf
Just-How-Secure-is-your-Remote-Workforce-Infinity-Group-Ebook.pdfJust-How-Secure-is-your-Remote-Workforce-Infinity-Group-Ebook.pdf
Just-How-Secure-is-your-Remote-Workforce-Infinity-Group-Ebook.pdfInfinityGroup5
 
What you need to know about cyber security
What you need to know about cyber securityWhat you need to know about cyber security
What you need to know about cyber securityCarol Meng-Shih Wang
 
IBM Security Products: Intelligence, Integration, Expertise
IBM Security Products: Intelligence, Integration, ExpertiseIBM Security Products: Intelligence, Integration, Expertise
IBM Security Products: Intelligence, Integration, ExpertiseShwetank Jayaswal
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)Norm Barber
 

Similar a Segurinfo2014 Santiago Cavanna (20)

5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
IBM - IAM Security and Trends
IBM - IAM Security and TrendsIBM - IAM Security and Trends
IBM - IAM Security and Trends
 
2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
 
CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19
 
Presentación AMIB Los Cabos
Presentación AMIB Los CabosPresentación AMIB Los Cabos
Presentación AMIB Los Cabos
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
kaspersky presentation for palette business solution June 2016 v1.0.
kaspersky presentation for palette business solution June 2016 v1.0.kaspersky presentation for palette business solution June 2016 v1.0.
kaspersky presentation for palette business solution June 2016 v1.0.
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 
How to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfHow to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdf
 
How to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxHow to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptx
 
Cognitive security
Cognitive securityCognitive security
Cognitive security
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
Just-How-Secure-is-your-Remote-Workforce-Infinity-Group-Ebook.pdf
Just-How-Secure-is-your-Remote-Workforce-Infinity-Group-Ebook.pdfJust-How-Secure-is-your-Remote-Workforce-Infinity-Group-Ebook.pdf
Just-How-Secure-is-your-Remote-Workforce-Infinity-Group-Ebook.pdf
 
What you need to know about cyber security
What you need to know about cyber securityWhat you need to know about cyber security
What you need to know about cyber security
 
IBM Security Products: Intelligence, Integration, Expertise
IBM Security Products: Intelligence, Integration, ExpertiseIBM Security Products: Intelligence, Integration, Expertise
IBM Security Products: Intelligence, Integration, Expertise
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 

Más de Santiago Cavanna

Forum 20210824 Suarez-Cavanna Ciberseguridad
Forum 20210824 Suarez-Cavanna CiberseguridadForum 20210824 Suarez-Cavanna Ciberseguridad
Forum 20210824 Suarez-Cavanna CiberseguridadSantiago Cavanna
 
Ser pyme no es excusa, para no ocuparse de la ciberseguridad
Ser pyme no es excusa, para no ocuparse de la ciberseguridadSer pyme no es excusa, para no ocuparse de la ciberseguridad
Ser pyme no es excusa, para no ocuparse de la ciberseguridadSantiago Cavanna
 
IBM Cyber Day Para Chicas - 2019
IBM Cyber Day Para Chicas - 2019IBM Cyber Day Para Chicas - 2019
IBM Cyber Day Para Chicas - 2019Santiago Cavanna
 
Modelado de Amenazas de CiberSeguridad (2014)
Modelado de Amenazas de CiberSeguridad (2014)Modelado de Amenazas de CiberSeguridad (2014)
Modelado de Amenazas de CiberSeguridad (2014)Santiago Cavanna
 
Security intelligence and big data (2015)
Security intelligence and big data (2015)Security intelligence and big data (2015)
Security intelligence and big data (2015)Santiago Cavanna
 
ABC de la seguridad para PyMEs (2009)
ABC de la seguridad para PyMEs (2009)ABC de la seguridad para PyMEs (2009)
ABC de la seguridad para PyMEs (2009)Santiago Cavanna
 
How to improve the frequency of posting essays
How to improve the frequency of posting essaysHow to improve the frequency of posting essays
How to improve the frequency of posting essaysSantiago Cavanna
 
Segurinfo2014 virtualizacion segura_ardita_cavanna draft v01
Segurinfo2014 virtualizacion segura_ardita_cavanna  draft v01Segurinfo2014 virtualizacion segura_ardita_cavanna  draft v01
Segurinfo2014 virtualizacion segura_ardita_cavanna draft v01Santiago Cavanna
 

Más de Santiago Cavanna (8)

Forum 20210824 Suarez-Cavanna Ciberseguridad
Forum 20210824 Suarez-Cavanna CiberseguridadForum 20210824 Suarez-Cavanna Ciberseguridad
Forum 20210824 Suarez-Cavanna Ciberseguridad
 
Ser pyme no es excusa, para no ocuparse de la ciberseguridad
Ser pyme no es excusa, para no ocuparse de la ciberseguridadSer pyme no es excusa, para no ocuparse de la ciberseguridad
Ser pyme no es excusa, para no ocuparse de la ciberseguridad
 
IBM Cyber Day Para Chicas - 2019
IBM Cyber Day Para Chicas - 2019IBM Cyber Day Para Chicas - 2019
IBM Cyber Day Para Chicas - 2019
 
Modelado de Amenazas de CiberSeguridad (2014)
Modelado de Amenazas de CiberSeguridad (2014)Modelado de Amenazas de CiberSeguridad (2014)
Modelado de Amenazas de CiberSeguridad (2014)
 
Security intelligence and big data (2015)
Security intelligence and big data (2015)Security intelligence and big data (2015)
Security intelligence and big data (2015)
 
ABC de la seguridad para PyMEs (2009)
ABC de la seguridad para PyMEs (2009)ABC de la seguridad para PyMEs (2009)
ABC de la seguridad para PyMEs (2009)
 
How to improve the frequency of posting essays
How to improve the frequency of posting essaysHow to improve the frequency of posting essays
How to improve the frequency of posting essays
 
Segurinfo2014 virtualizacion segura_ardita_cavanna draft v01
Segurinfo2014 virtualizacion segura_ardita_cavanna  draft v01Segurinfo2014 virtualizacion segura_ardita_cavanna  draft v01
Segurinfo2014 virtualizacion segura_ardita_cavanna draft v01
 

Último

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

Segurinfo2014 Santiago Cavanna

  • 1. Santiago Cavanna IBM Security Systems Argentina-Uruguay-Paraguay Marzo 2014 cavanna@ar.ibm.com El costo oculto de las aplicaciones … Vulnerables
  • 2. The Traditional Approach is Changing…. Security is no longer controlled and enforced through the network perimeter Trusted  Intranet   Online  Banking   Applica5on   Employee  Applica5on   DMZ   Untrusted  Internet  
  • 3. …. With Mobile and Cloud There Is No Perimeter Security must be centered on applications and transactions Online  Banking   Applica5on   Investment   API  Services   Employee  Applica5on   Deliver  Mobile  App   Consume  Apps  and  Services   Leverage  Public  Clouds   Trusted  Intranet   DMZ   Untrusted  Internet  
  • 4. media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and 85% reported internal incidents.
  • 5. Threats increase along with old and new targets ??????????????????????  Web  Apps  Targeted   Mobile  Devices  Targeted   Escala9ng  Threats   ??????????????????????  Mobile  Malware  Increasing   31%     of  new  aAacks  in   1H  2013  targeted     Web  app   vulnerabili9es   50%  +     of  Web  app   vulnerabili9es   are  cross-­‐site   scrip9ng   Mobile  devices  are   twice  as  appealing   hackers  can  obtain   personal  and   business  data   Source: Juniper Networks Third Annual Mobile Threats Report: 3/12 – 3/13 Source:  IBM  X-­‐Force  2013  Mid-­‐Year  Trend  and  Risk  Report    Source:  IBM  X-­‐Force  2013  Mid-­‐Year  Trend  and  Risk  Report    
  • 6. 83% of enterprises have difficulty finding the security skills they need tools from vendors 85 45 IBM client example 70% of security exec’s are concerned about cloud and mobile security Mobile malware grew 614% from March 2012 to March 2013 in one year A New Security Reality Is Here 61% Data theft and cybercrime are the greatest threats to their reputation of organizations say Average U.S. breach cost $7million+ 2013 Cost of Cyber Crime Study Ponemon Institute 2013 Juniper Mobile Threat Report 2012 IBM Global Reputational Risk & IT Study 2013 IBM CISO Survey 2012 ESG Research
  • 7. A new security reality is here Sophisticated attackers break through conventional safeguards every day. Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted ‒ they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often. In fact, 61% of organizations say data theft and cybercrime are the greatest threats to their reputation.1 And the costs are staggering. By one estimate, the average cost of a breach is over $7million.2 Sources: (1) 2012 Global Reputational Risk & IT Study, IBM; (2) 2013 Cost of Cyber Crime Study, Ponemon Institute <MOUSE CLICK> Cloud, mobile, social and big data drive unprecedented change. Businesses are adopting mobile, social, big data and cloud to analyze and share information at unprecedented rates. This influx of new innovation, technologies, and end-points push more and more business transactions outside company walls and completely transform enterprise security as we know it. As the traditional network perimeter permanently dissolves, it is more difficult to defend company data from the increasing gaps in security, and to verify that users accessing data are protected. In one study, 70% of security executives expressed concern about cloud and mobile security.3 Theft or loss of mobile devices, privacy concerns associated with cloud, and accidental sharing of sensitive data are some of the key fears. 
Without dynamic protection, an organization may spend more time recovering from attacks than it does preventing them. And those who do not prepare for change are leaving their companies dangerously exposed. Sources: (3) 2013 CISO Survey, IBM; 2013 Juniper Mobile Threat Report <MOUSE CLICK> Yesterday’s security practices are not sustainable Up to now, organizations have responded to security concerns by deploying a new tool to address each new risk. Now they have to install, configure, manage, patch, upgrade, and pay for dozens of non-integrated solutions with limited views of the landscape. Costly and complex, these fragmented security capabilities do not provide the visibility and coordination needed to stop today’s sophisticated attacks. Moreover, the skills and expertise needed to keep up with a constant stream of new threats is not always available. 83% of enterprises report having difficulty finding the security skills they need.4 And as new risks emerge, the environment will grow more complex and the skills gap wider. 49% of IT executives say that they are challenged by an inability to measure the effectiveness of their current security efforts5 and 31% of IT professionals have no risk strategy at all6. Many security teams are simply operating in the dark. Sources: (4) 2012 ESG Research; (5) Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized, Forrester; (6) 2013 Global Reputational Risk & IT Study, IBM
  • 8. Agenda •  IBM as Security Solution Provider •  IBM Security Framework •  X-Force, Security Reports and SecurityIntelligence.com •  Standards and regulations (NIST) •  Challenges for Security team at Application Security. •  Application Security Framework. •  Vulnerability at different SDLC Stage. –  Dynamic and static analysis. •  Self-assessment and recommendations.
  • 9. IBM Security Investment •  6,000+ IBM Security experts worldwide •  3,000+ IBM security patents •  4,000+ IBM managed security services clients worldwide •  25 IBM Security labs worldwide IBM Security: Market-changing milestones Mainframe and Server Security SOA Management and Security Network Intrusion Prevention Database Monitoring Access Management Application Security Compliance Management 1976   Resource Access Control Facility (RACF) is created, eliminating the need for each application to imbed security 1999   Dascom is acquired for access management capabilities 2006   Internet Security Systems, Inc. is acquired for security research and network protection capabilities 2007   Watchfire is acquired for security and compliance capabilities Consul is acquired for risk management capabilities Princeton Softech is acquired for data management capabilities 2008   Encentuate is acquired for enterprise single-sign-on capabilities 2009   Ounce Labs is acquired for application security capabilities Guardium is acquired for enterprise database monitoring and protection capabilities 2010   Big Fix is acquired for endpoint security management capabilities NISC is acquired for information and analytics management capabilities2005   DataPower is acquired for SOA management and security capabilities 2013   Intent to acquire Trusteer for mobile and application security, counter-fraud and malware detection 2002   Access360 is acquired for identity management capabilities MetaMerge is acquired for directory integration capabilities Identity Management Advanced Fraud Protection Security Analytics Security Intelligence IBM Security Systems division is created 2011   Q1 Labs is acquired for security intelligence capabilities 2012  
  • 11. X-Force Threat Intelligence: The IBM Differentiator IBM  Confiden9al   URL/Web  Filtering   •  Provides  access  to  one  of  the  world’s  largest  URL  filter  databases  containing  more  than  20  billion   evaluated  Web  pages  and  images   An5-­‐Spam   •  Detect  spam  using  known  signatures,  discover  new  spam  types  automa9cally,  99.9%  accurate,  near  0%   overblocking   IP  Reputa5on   •  Categorize  malicious  websites  via  their  IP  address  into  different  threat  segments,  including  malware  hosts,   spam  sources,  and  anonymous  proxies Web  Applica5on  Control   •  Iden9fying  and  providing  ac9ons  for  applica9on  traffic,  both  web-­‐based,     such  as  Gmail,  and  client  based,  such  as  Skype The mission of X-Force is to: §  Monitor and evaluate the rapidly changing threat landscape §  Research new attack techniques and develop protection for tomorrow’s security challenges §  Educate our customers and the general public Advanced Security and Threat Research
  • 14. Security functionality examples
  •  Safeguard patient data
  •  Secure the credit card environment
  •  Protect self-service DMV portal
  •  Protect critical infrastructure for the smart grid
  •  Reduce online banking fraud
  •  Secure data exchange among insurance providers
  •  Control access to auto designs and intellectual property
  • 15. Standards and Regulations
  http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/
  v1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Executive Order 13636 from President Obama was issued on February 12th 2014.
  Software Risk and the Framework
  Software security is a critical component of cybersecurity. If the apps you’re running can be exploited, the services they’re running are at risk. And though there isn’t a special section devoted to applications or building software in the NIST Framework, software is mentioned a number of times and should be addressed as part of the broader cybersecurity program.
  • 16. Security team challenges
  1000s of apps. A small team.
  What is our application security status?
  Which are our most important applications?
  How many of them have we assessed?
  Which ones present the highest risk?
  Which vulnerabilities should we fix first?
  What are the most common mistakes developers make?
  • 17. Applications: Reducing the costs of developing secure applications and assuring the privacy and integrity of trusted information
  Portfolio Overview
  AppScan Enterprise Edition
  •  Enterprise-class solution for implementing and managing an application security program, includes high-level dashboards, test policies, scan templates and issue management capabilities
  •  Multi-user solution providing simultaneous security scanning and centralized reporting
  AppScan Standard Edition
  •  Desktop solution to automate web application security testing for IT Security, auditors, and penetration testers
  AppScan Source Edition
  •  Static application security testing to identify vulnerabilities at the line of code. Enables early detection within the development life cycle.
  • 18. Application Security Framework
  Test: Scan & Remediate
  •  Static, Dynamic, Binary or Manifest testing based on access: Static Source; Dynamic Pre-Launch; Static Binary; Dynamic Production
  •  eLearning; Correlation; Vuln Disclosure; Integrations
  Protect: Block & Prevent
  •  Web Application Firewall; Intrusion Prevention; Database Activity Monitoring; Containerization / Sandbox; Dynamic Scanning (light)
  •  Integrations; White/Black Lists
  Assure: Rank & Validate
  •  Application Reputation; Vendor Rankings; Compliance Scanning; Research Updates…
  •  Big Data Analytics
  Security Intelligence, Policy and Governance: Activity monitoring, context, risk assessment, compliance reporting
  Lifecycle stages covered: Development; Deployment; Procurement
  Key Trends
  •  Application Testing Services from the Cloud: full managed service – easy to start and easy to test third party apps
  •  Mobile Application Testing
  •  Mobile Application Reputation Services
  •  Integrated Solutions – From Development to Deployment
  •  Risk Management and Visibility
  • 19. The Old Story – Still Valid But There’s More….
  Find during Development: $80/defect
  Find during Build: $240/defect
  Find during QA/Test: $960/defect
  Find in Production: $7,600/defect
  80% of development costs are spent identifying and correcting defects!*
  Average Cost of a Data Breach: $7.2M** from law suits, loss of customer trust, damage to brand
  * Source: National Institute of Standards and Technology
  ** Source: Ponemon Institute 2009-10
  • 20. Application Security: Helping to protect against the threat of attacks and data breaches
  • 21. Finding more vulnerabilities using advanced techniques
  Static Analysis
  -  Analyze Source Code
  -  Use during development
  -  Uses Taint Analysis / Pattern Matching
  Dynamic Analysis
  -  Analyze Live Web Application
  -  Use during testing
  -  Uses HTTP tampering
  Hybrid Analysis
  -  Correlate Dynamic and Static results
  -  Assists remediation by identification of line of code
  Client-Side Analysis
  -  Analyze downloaded Javascript code which runs in client
  -  Unique in the industry
  Run-Time Analysis
  -  Combines Dynamic Analysis with run-time agent
  -  More results, better accuracy
  (Chart: Total Potential Security Issues vs. Applications)
  • 22. No single automated analysis technique can find all possible vulnerabilities. Each technique has its own strengths and blind spots, which is why a single point tool can leave you exposed. To find the most vulnerabilities, you should employ all the analysis techniques available today. IBM combined a leading Static Analysis solution (developed by Ounce Labs) with a leading Dynamic Analysis solution (developed by Watchfire), and has since added Hybrid analysis to combine and correlate their results. In 2011, IBM added new techniques for client-side analysis (aka Javascript Analyzer) and, most recently, run-time analysis (aka Glassbox).
  Static Analysis examines the source code for potential vulnerabilities. It can be used earlier in the development cycle, because you don’t need a running application. Static analysis can also produce a large volume of results, which can overwhelm development teams. Also, developers may question whether an identified vulnerability can be exploited (i.e. the “issue” could be mitigated somewhere else in the code, so it may not manifest itself as a true vulnerability).
  Dynamic Analysis tests a running application by probing it in ways similar to what a hacker would use. With Dynamic Analysis results, it is easier to connect the vulnerability and a potential exploit. Dynamic Analysis relies on the ability to automatically traverse an application and test possible inputs, so the auditor is always asking “did I get proper test coverage?”. Because Dynamic Analysis requires a running application, it typically cannot be used until an application is ready for functional testing (i.e. later in the development cycle).
  Hybrid Analysis brings together Dynamic and Static to correlate and verify the results: issues identified using dynamic analysis can be traced to the offending line of code, and issues identified in static analysis can be validated with an external test.
  Client-side Analysis (aka JSA) analyzes code which is downloaded to the client. As more functionality is performed client-side, the prospect of client-side vulnerabilities and exploits increases. This capability, new in 2011, is unique in the market.
  Run-time Analysis (aka Glassbox) places a run-time agent on the application machine and analyzes the application as it is being tested. This combines aspects of Dynamic and Static analysis at run-time, finding more vulnerabilities with greater accuracy. Glassbox analysis was introduced in the most recent release of AppScan, at the end of 2011.
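  To make the static-analysis idea on slides 21 and 22 concrete (taint analysis: follow untrusted input from a source to a dangerous sink, and stop following it when a sanitizer is applied), here is a toy intra-procedural taint checker written for this page. It is an added example, not AppScan or IBM code, and it deliberately keeps the blind spots the notes mention: a sanitizer clears the finding (the "mitigated elsewhere" case), while taint that crosses a function call is missed, which is exactly the gap that hybrid or run-time validation is meant to close. The source, sink and sanitizer patterns and the sample program are constructed assumptions.

```python
"""Toy intra-procedural taint analysis over Python source (added example, not AppScan)."""
import ast
from dataclasses import dataclass

# Constructed rule set (assumption, not any product's rules):
SOURCES = {("request", "args", "get"), ("request", "form", "get")}  # untrusted input
SINKS = {("cursor", "execute"): 0, ("os", "system"): 0}             # sink -> index of the dangerous argument
SANITIZERS = {"int", "quote_identifier"}                            # calls that clear taint (assumed)


@dataclass
class Finding:
    line: int
    sink: str
    expression: str


def _dotted(node):
    """Return ('a', 'b', 'c') for the expression a.b.c, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def _is_tainted(expr, tainted):
    """Does the expression carry taint from a source or a tainted variable?"""
    if isinstance(expr, ast.Call):
        name = _dotted(expr.func)
        if name in SOURCES:
            return True
        if name is not None and name[-1] in SANITIZERS:
            return False                      # sanitizer wraps the value: taint is cleared
        return any(_is_tainted(a, tainted) for a in expr.args)   # e.g. "...{}".format(x)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):           # "..." + x  or  "..." % x
        return _is_tainted(expr.left, tainted) or _is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):       # f-strings
        return any(_is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False


def analyze(source_code):
    """Walk each function body in order, tracking tainted variables, and report
    sink calls whose dangerous argument is tainted. Parameters are never treated
    as tainted, so taint that enters through a call is missed (a known blind spot)."""
    tree = ast.parse(source_code)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target = stmt.targets[0].id
                if _is_tainted(stmt.value, tainted):
                    tainted.add(target)
                else:
                    tainted.discard(target)   # reassignment with a clean value clears taint
            for node in ast.walk(stmt):
                if not isinstance(node, ast.Call):
                    continue
                sink = _dotted(node.func)
                if sink in SINKS and len(node.args) > SINKS[sink]:
                    arg = node.args[SINKS[sink]]
                    if _is_tainted(arg, tainted):
                        findings.append(Finding(node.lineno, ".".join(sink), ast.unparse(arg)))
    return findings


# Constructed sample program: one true finding, one sanitized, one parameterised,
# and one where the taint crosses a helper call and is therefore missed.
SAMPLE = '''\
def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id=" + uid)

def lookup_sanitized(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id=%s" % uid)

def lookup_parameterised(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id=%s", (uid,))

def run_query(cursor, uid):
    cursor.execute("SELECT * FROM users WHERE id=" + uid)

def lookup_via_helper(request, cursor):
    run_query(cursor, request.args.get("id"))
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: tainted data reaches {f.sink}: {f.expression}")
```

  Running it reports only the `cursor.execute` on line 3 of the sample. The sanitized and parameterised variants are silent, and so is `run_query`, even though `lookup_via_helper` feeds it untrusted input: a reviewer looking at that function alone would see a finding a tool like this never raises, which is the coverage argument the notes make for combining techniques.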
  • 23. Important Questions to Consider
  Do the applications contain sensitive data?
  §  Is the data protected?
  §  How do you know if it’s protected?
  Do you outsource your mobile application development? How do you keep pace with the constant mobile updates?
  §  How do you determine risk?
  §  Do you have mobile specific security expertise?
  §  Do you have acceptance criteria?
  §  Do you check application security every release?
  §  Do you have a way to automate testing?
  • 24. What is application security testing? Just got breached, how do we prevent this? How do we protect our mobile apps? Application Security Awareness: From “Do Nothing” to “Reactive” to “Proactive”! Where are you on this spectrum?
  • 25. www.ibm.com/security © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. 
IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
  • 34. Guide to implementing a secure cloud
  The following security measures represent general best practice implementations for cloud security.
  •  Implement and maintain a security program.
  •  Build and maintain a secure cloud infrastructure.
  •  Ensure confidential data protection.
  •  Implement strong access and identity management.
  •  Establish application and environment provisioning.
  •  Implement a governance and audit management program.
  •  Implement a vulnerability and intrusion management program.
  •  Maintain environment testing and validation.
  Build and maintain a secure cloud infrastructure
  4. Protect administrative access.
  4.3. Maintain an audit trail of administrative actions.
  4.4. The cloud host should develop and publish configuration management guidelines.
  4.5. Implement an Asset Discovery Mechanism to identify resources in use in the target environment.
  4.6. Regularly review Asset Maps to understand assets in the cloud environment.
  4.7. Maintain a Configuration Data Store to enable auditability and general security understanding.
  5. Ensure patch management.
  5.1. The cloud host should develop and publish a patch and change management program.
  5.2. Develop a pre-production patch management system to enable business resiliency.
  5.3. Ensure logging is enabled for all patch processes, and develop the appropriate documentation.
  5.4. Ensure that all systems and applications are running the latest vendor-supplied patches and updates within the period specified in the patch and change management program. Ensure that an appropriate time frame is established.
  5.5. Establish a process or utilize a third-party vendor to maintain awareness of the latest security vulnerabilities.
  • 38. Sources by slide
  Slide 04: media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf
  Slide 05: http://www.slideshare.net/junipernetworks/third-annual-mobile-threats-report ; http://www.juniper.net/us/en/forms/mobile-threats-report/ ; http://www-935.ibm.com/services/us/gbs/bus/html/risk_study.html ; http://www-935.ibm.com/services/us/gbs/bus/html/reputational-risk-resolution-for-2013.html ; http://www.ibm.com/developerworks/library/se-global/ ; http://www.ponemon.org/data-security ; http://www.esg-global.com/blogs/more-on-the-security-skills-shortage-issue/ ; http://www.esg-global.com/blogs/the-security-skills-shortage-is-worse-than-you-think/ ; http://www.esg-global.com/blogs/what-cisos-can-do-about-the-cybersecurity-skills-shortage/ ; http://www.slideshare.net/IBMGovernmentCA/reputational-risk-16787581
  Slide 10: http://www.redbooks.ibm.com/abstracts/sg248100.html
  Slide 12: http://securityintelligence.com/ ; http://www-03.ibm.com/security/xforce/
  Slide 15: http://securityintelligence.com/nist-cybersecurity-framework-application-security-risk-management/
  • 39. Sources by slide (continued)
  Slide 27: http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
  Slide 28: http://search.iss.net/Search.do?keyword=vmware&searchType=keywd&x=0&y=0 ; http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware ; http://web.nvd.nist.gov/view/vuln/search-results?query=vmware&search_type=all&cves=on
  Slide 29: https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf ; https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
  Slide 30: http://www.slideshare.net/ibmsecurity/cloud-security-what-you-need-to-know-about-ibm-smartcloud-security
  Slide 31: http://www-935.ibm.com/services/image/cybersecurity_infographic.jpg
  Slide 35: http://www.redbooks.ibm.com/abstracts/redp4614.html ; http://publib-b.boulder.ibm.com/abstracts/sg247928.html ; http://www.redbooks.ibm.com/abstracts/redp4893.html
  Slide 35: http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03045usen/WGL03045USEN.PDF ; https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf ; https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf