The Changing IT Threat Landscape: Three Steps to A Proactive Security Strategy
4. Changing Threat Landscape
Emerging trends, threats and responses
Khalid Kark, Vice President, Principal Analyst
4 © 2010 Forrester Research, Inc. Reproduction Prohibited
2009
5. Agenda
1. Threat: Changing Business Dynamics
2. Threat: Changing Threat Landscape
3. Threat: Empowered Employees
4. Best Practice: Focus Your People Controls To Maximize Impact
5. Best Practice: Manage Process Controls To Minimize Risk
6. Best Practice: Invest In Technology Controls To Gain Efficiencies
6. Security continues to play catch-up
Economics
Regulations
New business models
Consumerization
Business partners
Third-party service providers
8. The threat landscape keeps evolving . . .
Motivation: Fame → Financial gain
Method: Audacious → “Low and slow”
Focus: Indiscriminate → Targeted
Tools: Manual → Automated
Result: Disruptive → Disastrous
Type: Unique malware → Variant tool kits
Target: Infrastructure → Applications
Agent: Insider → Third parties
9. Method – Low and Slow
Target an individual or a corporation
Take your time to get the information
Can take weeks or months
May need to stop the “attack” for extended periods
“Trickle” of information over time
Goal – not get detected
Many breaches today are discovered
when something goes horribly wrong
Many don’t even know it exists
10. Tools: Automated
Web crawlers
Automated IM conversations
Escalation levels
Publicly available information
Archives
Better analytics and predictions
Self-learning systems - Artificial intelligence
11. Type: toolkits and variants
90K variants of Zeus malware
Mutation is a standard part of writing malware today
Adaptability to defenses is key
Advanced encryption algorithms
Tool kits and “do it yourself” kits
Botnets for hire – really cheap
Cost and variation are making existing malware defenses obsolete
13. Increased concern around empowered technologies
Web 2.0 (wikis, blogs, etc.): 40%
Cloud computing: 42%
Smartphones: 54%
Base: 1,025 North American and European IT Security decision-makers
Source: Forrsights Security Survey, Q3 2010
14. Exponential growth in social media adoption
[Chart: Daily visit social networking sites (e.g. Facebook, LinkedIn); vertical axis 0% to 40%; years 2008, 2009, 2010]
15. Mobile subscribers and connection speeds ascend
[Chart: Global mobile broadband subscribers (in millions); vertical axis 0 to 400; years 2008, 2009, 2010*]
Source: GSM Association
16. Rapid growth in cloud services
[Chart: Global IT market (US$ billions); series: IaaS, SaaS and PaaS; vertical axis $0 to $40; years 2009, 2010*, 2011*, 2012*, 2013*]
* Forrester forecast
18. Too many things on the plate – distracted decisions
[Bar chart; legend: Full, Most, Half; axis: 0% to 100%. Categories:]
Threat and vulnerability mgmt.
Technical infrastructure security
Data security
Identity and access management
Policy and risk management
Application security
Privacy and regulations
Third-party security
Business continuity/disaster recovery
Physical security
Fraud management
19. Reactive investment for security
Security staffing, 23%
Maintenance/licensing of existing security technology, 22%
New security technology, 18%
Upgrades to existing security technology, 17%
Security outsourcing and MSSP, 12%
Security consultants and integrators, 8%
20. Relying on vendors to answer strategic questions
21. Not having a broad scope
May 2010 “Security Organization 2.0: Building A Robust Security Organization”
24. Current state versus target
[Radar chart, scale 0 to 5; series: Ideal, Current, Target. Axes:]
Identity and access management
Threat and vulnerability management
Investigations and records management
Incident management
Sourcing and vendor management
Information asset management
Application systems development
Business continuity and disaster recovery
Source: Output from Forrester’s Information Security Maturity Model
26. Technology
MSSPs can play a huge role helping you here.
You're not just building on reactive controls but preventive ones as well.
– IDS to IPS
– SIEM and Log management
– DLP
– GRC
You're not investing in the best technologies but have a holistic and layered defense.
– Best of breed to easier integration and management.
– Strategic security partners
– Point solutions to layers of security
27. Reactionary spending versus planned allocations
Network Security, 25%
Data security, 15%
Security Ops, 14%
Application, 10%
Risk & compliance, 10%
Client & threat mgmt., 10%
IAM, 7%
Content, 7%
Source: Forrsights Security Survey, Q3 2010
28. Thank you
Khalid Kark
+1 469.221.5307
kkark@forrester.com
www.forrester.com
© 2009 Forrester Research, Inc. Reproduction Prohibited
Editor's notes
Economic downturn
– Efficient use of existing resources
– Cost cutting
– Emphasis on security and risk
Regulatory compliance
– Industry
– Region
– Country (legal)
New business models
– Outsourcing
– Cloud
– Business alliances
– Global presence
North American Technographics® Online Benchmark Survey, Q2 2010 (US)
*Source: North American Technographics® Interactive Marketing Online Survey, Q2 2009
**Source: North American Technographics® Media And Marketing Online Survey, Q2 2008