© 2010 Cisco Systems, Inc. All rights reserved. Cisco Public
Who Moved My Cheese? Why The Security Industry Has Been Turned Upside Down
John N. Stewart, [email protected]
Vice President, Chief Security Officer
FIRST Conference 2010
Challenge Questions…
What is our adversary thinking… right… now… ?
Significant Security Challenge Transitions
(Chart: Risk versus Time; each transition below raises the risk curve)
• Perimeter Security: Datacenter Centric
• Endpoint Security: Mobility and Access
• Application Security: Applications and Databases
• Information: Collaboration
• Cloud: Virtualization
Global Flow of Information
5 Exabytes per month (1.4 Billion DVDs crossing the Network)
21 Exabytes per month (4.8 Billion DVDs crossing the Network)
56 Exabytes per month (12.8 Billion DVDs crossing the Network)
Source: Cisco Visual Networking Index
Video Will Dominate the Information Flow
Global Consumer Internet Traffic (Annual): 36 Exabytes, 180 Exabytes, 486 Exabytes (video traffic shown as the dominant share)
91% of all Consumer Internet Traffic will be Video in 2013
Source: Cisco Visual Networking Index
World of Connected Devices
Total 500 Million: 1/10th of a Device per Person on Earth
Total 35 Billion: 5 Devices per Person on Earth
Total 1 Trillion: 140 Devices per Person on Earth
Source: Forrester Research, Cisco
World of Applications
(Chart: Total iPhone Apps Alone versus Mobile Apps Worldwide)
Source: Apple, Windows Mobile, Cisco Analysis (Forecast of 2013 assuming consistent growth trends)
Increase in Security Threats
624,000; 2,600,000; 5,700,000 (projected)
Source: Symantec and Cisco Analysis
And Beyond…
People to People: High-Bandwidth Pipes; Rich/Real-Time Interaction; Enabling Media Experiences. “Video is the killer app”
Things to Things: Low-Bandwidth and Low-Power; Wireless Sensors Everywhere; Non-Stop Flow of Data. “SmartGrid is the anchor use case”
Business Internet / Consumer Internet / Industrial Internet
Asymmetric Problems in Assurance… Expensive To Protect, Trivial To Shake Confidence
• We spend an amazing amount protecting, and it is trivial to circumvent
• Complexity is the enemy, and the opportunity
• Our adversaries use our practice against us, especially when it is fixed
Technology Integration Is Complex
(Word cloud of security functions: Virus Scanning - Host & Server; Vulnerability Scan; Risk Management; Physical Security; Alerts; Site Security; Network Intrusion; Compliance Validation; Unintentional Loss; Virus Outbreak; Anomaly Detection; Access Control; Mitigation; Theft; Video Surveillance; DDoS Protection; Event Logging; Endpoint Security; Application Security; Vulnerability Assessment; Router/Switch Security; One-Time Token; Software Loss of Confidentiality; Website Defacement; Facility Management; VPN; User Transaction Security; Firewall Management; Application Optimization; Multifunction Security; Identity Management; Encryption Software)
40,000 Routers on Cisco’s network
Network Layers are Complex
Hosts are Complex
Data is Complex
2,000,000 highly tuned IDS alerts per day
“Traditional” Practice Is Losing Effectiveness
www.shadowserver.org/, 14 June 2010: ~10 million new hashed binaries in 2010 to date; ~70 million total seen
Where we are good is not what we need
Areas of Strength Today: Network and Device Security
• Device Security: CSA, Credent, Altiris, AV
• Application and Platform Security: Audit, Service Security, XML GW
• Data Security: Email Encryption, PGP
• Network and System Management: Logging, Monitoring, AD, LDAP, Alerting
• Network Services: Cisco Network, FW, IDS, DLP, VPN, …
Web Security – The Data
Malicious Transactions Blocked: 600,000+, including malware downloads, browser hijacking software, unwanted advertisement software, botnet check-ins, and Trojan (backdoor) connections
• Average response to client = 1.4 seconds
• Average daily log data = 9 GB
• Average allowed web transactions passed = 500K/60 minutes
(Charts: Top 10 Blocked Web-based Threats; Top Malware Blocked; Top 10 Blocked Domains; Reputation Scoring)
And Data is Moving: Measure, Manage, Secure, Scale
The best way to predict the future is to invent it.
--Alan Kay
Ask The Right Questions: You Get What You Measure, No Matter What
• Always question what you are doing – some things have declining investment and results
• Stop asking for best practices – start asking “what’s effective and how effective is it?”
• What can I see, what don’t I know, how will I know it when I need to?
• What can I shamelessly copy from someone else?
See, Don’t Feel – Analyze. Data Removes Emotion
(Pipeline diagram, bottom to top)
• Data sources: Identity; Geo Location; Proximity; Homegrown Apps; Data; Sensor; SCADA; Others; Logs
• Event / Behavior: Network Analysis; System Analysis; Correlation; Security Vendor; Others
• Information → Understanding / Strategy / Action: Hosting; Net Team; SecOps; Others
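What the Correlation stage of this pipeline looks like when it is asked a concrete question ("which users authenticated from somewhere they cannot physically be?"), as an added example; this is not code from the deck or from Cisco. It joins three of the feeds named on the slide (Identity: VPN/SSO authentication events; Geo Location: an IP-prefix-to-coordinates table; Proximity: badge-in records) and raises an alert when either consecutive logins imply impossible travel, or a badge-in at a site disagrees with where the login came from. The log formats, the RFC 5737 documentation prefixes and their coordinates, the 900 km/h and 100 km thresholds, and every function name are assumptions made for illustration; the sample log lines are constructed.

```python
"""Correlating identity, geo and proximity feeds to answer one question.

Added example with constructed sample data (not Cisco's code). Log formats,
prefixes, coordinates and thresholds are assumptions made for illustration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed identity feed: VPN/SSO authentication events as key=value lines.
AUTH_LOG = """\
2010-06-14T08:02:11Z user=alice src=203.0.113.7 result=success
2010-06-14T08:05:40Z user=bob src=198.51.100.22 result=success
2010-06-14T08:09:02Z user=alice src=192.0.2.45 result=success
2010-06-14T08:15:19Z user=carol src=198.51.100.23 result=failure
2010-06-14T08:16:03Z user=carol src=198.51.100.23 result=success
"""

# Constructed proximity feed: physical badge-ins at a site.
BADGE_LOG = """\
2010-06-14T07:55:00Z user=alice site=SJC
2010-06-14T08:10:00Z user=carol site=RTP
"""

# Constructed geo feed: RFC 5737 documentation prefixes mapped to assumed (lat, lon).
GEO_PREFIXES = {
    ip_network("203.0.113.0/24"): (37.37, -121.92),  # assumed: San Jose, CA
    ip_network("198.51.100.0/24"): (35.91, -78.86),  # assumed: Research Triangle Park, NC
    ip_network("192.0.2.0/24"): (50.45, 30.52),      # assumed: far from both sites
}
SITES = {"SJC": (37.37, -121.92), "RTP": (35.91, -78.86)}  # assumed badge sites

MAX_PLAUSIBLE_KMH = 900   # faster than an airliner: treated as impossible travel
NEAR_SITE_KM = 100        # a login within this radius agrees with a badge-in
BADGE_WINDOW = timedelta(hours=1)


def parse_kv_log(text):
    """Parse 'TIMESTAMP k=v k=v ...' lines into dicts; the timestamp goes under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def locate(ip_text):
    """Return (lat, lon) for an address, or None when no prefix in the geo feed matches."""
    ip = ip_address(ip_text)
    for net, coords in GEO_PREFIXES.items():
        if ip in net:
            return coords
    return None


def correlate(auth_events, badge_events):
    """Join the feeds and return a list of alert dicts (rule, user, detail)."""
    alerts = []
    # Only successful logins with a known location can be placed on the map.
    ok = [e for e in auth_events if e["result"] == "success" and locate(e["src"])]
    ok.sort(key=lambda e: (e["user"], e["ts"]))

    # Rule 1: impossible travel between consecutive successful logins of one user.
    for prev, cur in zip(ok, ok[1:]):
        if prev["user"] != cur["user"]:
            continue
        km = haversine_km(locate(prev["src"]), locate(cur["src"]))
        hours = max((cur["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)
        if km > NEAR_SITE_KM and km / hours > MAX_PLAUSIBLE_KMH:
            alerts.append({"rule": "impossible_travel", "user": cur["user"],
                           "detail": f"{km:.0f} km in {hours * 60:.0f} min"})

    # Rule 2: the badge feed places the user at a site, but the login comes from far away.
    for auth in ok:
        for badge in badge_events:
            if badge["user"] != auth["user"] or abs(auth["ts"] - badge["ts"]) > BADGE_WINDOW:
                continue
            km = haversine_km(SITES[badge["site"]], locate(auth["src"]))
            if km > NEAR_SITE_KM:
                alerts.append({"rule": "badge_geo_mismatch", "user": auth["user"],
                               "detail": f"badged {badge['site']}, login {km:.0f} km away"})
    return alerts


def run():
    """Run both rules over the constructed feeds."""
    return correlate(parse_kv_log(AUTH_LOG), parse_kv_log(BADGE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert["rule"], alert["user"], alert["detail"])
```

On the constructed data only alice trips both rules: two logins seven minutes apart from prefixes nearly 10,000 km apart, the second of which also contradicts her badge-in at SJC; carol's failed attempt is ignored and her successful login agrees with her RTP badge-in. The point of the slide survives the toy scale: each rule is a question written down in advance, and the feeds either answer it or reveal a gap (here, any login from a prefix missing from the geo feed is silently unplaceable, which is itself something to measure).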
“I have a series of questions, and the data gives the answers” ~ or ~ “I don’t know the questions yet; let’s look at the data”
A Trend is Emerging…
Trusted System or Service
Pillars: Trusted Platform; Software Assurance; Supply Chain Assurance; Independent Security Product Certification
Elements: Authentication; Trojan Prevention; Threat Modeling; Preferred Suppliers; Strong Identity; Identity Assurance; Secure Logistics; Standards-Based; Secure Storage; Safe Libraries; Mutually Recognized; Monitoring; Run-Time Defenses; Hardware Assurance; Static Analysis; Security Defect Triage and Resolution; Compliance and Vulnerability Testing
My Responses: The Hard Work… Has Just Begun
• Manual → Automated
• Borders → Everywhere
• Unknown → Known/Assured
Enterprise Security Architecture Framework
(Diagram; recoverable labels)
Management domains: Governance; Data Management; Service Management; Identity Management
Components: Alternate “Trusted Devices”; Device Identity & Access; Storage Platforms; Device Security; External Audit / Inspection Vehicles; Application and Platform / Service Security; Personal Functionality; Strong Authentication; Orchestration Engines; Data Security Classification; Regulatory, Data-Centric Data Security; Identity “Awareness”; Policy Service Catalog; Cross-Product Policy Library/Filters; Access Control; Location; Network and Data/Svc Contexting; System Mgmt; Common Tracking Id; Admin Provisioning; External Framework; Cross-Product Capabilities; Policy Engines; IEN Policy Enforcement; Cisco Network Services; Data “Tagging” Capabilities
High-Level Targets
Identity Management
• Service opportunity for BUs
• STBU SAML exploration
• WebEx identity service concept
• External identity architecture
• External identity SOR
• Standards for identity “realms”
Data Governance
• Explore encryption gateway
• SSBU DLP capabilities
• PMBU policy enhancements
• External compliance effort
• Introduce inspection capabilities
Service Management
• Update policy, RFIs, SLAs, SOWs
• ACS/Positron integration (policy management)
• NMTG data tagging/CMS integration
• Security product integration with service mgmt
• Develop portfolio of “Just Good Enoughs” (JGE)
• Data model enhancements
• Introduce regulatory capture
Future Client Platform Environment
• Compliance • Management • Enforcement • Remediation
Layers: Trusted layer; Managed Platform; Virtualized Environment; Network Environment
Key Takeaways / Conclusions
• This Phase is Different: big changes are having a profound effect on security
• “Know thyself” - attain a high degree of situational awareness
• Ask the right questions to get the right answers
• Look to the data to point the way
More Information
Security Education: www.cisco.com/go/securityeducation
Security Intelligence Operations: www.cisco.com/security
Security Blog: blogs.cisco.com/security
2009 Security Annual Report: www.cisco.com/go/securityreport