© 2010 Cisco Systems, Inc. All Rights Reserved. Cisco Public

Who Moved My Cheese?
Why The Security Industry Has Been Turned Upside Down
John N. Stewart
Vice President, Chief Security Officer
FIRST Conference 2010

Challenge Questions…

What is our adversary thinking… right… now…?

Significant Security Challenge Transitions
[Chart: Risk plotted against Time. Labels: Cloud, Virtualization, Information, Collaboration, Application Security, Applications and Databases, Endpoint Security, Mobility and Access, Perimeter Security, Datacenter Centric]

Global Flow of Information
• 5 Exabytes per month: 1.4 Billion DVDs crossing the Network
• 21 Exabytes per month: 4.8 Billion DVDs crossing the Network
• 56 Exabytes per month: 12.8 Billion DVDs crossing the Network
Source: Cisco Visual Networking Index

Video Will Dominate the Information Flow
[Chart: Global Consumer Internet Traffic (Annual) and Video Traffic. Values shown: 486 Exabytes, 180 Exabytes, 36 Exabytes]
91% of all Consumer Internet Traffic will be Video in 2013
Source: Cisco Visual Networking Index

World of Connected Devices
• Total 500 Million: 1/10th of a Device per Person on Earth
• Total 35 Billion: 5 Devices per Person on Earth
• Total 1 Trillion: 140 Devices per Person on Earth
Source: Forrester Research, Cisco

World of Applications
[Chart headings: TOTAL APPS; iPHONE APPS ALONE; MOBILE APPS WORLDWIDE]
Source: Apple, Windows Mobile, Cisco Analysis (Forecast of 2013 assuming consistent growth trends)

Increase in Security Threats
• 624,000
• 2,600,000
• 5,700,000 (projected)
Source: Symantec and Cisco Analysis

And Beyond…
PEOPLE TO PEOPLE
• High-Bandwidth Pipes
• Rich/Real-Time Interaction
• Enabling Media Experiences
• “Video is the killer app”
THINGS TO THINGS
• Low-Bandwidth and Low-Power
• Wireless Sensors Everywhere
• Non-Stop Flow of Data
• “SmartGrid is the anchor use case”
Business Internet, Consumer Internet, Industrial Internet

Asymmetric Problems in Assurance…
Expensive To Protect, Trivial To Shake Confidence
• We spend an amazing amount protecting, and it is trivial to circumvent
• Complexity is the enemy, and the opportunity
• Our adversaries use our practice against us, especially when it is fixed

Technology Integration Is Complex
[Diagram of overlapping labels for security technologies and threats, including: Virus Scanning - Host & Server, Vulnerability Scan, Risk Management, Physical Security Alerts, Network Intrusion Protection, Anomaly Detection, Access Control, Video Surveillance, DDoS, Event Logging, Website Defacement, Loss of Confidentiality, VPN, Firewall, Identity Management, Encryption Software]

40,000 Routers on Cisco’s network

Network Layers are Complex

Hosts are Complex

Data is Complex
2,000,000 Highly tuned IDS alerts per day

“Traditional” Practice Is Losing Effectiveness
www.shadowserver.org/ 14 June 2010
~10 million new hashed binaries in 2010 to date; ~70 million total seen

Where we are good is not what we need
Areas of Strength Today: Network and Device Security
• Device Security: CSA, Credent, Altiris, AV
• Application and Platform Security: Audit
• Service Security: XML GW
• Data Security: Email Encryption, PGP
• Network and System Management: Logging, Monitoring, AD, LDAP, Alerting
• Network Services / Cisco Network: FW, IDS, DLP, VPN, …

Web Security – The Data
Malicious Transactions Blocked
• 600,000+ including:
    • Malware downloads
    • Browser hijacking software
    • Unwanted advertisement software
    • Botnet check-ins
    • Trojan (backdoor) connections
• Average response to client = 1.4 seconds
• Average daily log data = 9Gb
• Average allowed web transactions passed = 500K/60 minutes
[Charts: Top 10 Blocked Web-based; Top Malware Threats blocked; Top 10 Blocked Domains; Reputation Scoring]

And Data is Moving
Measure, Manage, Secure, Scale

The best way to predict the future is to invent it.
--Alan Kay

Ask The Right Questions
You Get What You Measure, No Matter What
• Always question what you are doing – some things have declining investment and results
• Stop asking for best practices – start asking “what’s effective and how effective is it?”
• What can I see, what don’t I know, how will I know it when I need to?
• What can I shamelessly copy from someone else?

See, Don’t Feel – Analyze
Data Removes Emotion
[Diagram, three layers:
 Understanding / Strategy / Action: Hosting, Net Team, SecOps, Others
 Information: Event / Behavior Correlation, Network Analysis, System Analysis, Security Vendor, Others
 Data: Identity, Geo Location, Proximity, Homegrown Apps, Sensor, SCADA, Logs, Others]
“I have a series of questions, and the data gives the answers”
~ or ~
“I don’t know the questions yet; let’s look at the data”

A Trend is Emerging…
Trusted System or Service
Column headings: Trusted Platform; Software Assurance; Supply Chain Security; Independent Product Certification
• Authentication
• Trojan Prevention
• Threat Modeling
• Preferred Suppliers
• Strong Identity
• Identity Assurance
• Secure Logistics
• Standards-Based
• Secure Storage
• Safe Libraries
• Mutually Recognized
• Monitoring
• Run-Time Defenses
• Hardware Assurance
• Static Analysis
• Security Defect Triage and Resolution
• Compliance and Vulnerability Testing

My Responses
The Hard Work… Has Just Begun
• Manual / Automated
• Borders / Everywhere
• Unknown / Known/Assured

Enterprise Security Architecture Framework
[Diagram: horizontal layers (Device Security, Application and Platform Security, Service Security, Data Security, Network and System Mgmnt, Cisco Network Services) crossed by three vertical domains (Identity Management, Data Governance, Service Management). Other labels include: Alternate “Trusted Devices”, Device Identity & Access, Storage Platforms, External Audit, Inspection, Strong Authentication, Orchestration Engines, Classification, Regulatory “Awareness”, Data-Centric Policy, Identity Service, Service Catalog, Cross-Product Policy Library/Filters, Access Control, Location Contexting, Data/Svc Tracking, Common Admin Framework, External Provisioning, Cross-Product Policy Engines, IEN Policy Enforcement, Data “Tagging” Capabilities, Network Capabilities]

High-Level Targets
Identity Management
• Service opportunity for BUs
• STBU SAML exploration
• WebEx identity service concept
• External identity architecture
• External identity SOR
• Standards for identity “realms”
Data Governance
• Explore encryption gateway
• SSBU DLP capabilities
• PMBU policy enhancements
• External compliance effort
• Introduce inspection capabilities
Service Management
• Update policy, RFIs, SLAs, SOWs
• ACS/Positron integration (policy management)
• NMTG data tagging/CMS integration
• Security product integration with service mgmt
• Develop portfolio of “Just Good Enoughs” (JGE)
• Data model enhancements
• Introduce regulatory capture

Future Client Platform Environment
• Compliance
• Management
• Enforcement
• Remediation
[Diagram layers: Trusted layer; Managed Platform; Virtualized Environment; Network Environment]

Key Takeaways
Conclusions
This Phase is Different
• Big changes are having a profound effect on security
• “Know thyself” - attain a high degree of situational awareness
• Ask the right questions to get the right answers
• Look to the data to point the way

More Information
• Security Education: www.cisco.com/go/securityeducation
• Security Intelligence Operations: www.cisco.com/security
• Security Blog: blogs.cisco.com/security
• 2009 Security Annual Report: www.cisco.com/go/securityreport
