SlideShare a Scribd company logo
1 of 45
Download to read offline
Top 9 Data Security Trends for 2012

Amichai Shulman
CTO & Co-Founder
Agenda


   Trend selection process
   Score card for 2011
   Brief overview of 2012 trends
   In-depth discussion and mitigation techniques:
     + SSL Gets Hit in the Crossfire
     + Internal Collaboration Meets Its Evil Twin
     + NoSQL = No Security?
     + The Kimono Comes off of Conumerized IT
 Mitigation strategies for the other trends
Today’s Presenter
Amichai Shulman – CTO Imperva

 Speaker at Industry Events
   + RSA, Sybase Techwave, Info Security UK, Black Hat
 Lecturer on Info Security
   + Technion - Israel Institute of Technology
 Former security consultant to banks & financial services firms
 Leads the Application Defense Center (ADC)
   + Discovered over 20 commercial application vulnerabilities
      – Credited by Oracle, MS-SQL, IBM and others




         Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
Trend Selection Process


 Collect Information
   +   Media reports
   +   Analysts
   +   Incident reports
   +   Customer feedback
   +   Vulnerabilities, hacker forums
 Analyze
   + Extract the chaff from the wheat
 Trends are not necessarily technical
   + Information security is influenced by human nature at least as it
     is by technology
   + Business environment and legislative trends have huge impact
Scorecard for 2011 Predictions

        Trend                                                 Score

   1    Regulatory Convergence                                 B
   2    Information security becomes a business process        A
   3    Hacker activity consolidation                          A-
   4    Mobile devices impact data and application security    B
   5    Data and application security in the cloud             A-
   6    File security takes center stage                       A

   7    Social networks to invest in security                  A+

   8    Man in the browser attacks                             A+

   9    Insider threat awareness                               A+

   10   APT meets industrialized hacking                       A
Top Security Trends for 2012: Brief Overview


   SSL Gets Caught in the Crossfire
   HTML5 Goes Live
   DDoS Moves Up the Stack
   Internal Collaboration Meets Its Evil Twin
   NoSQL = NoSecurity?
   The Kimono Comes Off of Consumerized IT
   Anti-Social Media
   The Rise of the Middle Man
   Security (Finally) Trumps Compliance
SSL Gets Caught in the Crossfire

     The distributed trust model based on SSL and
    PKI as currently implemented is going bankrupt




7
                                             CONFIDENTIAL
Brief Overview of SSL




   Trust      Certificate Authority   Proof of Trust




       User                           Service
The Demise of the Trusted CA




  Trust       Certificate Authority   Proof of Trust




      User                            Service
Targeting Corporate Certificates




   Trust       Certificate Authority         Proof of Trust




                                       IDS/IPS

                                       Load Balancer
                     CDN
                                       WAF


       User                                  Service
Denial of Service Attacks




   Trust       Certificate Authority   Proof of Trust




       User                            Service
There’s More 




  Trust      Certificate Authority   Proof of Trust




      User                           Service
SSL Caught in the Crossfire: Mitigation Strategies




 Invoke a serious discussion about real
  alternatives for secure Web communications
   + Moxie Marlinspike took off the glove in Blackhat 2011
   + Requires both industry and academic research
 Strengthen anti-Dos and anti-DDoS protection
SSL Caught in the Crossfire: Summary


 Attackers are increasingly focusing their attacks against the
  various components of SSL
 Attacks against PKI
    + Attackers have repeatedly compromised various CA organizations
    + Any CA can issue a digital certificate for any application
    + A hacker, who gains control on any CA, can issue forged
      certificates and impersonate any website
 The theft of issued certificates
    + Application certificates are no longer limited to being stored by the
      application
    + Proxies, load balancers, content delivery networks, DLP and WAF
      solutions need to access the certificate’s private key
 Denial of service attacks
    + Heavy computational burden by the SSL-handshake process
SSL Caught in the Crossfire: Summary (cont.)


 Hackers will leverage SSL to carry out their attacks with
  increased confidentiality
   + Intermediate proxies cannot add headers to indicate original
     sender IP address
   + Loss of information when following a link from an SSL page to a
     non-SSL page
   + Security devices lose visibility due to encryption
 Same PKI infrastructure is used for code signing
   + OS security
   + Mobile app market security
Internal Collaboration Meets its Evil
                     Twin

      We expect to see a growing number of data
     breaches from internal collaboration platforms
                    used externally



16
                                              CONFIDENTIAL
In the Beginning…




        Internal Access
Food Brings Along Appetite




                             External Web access




        Internal Access      Partner access
Risks


 Confidential Data Control
   + A platform hosting confidential information is exposed externally
   + Access control and governance mechanisms are not necessarily
     scalable to large crowds
   + Lack of security and governance expertise around existing
     capabilities
Risks (cont.)


 Exposure to Search Engines
   + Search engines constantly crawl and update their indexing
     policies so that any breaches or mis-configured entry points are
     quickly apparent to all.
   + Google hacking tools. E.g. SharePoint GoogleDiggity, Sharepoint
     URLBrute
Risks (cont.)


 Increased Threat Profile - Hackers
   + Advanced technical skills
   + Global access and population size
   + Additional motivation
Internal Collaboration Meets its Evil Twin:
Mitigation Strategies



 Add attack protection solutions around collaboration
  suites
 Use strict monitoring and look for increased data
  governance solutions
 Introduce scalable user rights management
  solutions
 Look for data leakage by integrating classic DLP and
  Google Hacking services tools
Internal Collaboration Meets its Evil Twin: Summary


 We predict a growing number of data breaches due to
  internal collaboration platforms which are used
  externally.
   + Platforms such as Microsoft Sharepoint and Jive are used by
     many organizations to share information and manage content.
   + Some organizations have also extended the use to partners and
     even to the public via Websites.
 Risks of extending an internal platform to external use:
   + Data segregation.
       – Ensuring that stored sensitive data does not become accessible through the
         less restricted interfaces of the platform is not an easy task.
       – For the entire lifetime of the systems, controls should be put in place to
         allow collaboration and sharing of sensitive information within the
         organization while keeping it out of the reach of the general public.
Internal Collaboration Meets its Evil Twin: Summary
(cont.)

 Risks of extending an internal platform to external use -
  cont:
   + Threat profile - the difference between the internal and external
      threat.
        – The size of potential attacker population increases instantaneously.
        – Search engines constantly crawl and update their indexing policies so that
          any breaches or mis-configured entry points are quickly apparent to all.
        – Google hacking tools. E.g. SharePoint GoogleDiggity, Sharepoint URLBrute
NoSQL = No Security?

     We expect NoSQL data security to become a
      concern for enterprises next year, possibly
           following some actual breaches



25
                                             CONFIDENTIAL
BIG Overview of Big Data

                    Scalability
                    Availability
BIG Overview of Big Data Security


                       Scalability
                       Availability




Security has been pushed out of these
systems.
An innovative idea or a future problem?
RISKS



        Model Maturity

        Software Maturity

        Staff Maturity
Risks (cont.)


           Client Software – Re-
           inventing the Wheel

           Data Redundancy and
           Dispersion

           Privacy
NoSQL = No Security?: Mitigation Strategy




 General solutions are not expected before 2013
 Carefully choose dev team to include industry
  veterans
 Heavy use of code reviews
 Reduce direct exposure to end-users through
  intensive input validation and network
  segregation
NoSQL = No Security?: Summary


 Model Maturity
   + Not enough security built into existing offering
   + Desired security model is unclear
   + No guarantee that there is a match between existing capabilities
     and desired model
 Software Maturity
   + Server software is prone to vulnerabilities
   + Expect 5 years of vulnerability turmoil (based on past experience
     with SQL technologies)
 Staff Maturity
   + Everyone is new to NoSQL
   + Make it work first, if you’re still standing try to configure security
   + Staff bound to make configuration mistakes
NoSQL = No Security?: Summary (cont.)


 Client software is rebuilding security
   + Since security does not exist on server side it is rebuilt into every
     application
   + Adds complexity, lack of security expertise
   + Always left for last
 Data redundancy and dispersion
   + Inherent distribution and replication
   + Model is non-normalized
   + Harder to locate sensitive data
 Privacy concerns
   + Use cases jeopardize our ability to avoid being tracked by service
      providers
The Kimono Comes Off of
                Consumerized IT

     We expect organizations to spend a lot of time,
       money and effort on these techniques and
     technologies next year, with very poor results



33
                                               CONFIDENTIAL
IT Consumerization




               Enterprise Network
IT Consumerization + Cloud




               Enterprise Network
Taking Control Back?




               Enterprise Network
Taking Control Back?




               Enterprise Network
The Kimono Comes Off of Consumerized IT:
Mitigation Strategies




 Put more control around data store rather than
  end-point
 Consider structured and unstructured data alike
 Increase efforts towards detecting abuse of
  privileges
The Kimono Comes Off of Consumerized IT:
Summary

 Companies are trying to get control back the wrong way
  – Restricting their users
 It never worked in the past
   + Allow no Javascript
   + Don’t access social network from work
 Enterprise IT cannot scale to manage and control the
  amount of devices and its diversity
   + Track record of enterprise IT in avoiding infections and leakage
     from internal, enterprise owned machines is not that great
The Kimono Comes Off of Consumerized IT:
Summary (cont.)

 Enterprise infrastrcutre is required to provide the same
  level of world-wide availability and robustness of all
  cloud services together
   + Defeats the purpose of using cloud solutions to begin with
 Enterprise will need to address concerns regarding
  personal information controlled by corporate on end-user
  devices
Mitigation Strategies for the Other Trends




                                        CONFIDENTIAL
Dealing with the Other Trends: Mitigation
Strategies (1)

 HTML5 Goes Live
   + Assume user devices are compromised
   + Learn to interact with infected clients (challenge users, reduce
     functionality on the fly)
 DDoS Moves Up the Stack
   + Look for application layer protection
   + Visibility into SSL connections
   + Understand application messages
   + Differentiate application data from network Gibberish
Dealing with the Other Trends: Mitigation
Strategies (2)

 Anti-Social Media
   + Solutions must be incorporated into existing platforms by
     enterprises themselves.
       – Solutions will have to rely on 3rd parties that offer trust and data control
         services over the social media platform.
       – No current market solution ready to handle these problems.

 Security (Finally) Trumps Compliance
   + Perform wise security decisions based on actual risk
     management
   + Implement security and then assess whether they have done
     enough in the context of each regulation
Webinar Materials

 Get LinkedIn to
 Imperva Data Security Direct for…

                         Answers to
        Post-Webinar
                          Attendee
         Discussions
                         Questions



          Webinar
                        Webinar Slides
       Recording Link
www.imperva.com

More Related Content

What's hot

Trend Micro: Security Challenges and Solutions for the Cloud (Saas) & Cloud S...
Trend Micro: Security Challenges and Solutions for the Cloud (Saas) & Cloud S...Trend Micro: Security Challenges and Solutions for the Cloud (Saas) & Cloud S...
Trend Micro: Security Challenges and Solutions for the Cloud (Saas) & Cloud S...Ingram Micro Cloud
 
Infonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardInfonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardCisco Security
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Cisco Security
 
Cloud Insecurity and True Accountability - Guardtime Whitepaper
Cloud Insecurity and True Accountability - Guardtime WhitepaperCloud Insecurity and True Accountability - Guardtime Whitepaper
Cloud Insecurity and True Accountability - Guardtime WhitepaperMartin Ruubel
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonUlf Mattsson
 
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Bruno Caseiro
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromiseCMR WORLD TECH
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...Entrust Datacard
 
Ransomware webinar may 2016 final version external
Ransomware webinar   may 2016 final version externalRansomware webinar   may 2016 final version external
Ransomware webinar may 2016 final version externalZscaler
 
The_CNPITH_STORY_V1.2(draft)
The_CNPITH_STORY_V1.2(draft)The_CNPITH_STORY_V1.2(draft)
The_CNPITH_STORY_V1.2(draft)David Simpson
 
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
KSI for IoT Security - Turning Defence Into Offence - Guardtime WhitepaperKSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
KSI for IoT Security - Turning Defence Into Offence - Guardtime WhitepaperMartin Ruubel
 
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideSwitch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideEntrust Datacard
 
How Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & SecureHow Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & Securescoopnewsgroup
 
Are Your Appliance Security Solutions Ready For 2048-bit SSL Certificates ?
Are Your Appliance Security Solutions Ready For 2048-bit SSL Certificates ?Are Your Appliance Security Solutions Ready For 2048-bit SSL Certificates ?
Are Your Appliance Security Solutions Ready For 2048-bit SSL Certificates ?michaelbasoah
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code ProtectionPerforce
 
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend MicroRoadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend MicroPrime Infoserv
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentationAndrew Wong
 
ISACA Houston Texas Chapter 2010
ISACA Houston Texas Chapter 2010ISACA Houston Texas Chapter 2010
ISACA Houston Texas Chapter 2010Ulf Mattsson
 
Trend Micro - is your cloud secure
Trend Micro - is your cloud secureTrend Micro - is your cloud secure
Trend Micro - is your cloud secureKappa Data
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec
 

What's hot (20)

Trend Micro: Security Challenges and Solutions for the Cloud (Saas) & Cloud S...
Trend Micro: Security Challenges and Solutions for the Cloud (Saas) & Cloud S...Trend Micro: Security Challenges and Solutions for the Cloud (Saas) & Cloud S...
Trend Micro: Security Challenges and Solutions for the Cloud (Saas) & Cloud S...
 
Infonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor ScorecardInfonetics Network and Content Security Vendor Scorecard
Infonetics Network and Content Security Vendor Scorecard
 
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
Gartner Newsletter: Cisco TrustSec Deployed Across Enterprise Campus, Branch ...
 
Cloud Insecurity and True Accountability - Guardtime Whitepaper
Cloud Insecurity and True Accountability - Guardtime WhitepaperCloud Insecurity and True Accountability - Guardtime Whitepaper
Cloud Insecurity and True Accountability - Guardtime Whitepaper
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
 
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
Reduciendo riesgos a través de controles de acceso, manejo de privilegios y a...
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
 
Ransomware webinar may 2016 final version external
Ransomware webinar   may 2016 final version externalRansomware webinar   may 2016 final version external
Ransomware webinar may 2016 final version external
 
The_CNPITH_STORY_V1.2(draft)
The_CNPITH_STORY_V1.2(draft)The_CNPITH_STORY_V1.2(draft)
The_CNPITH_STORY_V1.2(draft)
 
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
KSI for IoT Security - Turning Defence Into Offence - Guardtime WhitepaperKSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
KSI for IoT Security - Turning Defence Into Offence - Guardtime Whitepaper
 
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideSwitch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
 
How Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & SecureHow Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & Secure
 
Are Your Appliance Security Solutions Ready For 2048-bit SSL Certificates ?
Are Your Appliance Security Solutions Ready For 2048-bit SSL Certificates ?Are Your Appliance Security Solutions Ready For 2048-bit SSL Certificates ?
Are Your Appliance Security Solutions Ready For 2048-bit SSL Certificates ?
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code Protection
 
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend MicroRoadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
 
ISACA Houston Texas Chapter 2010
ISACA Houston Texas Chapter 2010ISACA Houston Texas Chapter 2010
ISACA Houston Texas Chapter 2010
 
Trend Micro - is your cloud secure
Trend Micro - is your cloud secureTrend Micro - is your cloud secure
Trend Micro - is your cloud secure
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
 

Similar to Top 9 Data Security Trends for 2012

The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats -  CSA Congress, San JoseThe Notorious 9 Cloud Computing Threats -  CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San JoseMoshe Ferber
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 sucesuminas
 
The Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny HeaberlinThe Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny HeaberlinCloud Expo
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7Mark Interrante
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)Norm Barber
 
Security Everywhere: A Growth Engine for the Digital Economy
Security Everywhere: A Growth Engine for the Digital EconomySecurity Everywhere: A Growth Engine for the Digital Economy
Security Everywhere: A Growth Engine for the Digital EconomyCisco Russia
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyOrganization
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...PROIDEA
 
IBM per la sicurezza del Datacenter
IBM per la sicurezza del DatacenterIBM per la sicurezza del Datacenter
IBM per la sicurezza del DatacenterAnna Landolfi
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021lior mazor
 
F_DR_Dark Reading Editorial Report_March 2022.pdf
F_DR_Dark Reading Editorial Report_March 2022.pdfF_DR_Dark Reading Editorial Report_March 2022.pdf
F_DR_Dark Reading Editorial Report_March 2022.pdfjosbjs
 
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan RowcliffeNo More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan RowcliffeCore Security
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSAmazon Web Services
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecuritySvetlana Belyaeva
 
Embracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifyEmbracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifySumana Mehta
 

Similar to Top 9 Data Security Trends for 2012 (20)

The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats -  CSA Congress, San JoseThe Notorious 9 Cloud Computing Threats -  CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
 
The Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny HeaberlinThe Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny Heaberlin
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7HP2065_TieCon_Presentation_V7
HP2065_TieCon_Presentation_V7
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
Security Everywhere: A Growth Engine for the Digital Economy
Security Everywhere: A Growth Engine for the Digital EconomySecurity Everywhere: A Growth Engine for the Digital Economy
Security Everywhere: A Growth Engine for the Digital Economy
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
 
150819_oml_pki_v1p
150819_oml_pki_v1p150819_oml_pki_v1p
150819_oml_pki_v1p
 
150819_oml_pki_v1p
150819_oml_pki_v1p150819_oml_pki_v1p
150819_oml_pki_v1p
 
IBM per la sicurezza del Datacenter
IBM per la sicurezza del DatacenterIBM per la sicurezza del Datacenter
IBM per la sicurezza del Datacenter
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
F_DR_Dark Reading Editorial Report_March 2022.pdf
F_DR_Dark Reading Editorial Report_March 2022.pdfF_DR_Dark Reading Editorial Report_March 2022.pdf
F_DR_Dark Reading Editorial Report_March 2022.pdf
 
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan RowcliffeNo More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity
 
Embracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifyEmbracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and Centrify
 

More from Imperva

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyImperva
 
API Security Survey
API Security SurveyAPI Security Survey
API Security SurveyImperva
 
Imperva ppt
Imperva pptImperva ppt
Imperva pptImperva
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountImperva
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Imperva
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesImperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchImperva
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecurityImperva
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRImperva
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet SophisticationImperva
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made EasyImperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR PlanImperva
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 

More from Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation FoundationHacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Recently uploaded

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 

Recently uploaded (20)

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 

Top 9 Data Security Trends for 2012

  • 1. Top 9 Data Security Trends for 2012 Amichai Shulman CTO & Co-Founder
  • 2. Agenda  Trend selection process  Score card for 2011  Brief overview of 2012 trends  In-depth discussion and mitigation techniques: + SSL Gets Hit in the Crossfire + Internal Collaboration Meets Its Evil Twin + NoSQL = No Security? + The Kimono Comes off of Conumerized IT  Mitigation strategies for the other trends
  • 3. Today’s Presenter Amichai Shulman – CTO Imperva  Speaker at Industry Events + RSA, Sybase Techwave, Info Security UK, Black Hat  Lecturer on Info Security + Technion - Israel Institute of Technology  Former security consultant to banks & financial services firms  Leads the Application Defense Center (ADC) + Discovered over 20 commercial application vulnerabilities – Credited by Oracle, MS-SQL, IBM and others Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
  • 4. Trend Selection Process  Collect Information + Media reports + Analysts + Incident reports + Customer feedback + Vulnerabilities, hacker forums  Analyze + Extract the chaff from the wheat  Trends are not necessarily technical + Information security is influenced by human nature at least as it is by technology + Business environment and legislative trends have huge impact
  • 5. Scorecard for 2011 Predictions Trend Score 1 Regulatory Convergence B 2 Information security becomes a business process A 3 Hacker activity consolidation A- 4 Mobile devices impact data and application security B 5 Data and application security in the cloud A- 6 File security takes center stage A 7 Social networks to invest in security A+ 8 Man in the browser attacks A+ 9 Insider threat awareness A+ 10 APT meets industrialized hacking A
  • 6. Top Security Trends for 2012: Brief Overview  SSL Gets Caught in the Crossfire  HTML5 Goes Live  DDoS Moves Up the Stack  Internal Collaboration Meets Its Evil Twin  NoSQL = NoSecurity?  The Kimono Comes Off of Consumerized IT  Anti-Social Media  The Rise of the Middle Man  Security (Finally) Trumps Compliance
  • 7. SSL Gets Caught in the Crossfire The distributed trust model based on SSL and PKI as currently implemented is going bankrupt 7 CONFIDENTIAL
  • 8. Brief Overview of SSL Trust Certificate Authority Proof of Trust User Service
  • 9. The Demise of the Trusted CA Trust Certificate Authority Proof of Trust User Service
  • 10. Targeting Corporate Certificates Trust Certificate Authority Proof of Trust IDS/IPS Load Balancer CDN WAF User Service
  • 11. Denial of Service Attacks Trust Certificate Authority Proof of Trust User Service
  • 12. There’s More  Trust Certificate Authority Proof of Trust User Service
  • 13. SSL Caught in the Crossfire: Mitigation Strategies  Invoke a serious discussion about real alternatives for secure Web communications + Moxie Marlinspike took off the glove in Blackhat 2011 + Requires both industry and academic research  Strengthen anti-Dos and anti-DDoS protection
  • 14. SSL Caught in the Crossfire: Summary  Attackers are increasingly focusing their attacks against the various components of SSL  Attacks against PKI + Attackers have repeatedly compromised various CA organizations + Any CA can issue a digital certificate for any application + A hacker, who gains control on any CA, can issue forged certificates and impersonate any website  The theft of issued certificates + Application certificates are no longer limited to being stored by the application + Proxies, load balancers, content delivery networks, DLP and WAF solutions need to access the certificate’s private key  Denial of service attacks + Heavy computational burden by the SSL-handshake process
  • 15. SSL Caught in the Crossfire: Summary (cont.)  Hackers will leverage SSL to carry out their attacks with increased confidentiality + Intermediate proxies cannot add headers to indicate original sender IP address + Loss of information when following a link from an SSL page to a non-SSL page + Security devices lose visibility due to encryption  Same PKI infrastructure is used for code signing + OS security + Mobile app market security
  • 16. Internal Collaboration Meets its Evil Twin We expect to see a growing number of data breaches from internal collaboration platforms used externally 16 CONFIDENTIAL
  • 17. In the Beginning… Internal Access
  • 18. Food Brings Along Appetite External Web access Internal Access Partner access
  • 19. Risks  Confidential Data Control + A platform hosting confidential information is exposed externally + Access control and governance mechanisms are not necessarily scalable to large crowds + Lack of security and governance expertise around existing capabilities
  • 20. Risks (cont.)  Exposure to Search Engines + Search engines constantly crawl and update their indexing policies so that any breaches or mis-configured entry points are quickly apparent to all. + Google hacking tools. E.g. SharePoint GoogleDiggity, Sharepoint URLBrute
  • 21. Risks (cont.)  Increased Threat Profile - Hackers + Advanced technical skills + Global access and population size + Additional motivation
  • 22. Internal Collaboration Meets its Evil Twin: Mitigation Strategies  Add attack protection solutions around collaboration suites  Use strict monitoring and look for increased data governance solutions  Introduce scalable user rights management solutions  Look for data leakage by integrating classic DLP and Google Hacking services tools
  • 23. Internal Collaboration Meets its Evil Twin: Summary  We predict a growing number of data breaches due to internal collaboration platforms which are used externally. + Platforms such as Microsoft Sharepoint and Jive are used by many organizations to share information and manage content. + Some organizations have also extended the use to partners and even to the public via Websites.  Risks of extending an internal platform to external use: + Data segregation. – Ensuring that stored sensitive data does not become accessible through the less restricted interfaces of the platform is not an easy task. – For the entire lifetime of the systems, controls should be put in place to allow collaboration and sharing of sensitive information within the organization while keeping it out of the reach of the general public.
  • 24. Internal Collaboration Meets its Evil Twin: Summary (cont.)  Risks of extending an internal platform to external use - cont: + Threat profile - the difference between the internal and external threat. – The size of potential attacker population increases instantaneously. – Search engines constantly crawl and update their indexing policies so that any breaches or mis-configured entry points are quickly apparent to all. – Google hacking tools. E.g. SharePoint GoogleDiggity, Sharepoint URLBrute
  • 25. NoSQL = No Security? We expect NoSQL data security to become a concern for enterprises next year, possibly following some actual breaches 25 CONFIDENTIAL
  • 26. BIG Overview of Big Data Scalability Availability
  • 27. BIG Overview of Big Data Security Scalability Availability Security has been pushed out of these systems. An innovative idea or a future problem?
  • 28. RISKS Model Maturity Software Maturity Staff Maturity
  • 29. Risks (cont.) Client Software – Re- inventing the Wheel Data Redundancy and Dispersion Privacy
  • 30. NoSQL = No Security?: Mitigation Strategy  General solutions are not expected before 2013  Carefully choose dev team to include industry veterans  Heavy use of code reviews  Reduce direct exposure to end-users through intensive input validation and network segregation
  • 31. NoSQL = No Security?: Summary  Model Maturity + Not enough security built into existing offering + Desired security model is unclear + No guarantee that there is a match between existing capabilities and desired model  Software Maturity + Server software is prone to vulnerabilities + Expect 5 years of vulnerability turmoil (based on past experience with SQL technologies)  Staff Maturity + Everyone is new to NoSQL + Make it work first, if you’re still standing try to configure security + Staff bound to make configuration mistakes
  • 32. NoSQL = No Security?: Summary (cont.)  Client software is rebuilding security + Since security does not exist on server side it is rebuilt into every application + Adds complexity, lack of security expertise + Always left for last  Data redundancy and dispersion + Inherent distribution and replication + Model is non-normalized + Harder to locate sensitive data  Privacy concerns + Use cases jeopardize our ability to avoid being tracked by service providers
  • 33. The Kimono Comes Off of Consumerized IT We expect organizations to spend a lot of time, money and effort on these techniques and technologies next year, with very poor results 33 CONFIDENTIAL
  • 34. IT Consumerization Enterprise Network
  • 35. IT Consumerization + Cloud Enterprise Network
  • 36. Taking Control Back? Enterprise Network
  • 37. Taking Control Back? Enterprise Network
  • 38. The Kimono Comes Off of Consumerized IT: Mitigation Strategies  Put more control around data store rather than end-point  Consider structured and unstructured data alike  Increase efforts towards detecting abuse of privileges
  • 39. The Kimono Comes Off of Consumerized IT: Summary  Companies are trying to get control back the wrong way – Restricting their users  It never worked in the past + Allow no Javascript + Don’t access social network from work  Enterprise IT cannot scale to manage and control the amount of devices and its diversity + Track record of enterprise IT in avoiding infections and leakage from internal, enterprise owned machines is not that great
  • 40. The Kimono Comes Off of Consumerized IT: Summary (cont.)  Enterprise infrastrcutre is required to provide the same level of world-wide availability and robustness of all cloud services together + Defeats the purpose of using cloud solutions to begin with  Enterprise will need to address concerns regarding personal information controlled by corporate on end-user devices
  • 41. Mitigation Strategies for the Other Trends CONFIDENTIAL
  • 42. Dealing with the Other Trends: Mitigation Strategies (1)  HTML5 Goes Live + Assume user devices are compromised + Learn to interact with infected clients (challenge users, reduce functionality on the fly)  DDoS Moves Up the Stack + Look for application layer protection + Visibility into SSL connections + Understand application messages + Differentiate application data from network Gibberish
  • 43. Dealing with the Other Trends: Mitigation Strategies (2)  Anti-Social Media + Solutions must be incorporated into existing platforms by enterprises themselves. – Solutions will have to rely on 3rd parties that offer trust and data control services over the social media platform. – No current market solution ready to handle these problems.  Security (Finally) Trumps Compliance + Perform wise security decisions based on actual risk management + Implement security and then assess whether they have done enough in the context of each regulation
  • 44. Webinar Materials Get LinkedIn to Imperva Data Security Direct for… Answers to Post-Webinar Attendee Discussions Questions Webinar Webinar Slides Recording Link