2014 Security Trends: Attacks Advance, Hiring Gets Harder, Skills Need Sharpening John Pescatore, Director SANS © 2014 The SANS™ Institute – www.sans.org

Aug 28, 2018


vukhuong

2014 Security Trends: Attacks Advance, Hiring Gets Harder, Skills Need Sharpening

John Pescatore, Director SANS


Making Security Advances During Turbulent Times

Threats aren’t standing still

Business/technology demands aren’t, either

Staffing: Force Multipliers Needed


CXO’s View of Security 2014

• University of Maryland

• Target breached, CIO resigns

• NSA/Snowden drip, drip, drip

• Heartbleed!


http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Security: Chute or Ladder?


Top 5 Game Changers

Choose your own IT (CYOIT)

Increased virtualization and use of cloud and software-as-a-service (SaaS)

The Internet of Things/everything

Supply chain integrity worries

Increased threat targeting/evasion


Mobility Drives Cloud and CYOIT

IT has less control over user devices

Heterogeneity will be the norm

Tablets and smartphones are not just small PCs!


% of employees using personally owned devices for work


Cost Reduction Drives Cloud and Virtualization


Percentage of installed x86 workloads running in a VM

2015    77%
2014    72%
2013    65%
2012    58%
2011    49%
2010    38%
2009    27%
2008    18%

Plans for use of hybrid cloud by YE2015


Ladders

Near term

Mobile Device Management/NAC

Cloud Security Standards

Policy/legal/awareness

Next year

Security as a Service

Business App Store

Data Encryption


Great, Now We Have to Secure an Internet of “Things”


Rapid Penetration


What Things Will Be First?

[Bar chart; vertical axis 0% to 80%. Categories: Consumer devices (set tops, security/camera, etc.); Smart building/HVAC automation/commercial building management; Electrical, water, gas production, utilities; Medical devices; Other transportation smart systems; Automotive smart systems; Manufacturing systems (not electrical, water, gas); Food production systems/refrigeration]

What types of IoT applications is your organization involved in or planning to be involved in?

Producing

Operating/Managing

Source: SANS 2013


Major Differences

Old Things                  New Things
General purpose OS          Embedded OS
Fixed, wired                Mobile, wireless
TCP/IP, 802.11, HTML5       Zigbee, IoT6, WebHooks
Layered apps                Embedded apps
Homogeneous                 Heterogeneous
Enterprise-driven           Consumer-driven
2-3 year life cycle         .2 to 20 year life cycle
Impact data                 Impact health/safety


Supply Chain Threats and Integrity

Assuring products haven’t been compromised

Detecting attacks against 3rd party vendors

Shortening incident response time


Ladders

Near term

Discovery/inventory (no client SW)

NNGFW/“Data Diodes”

Expand penetration testing

Next year

Next Generation DMZ/Security as a Service

Community “Device Stores”

OT/IT Integration


Increased Targeting and Evasion

More targeting of people and data

Evasion techniques extending compromises

Customers should not be our IDS!


Source: Verizon 2013 DBIR


Ladders

Near term

Critical Security Controls gap assess

Advanced Threat Detection/Forensics

White list on servers

Next year

Beachheads: data encryption, stronger authentication, privilege management

ISAC/Info Sharing/What Works


Staffing/Skills Today


Staffing/Skills Tomorrow


Staffing Growth Today


[Bar chart; vertical axis 0% to 30%. Categories: Unknown; More than 10% reduction; 1-10% reduction; No change; 1-10% increase; More than 10% increase]

Did your organization reduce or increase security staffing over the past 12 months?


Staffing Growth Tomorrow


[Bar chart; vertical axis 0% to 30%. Categories: Unknown; More than 10% reduction; 1-10% reduction; No change; 1-10% increase; More than 10% increase]

What is the projection for security staffing over the next 12 months?


Career Focus

Reduce: Administrative time spent Technical time

Increase: Upwards focus Forensics


Area of Focus            Today    Next 5 yrs
Management/Leadership    25.4%    33.1%
Administration           18.0%     5.2%
Engineering              17.8%    10.0%
Other                    11.9%     4.3%
Audit                    10.7%     5.9%
Forensics                 7.7%     9.7%
Testing                   4.4%     3.3%
Development               4.1%     3.0%


Career Success


Making Sure Load-bearing Security Processes Survive the Renovation

When something goes wrong, it’s either because there is too much process, too little process or the wrong process. (Mihnea Galeteanu)

• These inescapable trends will cause much breakage in existing governance and security processes and controls

• Critical Security Controls to review and update:
  • Inventory/Vulnerability Management
  • Privilege Management
  • Incident detection/prevention/response
  • Application security
  • Data protection
  • Staffing/awareness

• Communicating to management – ladders to take, chutes to avoid.