At the HP Software Performance Tour 2014 Pierpaolo Ali’, South Europe Sales Director - HP Enterprise Security Products, illustrated the 2014 vulnerability landscape in IT security.

1. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Guarding against the
Breach
The 2014 Vulnerability Landscape
Pierpaolo Ali’
South Europe Sales Director
HP Enterprise Security Products
June 17, 2014

2. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.2
Discover
y
The attack lifecycle
Researc
h
Our
enterprise
Their
ecosystem
Infiltration
Capture
Exfiltration

3. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3
Discover
y
How we can disrupt the market
Researc
h
Our
enterprise
Their
ecosystem
Infiltration
Capture
Exfiltration
Planning
damage
mitigation
Educating users
Counter intel

4. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4
Agenda
2013 Cyber Risk Report key findings
Understanding Exactly how the Attacker Ecosystem Works
HP Security Research
Building Security in Maturity Model

5. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
2013 Cyber Risk Report

6. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.6
Key Findings
Research gains attention, but vulnerability
disclosures stabilize and decrease in severity
80% of applications contain
vulnerabilities exposed by incorrect
configuration
Differing definitions of “malware” make
measuring mobile malware risk extremely
difficult

7. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7
Key Findings
The attack surface allows for
multiple avenues for compromise
46% of mobile iOS and Android
applications use encryption improperly
Internet Explorer was the software most
targeted by Zero Day Initiative (ZDI)
researchers

8. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.8
Key Findings
SCADA systems are
increasingly targeted
Sandbox bypass vulnerabilities
are the #1 issue for Java

9. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9
Conclusions
Mitigate
Risk
Respond
Appropriately
Reduce
Attack Surface

10. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10
Going beyond the basics of best practices
Remember that people are part of your
organization’s perimeter too
Don’t rely solely on traditional defensive
perimeter security
Expect to be compromised

11. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.11
Going beyond the basics of best practices
Make security and response a continuous
process
Understand that not all information and
network assets are equal
Seek out credible and reliable security
intelligence

12. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Understanding exactly how the
Attacker Ecosystem Works

13. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.13
A recent event

14. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.14
Repeat attacks
Company A NEW
EVENT
Zero
Day
Company B
Company CMalicious
IP Address
Malwar
e
Variant
NEW
EVENT
NEW
EVENT

15. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.15
Recruiting

16. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16
Job offers

17. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.17
Escrow services

18. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.18
Training

19. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
HP Security Research

20. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20
HP Enterprise Security Products

21. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21
HP Security Research
SANS, CERT, NIST, ReversingLabs, software, and reputation vendors
• ~3000 researchers
• 2000+ customers sharing data
• 7000+ managed networks globally
Ecosystem
partner
ESS
HP Security Research
Innovative research
Thought leadership
• Automatically integrated into HP products
• HP finds more vulnerabilities than the rest
of the market combined
• Top security vulnerability research
organization for the past three years
—Frost & Sullivan
Actionable security
intelligence

22. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22
The Value HP TippingPoint DVLabs Provides
Vulnerability Research
 Crowd-sourced 0-day and
vulnerability research through the
Zero Day Initiative (ZDI)
 Original vulnerability research on
widely-used software
 Targeted research on emerging
threat technologies and trends
Malware Research
 Reputation feed of malicious
hosts and IP addresses
 In-depth threat research
Weekly updates for to stay ahead of the threats

23. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24
Heartbleed…

24. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25
Consistent delivery of quarterly content updates (03-29-2013, 06-28-2013, …)
Building Security In: HP SSR
Original Research
 Malware analysis, access control validation, …
Secure Coding Rulepacks (SCA)
 563 unique categories of vulnerabilities across
21 languages and over 720,000 individual APIs
Runtime Rulepack Kits
 HP Fortify SecurityScope
 HP Fortify Runtime Application Logging
 HP Fortify Runtime Application Protection (RTAP)
WebInspect SecureBase (WebInspect)
 Next-generation security testing capabilities
HP
0
100
200
300
400
500
600
05
Q1
05
Q3
06
Q1
06
Q3
07
Q1
07
Q3
08
Q1
08
Q3
09
Q1
09
Q3
10
Q1
10
Q3
11
Q1
11
Q3
12
Q1
12
Q3
13
Q1

25. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Building Security in Maturity
Model
(BSIMM)

26. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27
Building BSIMM (2009)
 Big idea: Build a maturity model from actual data gathered
from 9 well known large-scale software security initiatives
 Created a software security framework
 Interviewed nine firms in-person
 Discovered 110 activities through observation
 Organized the activities in 3 levels
 Built a scorecard
 The model has been validated with data from 67 firms
 There are no special snowflakes

27. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.28
Prescriptive versus Descriptive Models
 Prescriptive models describe
what you should do (circa 2006)
 SAFECode
 SAMM
 MS SDL
 Touchpoints
 Every firm has a methodology
they follow (often a hybrid)
 You need an SSDL!
 Descriptive models describe
what is actually happening
 BSIMM is a descriptive model
used to measure multiple
prescriptive SSDLs

28. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.29
Plus 22 firms that remain anonymous
67 Firms in the BSIMM-V Community

29. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30
Compare yourself with…
•Your peers
•Other business units
Track your performance over
time…

30. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.31
BSIMM by the Numbers

31. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.32
Conclusion
Don’t rely solely on traditional defensive
perimeter security.
Know thy enemy. Expect to be compromised.
Security Research can provide proactive insight
into global, vertical-specific, and geographic
threats.
BSIMM: Measure how well you’re doing

32. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Questions?

33. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.34
Join Our Conversation
We are on your side. Visit our blogs.
HP Security Research: hp.com/go/HPSRblog
HP Security Products:
hp.com/go/SecurityProductsBlog
HP Threat Briefings: hp.com/go/ThreatBriefings
BSIMM Information: bsimm.com bsimm@hp.com

34. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Thank You