Jonathan Raymond - 2010 Rotman report - AtlSecCon 2011

1. Jonathan Raymond,
TELUSSecurity Solutions

2. Why a Rotman-TELUS Study?
Why Canada?
 Canada has its own security culture. Decisions should be
made using our own experiences
Why Rotman?
 Security is a business issue; Rotman is a business thought
leader
Why TELUS?
 We continue in our commitment to security research
through TELUS Security Labs
2

3. Why this study matters
The study answers key questions like:
 What’s happening to my peers?
 What issues should I be concerned about?
 How do I compare to top performers?
 What best practices should we adopt?
 What does “secure enough” look like?
3

4. Study enhancements
Focused questions
 Explored topics that were likely to change year-on-year
 Focus on funding and staffing “post recession”
 Examined concerns around social media, virtualization,
cloud computing and mobile devices
 Looked at the impact of outsourcing on security
effectiveness
 Consolidated questions to improve response rates
4

5. 5
The threat landscape continues to grow
 Breaches have grown 29%
from 2009
 Getting better at keeping
out malware
 Breach costs are down by
78%
0
4
8
12
16
2010 2009 2008

6. TELUS Security Labs
 www.telussecuritylabs.com
 30 researchers, $3M budget
 Security threat research and outsourced development for
security product vendors
 Primary customers are 45 of the world’s leading security
product vendors
6

7. 7
 $$$: Financial malware have started looking beyond Internet Explorer to steal credentials.
 Code Reuse: Master Boot Record (MBR) infector rootkits are making a comeback and
those already there are also infecting newer architectures such as IA-64. (Zimuse,
Alureon/Tidserv, Mebratix, Yonsole)
 We think with HTML5 exploit attacks will increase in 2011. Look out for PDF attachments
to email!

8. 8
Attacks are more focused
 Getting better at keeping
out malware and common
attacks (21% drop)
 Breach costs are down by
78%
 Attackers are apparently
becoming less
opportunistic
1. Malware and spam
2. Device theft
3. Phishing
4. Unauthorized access to
information by employees
5. Bots within the
organization / Denial of
Service attacks
Top Breach Types

9. Insiders continue to be a problem
 1 in 3 breaches originates internally
• Accidental or innocent
• Deliberate and malicious
• Device theft or loss
9

10. 10
Data loss and compliance top of mind
 Contracts are an effective
mechanism for managing
third party security
compliance
 Publicly traded
organizations more
concerned about new
technology, less concerned
about user accountability
1. Loss of sensitive data
2. Compliance with
Regulations
3. Managing security of new
technologies
4. User understanding and
accountability of access
5. Managing business
partner risks
Ranked Concerns

11. A pattern of under investment
 Budgets cut on average by 10% in 2009
 Less investment in 2010 with average budgets moving to
6.5% of the IT budget
 Use of outsourcing has increased
11
0%
10%
20%
30%
< 1 % 1% - 2% 3% - 4% 5% - 6% 7% - 9% 10% -15% 16% - 25% 25% plus
Government Private Public
Average Optimal

12. 12
Security leadership in demand
$70,000
$90,000
$110,000
$130,000
$150,000
CIO CSO Director
2010 2009
 The business is increasingly
directing how security risks
should be managed
 Half of respondents have
10+ years of experience
 Most top earners had 6+
years in IT security

13. 13
Watch for security employee satisfaction
 Managers and below are
seeing slight salary
reductions
 Individual security
professionals are tasked
with more
 Team sizes have shrunk
 As the economy recovers
staff retention will be an
issue
$70,000
$90,000
$110,000
Manager Security
Analyst
System
Admin
2010 2009

14. A note of caution
Reduced budgets and increased security
workloads are laying the ground for long
term erosion of our security posture
14

15. Outsourcing and Security Incidents
Outsourcing appears to have no significant negative
impact on an organization’s security incident rate
• Consistent with the 2009 study, no correlation between
breach rates and the decision whether or not to
outsource could be found.
15

16. Secure development practices are lagging
 No significant increase in the number of companies using
secure development practices
 1 in 4 respondents just assume secure development will
happen
 A concern as respondents are reporting more data centric
attacks
 However, those that are already include security into their
development practices are increasing their investment
• Twice as likely to adopt preventative practices
• ~90% test their system security
16

17. 17
The company that owns the Nasdaq Stock Market
confirmed over the weekend that its computer network
had been broken into, specifically a service that lets
leaders of companies, including board members, securely
share confidential documents.
Wall St Journal 7 Feb 2011
Dozens of military, government and education websites have been hacked
and are up for sale, according to researchers from Imperva's Hacker
Intelligence Initiative (HII).
The list includes defence, state and university sites in Europe and the US
that have been hacked exploiting SQL injection vulnerabilities, the
researchers said.
Administrator access to these sites is being sold at $55 to $499 each, said
Noa Bar Yosef, senior security strategist at Imperva.
In some cases, hackers are selling personally identifiable information (PII)
from infiltrated sites at $20 for 1,000 records.
Computer Weekly 24 Jan 2011

18. 18
Invest in prevention
1. Integration of security
into development
2. Business partner security
policy compliance
3. Business partner privacy
policy compliance
4. Creating a vulnerability
management process
5. Developing a security
policy
1. SSL VPN
2. Firewalls
3. IPSEC based VPN
4. Anti-Virus
5. Email Security (anti-spam,
anti-malware)
Top 5 Initiatives Top 5 Technologies

19. 19
Challenge of new technologies
 Organizations that block
social media experienced
marginally more breaches
than those that allow it
 The dilemma of smart
phones: how to secure
them without making them
dumb phones

20. 20
Complexity undermines initiatives
 Complex technologies,
such as encryption, are
failing to deliver value
 Technology integrators are
not addressing
requirements management
20. Security Information &
Event management
(SIEM)
21. Data Leakage Prevention
22. Application Security
Assessment Tools
(web/code)
23. Database Encryption
24. Email Encryption
Lowest ranked technologies

21. 21
The obligatory cloud slide
1. Data location
2. Outside the business
3. Multi-tenancy
4. Ability to audit
5. Remove data form the
cloud
6. Difficult to perform
forensics
7. Availability
1. Malicious control of the
hypervisor
2. Keeping VM images
patched
3. Shared resource
dependencies
4. Monitoring inter-VM
communications
5. No visibility into host
system security
2009 Concerns 2010 Concerns

22. 22
The key concerns of government
1. Disclosure or loss of
sensitive information
2. Compliance
3. User accountability
4. Security risks from new
technology
5. Managing risks from third
parties
NB: these logos do not represent
response rates to this survey

23. Top performers
 Building capabilities to manage the vulnerability lifecycle
from start to finish
 Investing in senior leadership
 Integrating security into their development lifecycle
And our advice from 2008 and 2009 still holds true today
 Invest in the right level of staff and give them authority
 Focus on training for IT, business and external partners
 If you don’t plan on enforcing a security policy be prepared
for breaches
23

24. 24
telus.com/securitystudy
Available online
Jonathan.raymond@telus.com
(+1) 416 882 7683