Though it is changing for good, IT spending on Web/Cloud security is minuscule. Traditional appliance focused security is not helping the business which is on Internet Cloud IT Security Spending decisions must be based based on the Adaptive mechanisms that review threat landscape periodically.

1. Pinpointing Real Attacks in the
Sea of Security
Sreejesh K M, CTO @ TBC-World Group
linkedin.com/in/sreejeshkm
sreejesh.km@tbc-world.com

2. Business On Internet
• Small and Big Businesses are leveraging
Private/Public/Hybrid cloud, either as IaaS, PaaS
or SaaS or a combination of these, than ever
before. Even enterprise apps embraced Internet
• Man and Machine are generating/consuming
more data than ever (1 Billion Smart Phones and
counting)
• Man: Car/Home and
Office/Mobile/Tab/Desktop/Wearable
technologies at an unprecedented scale
• Machine: Internet of Things, Devices and
Tons of sensors interacting with cloud
• Handling Sea of Data than ever before in the
History of Min-kind, i.e literally tons of Data in
Transit and in Storage
• And who don’t use Big Data?

3. Internet - For Secure & Fast Business?
• Diversity of Browsers, Protocols, Standards,
Devices and Network Types
– Already Chaotic Internet Space, now
Operating at Unprecedented Scale adding
to Additional Security Challenges
• Sophisticated Attacks at Cloud Scale
– DDOS Attacks
– SQLI/XSS, Client-side attacks, ZERO day
attacks
• We hear this much less now
– VM theft/VM escape and Hyper Jacking.
– Data Leakage via Multi-tenant Isolation
decisions, Via Shared Cache, Cross VM Side
Kicks
– Attacks across OSI Layers

4. Changing Attack Landscape
• DDOS attacks tripled since 2010
– Attacks at the rate 20Gb/s are now seen – attackers are
surely using the cloud as well, to scale!
• Rate of increase over years for Web layer attacks
is much more than Network Layer attacks
• Hacktivism, Government Malware, Black Clouds
• CVE even had to change their syntax to include
more digits to account for more than 9999 in a
year!
• Many cases of being unable to keep
Assets/Data safe from un-authorized access,
modification or destruction during storage
and/or transmission or just a Slow Trap

5. Be Aware – False sense of Security
– More Apps being built, faster than ever (Heard
of Nightly Builds?)!
– Beware of Third-Party
» Up to 70% of Internally Developed Code
originates outside of the development
Team
» Pattern of Attackers attacking third party
Framework level vulnerabilities
– Gap between of IT Operations and
Development team w.r.to Security Readiness
(e.g. Vulnerable components, potential
breaking config changes)
– Web Security is complex. Developers have a lot
of Catch-up to do!
– Attackers are on Steroid!

6. How to Succeed?
• Some are having better success
with Cloud Scale Internet than the
others
– A lot is to do with how smartly
you are handling Security risks
– A lot is to do with, whether you
are focusing on the right areas
where there is bigger risk
– A lot is to do with, do you know
those areas of risk well enough
and Budget it Right

7. IT Spending on Security
• Businesses are willing to spend on IT Security, but not enough
focus on some areas
– 70 to 80% of Security spending is historically on the
Network Infra level or Host level security (IDS, Firewall,
Appliances)
– More Vulnerability at App Layer: More data being
transferred, more devices accessing data, more auto-scaled
servers serving data
• Attackers are quick enough to attack the surface,
where there is more vulnerability,
– Miniscule Spending at App Layer – where most attacks are
now focused
• In most Enterprise Projects. Security do find a mention,
but it is the first causality in the rat race to lower ‘Time
to Market’ and ‘Minimum Viable Product’ scenarios.
• We end up spending least of amount of money on
most attacked surface

8. Define and Measure
• Define Web Security Priority Areas per projects & system landscape
• Calculate Cost of Down-time (with criticality of Operations downtime)
• Calculate Cost of Data Loss (lost customers/brand image)
• Calculate Cost of Slowness (Cart Abandonment)
• Get Executive Buy-in for prioritized areas
• Account for appropriate investment for each Risk Area separately, early in the
cycle

9. Few Action Steps
• When out-sourcing, Factor Risks in RFQ, and get SLA backed delivery for
defined priority Security areas
• When building Solutions, Fortify from the ground-up
– Hire right team who are Competent in Security as well (How many
Resumes and JDs today speak of Security as a skill?)
– Via WAST/Code Level/Design Level Automated Security tests
– Make independent Vulnerability Testing and Penetration testing a
practice
• Prepare Effective Counters against DDOS and Unknown attacks
– BUILD vs BUY Site Defenders: Weigh the effect of creating DDOS
paradox vs investing in Solutions like Akamai Site Defenders
– Web Application firewalling

10. Quick Summary
• @Planning Stage : Define Priorities and Budget it Right for Security at Cloud Scale
• @Architect: For Volume, Velocity And Variety of Data, and still be Secure and
Fault Tolerant
• @Dev : Ongoing measures to ensure that critical Security areas are not the
causality in the event of mad push for MVP/Time to market
• @Deploy: Be aware of widely Attacked ports and Attack types, Spread out to
Horizontal Edges, Deep handshake with Dev Architects
• @Operations: Constant Monitoring and health checks, Audits, and
• Be Alert and Be Ready to Adapt!