Online security (Daniel Beazer)


Transcript of Online security (Daniel Beazer)

Page 1: Online security (Daniel Beazer)

Restricted & Confidential

Daniel Beazer

26th September 2016, Chief Analyst

COMMON SENSE SECURITY ECOMMERCE FORUM

Page 2

Who we are

BUSINESS PLATFORMS

• Cloud Solutions
• Managed Services
• Connectivity Solutions
• Security Solutions
• Hosting Solutions
• Colocation Solutions

Page 3

We need to talk about the security industry

• Single threaded, deeply conflicted
• Too expensive and complex
• Doesn’t solve the problem

Page 4

How the security industry sells pt 1

Nation State

Page 5

How the security industry sells pt 2

Page 6

And here’s your expensive solution … try understanding this

Page 7

In fact… it’s not as bad as all that

• OWASP list mostly unchanged in ten years
• Ecommerce vastly more secure than offline
• Attacks increase as does ecommerce
• Roadmap technologies like Blockchain have massive security potential

Page 8

The result of traditional security sales tactics

• The industry remains small at $76bn a year, with low growth, in a growing threat landscape
• Customers unconvinced, deeply sceptical; will only spend money on security if forced to or if under attack
• Compliance widely avoided, with major retailers ignoring compliance regulations
• Fines are so small as to be a cost of business (£250k for Sony after a breach involving millions of UK gamers)
• Most ICO punishments are for the public sector, pointlessly robbing Peter to pay Paul
• Meanwhile IT is being shaken up from top to bottom

Page 9

What is the target in 2016?

• Customer data is now the most valuable prize for hackers
• Most security products defend the perimeter
• Customer data has emerged as the hackers’ trophy
• CMS, databases are often poorly defended – TalkTalk
• Social engineering using Facebook profiles
• … and the traditional IT model is being upended

‘Fixed fortifications are monuments to man’s stupidity’ – General Patton

Page 10

What we want: common sense security

• We don’t want to be patronized or scared
• We don’t want to drown in data
• We want something easy to use and easy to set up
• It needs to be affordable

Page 11

Common sense security

• Passwords
• People
• Patches

Page 12

Security industry in summary

Page 13

A closer look at DDOS

Page 14

Data breaches come from attacks on Web Apps

Web app attacks are the most successful attack campaigns (in number of breaches)

Verizon DBIR 2016: Incidents

Page 15

Undetected cyber attacks

• 98 days taken to detect advanced cyber threats in Financial Services
• 197 days taken to detect advanced cyber threats in Retail

Source: Ponemon Institute 2015

Page 16

Criminals are the main culprits

Source: Ponemon Institute 2015

Source: Hackmageddon 2015

Page 17

Page 18

DDOS trends

Source: Hackmageddon 2015

• Most attacks are diversions
  – Real prize is customer data
  – Often poorly protected in CMS
• Application layer attacks increasing
  – Hard to detect and mitigate
  – Layer 7
• Botnets as a service
• Regulatory burden is growing
  – Financial institutions in the US
  – Proactive breach notification (GDPR)

Page 19

The solution: JS challenges

Source: Hackmageddon 2015

Page 20

Current solutions

• APPLIANCES
• CLOUD
• HYBRID

Page 21

Appliance challenges

• Large up-front capital investment, need 2 units for HA
• Months to acquire, install, test & tune before operational
• Difficult to learn, expensive skillsets to bring in-house
• Completely ineffective when network bandwidth is saturated
• Incomplete without a Cloud-based mitigation component
• No sharing of threat intelligence

Page 22

Why do we need hardware at all?

Page 23

Cloud challenges

• Traversing public networks to and from the cleansing POP drastically slows down page loads

• Basic shared rule set, vulnerable to many types of attacks

• Better than basic is expensive

• The same bowl (IP space) with other customers

• The same low security posture and aggregated risk

Page 24

Normal traffic flow

Page 25

On-net DDOS protection

Page 26

Common sense security

• Passwords
• People
• Patches

Page 27

THANK YOU


COGECOPEER1.COM