2014 Security Trends:

Attacks Advance, Hiring Gets

Harder, Skills Need Sharpening
John Pescatore, Director SANS

2014 The SANS Institute www.sans.org

Making Security Advances During

Turbulent Times

Threats arent standing still

Business/technology demands arent, either
Staffing: Force Multipliers Needed
2014 The SANS Institute www.sans.org

CXOs View of Security 2014

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

University of Maryland
Target breached, CIO resigns
NSA/Snowden drip, drip, drip
Heartbleed!
2014 The SANS Institute www.sans.org

Security: Chute or Ladder?

Top 5 Game Changers

Choose your own IT (CYOIT)
Increased virtualization and use of cloud and
software-as a-service (SaaS)
The Internet of Things/everything
Supply chain integrity worries
Increased threat targeting/evasion

2014 The SANS Institute www.sans.org

Mobility Drives Cloud and CYOIT

% of employees using personally owned devices for work

IT has less control over user devices

Heterogeneity will be the norm
Tablets and smartphones are not just small PCs!
2014 The SANS Institute www.sans.org

Cost Reduction Drives Cloud and

Virtualization
Percentage of
72%
installed x86
65%
workloads
58%
running in a
49%
VM

77%

38%
27%
18%

2015

2014

2013

2012

2011

2010

2009

2008

Plans for use of hybrid cloud

by YE2015

2014 The SANS Institute www.sans.org

Ladders
Near term
Mobile Device Management/NAC
Cloud Security Standards
Policy/legal/awareness

Next year
Security as a Service
Business App Store
Data Encryption
2014 The SANS Institute www.sans.org

Great, Now We Have to Secure an

Internet of Things

Rapid Penetration

10

Source: SANS 2013

Food production
systems/refrigeration

Manufacturing systems (not

electrical, water, gas)

Automotive smart systems

Other transportation smart

systems

Medical devices

Electrical, water, gas

production, utilities

Smart building/HVAC
automation/commercial
building management

Consumer devices (set tops,

security/camera, etc.)

What Things Will Be First?

What types of IoT applications is your organization involved in or
planning to be involved in?

80%
70%
60%
50%
40%
30%
20%
10%
0%
Producing

Operating/
Managing

Major Differences
Old Things
General purpose OS
Fixed, wired
TCP/IP, 802.11, HTML5
Layered apps
Homogeneous
Enterprise-driven
2-3 year life cycle
Impact data

New Things
Embedded OS
Mobile, wireless
Zigbee, IoT6, WebHooks
Embedded apps
Heterogeneous
Consumer-driven
.2 to 20 year life cycle
Impact health/safety

12

Supply Chain Threats and Integrity

Assuring products havent been compromised

Detecting attacks against 3rd party vendors
Shortening incident response time
2014 The SANS Institute www.sans.org

13

Ladders
Near term
Discovery/inventory (no client SW)
NNGFW/Data Diodes
Expand penetration testing

Next year
Next Generation DMZ/Security as a Service
Community Device Stores
OT/IT Integrtion
2014 The SANS Institute www.sans.org

14

Increased Targeting and Evasion

Source: Verizon 2013 DBIR

More targeting of people and data

Evasion techniques extending compromises
Customers should not be our IDS!
2014 The SANS Institute www.sans.org

15

Ladders
Near term
Critical Security Controls gap assess
Advanced Threat Detection/Forensics
White list on servers

Next year
Beachheads: data encryption, stronger
authentication, privilege management
ISAC/Info Sharing/What Works
2014 The SANS Institute www.sans.org

16

Staffing/Skills Today

2014 The SANS Institute www.sans.org

17

Staffing/Skills Tomorrow

2014 The SANS Institute www.sans.org

18

Staffing Growth Today

Did your organization reduce or increase security staffing
over the past 12 months?
30%
25%
20%
15%
10%
5%

2014 The SANS Institute www.sans.org

More than 10%

increase

1-10% increase

No change

1-10% reduction

More than 10%

reduction

Unknown

0%

19

Staffing Growth Tomorrow

What is the projection for security staffing
over the next 12 months?
30%
25%
20%
15%
10%
5%

2014 The SANS Institute www.sans.org

More than 10%

increase

1-10% increase

No change

1-10% reduction

More than 10%

reduction

Unknown

0%

20

Career Focus
Area of Focus
Management/Leadership
Administration
Engineering
Other
Audit
Forensics
Testing
Development

Today
25.4%
18.0%
17.8%
11.9%
10.7%
7.7%
4.4%
4.1%

Next 5 yrs
33.1%
5.2%
10.0%
4.3%
5.9%
9.7%
3.3%
3.0%

Reduce:
Administrative time spent
Technical time

Increase:
Upwards focus
Forensics
2014 The SANS Institute www.sans.org

21

Career Success

2014 The SANS Institute www.sans.org

22

Making Sure Load-bearing Security

Processes Survive the Renovation
When something goes wrong, its either because there is too much process, too little
process or the wrong process. (Mihnea Galeteanu)

These inescapable trends will cause much

breakage in existing governance and security
processes and controls
Critical Security Controls to review and update:
Inventory/Vulnerability Management
Privilege Management
Incident detection/prevention/response
Application security
Data protection
Staffing/awareness
Communicating to management ladders to
take, chutes to avoid.