Mind the Security Gaps: Modern Cybersecurity Threats
Mike Ruiz, Systems Engineer


Disclosure: Mike is a Senior Systems Engineer at Zscaler, the largest global internet Security as a Service provider.

Recent Major Data Breaches: 2014 Breaches Reported; 2015 Breaches (So Far)

2016 Data Breaches as of 20 Jan 16

What are security threats today?
‣ Wyndham Hotel Group: $5B in Rev, 33k employees
‣ Fined by the FTC for inadequate protection of data
‣ 500,000 Credit Card Numbers stolen, $10.6M in Fraud Losses
‣ Caused by malware on Wyndham Employee Computers
‣ Happened three times

What are security threats today?
‣ Target Corporation, $72B in Rev, 347k employees
‣ 11GB of data stolen, affecting 110M people
‣ Undetected for three weeks despite advanced security systems
‣ Hackers phished a 3rd-party contractor outside Target perimeter
‣ Gained access to servers when the contractor entered Target’s network

Security threats have evolved
Diagram labels: Server Targets; Worms; Bots and RATs; Malicious Code; User Focused; Via Flash, APK, Office Documents, PDF, JPG, etc.; Bots and RATs

Your security must be in-line and stop both infections and exfiltration from happening
‣ Time to infection is seconds; time to exfiltration is minutes
‣ Data breaches can continue for months
Chart labels: 246 Days, ~180 Days, 106 Days, 18 Days
[Chart: Timespan of events within POS Intrusions, showing Compromise (n=169), Exfiltration (n=169) and Discovery (n=178) across Seconds, Minutes, Hours, Days, Weeks, Months, Years, Never. Source: 2015 Verizon DBIR]

Chart: Threats blocked for typical Zscaler client, 2015
‣ Attacks are broader, deeper and more sophisticated than ever before.
‣ Attacks span multiple vectors – only security platforms can see this
Chart labels: % APT 0.73% Cross-site Scripting 0.95% Virus 4.8% Peer to Peer 24% Botnet Calls 2.1% Cookie Stealing 0.8% Browser Exploits 0.33% Phishing 66.2% Malicious Content

Why have threats evolved?
‣ Endpoint AV/AS
‣ Endpoint firewalls
‣ Patch provisioning processes
‣ Sandboxing technologies
‣ ….
But really, the perimeter and point solutions are leaky

Traditionally, organizations secured their perimeter with security appliances in the data center
Diagram labels: HQ, Regional offices, Data center, Perimeter, Internet, Internet gateway

Reality Check: Can you Afford to Build This?
‣ Expensive to purchase and to operate, complexity introduces security gaps
‣ Slows Internet performance, fails open under load
‣ Often bypassed by mobile devices
Source: Global 1000 network security diagram, August 2014
Diagram labels: Flow management, Load balancers, Edge firewall, SSL, Server-side SSL tunnel, Aggregation firewall, PAC File, Client-side SSL tunnel, Sandbox, Web Filter, Log files, Content Inspection

But with the new world of IT, there is no perimeter anymore
Diagram labels: On-the-go, Home office, Internet of things, Mobile, Internet, HQ, Regional offices, Data center

Shadow IT?
‣ Shadow IT is not shadow. It’s the real way IT works today. The term shadow IT is being used by people who want to stop that transition – the transition to cloud.
‣ The transition to cloud is a business-driven decision, not a technology-driven decision.
‣ CEOs see Uber, AirBnB, Amazon, etc. and realize they need to be in the game because growth is worth more than productivity.
‣ Cloud and Connectivity is the game.
‣ Bring the real IT out of the shadows. The business will force you to do it.

Security appliances: Approach to the new world of IT
‣ Slow, complex, & expensive
‣ Too many gateways to buy, deploy & manage
Diagram labels: HQ, Branches / stores, Home office, Internet of things, Regional offices

Today’s approaches and solutions are failing to protect you
‣ Security gaps
‣ Performance limits
‣ Coverage gaps

You MUST Scan Everything, Always.
Diagram labels: HQ, Regional offices, Branches / stores, Factories, On-the-go, Home office, Mobile, Internet of things
‣ Protect the device: MDM, Device encryption, AV
‣ Protect the data center: FW/IPS, WAF, DDOS, App sec.
‣ Protect everything else

A Global Checkpost between users and the Internet
Diagram labels: Branches / stores, Home office, Mobile, Internet of things, Always Connected, Regional offices, Consumer Cloud, Private Cloud, Commercial Cloud, Public Cloud
‣ Scan EVERYTHING including SSL
‣ Block known and unknown threats
‣ Prevent IP leakage
‣ Enforce business policy
‣ Improve Internet performance
‣ Increase IT & user productivity

Zscaler Public Data Centers: The World’s Largest Security Cloud (July 2015)
Sites shown on the map: Los Angeles, Dallas, Denver, Toronto, New York, Washington, Atlanta, Miami, Paris, Sao Paulo, Johannesburg, London, Amsterdam, Oslo, Bern, Frankfurt, Gdansk, Stockholm, Moscow, Mumbai, Singapore, Sydney, Hong Kong, Tokyo, Madrid, Taipei, Dubai, Riyadh, Cairo, Kuwait City, Kuala Lumpur, Cape Town, San Francisco, Sunnyvale, Amman, Marietta, Herndon, Ft. Worth, Chicago, Lagos, Tel Aviv, Milan, Copenhagen, Melbourne, Zurich
Legend: Active Data Centers; Upcoming DCs (within 3 mos.); Underlined sites support future peering
‣ Some DCs may incur premium charges. Contact Sales for details.
‣ Services in the Middle East are delivered by a Zscaler in-country Service Provider Partner.
‣ * NOTES: Private ZEN option is available in China.

Zscaler is a comprehensive, unified Internet Security and Compliance platform
‣ Global Software as a Service platform & operations
‣ Advanced persistent threat protection
‣ Data loss prevention
‣ Guest Wifi protection
‣ Cloud application visibility & control
‣ Next generation firewall
‣ Protecting all locations, all devices, all ports & all protocols
‣ Unified Policy management
‣ SSL inspection
‣ Reporting & analytics
‣ Web security

How Safe Are You?
“You’re as secure as the next employee who clicks a button and accidentally launches ransomware in your network”
- Patricia Titus, Former Security Expert at DoD, Former CISO Symantec, TSA, Unisys, Freddie Mac; Now CISO at Markel Corporation

Thank You