MANAGED SECURITY TESTING PROACTIVELY MANAGING VULNERABILITIES

THE INTRO

WHAT’S THE PROBLEM? Managing vulnerabilities proactively is more important than ever Data sources: Trustwave Global Security Report 2014; Ponemon Institute 2014 Cost of Data Breach Study The volume of compromises is increasing 54% more investigations conducted in 2013 (vs. 2012) Breaches are costly$5.85 million on average in 2013 (US) Attackers are diversifying their targets 33% increase in theft of non-payment card data Attackers are more sophisticated 71% of victims don’t detect a breach on their own; self-detection takes 3 months Apps in particular are highly vulnerable 96% of applications harbor at least one serious vulnerability

QUESTIONS OUR CUSTOMERS ASK About managing vulnerabilities and risk… What’s on my network? How do I know if I’m being targeted? Where am I weak or vulnerable? How can I get the most out of my program? How do I prioritize? What can wait?

DATABASES NETWORKS APPLICATIONS WHAT WE OFFER A programmatic approach to vulnerability management DISCOVER POTENTIAL WEAKNESSES ACROSS ALL ASSETS ASSESS BUSINESS RISK ON MISSION CRITICAL ASSETS PENETRATION TESTING MANAGED SCANNING SELF-SERVICE SCANNING

ATTACKERINTERNET COMPANY WEBSITE Built on Adobe Cold Fusion DIRECTORY TRAVERSAL 1 View Arbitrary Files Finds Admin Password for Cold Fusion ESCALATE & GRAB STORED CREDENTIALS 2 Yields Domain Admin Credentials LEVERAGE STOLEN CREDENTIALS FOR VPN ACCESS 3 Access to Internal Network As Domain Admin CORPORATE SSL VPN DATABASE DATA EXFILTRATION 4 Directory Traversal (CVE ) CVSS score=4.3 (medium) Many businesses might ignore due to its relatively low score THE POWER OF TESTING

OUR SCANNING & TESTING PORTFOLIO Flexible options based on your needs Self-Service Scanning Cloud-based Schedule and manage scans on demand Work from a full list of results generated by our tools Managed Scanning Scans managed by Trustwave experts Validated results and reports Augment your team and minimize false positives Penetration Testing 4 Tiers of Testing based on your requirements Basic: Attacks most commonly exploitable vulnerabilities Opportunistic: Includes attack chaining; limited to a list of targets. Targeted: Targets systems w/ critical data, unrestricted scope Advanced: Full attack simulation: custom exploits and social engineering

4 12 WHY CHOOSE TRUSTWAVE? One vendor. One platform. All your assets. Broadest Coverage –Networks –Applications –Databases Most Flexibility –Cloud, managed, licensed options –Centralized dashboard view of status –“Flex Spending Account” model Maximum Control –Choose from full suite of services –Add technologies to address gaps –Proactive breach detection and IR Budget Friendly –Maximize budget with a single vendor –Easy to adjust allocations –Simplifies planning and management 3

THE BIG PICTURE

Scanning and testing are the beginning, not the end. DISCOVER & SCORE All assets Proactive discovery Automated/scalable TEST & VALIDATE Some assets Deeper analysis Identify unknown gaps MITIGATE & PROTECT Where necessary Fix flaws Fill gaps Security Solutions Penetration Testing Scanning (Cloud and Managed) DATABASES NETWORKS APPLICATIONS

ATTACKERINTERNET COMPANY WEBSITE Built on Adobe Cold Fusion DIRECTORY TRAVERSAL 1 View Arbitrary Files Finds Admin Password for Cold Fusion ESCALATE & GRAB STORED CREDENTIALS 2 Yields Domain Admin Credentials LEVERAGE STOLEN CREDENTIALS FOR VPN ACCESS 3 Access to Internal Network As Domain Admin CORPORATE SSL VPN DATABASE DATA EXFILTRATION 4 REAL-WORLD EXAMPLE Web Application Firewall can provide persistent protection, and is informed by scan results IDS/IPS can detect and stop escalation 2-Factor AUTH adds stronger access control at the VPN DB Security can eliminate unauthorized access & monitoring or blocking of inappropriate requests DLP can stop critical or unauthorized data from leaving your environment

THANK YOU QUESTIONS PLEASE