Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals.

2 Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates.

Cyber Threat Preparedness
Amos Auringer, Gartner Executive Programs
Colorado Government IT Summit, November 2008, Denver, Colorado

Government systems make attractive targets for many reasons, but chief among them is the vast amount of private and confidential information they store, all of which can potentially be misused for criminal profit or just plain mischief. Keeping systems and data secure is a perpetually moving target, and it is vital to have the right set of tools and safeguards. This session looks at the latest strategies and solutions being used in the public sector.

3 Life Is Dangerous, but Better Than the Alternatives New threats appear continuously, but not completely unpredictably. Most new threats will follow the introduction of new technologies, but the most-dangerous ones will come when the technology is mainstream. Old threats never die — the trick is to reduce the cost of dealing with them. Every threat can be mitigated or avoided — the question is always cost.

4 Internet Threat Hierarchy
Chart with axes Impact and Frequency; threat levels shown: Experimentation, Vandalism, "Hacktivism", "Cybercrime", Information Warfare

5 Insider Threats Still the Most Worrisome
Chart: top security threats that U.S. retailers worry about (n=50, up to three responses allowed)
Source: Gartner survey of 50 U.S. retailers, March 2008

6 Data Security Incidents Are Taking Some Toll on Consumers, Mainly on e-Commerce
Chart: "How has your behavior changed because of data security incidents?" (n=1,590, multiple responses allowed; base: the 35% of consumers who changed behavior due to security incidents)
Response options: your online payment behavior; your online shopping behavior; your level of trust in e-mail messages; your online banking behavior; your payment habits in stores; which stores you shop at in person; which financial institutions (banks) you use; other behaviors; none of these
Reported shares (axis 0% to 100%): 8%, 4%, 9%, 12%, 20%, 44%, 53%, 58%, 59%
Callouts: of which 23% spend an average of 40% less; of which 84% delete suspect e-mail on arrival

7 2008 Hype Cycle for Cyber Threats

8 Targeted Threat Growth Source: Microsoft Windows Malicious Software Removal Tool disinfections by category, 2H05-2H07

9 Old Threats Don't Disappear

10 Gartner Threat Projection Timeline

11 I&O Consolidation: Leave No Stone Unturned
Consolidation targets: Storage; Metro/Wide Area Networking; Data Centers; Branch Office Systems; Client Devices; Servers; Security; Middleware; Mainframes; Larger Office Systems; IT Operations Management Systems; In-Building Networks; E-mail/Messaging
Recommendations:
  Consider the mainframe for computing consolidation.
  Standardize application server software, operating systems and programming languages; consider the enterprise service bus.
  "Maturize" processes before major automation initiatives.
  Consider relocating office system functionality to the data centers.
  Standardize/integrate with a "multiple personality" device; make applications device-independent.
  Consolidate to fewer, larger data centers.

12 Infrastructure and Operations Modernization: From Silos to Clouds
2002: Sprawled, Component-Orientation
2002 to 2012: Virtualized, Layer Orientation (hardware costs down, flexibility up)
2010 to 2020: Automated, Service Orientation, Cloud enabled (service levels and agility up)
Layers carried through the transition: Workloads, Data, Resources, Identities, Provisioning, Optimization, Availability, Policies, Services

13 Shared Services Are More Than Centralization
  Clearly documented services
  Central management of services
  Mature, scalable processes
  Rationalized policies, assets and processes
  Financial management framework
  Service management, sales and marketing
  Sourcing model

14 Vulnerabilities 'R' Us
Diagram: Attack against Flawed Protection, which arises from Flawed Products, Flawed System Administration, Flawed Procurement, Flawed Education and Flawed People

15 'Botnets' Continue to Grow and Morph

BotArmy Name   No. of Binaries   Distinct Compromised Hosts in Typical Enterprise   Distinct Binaries per Compromise
RAT-SZ-1       10,493            155                                                 67.7
Sality-1       886               18                                                  49.2
IRC-VR-1       804               75                                                  10.7
IRC-SD-1       541               11                                                  49.2
Poebot-1       369               2                                                   184.5
RAT-DL-1       212               14                                                  15.1
Matcash-1      194               47                                                  4.1
IRC-SD-2       139               21                                                  6.6
RAT-SM-1       54                4                                                   13.5
Kraken         48                301                                                 0.2

Source: Damballa (2008)

16 Web Sites as the Leverageable 'Weakest Link'
Vulnerabilities in Web sites are more popular because they enable more-sophisticated and multistage attacks. Site-specific vulnerabilities outnumber traditional vulnerabilities nearly 5-to-1 and have much lower patch rates — only 473 of the site-specific vulnerabilities had been patched at the time of reporting.
Source: Symantec (2008)

17 Effective Management Reporting
Reporting table: each process is scored 1 to 5 for Current State, Planned State and Desired State, with the Gap between them
  Threat and Vulnerability Management
  Incident Response
  Identity and Access Management
  Process 4
  Process 5

18 The Program Maturity Assessment Map
Radar chart, scale 0 to 5 in steps of 0.5, one axis per program area: Governance; Strategy and Planning; Organization; Process Maturity; Communication; Architecture; Identity and Access Management; Threat and Vulnerability Management; Risk and Controls Assessment; Controls Framework; Technology Management
Legend: Green, strategic objective; Blue, current state

19 Measuring Program Maturity

20 Security Fully Integrated in the EA
Business Architecture, security: business security requirements; security organization; security policy framework; security processes
Information Architecture, security: data security requirements; data classification; application security templates
Technology Architecture, security: technology security requirements; principles; security patterns; security services; security bricks
Solutions Architecture, security solutions: identity service; isolation service; physical ID service

21 Fraud Detection Application Architecture
Channels: Phone, Online, POS, Branch
Per-channel functions: Authenticate; New Acct; Apps; Detection Monitor; Transaction Profiling
Cross-account Fraud Detection and Cross Channel Fraud Detection feed Case Management
Shared Data: Fraud data warehouse; Common data stores (Account, Customer, Product); Views, queries; External data feeds; Product 1, Product 2, Product 3, Product 4, Other

22 Fraud-Detection Framework
Channels: Browser, Phone, ATM, POS
Enterprise Site: App. A, App. B
Profiles: User Profiles, Behavior Profiles, Location Profiles
Transaction Profile: Device and/or Location and/or Behavior; Authenticate
Red Flag handling: 1. Review; rules/score 2. Stop or 3. Verify transaction and user

23 Select the Right Monitoring System
Matrix of monitoring need against system type (SIEM, NBA, DAM, CMF, Fraud Detection):
  Network Activity, user
  System Activity, privileged user
  Database Activity, privileged user
  File Access
  Database Activity
  Application Activity

24 Recommendation: Develop a Proactive and Layered Monitoring "System"
Use Database Activity Monitoring (DAM) to monitor database administration activity and database user access, especially when native database auditing is not enabled.
Use Content Monitoring and Filtering (CMF) to detect and prevent the inappropriate movement of sensitive data across the network, when well-defined data formats are present.
Use fraud detection to monitor or stop suspect user activity at the access or transaction layer, within supported applications.
Use Network Behavior Analysis (NBA) to monitor network traffic flows between applications, discover anomalous traffic and associate it with a specific user.
Use Security Information and Event Monitoring (SIEM) to monitor, correlate and analyze user activity across a wide range of systems and applications.
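The slide's point is that the layers pay off when their output is correlated per user rather than read separately. As an added example that is not part of the Gartner deck, the Python below normalizes constructed log lines from a database activity monitor (DAM), a network behavior analysis feed (NBA) and an application log, groups them by user, and raises an alert when a privileged database account performs a bulk read that is followed within a short window by an unusually large outbound flow attributed to the same user. The log formats, field names, thresholds and the privileged-account list are all assumptions made for the example.

```python
"""Added example: a minimal SIEM-style correlation across monitoring layers.

Not from the Gartner deck. Log formats, field names, thresholds and the
privileged-account list are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO 8601 timestamp followed by key=value fields.
SAMPLE_SOURCES = {
    "dam": [  # database activity monitor
        "2008-11-12T09:01:05 db=hr user=dba_joe action=SELECT table=employee_ssn rows=52000",
        "2008-11-12T09:03:10 db=hr user=alice action=UPDATE table=employee rows=1",
        "2008-11-12T09:10:00 db=hr user=dba_kim action=SELECT table=employee_ssn rows=60000",
    ],
    "nba": [  # network behavior analysis: flow records already attributed to a user
        "2008-11-12T09:02:40 src=10.1.2.3 dst=203.0.113.9 user=dba_joe bytes=83000000",
        "2008-11-12T09:04:00 src=10.1.2.7 dst=10.1.9.9 user=alice bytes=1200",
        "2008-11-12T09:11:30 src=10.1.2.5 dst=10.1.9.9 user=dba_kim bytes=900",
    ],
    "app": [  # application log
        "2008-11-12T08:58:00 app=payroll user=dba_joe event=login result=success",
    ],
}
PRIVILEGED = {"dba_joe", "dba_kim"}  # assumed list of privileged database accounts

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line, source):
    """Normalize one 'timestamp key=value ...' line into a dict tagged with its source."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts_text), "source": source}
    event.update(KV_RE.findall(rest))  # remaining fields stay as strings
    return event


def load_events(sources):
    """Parse every line of every source and group the events by user, time-ordered."""
    by_user = defaultdict(list)
    for source, lines in sources.items():
        for line in lines:
            event = parse_line(line, source)
            by_user[event.get("user", "<unattributed>")].append(event)
    for events in by_user.values():
        events.sort(key=lambda e: e["ts"])
    return dict(by_user)


def find_alerts(by_user, privileged, window=timedelta(minutes=10),
                row_threshold=10_000, byte_threshold=50_000_000):
    """Alert when a privileged bulk SELECT is followed within `window` by a large flow."""
    alerts = []
    for user, events in by_user.items():
        if user not in privileged:
            continue
        bulk_reads = [e for e in events
                      if e["source"] == "dam" and e.get("action") == "SELECT"
                      and int(e.get("rows", 0)) >= row_threshold]
        big_flows = [e for e in events
                     if e["source"] == "nba" and int(e.get("bytes", 0)) >= byte_threshold]
        for read in bulk_reads:
            for flow in big_flows:
                gap = flow["ts"] - read["ts"]
                if timedelta(0) <= gap <= window:
                    alerts.append({
                        "user": user,
                        "table": read.get("table"),
                        "rows": int(read["rows"]),
                        "bytes": int(flow["bytes"]),
                        "dst": flow.get("dst"),
                        "seconds_between": int(gap.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(load_events(SAMPLE_SOURCES), PRIVILEGED):
        print(alert)
```

With the constructed input, only dba_joe trips the rule (a 52,000-row read of employee_ssn followed 95 seconds later by an 83 MB flow to an external address); dba_kim's bulk read has no matching large flow and alice is not a privileged account. The same shape extends to the other layers on the slide: a CMF hit on a sensitive-data pattern or a fraud-detection score can be added as further event sources keyed on the same user field.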

25 Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Cyber Threat Preparedness Amos Auringer Gartner Executive Programs
