Cyber Risk Management in 2017 - Challenges & Recommendations

1
1
Cyber Risk Management in 2017:
Challenges & Recommendations
Ulf Mattsson, Chief Technology Officer

2
Ulf Mattsson
Inventor of more than 25 US Patents
Industry Involvement
PCI DSS - PCI Security Standards Council
• Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
IFIP - International Federation for Information Processing
• WG 11.3 Data and Application Security
CSA - Cloud Security Alliance
ANSI - American National Standards Institute
• ANSI X9 Tokenization Work Group
NIST - National Institute of Standards and Technology
• NIST Big Data Working Group
User Groups
• Security: ISACA & ISSA
• Databases: IBM & Oracle

3
My work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force

6
LOCATION:
Citi - 153 East 53rd Street, New York, NY 10022
DATE:
Wednesday, December 14, 2016
AGENDA:
6:00PM - 6:30PM Registration, Refreshments and Networking
6:30PM - 7:30PM - Presentation
7:30PM - 9:00PM - Chapter Updates followed by the Holiday Networking Event and Cocktail Reception and Photo booth!

7
Agenda
• Severe penalties if data isn’t robustly secured
• Cyber security controls in place determines the
compliance
• CISOs are turning to cyber risk management
• Data security blind spots
o Sensitive data not found & failures of our deployed critical
security control systems
• Real security metrics
• Development process & security automation

8
Cyber Risk Disasters
Source: innosec.com

10
How would you characterise the board’s
perception of cybersecurity risks over the
last one to two years?
Source: PWC – The Global State of Information Security Survey 2016

11
Trends in Board Involvement in Cyber Security

12
the Board
not knowing
the
Questions to Ask
on IT security

13
Questions the Board Should Ask

14
The global shortage of technical skills in information security is by now well
documented, but an equally concerning shortage of soft skills
"I need people who understand that they are here to help the business
make money and enable the business to succeed -- that's the bottom
line. But it's very hard to find information security professionals who
have that mindset," a CISO at a leading technology company told us
Security & Business Skills
14
Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-
talks-about/a/d-id/1315690

15
CEOs, CFOs, business risk owners and
CISOs questions
1. "How much cyber risk do we have in dollars and cents?"
2. "How much cyber insurance do we need?"
3. "Why am I investing in this cyber security tool?"
4. "How well are our crown jewel assets protected?"
5. "How do I know that we’ve actually lowered our risk exposure?"
6. "As my business changes through M&A, adding new business
applications and new cyber risks , how can I get the quickest view of
the impact on my overall business risk?"

16
Need for Business Intelligence to
Effectively Manage the Full Range of
Enterprise Risks
• Meet compliance goals associated with multiple
regulations, policies, and standards
o Basel III, ISO 27001, PCI-DSS, COBIT, FISMA, DISA,
FNCR, SAAE 16, FedRamp, NIST, FISMA, DISA, NERC CIP/693,
SOX, HIPAA, and SOC 1, 2, 3
• Alerts, business intelligence capabilities, mobile
capabilities that enable organizations to minimize risk

17
Your Most Valuable Asset is Your Data
• What is it?
• Where is it?
• Who Has Access to it?
• Is it Secure?
• Am I Compliant?
• Am I Adhering to Best Practices
• How Do I Compare to My Peers?

18
Who is a Security Expert? Media Attention?
Vendors?
Senior
Junior
Business
Impact
Experience
Business
Risk
Geek

19
Verizon Data breach investigations
& pci dss evolution

20
Source: Verizon 2016 Data Breach Investigations Report
Law Enforcement will Discover Your Breach – Not You

21
Incident Classification Patterns Across Confirmed
Data Breaches
Web Application
Attacks

22
Verizon: Worry Only About The Major Breach Patterns
WAF:
Lacking
Application
Context
Additional
Application
Context
Needed
(PCI DSS
direction)

23
Data Security Context
Operating System
Security Controls
OS File System
Database
Application Server
Application Framework
Application Source Code
Context
High
Low
Application
Data
Network
External Network
Internal Network

24
Data Centric Audit
and Protection -
Centrally managed
security
Protect
stored
Cardholder
data
YearI
2004
I
2014
PCI
DSS 3.2
SecDevOps
I
2016
Ne
w
Old
Emerging
• No context to
• application data usage
• Detection after a breach
• Complex before and after
I
??
Data Centric Security – The Old and The New
Cardholder
Information Security
Program (CISP) by
Visa USA
I
2000

25
Increasing Number of Breaches

26
Protect Against Ransomware
1. Implement an enterprise endpoint backup product to protect user
data
2. Build a list of storage locations that users can connect to that are
inherently vulnerable, such as shares
3. Evaluate the potential business impact of data being encrypted due
to a ransomware attack, and adjust recovery point objectives
(RPOs) to more frequently back up these computer systems
Source: Gartner - Use These Five Backup and Recovery Best Practices to Protect Against Ransomware, June 2016

27
Source: http://www.zdnet.com/article/these-free-ransomware-decryption-tools-have-rescued-data-from-2500-locked-devices/
Free Ransomware Decryption Tools have
Rescued Data
The tools -- part of the No More Ransom project -- were launched three months
ago by the Dutch National Police, Europol, Intel Security, and Kaspersky Lab.

29
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015

30
Visibility Into Third Party Risk
Discover and thwart third party vulnerabilities and
security gaps in real-time to better control the
impact of breaches.
Source: SecurityScoreCard
# Vulnerabilities
Time

31
Cybercriminal
Sweet Spot
Source: calnet
Cybercrime Trends and Targets

32
Problematic and Increasing
Shortage of Cybersecurity Skills
• 46 percent of organizations say
they have a “problematic shortage”
of cybersecurity skills in 2016
• 28 percent of organizations claimed
to have a “problematic shortage” of
cybersecurity skills in 2015
• 18 percent year-over-year increase
Source: EDG and Network World | May 10, 2016

33
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015

34
data not found
in data discovery

35
How can I Find My Blind Spots?
Existing PII Data
Unprotected
PII Data
Data
Found in Audit
Time
Protected
PII Data
Audit

36
90% of the Data in the World today has been Created in the Last Two Years
Every Day, we Create 2.5 Quintillion Bytes of Data
Source: https://www.ibm.com/software/data/bigdata/what-is-big-data.html
IBM

37
failures of our deployed critical security control systems

38
How can I Find My Blind Spots?
Deployed
Security Controls
Missing
Events
Functioning
Security
Controls
Time
Collected
Events
Deployment

40
Generating Key Security Metrics
# Unprotected PII
Data
Time
# Failing Security
Systems
Time

41
Risk Management - Example
Are your security
controls covering
all sensitive data?
Are your deployed
security controls
failing?
Source: innosec.com

42
Integrated Compliance Solutions
Source: innosec.com

43
Audience Focused Dashboards
How Compliant are we?
How much risk to we
have?
What work do we need to
prioritize?
CEO and Board of
Directors
CISO Senior
Management
Source: innosec.com

44
Project and Task Management
Source: innosec.com

45
Cyber Risk Dashboard
Source: innosec.com

46
Asset Sensitivity, Risk and Quarterly Findings
Source: innosec.com

48
Detect and report on failures
of critical security control
systems, #10.8
Implement a data-discovery methodology to confirm PCI
DSS scope and to locate clear-text PAN at least quarterly,
#A3.2x
Security must be built into
the development process,
#3, #4, and #6
PCI DSS 3.2
Protect stored
cardholder data, #3
“Evolving”

50
How can we Find Methods to
Quickly and Accurately Discover all PII?
Do you need agents for this?
Can we apply machine learning to better deal with SSN false
positives?
Please look at the LinkedIn group “Enterprise Data Discovery” at
https://www.linkedin.com/groups/8563068

51
Information Security, Worldwide, 2014-2020
The information security market is estimated
to have grown 13.9% in revenue in 2015
with the IT security outsourcing segment
recording the fastest growth (25%).
Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update

52
Discovery Deployment Example
Example of Customer Provisioning:
• Virtual host to load Software or Appliance
• User ID with “Read Only” Access
• Firewall Access
ApplianceDiscovery
Admin

53
Data Discovery Scan - Example
Discovery
Admin
Database Schema Table Column Type Hits Confidence
Rows
Scanned
Total
Rows Hit %
Scanned
%
actrs10-rs10prd ITMBK_BARB ITMBK_BARB.STAFF SSN ssn 5356 4 9481 9481 56.49% 100.00%
actrs11-rs11prd AAPR AAPR.REG_AAP SSN ssn 12 4 12 12 100.00% 100.00%
actrs11-rs11prd AAPTIR AAPTIR.APPLICANT SSN ssn 3 4 3 3 100.00% 100.00%
actrs11-rs11prd BENESSE BENESSE.TRAIN SSN s-s-n 21 5 21 21 100.00% 100.00%
actrs11-rs11prd CAAPPROD CAAPPROD.PN55650683 SSN ssn 58 4 58 58 100.00% 100.00%
actrs11-rs11prd COMP COMP.AAPTIR SPEC_CDE ssn 4 1 4 4 100.00% 100.00%
actrs11-rs11prd COMP COMP.AAPTIR SSN ssn 4 4 4 4 100.00% 100.00%
actrs11-rs11prd FOOBAR1 FOOBAR1.SCORE SSN s-s-n 7 5 7 7 100.00% 100.00%
actrs11-rs11prd INS INS.MSTEMP ANUMBER ssn 155 1 155 155 100.00% 100.00%
Hits
Column

54
Example - Report on Failures of Critical Security controls
API
MTSS
Management
Environment

55
Managed Tools Security Services - Example
Time
Deployment

56
Benefits of Managed Tool Security Service
Security controls in place and functioning.
Prepared to address information security when it
becomes a Boardroom Issue
Visibility to measure ROI
Confidence in reduced risk of data loss, damaged share
price, stolen IP, etc.
Ability to produce a positive return on capital
investments in tools.
Cost reduction in (people, licenses, maintenance, etc.)
Reduced risk of breach and associated costs (financial,
reputational, regulatory losses)

57
DATA security
built into the development process

58
DevSecOps & SecDevOps
The terms are quite similar, they are fundamentally different but equally
important topics
Source: Capgemini

59
Security Tools for DevOps
Static Application
Security Testing
(SAST)
Dynamic Application Security Testing (DAST)
Fuzz testing is
essentially
throwing lots of
random garbage
Vulnerability
Analysis Runtime Application
Self Protection
(RASP)
Interactive
Application
Self-Testing
(IAST)

60
60
Thank You!
Questions?
Ulf Mattsson, Chief Technology Officer

61
Building Security Into DevOps
• Security testing — just like functional testing, regression testing, load
testing, and just about any other form of validation — can be embedded into
the process
• Security becomes not just the domain of security experts with specialized
knowledge, but integrated into the development and delivery process
• Security controls can be used to flag new features or gate releases — within
the same set of controls you use to ensure custom code, application stacks,
or server configurations, meet specifications
• Security goes from being "Dr. No" to just another set of tests which help
validate code quality
Source: https://securosis.com/assets/library/reports/Security_Into_DevOps_Final.pdf

62
Rugged DevOps, SecDevOps, DevSecOps, Scrum, SAFe, & DAD

63
• SecDevOps: Embracing the Speed of DevOps and Continuous
Delivery in a Secure Environment.
• Used in the real world, often at leading-edge organizations
• DevOps really is a thing, it really does affect security, and you really
can use it to your advantage in super interesting ways
• As cloud and DevOps disrupt traditional approaches to security, new
capabilities emerge to automate and enhance security operations.
Rugged DevOps or SecDevOps
Source: Securosis

64
DevOps - Scrum, SAFe, or DAD?
SAFe - Scaled Agile Framework (SAFe)
DAD - Disciplined agile delivery (DAD)
Scrum - Large-scale scrum (LeSS), Nexus (scaled professionalScrum)
Source: wikipedia.org/wiki/Agile_software_development

65
Development methods -
Adaptive to Predictive
Risk analysis can be used to choose between methods
Source: Wikipedia
Adaptive (agile) Predictive (plan-driven)

66
DevOps was Born out of Lean Manufacturing
1. DevOps was born out of lean manufacturing, Kaizen and Deming's principles
around quality control techniques
2. The key concept is continuous elimination of waste — resulting in improved
efficiency, quality, and cost savings
3. There are numerous approaches to waste reduction, but in software development
the key concepts are reducing work-in-progress, finding errors quickly to reduce
rework costs, scheduling techniques, and process instrumentation so progress
can be measured
4. These ideas have been proven in practice for decades, but mostly applied to
manufacture of physical goods
5. DevOps applies these practices to software delivery, enabled by advances in
automation and orchestration

67
DevSecOps vs SecDevOps
SecDevOps (Securing DevOps)
• Embed security into the DevOps style of operation
• Ensuring "secure by design" discipline in the software delivery methodology
using techniques such as automated security review of code, automated
application security testing
DevSecOps (Applying DevOps to Security Operations)
• Developing and deploying a series of minimum viable products on security
programs
• In implementing security log monitoring, rather than have very large high value
program with a waterfall delivery plan to design, implement, test
• Operating a SIEM that monitors a large number of log sources
• Onboard small sets of sources onto a cloud based platform and slowly evolve
the monitoring capability
Source: Capgemini

68
The SecOps Playbook
How SecOps Enables Secure Code Release, At Scale and At Speed
• The term “SecOps” — interchangeable with DevSecOps and
SecDevOps — isn’t new
• Since its introduction into our vocabulary, a lot has been said about its
history and why it matters, but we haven’t actually described ways of
implementing it
• DevOps itself has now matured to a point where most high-velocity
organizations running on modern infrastructure have embraced it or are
thinking about implementing it; and as a result, many have felt the
struggle that comes from trying to balance speedy DevOps practices with
necessary security practices
Source:http://docs.media.bitpipe.com/io_13x/io_134651/item_1445291/Threat%20Stack%20SecOps%20Pla
ybook.pdf , Threat Stack, Inc.

69
DCAP
Data Centric Audit
and Protection -
Centrally managed
security
Data Centric Security Lifecycle & PCI DSS
UEBA
User behavior
analytics helps
businesses
detect targeted
attacks
PCI DSS
Protect stored
cardholder data
YearI
2004
I
2014
I
2015
PCI DSS
3.2
SecDevOps
I
2016
PCI DSS
Security in the
development
process

70
Are You Ready
for
PCI-DSS V3.2?
The new requirements introduced in PCI DSS will be considered best practices until
31 January 2018.
Starting 1 February 2018 they are effective as requirements.

71
• PCI DSS v2
o Mentioned data flow in “Scope of Assessment for Compliance with
PCI DSS Requirements.”
• PCI DSS v3.1
o Added data flow into a requirement.
• PCI DSS v3.2
o Added data discovery into a requirement.
New PCI DSS 3.2 Standard – Data Discovery
Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers

72
PCI DSS 3.2 – Security Control Failures
PCI DSS 3.2 include 10.8 and 10.8.1 that outline that service providers need to
detect and report on failures of critical security control systems.
PCI Security Standards Council CTO Troy Leach explained
• “without formal processes to detect and alert to critical security control
failures as soon as possible, the window of time grows that allows
attackers to identify a way to compromise the systems and steal
sensitive data from the cardholder data environment.”
• “While this is a new requirement only for service providers, we encourage
all organizations to evaluate the merit of this control for their unique
environment and adopt as good security hygiene.”

74
What is
DLP & Data Discovery?

75
Data Loss Prevention (DLP) - Techtarget
Data loss prevention (DLP) is a strategy for making sure that
end users do not send sensitive or critical information outside
the corporate network. The term is also used to describe
software products that help a network administrator control
what data end users can transfer.
DLP software products use business rules to classify and protect
confidential and critical information so that unauthorized end
users cannot accidentally or maliciously share data whose
disclosure could put the organization at risk
Source: http://whatis.techtarget.com/definition/data-loss-prevention-DLP

76
Data Loss Prevention - DLP
Source: 2016 Gartner Magic Quadrant for Enterprise Data Loss Prevention
Enterprise DLP solutions incorporate sophisticated detection techniques to
help organizations address their most critical data protection requirements.
Solutions are packaged in agent software for desktops and servers, physical
and virtual appliances for monitoring networks and agents, or soft appliances
for data discovery
Integrated DLP is a limited DLP feature set that is integrated within other data
security products, including, but not limited to, secure Web gateways (SWGs),
secure email gateways (SEGs), email encryption products, enterprise content
management (ECM) platforms, data classification tools, data discovery tools
and cloud access security brokers (CASBs) Integrated DLP is a limited DLP
feature set that is integrated within other data

77
Smart Data Discovery
Smart data discovery is a next-generation data discovery capability
that provides business users or citizen data scientists with insights
from advanced analytics. Smart data discovery facilitates the
discovery of hidden patterns in large, complex datasets, without
building models or writing algorithms or queries. It goes beyond
data discovery by incorporating advanced analytics functionality.
Source: Forecast Snapshot: Smart Data Discovery, Worldwide, 2016

78
Critical Capabilities for Enterprise Data Loss
Prevention - DLP

79
Data Discovery - Definitions
Data discovery is a user-driven process of
searching for patterns or specific items in a data
set. Data discovery applications use visual tools
such as geographical maps, pivot-tables, and
heat-maps to make the process of finding
patterns or specific items rapid and intuitive.
Data discovery may leverage statistical and data
mining techniques to accomplish these goals
Source: https://en.wikipedia.org/wiki/Data_discovery
“Cardholder data discovery accurately identifies
insecure PANs issued by all major card brands.”

80
Data security for
cloud and big data
platforms

81
Protect Sensitive Cloud Data - Example
Internal Network
Administrator
Attacker
Remote
User
Internal
User
Cloud Gateway
Public Cloud
Each
sensitive field
is protectedEach
authorized
field is in
clear
Each
sensitive field
is protected
Data Security Agents, including encryption, tokenization
or masking of fields or files (at transit and rest)

82
Securing Big Data – Examples of Security Agents
Import de-
identified data
Export
identifiable
data
Export audit
for reporting
Data
protection at
database,
application,
file
Or in a
staging area
HDFS (Hadoop Distributed File System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
MapReduce
(Job Scheduling/Execution System)
OS File System
Big Data
Data Security Agents, including encryption, tokenization or masking of fields or files (at transit
and rest)

Cyber Risk Management in 2017 - Challenges & Recommendations

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Cyber Risk Management in 2017 - Challenges & Recommendations

Similar a Cyber Risk Management in 2017 - Challenges & Recommendations (20)

Más de Ulf Mattsson

Más de Ulf Mattsson (20)

Último

Último (20)

Cyber Risk Management in 2017 - Challenges & Recommendations