With cyber attacks on the rise, securing your data is more imperative than ever. In the future, organizations will face severe penalties if their data isn’t robustly secured. This will have a far-reaching impact on how businesses deal with security in terms of managing their cyber risk.
Join this presentation to learn which cyber security controls regulation prescribes, how they affect compliance, and how cyber risk management helps CISOs understand the degree to which those controls are in place, where to prioritize their cyber dollars, and whether they are at risk of fines.
Viewers will learn:
- The latest cybercrime trends and targets
- Trends in board involvement in cybersecurity
- How to effectively manage the full range of enterprise risks
- How to protect against ransomware
- Visibility into third party risk
- Data security metrics
2. 2
Ulf Mattsson
Inventor of more than 25 US Patents
Industry Involvement
PCI DSS - PCI Security Standards Council
• Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
IFIP - International Federation for Information Processing
• WG 11.3 Data and Application Security
CSA - Cloud Security Alliance
ANSI - American National Standards Institute
• ANSI X9 Tokenization Work Group
NIST - National Institute of Standards and Technology
• NIST Big Data Working Group
User Groups
• Security: ISACA & ISSA
• Databases: IBM & Oracle
3. 3
My work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force
6. 6
LOCATION:
Citi - 153 East 53rd Street, New York, NY 10022
DATE:
Wednesday, December 14, 2016
AGENDA:
6:00PM - 6:30PM Registration, Refreshments and Networking
6:30PM - 7:30PM - Presentation
7:30PM - 9:00PM - Chapter Updates followed by the Holiday Networking Event and Cocktail Reception and Photo booth!
7. 7
Agenda
• Severe penalties if data isn’t robustly secured
• The cyber security controls in place determine compliance
• CISOs are turning to cyber risk management
• Data security blind spots
o Sensitive data not found & failures of our deployed critical
security control systems
• Real security metrics
• Development process & security automation
10. 10
How would you characterise the board’s
perception of cybersecurity risks over the
last one to two years?
Source: PWC – The Global State of Information Security Survey 2016
11. 11
Trends in Board Involvement in Cyber Security
Source: PWC – The Global State of Information Security Survey 2016
13. 13
Questions the Board Should Ask
Source: PWC – The Global State of Information Security Survey 2016
14. 14
The global shortage of technical skills in information security is by now well documented, but there is an equally concerning shortage of soft skills.
"I need people who understand that they are here to help the business
make money and enable the business to succeed -- that's the bottom
line. But it's very hard to find information security professionals who
have that mindset," a CISO at a leading technology company told us
Security & Business Skills
Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690
15. 15
CEOs, CFOs, business risk owners and
CISOs questions
1. "How much cyber risk do we have in dollars and cents?"
2. "How much cyber insurance do we need?"
3. "Why am I investing in this cyber security tool?"
4. "How well are our crown jewel assets protected?"
5. "How do I know that we’ve actually lowered our risk exposure?"
6. "As my business changes through M&A, adding new business applications and new cyber risks, how can I get the quickest view of the impact on my overall business risk?"
16. 16
Need for Business Intelligence to
Effectively Manage the Full Range of
Enterprise Risks
• Meet compliance goals associated with multiple regulations, policies, and standards
o Basel III, ISO 27001, PCI DSS, COBIT, FISMA, DISA, FNCR, SSAE 16, FedRAMP, NIST, NERC CIP/693, SOX, HIPAA, and SOC 1, 2, 3
• Alerts, business intelligence capabilities, mobile
capabilities that enable organizations to minimize risk
17. 17
Your Most Valuable Asset is Your Data
• What is it?
• Where is it?
• Who Has Access to it?
• Is it Secure?
• Am I Compliant?
• Am I Adhering to Best Practices?
• How Do I Compare to My Peers?
18. 18
Who is a Security Expert? Media Attention? Vendors?
[Chart: Experience (Junior to Senior) plotted against Business Impact, with “Geek” and “Business Risk” as the labelled end points]
20. 20
Source: Verizon 2016 Data Breach Investigations Report
Law Enforcement will Discover Your Breach – Not You
21. 21
Source: Verizon 2016 Data Breach Investigations Report
Incident Classification Patterns Across Confirmed Data Breaches
[Chart; pattern highlighted: Web Application Attacks]
22. 22
Source: Verizon 2016 Data Breach Investigations Report
Verizon: Worry Only About The Major Breach Patterns
[Chart annotations: WAF is lacking application context; additional application context is needed (PCI DSS direction)]
23. 23
Data Security Context
[Diagram: security controls by layer, with application data context increasing from low (network) to high (application and data)]
• Network: External Network, Internal Network
• Operating System: OS File System
• Database
• Application: Application Server, Application Framework, Application Source Code
• Data
24. 24
Data Centric Security – The Old and The New
[Timeline]
• 2000: Cardholder Information Security Program (CISP) by Visa USA (Old)
• 2004: PCI DSS, Protect stored cardholder data
• 2014: Data Centric Audit and Protection (DCAP), centrally managed security (New)
• 2016: PCI DSS 3.2, SecDevOps
• ??: Emerging
The old approach: no context to application data usage; detection after a breach; complex before and after
26. 26
Protect Against Ransomware
1. Implement an enterprise endpoint backup product to protect user
data
2. Build a list of storage locations that users can connect to that are
inherently vulnerable, such as shares
3. Evaluate the potential business impact of data being encrypted due
to a ransomware attack, and adjust recovery point objectives
(RPOs) to more frequently back up these computer systems
Source: Gartner - Use These Five Backup and Recovery Best Practices to Protect Against Ransomware, June 2016
29. 29
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
30. 30
Visibility Into Third Party Risk
Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.
Source: SecurityScoreCard
[Chart: number of vulnerabilities over time]
32. 32
Problematic and Increasing Shortage of Cybersecurity Skills
• 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016
• 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015
• An 18 percentage point year-over-year increase
Source: ESG and Network World | May 10, 2016
35. 35
How can I Find My Blind Spots?
[Chart: existing PII data over time, split into protected and unprotected PII data, with unprotected data found at each audit]
36. 36
90% of the Data in the World today has been Created in the Last Two Years
Every Day, we Create 2.5 Quintillion Bytes of Data
Source: IBM, https://www.ibm.com/software/data/bigdata/what-is-big-data.html
41. 41
Risk Management - Example
Are your security controls covering all sensitive data?
Are your deployed security controls failing?
Source: innosec.com
43. 43
Audience Focused Dashboards
Questions: How compliant are we? How much risk do we have? What work do we need to prioritize?
Audiences: CEO and Board of Directors, CISO, Senior Management
Source: innosec.com
48. 48
PCI DSS 3.2 “Evolving”
• Protect stored cardholder data, #3
• Security must be built into the development process, #3, #4, and #6
• Detect and report on failures of critical security control systems, #10.8
• Implement a data-discovery methodology to confirm PCI DSS scope and to locate clear-text PAN at least quarterly, #A3.2.x
50. 50
How can we Find Methods to
Quickly and Accurately Discover all PII?
Do you need agents for this?
Can we apply machine learning to better deal with SSN false
positives?
Please look at the LinkedIn group “Enterprise Data Discovery” at
https://www.linkedin.com/groups/8563068
51. 51
Information Security, Worldwide, 2014-2020
The information security market is estimated
to have grown 13.9% in revenue in 2015
with the IT security outsourcing segment
recording the fastest growth (25%).
Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update
52. 52
Discovery Deployment Example
Example of Customer Provisioning:
• Virtual host to load Software or Appliance
• User ID with “Read Only” Access
• Firewall Access
[Diagram: Discovery Appliance and Admin]
56. 56
Benefits of Managed Tool Security Service
Security controls in place and functioning.
Prepared to address information security when it
becomes a Boardroom Issue
Visibility to measure ROI
Confidence in reduced risk of data loss, damaged share
price, stolen IP, etc.
Ability to produce a positive return on capital
investments in tools.
Cost reduction (people, licenses, maintenance, etc.)
Reduced risk of breach and associated costs (financial,
reputational, regulatory losses)
61. 61
Building Security Into DevOps
• Security testing — just like functional testing, regression testing, load
testing, and just about any other form of validation — can be embedded into
the process
• Security becomes not just the domain of security experts with specialized
knowledge, but integrated into the development and delivery process
• Security controls can be used to flag new features or gate releases — within
the same set of controls you use to ensure custom code, application stacks,
or server configurations, meet specifications
• Security goes from being "Dr. No" to just another set of tests which help
validate code quality
Source: https://securosis.com/assets/library/reports/Security_Into_DevOps_Final.pdf
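As an added example (written for this page, not taken from the Securosis report or the presentation), here is the kind of release gate the third bullet describes: scanner findings are read as data, a severity threshold is applied, time-limited waivers with an owner and a ticket are honoured, and anything left blocks the release. The findings schema, the waiver schema and the sample data are all constructed for the example and do not correspond to any particular scanner.

```python
"""Release gate: turn security scanner findings into a pass/fail pipeline step.

Constructed example. The findings format (id, severity, file, line) and the
waiver format are assumptions, not a real tool's schema.
"""
import json
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output as it might arrive from a SAST job.
SAMPLE_FINDINGS = json.dumps([
    {"id": "SQLI-001", "severity": "critical", "file": "api/orders.py", "line": 42},
    {"id": "XSS-007", "severity": "high", "file": "web/views.py", "line": 118},
    {"id": "HDR-003", "severity": "medium", "file": "web/app.py", "line": 9},
    {"id": "CRYPTO-012", "severity": "critical", "file": "lib/legacy.py", "line": 200},
])

# Constructed waiver list: an accepted risk needs an owner, a ticket and an expiry,
# so "just this once" exceptions cannot silently become permanent.
SAMPLE_WAIVERS = [
    {"id": "SQLI-001", "file": "api/orders.py", "owner": "appsec",
     "ticket": "SEC-4411", "expires": "2026-12-31"},
    {"id": "CRYPTO-012", "file": "lib/legacy.py", "owner": "platform",
     "ticket": "SEC-3901", "expires": "2016-06-30"},   # already expired
]

ASSESSMENT_DATE = date(2016, 12, 14)   # fixed so the example is reproducible


def waiver_for(finding, waivers, today):
    """Return the matching, unexpired waiver for a finding, or None."""
    for w in waivers:
        if w["id"] == finding["id"] and w["file"] == finding["file"]:
            if date.fromisoformat(w["expires"]) >= today:
                return w
    return None


def evaluate(findings_json, waivers, threshold="high", today=ASSESSMENT_DATE):
    """Classify each finding as blocking, waived, or below the gate threshold."""
    findings = json.loads(findings_json)
    threshold_rank = SEVERITY_RANK[threshold]
    blocking, waived, below = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].lower(), 0)
        if rank < threshold_rank:
            below.append(f)
        elif waiver_for(f, waivers, today):
            waived.append(f)
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "waived": waived, "below_threshold": below}


def report(result):
    """Human-readable summary for the pipeline log."""
    lines = ["RELEASE GATE: " + ("PASS" if result["passed"] else "FAIL")]
    for f in result["blocking"]:
        lines.append(f"  BLOCK  {f['severity']:8} {f['id']} {f['file']}:{f['line']}")
    for f in result["waived"]:
        lines.append(f"  WAIVED {f['severity']:8} {f['id']} {f['file']}:{f['line']}")
    return "\n".join(lines)


if __name__ == "__main__":
    res = evaluate(SAMPLE_FINDINGS, SAMPLE_WAIVERS)
    print(report(res))
    raise SystemExit(0 if res["passed"] else 1)
```

Run as the last step of the build: a non-zero exit stops the release, and the waived list in the log keeps the accepted risks visible to reviewers instead of hidden in a scanner console. Lowering the threshold to "medium" is the normal way to tighten the gate once the team has worked through the backlog.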
63. 63
• SecDevOps: Embracing the Speed of DevOps and Continuous
Delivery in a Secure Environment.
• Used in the real world, often at leading-edge organizations
• DevOps really is a thing, it really does affect security, and you really
can use it to your advantage in super interesting ways
• As cloud and DevOps disrupt traditional approaches to security, new
capabilities emerge to automate and enhance security operations.
Rugged DevOps or SecDevOps
Source: Securosis
65. 65
Development methods -
Adaptive to Predictive
Risk analysis can be used to choose between methods
Source: Wikipedia
Adaptive (agile) Predictive (plan-driven)
66. 66
DevOps was Born out of Lean Manufacturing
1. DevOps was born out of lean manufacturing, Kaizen and Deming's principles
around quality control techniques
2. The key concept is continuous elimination of waste — resulting in improved
efficiency, quality, and cost savings
3. There are numerous approaches to waste reduction, but in software development
the key concepts are reducing work-in-progress, finding errors quickly to reduce
rework costs, scheduling techniques, and process instrumentation so progress
can be measured
4. These ideas have been proven in practice for decades, but mostly applied to
manufacture of physical goods
5. DevOps applies these practices to software delivery, enabled by advances in
automation and orchestration
67. 67
DevSecOps vs SecDevOps
SecDevOps (Securing DevOps)
• Embed security into the DevOps style of operation
• Ensuring "secure by design" discipline in the software delivery methodology
using techniques such as automated security review of code, automated
application security testing
DevSecOps (Applying DevOps to Security Operations)
• Developing and deploying a series of minimum viable products for security programs
• For example, when implementing security log monitoring, rather than running one very large, high-value program with a waterfall plan to design, implement and test a SIEM that monitors a large number of log sources, onboard small sets of sources onto a cloud-based platform and evolve the monitoring capability incrementally
Source: Capgemini
68. 68
The SecOps Playbook
How SecOps Enables Secure Code Release, At Scale and At Speed
• The term “SecOps” — interchangeable with DevSecOps and
SecDevOps — isn’t new
• Since its introduction into our vocabulary, a lot has been said about its
history and why it matters, but we haven’t actually described ways of
implementing it
• DevOps itself has now matured to a point where most high-velocity
organizations running on modern infrastructure have embraced it or are
thinking about implementing it; and as a result, many have felt the
struggle that comes from trying to balance speedy DevOps practices with
necessary security practices
Source: Threat Stack, Inc., http://docs.media.bitpipe.com/io_13x/io_134651/item_1445291/Threat%20Stack%20SecOps%20Playbook.pdf
69. 69
Data Centric Security Lifecycle & PCI DSS
[Timeline]
• 2004: PCI DSS, Protect stored cardholder data
• 2014: DCAP, Data Centric Audit and Protection, centrally managed security
• 2015: UEBA, user behavior analytics helps businesses detect targeted attacks
• 2016: PCI DSS 3.2, SecDevOps, PCI DSS security in the development process
70. 70
Are You Ready
for
PCI-DSS V3.2?
The new requirements introduced in PCI DSS will be considered best practices until
31 January 2018.
Starting 1 February 2018 they are effective as requirements.
71. 71
• PCI DSS v2
o Mentioned data flow in “Scope of Assessment for Compliance with
PCI DSS Requirements.”
• PCI DSS v3.1
o Added data flow into a requirement.
• PCI DSS v3.2
o Added data discovery into a requirement.
New PCI DSS 3.2 Standard – Data Discovery
Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers
72. 72
PCI DSS 3.2 – Security Control Failures
PCI DSS 3.2 includes requirements 10.8 and 10.8.1, which require service providers to detect and report on failures of critical security control systems.
PCI Security Standards Council CTO Troy Leach explained
• “without formal processes to detect and alert to critical security control
failures as soon as possible, the window of time grows that allows
attackers to identify a way to compromise the systems and steal
sensitive data from the cardholder data environment.”
• “While this is a new requirement only for service providers, we encourage
all organizations to evaluate the merit of this control for their unique
environment and adopt as good security hygiene.”
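As an added example of what 10.8 asks for (written for this page, not taken from the presentation, the PCI SSC or any product), the monitor below treats every critical control as failed if it reports a non-ok status, goes silent for longer than a heartbeat interval, or never reports at all, and it records the failure start and duration that 10.8.1 requires in the response. The control inventory and the heartbeat records are constructed, and the heartbeat format (control name, ISO-8601 time, status) is an assumption.

```python
"""Detect and report failures of critical security control systems (PCI DSS 10.8).

Constructed example: the control names and heartbeat records are made up,
and the record format is assumed rather than any product's log schema.
"""
from datetime import datetime, timedelta

# 10.8 lists firewalls, IDS/IPS, FIM, anti-virus, physical and logical access
# controls, audit logging and segmentation controls as "critical". Assumed names.
CRITICAL_CONTROLS = {
    "firewall-edge-1", "ids-dmz", "fim-cardholder-db",
    "av-pos-fleet", "audit-log-fwd", "segmentation-acl",
}

# Constructed heartbeat feed: (control, timestamp, status).
SAMPLE_HEARTBEATS = [
    ("firewall-edge-1",   "2016-12-14T18:00:05", "ok"),
    ("firewall-edge-1",   "2016-12-14T18:05:05", "ok"),
    ("ids-dmz",           "2016-12-14T17:40:12", "ok"),      # goes silent afterwards
    ("fim-cardholder-db", "2016-12-14T18:02:00", "ok"),
    ("fim-cardholder-db", "2016-12-14T18:07:00", "failed"),  # agent reports its own failure
    ("av-pos-fleet",      "2016-12-14T18:06:30", "ok"),
    ("audit-log-fwd",     "2016-12-14T18:04:44", "ok"),
    # "segmentation-acl" never reports at all
]

NOW = datetime(2016, 12, 14, 18, 10)   # fixed evaluation time for reproducibility


def detect_failures(heartbeats, now, max_silence=timedelta(minutes=10)):
    """Return one dict per failed control: reason, failure start, duration.

    The failure start is the last good heartbeat, which is the conservative
    answer to 10.8.1's "duration of the security failure".
    """
    last_seen, last_good, state = {}, {}, {}
    for control, ts, status in sorted(heartbeats, key=lambda r: r[1]):
        t = datetime.fromisoformat(ts)
        last_seen[control] = t
        state[control] = status
        if status == "ok":
            last_good[control] = t

    failures = []
    for control in sorted(CRITICAL_CONTROLS):
        if control not in last_seen:
            failures.append({"control": control, "reason": "never reported",
                             "since": None, "duration": None})
        elif state[control] != "ok":
            since = last_good.get(control)
            failures.append({"control": control, "reason": "reported " + state[control],
                             "since": since, "duration": now - since if since else None})
        elif now - last_seen[control] > max_silence:
            failures.append({"control": control, "reason": "heartbeat silent",
                             "since": last_seen[control],
                             "duration": now - last_seen[control]})
    return failures


def sample_failures():
    """Evaluate the constructed feed at the fixed time."""
    return detect_failures(SAMPLE_HEARTBEATS, NOW)


def format_report(failures):
    """Plain-text alert suitable for a ticket or a pager message."""
    if not failures:
        return "all critical security controls reporting ok"
    lines = [f"{len(failures)} critical security control failure(s):"]
    for f in failures:
        since = f["since"].isoformat() if f["since"] else "unknown"
        dur = str(f["duration"]) if f["duration"] is not None else "unknown"
        lines.append(f"  {f['control']:18} {f['reason']:18} since {since} ({dur})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(sample_failures()))
```

The silent-heartbeat case matters more than the explicit "failed" status: an agent that has been stopped, or a log forwarder whose network path was cut, never gets to say so, which is exactly the window Troy Leach's quote above describes.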
75. 75
Data Loss Prevention (DLP) - Techtarget
Data loss prevention (DLP) is a strategy for making sure that
end users do not send sensitive or critical information outside
the corporate network. The term is also used to describe
software products that help a network administrator control
what data end users can transfer.
DLP software products use business rules to classify and protect
confidential and critical information so that unauthorized end
users cannot accidentally or maliciously share data whose
disclosure could put the organization at risk.
Source: http://whatis.techtarget.com/definition/data-loss-prevention-DLP
76. 76
Data Loss Prevention - DLP
Source: 2016 Gartner Magic Quadrant for Enterprise Data Loss Prevention
Enterprise DLP solutions incorporate sophisticated detection techniques to help organizations address their most critical data protection requirements. Solutions are packaged in agent software for desktops and servers, physical and virtual appliances for monitoring networks and agents, or soft appliances for data discovery.
Integrated DLP is a limited DLP feature set that is integrated within other data security products, including, but not limited to, secure Web gateways (SWGs), secure email gateways (SEGs), email encryption products, enterprise content management (ECM) platforms, data classification tools, data discovery tools and cloud access security brokers (CASBs).
77. 77
Smart Data Discovery
Smart data discovery is a next-generation data discovery capability
that provides business users or citizen data scientists with insights
from advanced analytics. Smart data discovery facilitates the
discovery of hidden patterns in large, complex datasets, without
building models or writing algorithms or queries. It goes beyond
data discovery by incorporating advanced analytics functionality.
Source: Forecast Snapshot: Smart Data Discovery, Worldwide, 2016
79. 79
Data Discovery - Definitions
Data discovery is a user-driven process of
searching for patterns or specific items in a data
set. Data discovery applications use visual tools
such as geographical maps, pivot-tables, and
heat-maps to make the process of finding
patterns or specific items rapid and intuitive.
Data discovery may leverage statistical and data
mining techniques to accomplish these goals
Source: https://en.wikipedia.org/wiki/Data_discovery
“Cardholder data discovery accurately identifies
insecure PANs issued by all major card brands.”
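The three discovery passages on this page (the quarterly clear-text PAN search in A3.2.5, the SSN false-positive question, and the cardholder data discovery definition just above) all come down to the same pipeline: find candidate digit runs, then throw away the ones that cannot be real. The block below is an added example written for this page, not code from the presentation or from any discovery product. Its brand prefix ranges are a simplified public approximation, its SSN rules are the Social Security Administration's structural rules, and the text it scans is constructed.

```python
"""Find clear-text PANs and SSNs in text, with false-positive filtering.

Constructed example. Issuer prefix (IIN) ranges are simplified and assumed;
the sample text is made up and uses well-known test card numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
SSN_RE = re.compile(r"(?<![0-9-])([0-9]{3})-([0-9]{2})-([0-9]{4})(?![0-9-])")


def luhn_ok(digits):
    """Mod-10 check: every PAN passes it, most timestamps and order numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits):
    """Issuer brand from leading digits and length (simplified, assumed ranges)."""
    n = len(digits)
    p2, p3, p4 = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "mastercard"
    if p2 in (34, 37) and n == 15:
        return "amex"
    if (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649) and 16 <= n <= 19:
        return "discover"
    if 3528 <= p4 <= 3589 and 16 <= n <= 19:
        return "jcb"
    return None


def mask_pan(digits):
    """PCI DSS 3.3 display rule: at most the first six and last four in clear."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return branded, Luhn-valid PANs found in text, already masked for reporting."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn drops most random digit runs; the brand check drops Luhn-valid
        # runs that no issuer would have produced (loyalty ids, internal keys).
        if luhn_ok(digits) and brand(digits):
            hits.append({"brand": brand(digits), "masked": mask_pan(digits),
                         "offset": m.start()})
    return hits


def ssn_structurally_valid(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text):
    return [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_structurally_valid(*m.groups())]


# Constructed sample: two real-looking card numbers per false positive.
SAMPLE_TEXT = """
order 4111111111111112 shipped 20161214180500
card 4111 1111 1111 1111 exp 12/19
card 5500-0000-0000-0004 exp 01/18
amex 378282246310005 on file
ref 1234567812345670 (loyalty id)
ssn 123-45-6789 applicant
ssn 000-12-3456 bad-area, 987-65-4321 itin-range, 123-00-4567 bad-group
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(hit)
    print(find_ssns(SAMPLE_TEXT))
```

The order of the filters is the point: the regex alone flags six candidates in the sample, Luhn removes two, and the brand and length check removes a third that passes Luhn by chance. Against a real file system the same logic runs per file, and the masked value, not the PAN, is what goes into the discovery report, since the report itself would otherwise become cardholder data in scope.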
81. 81
Protect Sensitive Cloud Data - Example
[Diagram: Administrator and Internal User on the Internal Network, and a Remote User, reach the Public Cloud through a Cloud Gateway; an Attacker is shown against the cloud. Each sensitive field is protected; each authorized field is in clear]
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
82. 82
Securing Big Data – Examples of Security Agents
Import de-
identified data
Export
identifiable
data
Export audit
for reporting
Data
protection at
database,
application,
file
Or in a
staging area
HDFS (Hadoop Distributed File System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
MapReduce
(Job Scheduling/Execution System)
OS File System
Big Data
Data Security Agents, including encryption, tokenization or masking of fields or files (at transit
and rest)
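The cloud gateway slide and the big data slide above describe the same agent: sensitive fields are tokenized or masked before a record leaves the trusted zone, authorized fields stay in clear, and only an authorized caller can map a token back. The block below is an added example written for this page, not a vendor agent or the presentation's own code. The in-memory vault stands in for a token vault kept inside the protected zone, the field policy is assumed, and the record is constructed.

```python
"""Field-level tokenization gateway for records leaving the trusted zone.

Constructed example. The policy, the vault key and the sample record are
made up; a production vault would be a protected, audited store.
"""
import hashlib
import hmac
import secrets

# How each field may cross the gateway. Unknown fields are dropped; CVV is
# sensitive authentication data and must not be stored after authorization.
POLICY = {"pan": "tokenize", "ssn": "tokenize", "email": "mask",
          "name": "clear", "amount": "clear"}


class TokenVault:
    """Maps format-preserving tokens back to values. Lives in the trusted zone."""

    def __init__(self, key):
        self._key = key
        self._by_token = {}
        self._by_hash = {}   # HMAC(value) -> token, so one PAN always maps to one token

    def tokenize(self, value):
        # The HMAC is only a lookup key; the token itself is random, so a stolen
        # token table cannot be reversed offline even with the key.
        h = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = self._by_hash.get(h)
        if token is None:
            token = self._new_token(value)
            self._by_hash[h] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token):
        return self._by_token[token]

    def _new_token(self, value):
        # Randomize every digit except the last four and keep separators, so the
        # token fits the original column and the tail stays usable for lookups.
        digit_positions = [i for i, c in enumerate(value) if c.isdigit()]
        if not digit_positions:
            return secrets.token_hex(len(value) // 2 + 1)
        keep = set(digit_positions[-4:]) if len(digit_positions) >= 8 else set()
        while True:
            token = "".join(
                c if not c.isdigit() or i in keep else secrets.choice("0123456789")
                for i, c in enumerate(value))
            if token != value and token not in self._by_token:
                return token


def mask_email(addr):
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain


def protect(record, vault):
    """Outbound: every sensitive field leaves tokenized, masked, or not at all."""
    out = {}
    for field, value in record.items():
        action = POLICY.get(field, "drop")
        if action == "tokenize":
            out[field] = vault.tokenize(value)
        elif action == "mask":
            out[field] = mask_email(value)
        elif action == "clear":
            out[field] = value
    return out


def reveal(record, vault, authorized_fields):
    """Inbound: only the fields the caller is authorized for are restored."""
    out = dict(record)
    for field in authorized_fields:
        if POLICY.get(field) == "tokenize" and field in out:
            out[field] = vault.detokenize(out[field])
    return out


SAMPLE_RECORD = {"name": "Ada", "pan": "4111111111111111", "ssn": "123-45-6789",
                 "email": "ada@example.com", "amount": "42.00", "cvv": "123"}

if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    protected = protect(SAMPLE_RECORD, vault)
    print(protected)
    print(reveal(protected, vault, {"pan"}))
```

Because the same PAN always yields the same token, the de-identified data in the Hadoop cluster can still be joined, counted and reported on, which is what makes the "import de-identified data" flow on the big data slide usable by analysts who are never authorized to call reveal.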