Myths & Realities of Data Security & Compliance - ISACA Atlanta - Ulf Mattsson Jul 22 2016. Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures. In this session, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.

1. 1
1
Myths & Realities of
Data Security & Compliance:
Risk-based Data Protection
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
umattsson@complianceengineers.com
www.complianceengineers.com

2. 2
Ulf Mattsson
Inventor of more than 25 US Patents
Industry Involvement
PCI DSS - PCI Security Standards Council
• Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
IFIP - International Federation for Information Processing
• WG 11.3 Data and Application Security
CSA - Cloud Security Alliance
ANSI - American National Standards Institute
• ANSI X9 Tokenization Work Group
NIST - National Institute of Standards and Technology
• NIST Big Data Working Group
User Groups
• Security: ISACA & ISSA
• Databases: IBM & Oracle

3. 3
My work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC 2013 – 2014 Tokenization Task Force

4. 44

5. 5

6. 6
• The Dilemma for CISO, CIO, CFO, CEO, and Board
• Where are my most valuable data asset?
• Who Has Access to it?
• Is it Secure?
• Insider/External Threats?
• Am I Compliant?
• What is/has been the Financial Cost?
• Am I Adhering to Best Practices? How Do I Compare to My Peers?
• Can I Automate the Lifecycle of Data Security?
The Security & Compliance Issue

7. 7

8. 8

9. 9
Not Knowing
Where Sensitive
Data Is

10. 10
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015

11. 11

12. 12
PCI-DSS
and Beyond

13. 13
Are You Ready
for the
New Requirements of
PCI-DSS V3.2?

14. 14
Keep cardholder data storage to a minimum by implementing data retention
and disposal policies, procedures and processes that include at least the
following for all cardholder data storage
Discovery Results Supporting Compliance
1. Limiting data storage amount and retention time to that which is required
for legal, regulatory, and/or business requirements
2. Specific retention requirements for cardholder data
3. Processes for secure deletion of data when no longer needed
4. A quarterly process for identifying and securely deleting stored
cardholder data that exceeds defined retention.
Old PCI DSS Requirement 3.1

15. 15
• PCI DSS v2 did not have data flow in the 12
requirements, but mentioned it in “Scope of
Assessment for Compliance with PCI DSS
Requirements.”
• PCI DSS v3.1 added data flow into a requirement.
• PCI DSS v3.2 added data discovery into a requirement.
New PCI DSS 3.2 Standard – Data Discovery
Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers

16. 16
16
Example of
A Discovery
Process
Scoping
Asset Classification
Job Scan Definition
Scanning
Analysis
Reporting
Remediation
PCI DSS 3.2 Requirement - Discovery

17. 17
• IT risk and security leaders must move from trying to prevent
every threat and acknowledge that perfect protection is not
achievable.
• Organizations need to detect and respond to malicious
behaviors and incidents, because even the best preventative
controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will
be allocated for rapid detection and response approaches, up
from less than 20% in 2015.
Shift in Cybersecurity Investment
Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016

18. 18
Growing Information Security Outsourcing
The information security market is estimated to have
grown 13.9% in revenue in 2015
with the IT security outsourcing segment
recording the fastest growth (25%).
Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update

19. 19
Hybrid
Data Discovery
Example

20. 20
Discovery Deployment Example
Example of Customer Provisioning:
• Virtual host to load Software or Appliance
• User ID with “Read Only” Access
• Firewall Access
ApplianceDiscovery
Admin

21. 21
Example - Discovery Scanning Job Status List

22. 22
STEP 4:
The scanning
execution can
be monitored
by Provider
and the
customer via a
Job Scheduler
interface
Discovery Process (Step 4) – Scanning Job Lists
Discover all sensitive PII – Not just PCI data

23. 23
Discovery Scanning Report
Discover All Sensitive PII – Not just PCI data
Database Schema Table Column Type Hits Confidence
Rows
Scanned
Total
Rows Hit %
Scanned
%
actrs10-rs10prd ITMBK_BARB ITMBK_BARB.STAFF SSN ssn 5356 4 9481 9481 56.49% 100.00%
actrs11-rs11prd AAPR AAPR.REG_AAP SSN ssn 12 4 12 12 100.00% 100.00%
actrs11-rs11prd AAPTIR AAPTIR.APPLICANT SSN ssn 3 4 3 3 100.00% 100.00%
actrs11-rs11prd BENESSE BENESSE.TRAIN SSN s-s-n 21 5 21 21 100.00% 100.00%
actrs11-rs11prd CAAPPROD CAAPPROD.PN55650683 SSN ssn 58 4 58 58 100.00% 100.00%
actrs11-rs11prd COMP COMP.AAPTIR SPEC_CDE ssn 4 1 4 4 100.00% 100.00%
actrs11-rs11prd COMP COMP.AAPTIR SSN ssn 4 4 4 4 100.00% 100.00%
actrs11-rs11prd FOOBAR1 FOOBAR1.SCORE SSN s-s-n 7 5 7 7 100.00% 100.00%
actrs11-rs11prd INS INS.MSTEMP ANUMBER ssn 155 1 155 155 100.00% 100.00%

24. 24
On Premise
Data Discovery
Example

25. 25
Example of On Premise Solution Scan

26. 26
Example of On Premise Discovery Asset
Management

27. 27

28. 28
FS-ISAC* Summit
about
“Know Your Data”
*: FS-ISAC is the leading ISAC in the security area

29. 29
FS-ISAC Summit about “Know Your Data”
• Encryption at rest has become the new norm
• However, that’s not sufficient
• Visibility into how and where it flows during the course
of normal business is critical
Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit

30. 30
Risk &
Remediation

31. 31
Know Your Data – Identify High Risk Data
Begin by determining the risk profile of all relevant data collected and stored
• Data that is resalable for a profit
• Value of the information to your organization
• Anticipated cost of its exposure
Data Field Risk Level
Credit Card Number 25
Social Security Number 20
CVV 20
Customer Name 12
Secret Formula 10
Employee Name 9
Employee Health Record 6
Zip Code 3

32. 32
Match Data Protection Solutions with Risk Level
Risk Level Solution
Monitor
Monitor, mask,
access control
limits, format
control encryption
Tokenization,
strong
encryption
Low Risk
(1-5)
At Risk
(6-15)
High Risk
(16-25)
Data
Field
Risk
Level
Credit Card Number 25
Social Security Number 20
CVV 20
Customer Name 12
Secret Formula 10
Employee Name 9
Employee Health Record 6
Zip Code 3
Deploy Defenses

33. 33
Different
Data Security
Methods

34. 34
Memory
Tokenization
Type Preserving
Encryption
Strong
Encryption
in
Databases
2016 -
2010 -
2008 -
2004 -
2002 -
2000 -
1998 -
Platform
Masking
Feature
Securing Sensitive Data - Examples

35. 35
Time
Total Cost of
Ownership
Strong Encryption:
3DES, AES …
I
2010
I
1970
How did Data Security Evolve 1970 - 2010?
I
2005
I
2000
Type Preserving
Encryption:
FPE, DTP …
Tokenization
in Memory
High -
Low -

36. 36
Legend: Best
Worst
Choose Your Defenses – Strengths & Weakness

37. 37
Compliance

38. 38
NIST - Increasing Relevance
Crypto Modules
PCI DSS
Payment Card Industry Data Security Standard
Hardware & Software Security Modules
NIST Federal Information Processing
Standard FIPS 140
NIST Special Publication 800-57
AES
Advanced Encryption Standard
NIST U.S. FIPS
PUB 197
FPEFormat Preserving Encryption
NIST Special Publication 800-38G
HIPAA
HIPAA/HITECH/BREACH-NOTIFICATION
NIST SP 800-111

39. 39
FPE Gets NIST Stamp of Approval

40. 40
Need for Masking Standards
Many of the current techniques
and procedures in use, such as
the HIPAA Privacy Rule’s Safe
Harbor de-identification standard,
are not firmly rooted in theory.
There are no widely accepted
standards for testing the
effectiveness of a de-
identification process or gauging
the utility lost as a result of
de-identification.

41. 41
Defines Tokenization Security Requirements

42. 42
Type of
Data
Use
Case
I
Structured
How Should I Secure Different Data?
I
Un-structured
Simple -
Complex -
PCI
PHI
PII
File
Encryption
Card
Holder
Data
Field
Tokenization / Encryption
Protected
Health
Information
42

43. 43
Data Location is
Important

44. 44
NW
DMZ
Web Apps
TRUSTED
SEGMENT
Serve
r
Internet
Load
Balancing
Proxy
FW
Proxy
FW
Enterprise
Apps
Network
Devices
Server
SAN,
NAS,
Tape
Internal
Users
DB Server
Proxy
FW
TRANSACTIONS
IDS/
IPS
End-
point
Wire-
less
DBA
ATTACK
MALWARE /
TROJAN
OS ADMIN
FILE ATTACK
SQL
INJECTION
MEDIA
ATTACK
SNIFFER
ATTACK
Data Attacks on the Enterprise Data Flow

45. 45
Common Vulnerabilities in E-Commerce
Source: Verifone

46. 46
Data Exposed in Cloud & Big Data
Do we
know our
sensitive
data?
Big
Data
Public
Cloud

47. 47
Encryption Usage - Mature vs. Immature Companies
Source: Ponemon - Encryption Application Trends Study • June 2016
Lessuseofencryption
Public
Cloud

48. 48
• Rather than making the protection platform based, the security
is applied directly to the data, protecting it wherever it goes,
in any environment
• Cloud environments by nature have more access points and
cannot be disconnected
• Data-centric protection reduces the reliance on controlling the
high number of access points
Data-Centric Protection Increases Security

49. 49
Protect Sensitive Cloud Data - Example
Internal Network
Administrator
Attacker
Remote
User
Internal
User
Cloud Gateway
Public Cloud
Each
sensitive field
is protectedEach
authorized
field is in
clear
Each
sensitive field
is protected
Data encryption, tokenization or masking of fields or files (at transit and rest)

50. 50
Cloud Providers Not Becoming Security Vendors
• There is great demand for security providers that can offer
orchestration of security policy and controls that span not just
multicloud environments but also extend to on-premises
infrastructure
• Customers are starting to realize that the responsibility for mitigating
risks associated with user behavior lies with them and not the
CSP — driving them to evaluate a strategy that allows for incident
detection, response and remediation capabilities in cloud
environments
Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors? , May 2016

51. 51
Encryption Usage - Mature vs. Immature Companies
Source: Ponemon - Encryption Application Trends Study • June 2016
Lessuseofencryption
Big
Data

52. 52
Attacking Big Data
HDFS (Hadoop Distributed File System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
MapReduce
(Job Scheduling/Execution System)
OS File System
Big Data

53. 53
Securing Big Data - Examples
• Volume encryption in Hadoop
• Hbase, Pig, Hive, Flume and Scope using protection API
• MapReduce using protection API
• File and folder encryption in HDFS
• Export de-identified data
Import de-
identified data
Export
identifiable
data
Export audit
for reporting
Data
protection at
database,
application,
file
Or in a
staging area
HDFS (Hadoop Distributed File System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
MapReduce
(Job Scheduling/Execution System)
OS File System
Big Data
Data encryption, tokenization or masking of fields or files (at transit and rest)

54. 54
Topology Performance Scalability Security
Local Service
Remote Service
Data Protection Implementation Layers
System Layer Performance Transparency Security
Application
Database
File System
Legend: Best
Worst

55. 55
Are Your
Deployed
Security Controls
Failing?

56. 56

57. 57
PCI DSS 3.2 – Security Control Failures
PCI DSS 3.2 include 10.8 and 10.8.1 that outline that service providers need to
detect and report on failures of critical security control systems.
PCI Security Standards Council CTO Troy Leach explained
• “without formal processes to detect and alert to critical security control
failures as soon as possible, the window of time grows that allows
attackers to identify a way to compromise the systems and steal
sensitive data from the cardholder data environment.”
• “While this is a new requirement only for service providers, we encourage
all organizations to evaluate the merit of this control for their unique
environment and adopt as good security hygiene.”

58. 58
Example - Report on Failures of Critical Security controls
API
MTSS
Management
Environment

59. 59
Managed Tools Security Services - Example

60. 60
MSSP - Managed Security
Service Provider
• SOC – Security Operations
Center
• Security monitoring
• Firewall integration /
management
• Vulnerability scanning
• SIEM - Security Incident &
Event Monitoring and
management
MTSS - Managed Tool Security
Service
• Professional Services that applies
best practices & expert analysis of
your security tools
• Customized alarms and reports
through SaaS
• Provides overall security tools
management and monitoring
• Ticketing, Resolution & Reporting
• Ensure availability of security
tools
• License analysis
Examples of Security Outsourcing Models
WHO IS MONITORING YOUR MSSP?

61. 61
Benefits of Managed Tool Security Service
Security controls in place and functioning.
Prepared to address information security when it
becomes a Boardroom Issue
Visibility to measure ROI
Confidence in reduced risk of data loss, damaged share
price, stolen IP, etc.
Ability to produce a positive return on capital
investments in tools.
Cost reduction in (people, licenses, maintenance, etc.)
Reduced risk of breach and associated costs (financial,
reputational, regulatory losses)

62. 62
I think it is Time to
Re-think
CONFIDENTIAL 62

63. 63

64. 64
64
About Compliance
Engineering

65. 65
SOCTools
24/7 Eyes on
Glass (EoG)
monitoring,
Security
Operations
Center (SOC)
Managed
Tools Security
Service
Software as a Service (SaaS)
data discovery solution
Security Tools and Integrated Services
Discovery
Security Tools
and
Integrated
Services

66. 66
Compliance
Assessments
• PCI DSS & PA Gap
• HIPAA (2013
HITECH)
• SSAE 16-SOC 2&3*
• GLBA, SOX
• FCRA, FISMA
• SB 1385, ISO
27XXX
• Security Posture
Assessments
(based on industry
best practices)
• BCP & DRP (SMB
market)
Professional Security
Services
• Security Architecture
• Engineering/Operations
• Staff Augmentation
• Penetration Testing
• Platform Baseline
Hardening (M/F, Unix,
Teradata, i-Series,
BYOD, Windows)
• IDM/IAM/PAM
architecture
• SIEM design, operation
and implementation
• eGRC Readiness &
Deployment
E Security &
Vendor Products
• Data Discovery
• Managed Tools
Security Service
• Data Loss
Protection
• SIEM & Logging
• Identity and Access
Management
• EndPoint
Protection
• Network Security
Devices
• Encryption
• Unified Threat
• Multi-factor
Authentication
Managed
Security
Services
• MSSP/SOC
• SIEM 365
• Data Center
SOC
• IDM/IAM
Security
Administration
• Healthcare
Infrastructure
Solutions (2013
3rd Qtr.
• Vulnerability
Scans
• Penetration
Testing
Samples of Our Services

67. 67
67
Thank you
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
umattsson@complianceengineers.com
www.complianceengineers.com