
Identifying the Value of Informational Assets Before You Move Them to the Cloud

Jun 19, 2015


Identifying and understanding high-value digital assets in the context of the business is critical in assessing which workloads to move to the cloud. But doing so is difficult without an effective model to help define and classify these assets. This session presents a down-to-earth methodology for identifying assets and understanding their value that you can apply in critical business decisions.


After this session you will be able to:
Objective 1: Understand what to look for when identifying valuable information assets.
Objective 2: Identify critical steps in the process of identifying and understanding digital assets.
Objective 3: Apply asset value when deciding what digital assets to entrust to the cloud.
Transcript
Page 1: Identifying the Value of Informational Assets Before You Move Them to the Cloud

1 © Copyright 2013 EMC Corporation. All rights reserved.

Identifying the Value of Informational Assets Before You Move Them to the Cloud Jason Rader Chief Security Strategist RSA, the Security Division of EMC

Page 2

Roadmap Information Disclaimer

EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates (collectively, “Roadmap Information”). Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby. Roadmap information is EMC Restricted Confidential and is provided under the terms, conditions and restrictions defined in the EMC Non-Disclosure Agreement in place with your organization.

Page 3

How do we value information?

Page 4

Bits vs Bits

On one hand, we have bits of data

On the other, we have MANY “bits” of money

Page 5

What’s the Conversion Rate?

10 Bits = €10?

1 Gigabit = £1,000?

1 Byte = 2 bits?

Where is this rate? How do I use it?
– Doesn’t exist!
– Too many factors affect it to map globally.

Page 6

A Scholar’s Definition

“Information value arises as the difference between a decision maker’s payoff in the absence of information relative to what can be obtained in its presence.”

This works for theft, but what about copy?
– China/Mr. Pibb Problem
– Once copied, is it a race to the bottom?

Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of the literature in Management Science. Management Science, 50(3), 281–298. INFORMS.

Page 7

How do we classify info today?

Page 8

Why is information classification broken?

Typical classification systems are problematic:
– Lack definition (what constitutes info of this kind?)
– And automation (teach systems to handle)
– Don’t address individual data value (is a vault required?)

Page 9

Four Dumb* Classification Schemes

Structuralist (Focusing on regulatory compliance)

Realist (Stuff we care about, stuff we don’t)

Broker (risk-based, three tiers, soft chewy middle)

Striver (Everyone hates this guy, 3+ tiers, highly structured, opportunities for automation)

Information Classification: An Essential Security Thing You're (Still) Not Doing, Trent Henry, Gartner

Page 10

Opportunities for Attack

Attackers and companies never value data the same. There are reasons for this:
– The data itself isn’t valuable without the knowledge/hardware to monetize it
– Secondary/unused business data is ignored
– Differing interpretation of value lifecycle

Page 11

How do we identify these opportunities?

The value of information to us (Vc) varies widely. So does the payoff for an adversary (Pa). Where those differ, we have opportunity (O).
– This could also be described as inefficiency

This opportunity can be expressed as:

O = Vc - Pa

Page 12

How do we identify these opportunities?

O = Vc - Pa
– Positive values of O suggest we know and understand the value, and attackers cannot monetize it
– Negative values of O suggest we have high-risk data that attackers want, but we devalue
– Small values of O indicate matched intent
– Large values of O (in either direction) indicate inefficiency

Page 13

Examples of how this works:

O = Vc - Pa

Credit Card Information, 30m HQ Numbers
– Low value to company, transactions settled
– HIGH payoff to adversary ($1/card = $30m)
– Hugely negative Opportunity value

Manufacturing process for IP, control SC
– Payoff is low to adversary due to supply chain
– If high spend on security, could be reallocated to other areas.

Page 14

The Value of Information Over Time

[Figure: value plotted against time; the curve rises to a point labelled Max Value and then falls. Annotations: area under this curve = money for information owner; information eventually becomes a liability.]

Page 15

Events Occur, changes the curve

[Figure: the same value-vs-time curve with its Max Value marker. Annotations: information is now copied, breach occurs; the loot becomes divided among holders.]

Page 16

What’s interesting about these curves?

This one is a sample, but somewhat representative

Curve notes:
– Each ACTOR has their own curve
– Curves can be steeper or flatter
– Curves can converge/diverge with actor action
– Curves only represent value for the ACTOR (i.e., unrealized value may not be represented)
– Eventually, information becomes a liability
– Impending threat mirrors value curve
– Think about a zero day exploit on its own curve

Page 17

Beginning to translate these curves

Information’s value varies over time
– We need to consider malicious actors when planning information security defenses
– Blanket controls cause inefficiency

When curves converge/diverge…
– Values can dramatically consolidate/divide

Curves represent potential value to the actor
– Pent up value may exist without realization

Page 18

We need a new model

Minimum model requirements:
– Information grouped by value
  ▪ To ME
  ▪ To Competitor/Military
  ▪ Only if LOST
– Address information value over time
  ▪ Information changes in value over time
  ▪ Usually depreciating, some more rapidly than others
– Reflect # of actors and motivation
– Reflect change in motivation based on payoff
  ▪ Market forces can dramatically alter this
  ▪ Large data stores are more attractive than small ones

Page 19

Moreover: The model needs to be simple

No industry jargon

No dictionary required

Not dozens of pages

Page 20

Simple, Yet flexible

Must be able to adjust with value changes

Must rely on accurate inputs
– Numbers of actors
– Projected payoffs with data theft
– Strength of perimeter defenses
– Number of business processes using the data
– Amount of data sprawl
– Account for amount of data as a change in payoff

Must be able to affect security posture

Page 21

How SHOULD we view the world?

[Figure: three overlapping regions labelled “Valuable to me”, “Valuable if Lost” and “Valuable to Competitors or Military”, with example data types placed in the regions and their overlaps: Customer Analytics, IT Configs, Biz Processes; Derivative Data, Analytics for Sale, Medical Records; Old Source Code, Old IP, Old/Retired Encryption Keys; Secret Sauce, Intellectual Property; Software Vuln DB, Corp Strategy; Crown Jewels, Easily Transferrable IP; Actionable IP, Encryption Keys; CC Data, PII/PHI Data; Unused Biz Data, Disinformation; COMPINT, Defense Information. Which region each group sits in is spelled out in the model table on the next two slides.]

Page 22

The Model

Number of Potential Actors (scale printed under the three value columns): 1 / 50 / 2.3B*

Value to You | Value to Comp. | Value if Lost | Examples | Breach Prob. | Biz Impact | ACTION
Y | N | N | Customer Analytics; IT Configs; Business Processes | Low | A/I | Secured, but not vaulted
Y | Y | N | Intellectual Property; Secret Sauce; Software Vuln DB; Corp Strategy | Med | C (delayed); A/I risk (immediate) | Protect (Vault)
N | Y | Y? | Old Source Code; Old IP (where new IP is derived); Old encryption keys | Med | C/I | C: Destroy; I: Secure Archive

(Biz Impact uses C/I/A for confidentiality, integrity and availability.)

Page 23

The Model (part 2)

Number of Potential Actors (scale printed under the three value columns): 1 / 50 / 2.3B*

Value to You | Value to Comp. | Value if Lost | Examples | Breach Prob. | Biz Impact | ACTION
N | N | Y | Credit Card Numbers; PII/PHI; Unused Biz Data | High (# Actors) | C | Outsource; Destroy; Obfuscate
Y | N | Y | Sec. Data Analytics (revenue); Medical Records; High roller customers; Proprietary Algorithms; Financial Results | Low (High Impact) | C | Protect IP (Vault); Secure Data
Y | Y | Y | Crown Jewels; Easily transferrable IP | High | C | Protect (Vault)

Page 24

The Relevance of Data Mass

[Figure: payoff plotted against amount of data; x axis Amount of data, y axis Payoff.]

Page 25

Combating Risk from Data Growth

Reduce data stores
– Truncation
– De-value options (tokens)
– DESTROY

Reduce the effective size
– 1M records / 10 keys = 100K recs!
– Multiple algorithms
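The levers on this slide (and the Outsource / Destroy / Obfuscate actions in the model table for the N-N-Y row) carried out on a constructed batch of card records, as an added example that is not code from the deck. Truncation and a token vault remove or de-value the PAN in the systems that do not need it; splitting the remaining store across several data keys is the slide's "1M records / 10 keys" arithmetic, implemented by hashing each record id to a key index so that losing one key exposes only that key's share. The sample PAN is a brand test number; record ids, the batch size and the ten-key split are assumptions.

```python
"""Data-reduction levers from this slide: truncate, tokenise, destroy, and
partition a store across several keys (added example, not from the deck).
Sample PANs are brand test numbers; ids and key counts are constructed."""
import hashlib
import secrets
from collections import Counter


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits. What is not stored cannot leak."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("not a PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """De-valuing via tokens: business systems keep a random token and only the
    vault keeps the mapping. A token has no payoff on its own, so only the vault
    needs vault-grade protection rather than every system that once held a PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = self._token_by_pan.get(pan)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

    def destroy(self, pan: str) -> None:
        """DESTROY: drop the mapping; every copy of the token is now worthless."""
        token = self._token_by_pan.pop(pan, None)
        if token is not None:
            del self._pan_by_token[token]


def key_index(record_id: str, n_keys: int) -> int:
    """Reduce the effective size: assign each record to one of n_keys data keys.
    A uniform hash of the record id spreads records evenly, so losing one key
    exposes roughly 1/n_keys of the store instead of all of it."""
    digest = hashlib.sha256(record_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % n_keys


def partition(record_ids, n_keys: int) -> Counter:
    """Number of records protected by each key index."""
    return Counter(key_index(rid, n_keys) for rid in record_ids)


def exposure_on_key_loss(by_key: Counter, lost_keys) -> int:
    """Records readable by an attacker who obtained the listed keys."""
    return sum(by_key[k] for k in set(lost_keys))


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"  # brand test number, not a real card
    token = vault.tokenize(pan)
    print(truncate_pan(pan), token, vault.detokenize(token) == pan)

    ids = [f"rec-{i}" for i in range(100_000)]  # constructed record ids
    by_key = partition(ids, 10)
    print("largest single-key exposure:", max(by_key.values()))
    print("exposure if keys 2 and 7 leak:", exposure_on_key_loss(by_key, [2, 7]))
```

Note that the token vault itself moves into the Y-N-Y row of the model: it is now the one store with a high payoff, which is the point of the exercise, since one vaulted store is cheaper to defend than the same PANs sprawled across every system that touched a transaction.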

Page 26

How to apply the model

Look at the kinds of data your business controls
– Try to define what it is, then relate it to the model
– Be sure to find information NOT IN USE
– Understand flow and sprawl of data
– Look for large values of O

Add values where you can
– Valuing information is personal
– Use your own data
– Don’t rely on external sources to define data value

Remember CONFIDENCE factor! Take Action Per the Model!
