The Darker Value of Your Corporate Data
What Cyber Criminals are After and a Collaborative Approach for Protecting it
Average Number of Days an Advanced Persistent Threat (APT) spends on a company network before being detected.
2017 Verizon Data Breach Investigations Report
And Then Someone Gets One of These
Information Security – It’s Personal
National Security Agency
• (Edward Snowden) Classified data loss
Office of Personnel Management
• Highly sensitive security clearance data loss
• SF86 – 136 pages
Once Inside The Network Bubble We’re Safe!
• Firewall
• IPS
• Antivirus
But… Boundaries Are Expanding
• Work from Home
• BYOD
• Cloud
• Vendors
• Satellite Offices
Once Inside the Network We’re Safe! … Said the APT
Who Are The Threats?
• Collusion 3%
• Internal 25%
• Nation States 18%
• Business Partners 2%
• Organized Crime 52%
2017 Verizon Data Breach Investigations Report
The threats are:
• Well Organized
• Well Funded
• Smart
• Dedicated
• Fully Staffed
How Does an Intrusion Occur?
Threat Attack Chain Sequence
• Reconnaissance
• Initial Exploitation
• Establish Persistence
• Install Tools
• Move Laterally
• Exploit
• Collect
• Exfiltrate
180 days: finding and extracting your company’s most valuable information!
This is when an Incident becomes a Data Breach! Company cost is $225 per record!
2017 Ponemon Report
Costs of Crimeware Sold on the Dark Web
Product | Price
Keylogger | US $1-5
Xena RAT builder | US $1-50 (Silver/Gold Tech Support)
Exploit | US $1+
Botnet and/or Botnet builder | US $5-50
Worm | US $5-15
Ransomware | US $10
Betabot DDoS tool | US $75
2017 Verizon Data Breach Investigations Report
Theft Targets and Motivation
Targets:
• Financial 24%
• Healthcare 15%
• Public Sector 12%
• Retail and Hospitality 15%
• All Other 34%
2017 Verizon Data Breach Investigations Report
Motivation:
• Personal Information/Medical Records
  • Identity Theft
  • Tax Return Fraud
  • Gossip Value
• Insider and Privilege Misuse
  • Data for cash
  • Curiosity
• Espionage
  • Start a Competing Company
  • Bring to New Employer
Cyber Crime Is A Business
• Espionage 27%
• Financial 70%
• Fun, Ideology, Grudge (FIG) 3%
2017 Verizon Data Breach Investigations Report
Data Type | Value
Website Management Credentials | $3–5
Remote Desktop Credentials | $10–25
Credit Cards with CVV2 | $5-$8
  Plus Bank ID Number | $15
  Plus Full Card Owner details | $30
Bank Account Credentials with Balance of $400-$1,000 | $20-$50
  $1,000-$2,500 Balance | $50-$120
  $2,500-$5,000 Balance | $120-$200
  $5,000-$8,000 Balance | $200-$300
Bundle of 10 Medicare numbers | $4700
The Purpose of Information Security
“The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability” … using People, Process and Technology.
• Confidentiality – protecting information from unauthorized access and disclosure.
• Integrity – protecting information from unauthorized modification.
• Availability – preventing disruption in information access.
Castle Approach to Information Security
A Day in the Life of a Security Analyst
1. SIEM (Security Information and Event Monitor)
2. Network IDS/IPS
3. Email Gateway security
4. Web proxy
5. Application White/Black List
6. Risk Management
7. RSA Token Manager
8. Endpoint protection
9. Patch Management
10. Vulnerability Scanning
11. DNS
12. Encryption (SSL Decrypt)
13. Firewall monitoring
14. Antivirus
15. Malware
[Diagram: the Security Analyst drills from dashboard to detail across the Risk, Endpoint, Net monitor, MEG, NSM, SIEM, Antivirus, Web proxy, White list, Malware, Firewall and VA consoles]
Information Security Concerns
People
• Limited number of resources – 1 or 2 Security Analysts
• In 2017 there were 780,000 cybersecurity jobs and approximately 350,000 open cybersecurity positions
Process
• Overwhelmed by number of security incidents
• Hard to prioritize what’s important
Technology
• Lots of technology from many vendors
• Little integration
Data
• It’s all over the place
Cybersecurity Business Report, 6/8/17
Here is Our Corporate Data, Protect it!
[Chart: Enterprise Data, Level of Protection versus Value/Risk]
Current Data Protection Model – Treat All Data the Same
The Castle Approach
• Customer Credit Card Data
• Today’s Lunch Menu Specials
Oh Look, a free pizza offer in my e-mail!… Click
Rob Joyce – Chief, Tailored Access Operations (TAO), NSA, Usenix Enigma Security Conference 2016:
“The key to our success is knowing that network better than the people who set it up”
“You know what technologies you intended to use. We know the technologies actually in use.”
“Don't assume a crack is too small to be noticed or too small to be exploited”
Jason Hart – World Visionary in Cyber Security and Ex Ethical Hacker (Twitter: @Hart_Jason):
“Attack prevention is a broken model.”
“To me, prevention techniques like firewalls are just ‘speed bumps’… …you’re just slowing me down”
“You must locate your sensitive data and protect it.”
Castle Approach to Information Security is flawed
Museum Approach to Information Security
Monitor and Protect Data Based on Its Value and Risk To The Business
[Chart: Enterprise Data, Level of Protection versus Value/Risk]
Museum Approach
• Restricted
• Confidential
• Everything Else
Discover and Classify based on Value to company and threats
Monitor and Protect based on Risk and Policy
• Customer Credit Card Data
• Today’s Lunch Menu Specials
What Data Deserves to be Protected?
Personally Identifiable Information (PII), or Sensitive Personal Information (SPI): information that can be used
• To identify, contact, or locate a single person
• To identify an individual in context
• To distinguish or trace an individual's identity: name, social security number, date and place of birth, mother's maiden name, or biometric records
• Other information that is linked or linkable to an individual: medical, educational, financial, and employment information.
Examples of Corporate Restricted versus Confidential Information
Restricted
• Trade Secrets
• Intellectual Property
• Mergers and Acquisitions
• Social Security Number (SSN)
• Driver's license/state ID numbers
• Financial account numbers
• Credit card numbers
• Personal medical and medical insurance information
• Passwords
Confidential
• Sales Projections
• Marketing Plans
• Home address and phone
• Birth date
• Gender
• Religious orientation
• Evaluations
• Sensitive research
Change the Information Security View of Corporate Data … To This
Data Architects Know Data
They know for each area of the business:
• What data is important
• Who is the owner
• Where it is located
• How it’s accessed
Throughout the enterprise
[Diagram: across the Business Units (Finance, Human Resources, IT, Patient Safety, Underwriting): Discover and Classify Sensitive Information, Define Acceptable Risk Posture, Monitor, Protect]
Data Architects’ role in Information Security: Find and Protect Valuable Data Assets
• Discover and Classify sensitive data assets
  • What data is out there?
  • How sensitive is it?
• Document the flow
  • What data is being accessed?
  • How often is the data accessed?
  • Who’s using the data?
• Determine the risk
  • How exposed is it?
  • What data is being extracted?
  • How secure is the repository?
  • Is it fully patched?
  • Are configuration best practices being used?
• Reduce the risk
  • Is the data protected at the right level based on value/risk?
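As an added illustration of the discover-and-classify step above (example code written for this edit, not from the deck or DataCraft Partners), the following Python samples each column of a table, tags it with the deck's three tiers plus a PII/PCI label, and applies a Luhn check so that 16-digit numbers that are not card numbers stay in Everything Else. The detectors, the 80% threshold, the column names and every sample value are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple
# Constructed example, not the deck's code: classify columns into the deck's tiers
# (Restricted, Confidential, Everything Else) from sampled values and column names.
# Detectors, the 80% threshold and the sample values are assumptions for illustration.
RESTRICTED, CONFIDENTIAL, OTHER = "Restricted", "Confidential", "Everything Else"

def luhn_ok(digits: str) -> bool:   # Luhn checksum keeps 16-digit order numbers out of the PCI tier
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def is_card(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

# (tier, label, predicate) in priority order; the first detector that covers the column wins
DETECTORS = [
    (RESTRICTED, "PII/SSN", re.compile(r"^\d{3}-\d{2}-\d{4}$").match),
    (RESTRICTED, "PCI/Card", is_card),
    (CONFIDENTIAL, "PII/Birth date", re.compile(r"^\d{4}-\d{2}-\d{2}$").match),
]
NAME_HINTS = {"password": (RESTRICTED, "Credential")}   # hashed values need a column-name hint

def classify_column(name: str, values: Iterable[str], threshold: float = 0.8) -> Tuple[str, str]:
    """Classify one column: by name hint first, else by the detector matching >= threshold of samples."""
    for hint, result in NAME_HINTS.items():
        if hint in name.lower():
            return result
    samples = [v.strip() for v in values if v and v.strip()]   # ignore nulls and blanks
    for tier, label, pred in DETECTORS:
        if samples and sum(1 for v in samples if pred(v)) / len(samples) >= threshold:
            return tier, label
    return OTHER, ""

def classify_table(table: Dict[str, List[str]]) -> Dict[str, Tuple[str, str]]:
    return {col: classify_column(col, vals) for col, vals in table.items()}

# Constructed sample resembling the deck's CRM Cust and OM CustCC sources; all values are fabricated
SAMPLE = {
    "ssn": ["123-45-6789", "987-65-4321", "", "222-33-4444"],
    "cc_num": ["4111 1111 1111 1111", "5500-0000-0000-0004", "4012888888881881"],
    "order_no": ["4111111111111112", "1234567890123456"],   # 16 digits but fail Luhn
    "dob": ["1980-01-15", "1975-12-02", "1990-07-30"],
    "password": ["$2b$12$fakehashvalue1", "$2b$12$fakehashvalue2"],
    "lunch_special": ["Pizza", "Tacos", "Soup"],
}
```

Running `classify_table(SAMPLE)` puts ssn, cc_num and password in Restricted, dob in Confidential, and order_no and lunch_special in Everything Else.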
Leverage Existing Knowledge
Utilize the information you already have to help improve security:
• Business Requirements
  • Documents provide intelligence and insight into what information is valuable to a given business unit
• Source to Target Mappings
  • Provide the location of important and valuable information
  • Databases, flat files, landing areas, 3rd party info
  • Provide the target location for sensitive and valuable information
• ETL Flows
  • Provide intermediate landing areas where sensitive data resides for short periods of time – Advanced Persistent Threats
  • Data lineage
• Reporting
  • Sensitive data in reports that can be masked or redacted for specific groups
Source To Target Mapping
Columns: Data Source (System Name, Table Name, Column Name, Data Type, Sensitive Data, InfoSec) | ETL (Transform) | Target (Table, Column, Data Type, Sensitive Data, InfoSec, Access Rights)
System | Table | Column | Data Type | Sensitive | InfoSec | Transform | Target Table | Target Column | Data Type | Sensitive | InfoSec | Access Rights
CRM | Cust | fname | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | First_Name | varchar2(80) | Y | PII | Sales Role
CRM | Cust | lname | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | Last_Name | varchar2(80) | Y | PII | Sales Role
CRM | Cust | addr1 | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | Address_Ln1 | varchar2(180) | Y | PII | Sales Role
CRM | Cust | addr2 | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | Address_Ln2 | varchar2(180) | Y | PII | Sales Role
CRM | Cust | city | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | City | varchar2(180) | Y | PII | Sales Role
CRM | Cust | state | char(2) | Y | PII | Uppercase | DIM_CUSTOMER | State | varchar2(2) | Y | PII | Sales Role
CRM | Cust | zip | char(10) | Y | PII | Left(5) | DIM_CUSTOMER | Zip_Code | varchar2(5) | Y | PII | Sales Role
CRM | Cust | zip | char(10) | Y | PII | Check for '-'; 4 digits after | DIM_CUSTOMER | Zip_4 | varchar2(4) | Y | PII | Sales Role
CRM | Cust | ssn | char(11) | Y | PII | format as xx-xxx-xxxx | DIM_CUSTOMER | SSN | varchar2(11) | Y | PII | Sales Role
OM | CustCC | cc_num | varchar2(80) | Y | PCI | Remove white space | DIM_CREDIT_CARD | Card_Number | varchar2(16) | Y | PCI | Sales Order Role
OM | CustCC | cvv | varchar2(10) | Y | PCI | (none) | DIM_CREDIT_CARD | CVV_CODE | varchar2(10) | Y | PCI | Sales Order Role
Provide Data Lineage
Rob Joyce – Chief, Tailored Access Operations (TAO), NSA, Usenix Enigma Security Conference 2016:
“Enable those logs but also look at those logs.”
“One of our worst nightmares is that ‘out of band’ network tap that really is capturing all the data”
Museum Approach Plus Castle Approach
[Diagram: the Security Analyst drills from dashboard to detail across the SIEM, DAM, Risk, Endpoint, Net monitor, MEG, NSM, Antivirus, Web proxy, White list, Malware, Firewall and VA consoles]
Efficiency, Insight, User Behavior Analytics
Museum Approach Advantages
• Data Access Control
  • Data Classification
  • Define Roles
  • Fine Grained Data Access based on need
• Audit Trails
  • Who
  • What
  • When
  • Where
• Enables Actions on Data
  • Alert
  • Block/Terminate
  • Redact
  • Filter
Protect Data through blocking, masking and alerting based on role-based security policy models
Protect Databases and Big Data platforms
• Row-Level Masking (only dept #20)
• Column-Level Masking (only dept #)
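An added example, not code from the deck, of the role-based policy model described above. It ties the Alert, Block, Redact and Filter actions and the who/what/when/where audit trail of the Museum Approach to the target columns and access rights of the Source To Target Mapping: a Python read path that applies a row-level filter (only dept #20), masks the card number for the Sales Order Role, redacts the SSN, and blocks and alerts on any read of CVV_CODE. The Dept column, the user names, the sample rows and all values are assumptions.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed example, not the deck's code: the Alert/Block/Redact/Filter actions applied
# to the DIM_CUSTOMER and DIM_CREDIT_CARD target columns and the Sales Role / Sales Order
# Role access rights of the mapping. The Dept column, rows and "only dept #20" rule are assumed.
REDACTED = "[REDACTED]"

# column -> {role: action}; a column/role pair not listed is denied (least privilege)
COLUMN_POLICY: Dict[str, Dict[str, str]] = {
    "First_Name":  {"Sales Role": "allow", "Sales Order Role": "allow"},
    "Dept":        {"Sales Role": "allow", "Sales Order Role": "allow"},
    "SSN":         {"Sales Role": "redact"},
    "Card_Number": {"Sales Order Role": "mask"},
    # CVV_CODE: no role may read it, so every request is blocked and alerted
}
# row-level filter per role (the deck's "only dept #20"); a role without an entry sees all rows
ROW_FILTER: Dict[str, Callable[[dict], bool]] = {"Sales Role": lambda r: r["Dept"] == 20}
# column-level mask: keep the last four digits only
MASKERS: Dict[str, Callable[[str], str]] = {"Card_Number": lambda v: "*" * (len(v) - 4) + v[-4:]}
AUDIT: List[dict] = []   # audit trail: who / what / when / where / result
ALERTS: List[dict] = []  # blocked reads raised to the analyst

def apply_action(action: str, column: str, value):
    return value if action == "allow" else MASKERS[column](value) if action == "mask" else REDACTED

def query(user: str, role: str, source: str, columns: List[str], rows: List[dict]) -> List[dict]:
    """Enforce the policy on one read: audit it, alert and refuse if any column is blocked,
    otherwise return the permitted rows with masked/redacted columns."""
    entry = {"who": f"{user} ({role})", "what": columns, "where": source,
             "when": datetime.now(timezone.utc).isoformat()}
    blocked = [c for c in columns if COLUMN_POLICY.get(c, {}).get(role, "block") == "block"]
    if blocked:
        entry["result"] = f"blocked {blocked}"
        AUDIT.append(entry)
        ALERTS.append(entry)
        raise PermissionError(f"{role} may not read {blocked} from {source}")
    keep = ROW_FILTER.get(role, lambda r: True)
    out = [{c: apply_action(COLUMN_POLICY[c][role], c, row[c]) for c in columns}
           for row in rows if keep(row)]
    entry["result"] = f"{len(out)} rows returned"
    AUDIT.append(entry)
    return out

# Constructed sample rows (fabricated values) for the two target tables joined on customer
ROWS = [
    {"First_Name": "Ann", "Dept": 20, "SSN": "123-45-6789", "Card_Number": "4111111111111111", "CVV_CODE": "123"},
    {"First_Name": "Bob", "Dept": 30, "SSN": "987-65-4321", "Card_Number": "5500000000000004", "CVV_CODE": "456"},
]
```

A Sales Role read of First_Name, Dept and SSN returns only Ann's dept-20 row with the SSN redacted, while any read of CVV_CODE raises PermissionError and appends to both AUDIT and ALERTS.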
Museum Approach Breaks the Attack Chain
• Reconnaissance
• Initial Exploitation
• Establish Persistence
• Install Tools
• Move Laterally
• Exploit
• Collect
• Exfiltrate
180 days wandering around your network… but not taking your sensitive information! Just Today’s Lunch Specials.
Information Security and Compliance Leadership and Staff
• CISO – responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
• Information Risk Manager – assesses and identifies the potential risks that may hinder the reputation, safety, security, and financial prosperity of a company.
• Compliance Officer – responsible for ensuring the company complies with its outside regulatory requirements and internal policies.
• Security Engineer – responsible for building security architecture and engineering security systems.
• Security Analyst – detects, investigates, and responds to incidents.
Information Security Legal and Regulatory Requirements
Compliance
• Payment Card Industry Data Security Standard (PCI-DSS)
• SOX
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• FFIEC CAT
• NERC CIP
• NIST SP 800-37 and 800-53
• NY DFS 23 NYCRR Part 500
Privacy
• Privacy Shield
• EU GDPR
Audit
• SSAE 16
• SOC 2
• ISO 27001
• FISMA and FedRAMP
• NIST SP 800-53A
• COSO
General Data Protection Regulation (GDPR)
• Protects any information related to a natural person or ‘Data Subject’ residing in the EU that can be used to directly or indirectly identify the person.
• It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
• Provides the right to be forgotten
• Provides the right to ask for an individual’s information
• Data Subjects must consent by ‘OPT IN’ for each specific use
• Data Breach notification within 72 hours
• Privacy violations can result in fines of €20M or up to 4% of global sales revenue, whichever is higher
Must be compliant by May 25, 2018
NY DFS 23 NYCRR Part 500 Requirements
• Utilize Audit Trails – 500.06
• Develop Access Privileges – 500.07
• Implement Application Development Security – 500.08
• Perform periodic Risk Assessments – 500.09
• Dedicated Cybersecurity Personnel and Intelligence – 500.10
• Implement Data Retention Policy – 500.13
• Train and Monitor Users – 500.14
• Notify Superintendent within 72 hours of ‘reportable’ Cybersecurity event – 500.17
First Deadline September 3, 2018
Call To Action
• Remember not all data has the same value.
  • Discover
  • Classify
  • Monitor
  • Protect
• Gain an understanding of the Compliance and Regulations your company needs to meet.
• Annotate Sensitive Information when developing source to target data
• Document Information Flow
• Get to know and share information with the Information Security Team
Average Number of Days an Advanced Persistent Threat (APT) spends on a company network before being detected.
2017 Verizon Data Breach Investigations Report
And those were the ones that were reported!
Thank You
Mike Czerniawski
DataCraft Partners
@mikeczern