Cyber Risk Management In 2017: Challenges & Recommendations
Ulf Mattsson, CTO Security Solutions, Atlantic Business Technologies
Ulf Mattsson, Inventor of more than 40 US Patents
Industry Involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups: Security: ISACA & ISSA; Databases: IBM & Oracle
My Work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force
Agenda
1. Talking to the board about cyber risk
2. Trends in cybersecurity
3. Data security blind spots
4. Data security metrics
5. PCI DSS is changing
6. How to integrate development and security
How Would You Characterize the Board’s Perception of Cybersecurity Risks?
Source: PWC – The Global State of Information Security Survey 2016
Trends in Board Involvement in Cyber Security
Source: PWC – The Global State of Information Security Survey 2016
Questions the Board Will Ask
Source: PWC – The Global State of Information Security Survey 2016
• Do you believe that your information security gap (the difference between what you are doing and what you should do) is getting larger or smaller?
• How is the organisation doing relative to its peers?
• Have management decisions associated with gaps in the security program been aligned to the company’s tolerance for risk?
• How do you know that your (limited) resources are focused on areas and initiatives critical to information security success?
• Are you more confident or less confident than you were a year ago? How about compared to two or three years ago?
Questions from CEOs, CFOs, Business Risk Owners & CISOs
1. "How much cyber risk do we have in dollars and cents?"
2. "How much cyber insurance do we need?"
3. "Why am I investing in this cyber security tool?"
4. "How well are our crown jewel assets protected?"
5. "How do I know that we’ve actually lowered our risk exposure?"
6. "As my business changes through M&A, adding new business applications and new cyber risks, how can I get the quickest view of the impact on my overall business risk?"
Need for Security + Business Skills
The global shortage of technical skills in information security is by now well documented, but an equally concerning shortage of soft skills
“I need people who understand that they are here to help the business make money and enable business to succeed -- that’s the bottom line. But it’s very hard to find information security professionals who have that mindset,” a CISO at a leading technology company told us.
Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690
Problematic and Increasing Shortage of Cybersecurity Skills
• 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016
• 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015
• 18 percent year-over-year increase
Risk Management
Are your security controls covering all sensitive data?
Are your deployed security controls failing?
Are you prioritizing business asset risk?
Cyber Budgeting
Source: storm.innosec.com
Asset     Regulatory Risk  Residual Risk  FTE Cost   Tool Cost  Total Cost
CRM       High             Medium         $ 20,000   $ 0        $ 20,000
HR        High             Medium         $ 100,000  $ 20,000   $ 120,000
Feed      High             Low            $ 1,000    $ 0        $ 1,000
Crossbow  Medium           Medium         $ 5,000    $ 5,000    $ 10,000
eTrader   Low              Low            $ 1,000    $ 0        $ 1,000
IT Alert  Low              Low            $ 1,000    $ 0        $ 1,000
SAP       Low              Low            $ 1,000    $ 0        $ 1,000
Total                                     $ 129,000  $ 25,000   $ 154,000
Audience Focused Dashboards
Audiences: CISO; CEO and Board of Directors; Senior Management
Questions answered: How compliant are we? How much risk do we have? What work do we need to prioritize?
Data Security Context
(Diagram: the layers shown are External Network, Internal Network, Application Server, Operating System, OS File System, Database, Application Framework and Application Source Code, grouped as Network, Application and Data; the security controls at each layer are rated by security context from Low to High.)
Visibility into Third-Party Risk
Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.
Source: SecurityScoreCard
Law Enforcement will Discover Your Breach—Not You.
Source: Verizon 2016 Data Breach Investigations Report
Incident Classification Patterns Across Confirmed Data Breaches
Source: Verizon 2016 Data Breach Investigations Report
(Chart: Web Application Attacks is the highlighted pattern.)
Verizon: Worry Only About the Major Breach Patterns
Source: Verizon 2016 Data Breach Investigations Report
Where Can I View Data Access Context?
• Full Data Context
• Some Data Context
• Minimum Data Context
• No Data Context
Protect Against Ransomware
1. Implement an enterprise endpoint backup product to protect user data
2. Build a list of storage locations that users can connect to that are inherently vulnerable, such as shares
3. Evaluate the potential business impact of data being encrypted due to a ransomware attack, and adjust recovery point objectives (RPOs) to more frequently back up these computer systems
Source: Gartner - Use These Five Backup and Recovery Best Practices to Protect Against Ransomware, June 2016
Free Ransomware Decryption Tools have Rescued Data
Source: http://www.zdnet.com/article/these-free-ransomware-decryption-tools-have-rescued-data-from-2500-locked-devices/
The tools -- part of the No More Ransom project -- were launched three months ago by the Dutch National Police, Europol, Intel Security, and Kaspersky Lab.
90% of the data in the world has been created in the past two years
Source: https://www.ibm.com/software/data/bigdata/what-is-big-data.html (IBM)
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
PCI DSS 3.2
• Detect and report on failures of critical security control systems, #10.8
• Implement a data-discovery methodology to confirm PCI DSS scope and to locate clear-text PAN at least quarterly, #A3.2x
• Security must be built into the development process, #3, #4, and #6
• Protect stored cardholder data, #3 “Evolving”
• Quarterly internal and external network vulnerability scans, #11
New PCI DSS 3.2 Standard - Data Discovery
PCI DSS v2: mentioned data flow in “Scope of Assessment for Compliance with PCI DSS Requirements.”
PCI DSS v3.1: added data flow into a requirement.
PCI DSS v3.2: added data discovery into a requirement.
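The data-discovery step that PCI DSS 3.2 requires, as an added example that is not from the slides or from any PCI SSC tool: a small scanner that finds candidate PANs in text with a regular expression, confirms them with the Luhn check so that order numbers and timestamps are not reported, and prints each hit masked to first six / last four. The sample log and CSV lines are constructed for this example; the two Luhn-valid numbers in it are the well-known public Visa and Mastercard test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show first six and last four only, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_clear_text_pans(text: str) -> list[dict]:
    """Return every Luhn-valid PAN found in clear text, with its line number, masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append({"line": lineno, "length": len(digits), "masked": mask_pan(digits)})
    return findings


# Constructed sample input: an application log followed by a CSV export. The Luhn-valid
# numbers are the public Visa (4111...) and Mastercard (5500...) test numbers.
SAMPLE = """\
2016-11-02 10:14:03 INFO order=7734 card=4111 1111 1111 1111 status=approved
2016-11-02 10:14:09 INFO order=7735 card=tok_8f3c2a status=approved
order_id,amount,ref
4111111111111112,19.99,batch-12
5500000000000004,45.00,batch-12
"""

if __name__ == "__main__":
    for hit in find_clear_text_pans(SAMPLE):
        print(f"line {hit['line']}: {hit['length']}-digit PAN {hit['masked']}")
```

Only lines 1 and 5 are reported: the tokenized card on line 2 and the Luhn-invalid number on line 4 are ignored, which is the point of pairing the regex with the checksum.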
New PCI DSS 3.2 Standard - Security Control Failures
PCI DSS 3.2 includes requirements 10.8 and 10.8.1, which require service providers to detect and report on failures of critical security control systems.
PCI Security Standards Council CTO Troy Leach explained:
1. “without formal processes to detect and alert to critical security control failures as
soon as possible, the window of time grows that allows attackers to identify a way to
compromise the systems and steal sensitive data from the x data environment.”
2. “While this is a new requirement only for service providers, we encourage all
organizations to evaluate the merit of this control for their unique environment and
adopt as good security hygiene.”
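A minimal form of the control-failure detection that requirement 10.8 asks for, added here as an example and not taken from the slides or from the PCI SSC: each critical control emits a heartbeat, and the monitor flags a control that reports a failure, goes silent for longer than its tolerance, or never reports at all. The control names, tolerances and heartbeat events are constructed for this example.

```python
from datetime import datetime, timedelta

# Critical controls of the kind requirement 10.8 names (firewall, IDS, FIM, anti-virus,
# audit logging) and the longest silence each may go before it counts as a failure.
# The tolerances are assumed values for this example.
CONTROLS = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=4),
    "audit-logging": timedelta(minutes=10),
}


def parse_heartbeats(lines):
    """Keep the most recent '<iso-timestamp> <control> <ok|fail>' event per control."""
    latest = {}
    for line in lines:
        ts, control, status = line.split()
        when = datetime.fromisoformat(ts)
        if control not in latest or when > latest[control][0]:
            latest[control] = (when, status)
    return latest


def detect_control_failures(latest, now):
    """Map each failed critical control to the reason, ready to alert on and report."""
    failures = {}
    for control, tolerance in CONTROLS.items():
        if control not in latest:
            failures[control] = "never reported"   # a control that never checks in is not running
            continue
        seen, status = latest[control]
        if status != "ok":
            failures[control] = f"reported '{status}' at {seen.isoformat()}"
        elif now - seen > tolerance:
            failures[control] = f"silent for {now - seen} (tolerance {tolerance})"
    return failures


# Constructed heartbeat events, as a monitoring collector would receive them.
HEARTBEATS = [
    "2016-11-02T10:00:00 firewall ok",
    "2016-11-02T10:04:00 firewall ok",
    "2016-11-02T09:30:00 fim ok",
    "2016-11-02T10:02:00 ids ok",
    "2016-11-02T10:05:00 ids fail",
    "2016-11-02T06:00:00 antivirus ok",
]
NOW = datetime.fromisoformat("2016-11-02T10:10:00")
FAILURES = detect_control_failures(parse_heartbeats(HEARTBEATS), NOW)
```

With this input FAILURES lists firewall (silent six minutes), ids (explicit failure), antivirus (silent over four hours) and audit-logging (never reported), while fim is within tolerance; requirement 10.8.1 then asks for the documented response to each of these.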
Data Centric Security and PCI DSS (timeline)
2000 - Old: Cardholder Information Security Program (CISP) by Visa USA
2004 - PCI DSS: Protect stored cardholder data
2014 - Data Centric Audit and Protection (DCAP): centrally managed security
2016 - New: PCI DSS 3.2
?? - Emerging: SecDevOps
Issues with the older approaches: no context to application data usage; detection only after a breach; complex before and after
Protect Sensitive Cloud Data - Example
(Diagram: an Internal Network with an Administrator and an Internal User connects through a Cloud Gateway to a Public Cloud; a Remote User and an Attacker sit outside the internal network. Each sensitive field is protected in the public cloud and on the way to it; each authorized field is in clear only for the authorized user.)
Securing Big Data - Examples of Security Agents
Data flows: import de-identified data; export identifiable data; export audit for reporting.
Data protection is applied at the database, application or file level, or in a staging area.
Big data platform components covered: HDFS (Hadoop Distributed File System), MapReduce (job scheduling/execution system), Pig (data flow), Hive (SQL), Sqoop, ETL tools, BI reporting, RDBMS and the OS file system.
Data security agents include encryption, tokenization or masking of fields or files (in transit and at rest).
Data Centric Security Lifecycle & PCI DSS (timeline)
2004 - PCI DSS: Protect stored cardholder data
2014 - DCAP (Data Centric Audit and Protection): centrally managed security
2015 - UEBA (User Behavior Analytics): helps businesses detect targeted attacks
2016 - PCI DSS 3.2: Security in the development process (SecDevOps)
DevSecOps & SecDevOps
Although the terms look similar, they describe fundamentally different but equally important topics.
Source: Capgemini
SecDevOps vs DevSecOps
SecDevOps (Securing DevOps)
1. Embed security into the DevOps style of operation
2. Ensure "secure by design" discipline in the software delivery methodology, using techniques such as automated security review of code and automated application security testing
DevSecOps (Applying DevOps to Security Operations)
1. Develop and deploy a series of minimum viable products on security programs
2. When implementing security log monitoring, avoid a very large, high-value program with a waterfall delivery plan to design, implement and test
3. Operate a SIEM that monitors a large number of log sources
4. Onboard small sets of sources onto a cloud-based platform and slowly evolve the monitoring capability
Source: Capgemini
Security Tools for DevOps
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Fuzz testing: essentially feeding the application large volumes of random or malformed input and watching for crashes and faults
• Vulnerability Analysis
• Runtime Application Self Protection (RASP)
• Interactive Application Self-Testing (IAST)
Examples of Services That Can Fill The Gap
Application Services
• Application Hosting & Cloud Migration
• IT Consulting & Information Architecture
• Software Development & User Experience Design
Security Services
• Audit & Assessment Services
• Application Security Consulting
• Managed Vulnerability Scanning
• Security Tools Implementation
• Virtual CISO
SecDevOps
Our Services
Application Services
• Cloud Migration
• IT Consulting
• Information Architecture
• Software Development
• User Experience Design
• Application Hosting
• Digital Marketing
• Ecommerce
Security Services
• Audit & Assessment Services
• Managed Vulnerability Scanning
• Security Tools Implementation
• Application Security Consulting
• Virtual CISO