DESCRIPTION
CISOs and their security programs face overwhelming pressure to renew their focus on data protection. This pressure stems from external forces (advanced threats and a multitude of compliance obligations) and internal forces (new business initiatives). This combination of factors leads to a complex set of data protection requirements, and CISOs and security programs face further complexity in meeting those requirements because of the virtual explosion in data volume and the variety of locations where that data may reside. If that's not enough, the scope of data to be protected includes not only customer data, but internal data and system data as well.

In this webcast, Jim Maloney, CEO of Cyber Risk Strategies, LLC, and Mark Evertz, Security Solutions Manager at Tripwire, discuss:
The evolution of information security and why it has renewed its focus on data protection
The challenges CISOs and their security programs face in securing data, including increasing volumes of data, multiple locations of data, compliance obligations and more
Why data protection efforts must go beyond customer data to also protect internal data and system data
How data protection can serve as a business enabler
How solutions like the Tripwire VIA Suite can help protect essential organization data
Five steps CISOs can take to significantly improve their organization's information security
Common Data Protection Pitfalls – And How You Can Avoid Them
Jim Maloney, Cyber Risk Strategies, LLC
Mark Evertz, Tripwire, Inc.
September 28, 2010
IT SECURITY & COMPLIANCE AUTOMATION
Today’s Speakers
Jim Maloney
CEO
Cyber Risk Strategies, LLC
Mark Evertz
Security Solutions Manager
Tripwire, Inc.
44 Cyber Risk Strategies, LLC
Agenda
The data protection challenge and common pitfalls
Data protection objectives
Tripwire data protection scenarios
A glimpse into the future
Five actions for improved data protection
The data protection challenge
Diagram: four pressures (complex external threats, changing business requirements, growing compliance obligations, increasing data volumes and distribution) acting on controls, systems and data.
More data, everywhere
Disturbing trends from IDC Digital Universe report…
Last year (2009) the amount of data in the ‘Digital Universe’ grew by 62% to nearly 800,000 petabytes (1 petabyte = 1 million gigabytes).
By 2020, the Digital Universe will be 44 times larger than it was in 2009 – 35 trillion gigabytes.
Nearly 75% of the Digital Universe is a copy – only 25% is unique.
While enterprise-generated data accounts for 20% of the Digital Universe, enterprises are liable for 80% of the data that is created (the majority created by end-users).
By 2020, more than a third of all the information in the Digital Universe will either live in or pass through the ‘cloud.’
Increasing scope of data
Customer Data: personal data, financial data, health records, cardholder details, criminal records
Internal Data: business plans, intellectual property, customer lists, employee lists, contracts
System Data: firewall configurations, router configurations, platform configurations, accounts & permissions, event logs
System data, too?
System data (configurations, settings and log files) can be the pathway to compromising customer and internal data.
Hackers increasingly exploit configuration weaknesses and programming errors in order to steal information from computer systems.
There is also a trend towards ‘anti-forensics’ – criminals tampering with or deleting logs to hamper detection and investigations.
2010 Verizon Data Breach Investigations Report
Pitfall No. 1 – Data awareness
Where is your data?
How is it classified?
Who has access to it?
Many compliance obligations
Compliance Item | Primary Locale | Industry | Data Focus
UK Data Protection Act | United Kingdom | All | Customer Data
Data Protection Directive | European Union | All | Customer Data
Privacy and Electronic Communications | European Union | All | Customer Data
Federal Information Security Management Act | United States | US Federal Agencies | System Data
Privacy Act of 1974 | United States | US Federal Agencies | Customer Data
Health Insurance Portability Act | United States | Health | Customer Data (Health Care)
HITECH Act | United States | Health | Customer Data (Health Care)
Identity Theft Red Flags Rule | United States | Financial | Customer Data (Identity Information)
Gramm-Leach-Bliley Act | United States | Financial | Customer Data (Financial Information)
Payment Card Industry Data Security Standard | All | Firms that are part of the credit card processing cycle | Customer Data (Cardholder and Sensitive Authentication Data)
Breach notification laws
Another facet of compliance is the body of laws related to breach notification.
The first breach notification law was passed in 2003 (California SB 1386) in response to concerns about the rise in identity theft.
Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches.
Breach notification is indirectly focused on data protection by requiring disclosure of data breaches to the individuals impacted.
Trying to avoid the potential impact on brand and reputation provides additional motivation for a business to prevent data breaches.
Pitfall No. 2 – A compliance nightmare
Diagram of overlapping compliance drivers and program elements: laws and regulations; standard of due care; industry standards; best practices; policies; technology; training; audits; BCP; IRP.
External threats
Life keeps getting better for the CISO :-)
Advanced, persistent threats
Targeted, adaptive malware
Social engineering via new channels
Advanced persistent threats
An attack directed at targets with a low profile over a prolonged duration.
The attack aims to gather valuable intelligence data and to keep continued access to compromised systems.
It typically involves malware to gain access and control, and typically uses an interactive, “low-and-slow” approach.
Targeted, adaptive malware
Use of a botnet to deliver malware to a large number of specific targets.
Purpose is to harvest financial account and credit card information for direct use or for sale.
A botnet control center distributes and monitors the installation and effectiveness of malware.
The malware is rapidly updated and redistributed.
Social engineering via new channels
Sending a message creating a sense of urgency or with an enticing offer.
Purpose is to harvest identity and account information or to deliver malware.
Messages, links, attachments and web sites are crafted to look like they are from the legitimate organization. The user provides account information and/or receives malware.
Expanding beyond email (phishing) to include vishing, SMSishing, IM, Facebook, Twitter.
Who is being targeted?
(Chart from the 2010 Verizon Data Breach Investigations Report)
What data is being targeted?
(Chart from the 2010 Verizon Data Breach Investigations Report)
Pitfall No. 3 – Lack of situational awareness
New threats
New vulnerabilities
New business initiatives
New information technology
New security products and services
The (d)evolution of information security
Timeline, 1970 to 2010: Information, Computers, Internal Networks, External Networks, Applications, Clouds, User Behavior.
Pitfall No. 4 – Loss of focus on information security
We started out focused on information security
Wandered through an OSI-like system stack
And now we’re in the clouds :-)
Data protection objectives
These objectives still make sense…
Confidentiality – preventing unauthorized disclosure of sensitive information
Integrity – preventing unauthorized modification of systems and information
Availability – preventing disruption of service and information access
Accountability – the ability to determine who (or what) is responsible for the result of an action
Enhancing Security & Compliance in a Data Deluge
Mark Evertz
September 2010
Must Make Better Use Of Existing Data
Diagram of existing data sources: vulnerability assessment, switches & routers, firewalls, IDS & IPS, databases, applications.
“We consistently find that nearly 90% of the time logs are available but discovery [of breaches] via log analysis remains under 5%”
2010
Improved Data Protection: Correlation of Change Events & Log Events
Diagram: raw log data → events of interest (change event, log event) → “Am I Secure? Is Policy Impacted?”
Example: Correlating Log & Change Events
5 failed logins
Logging turned off
Host not generating events
Windows event log cleared
Login successful
Policy test fails
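The sequence on this slide (a burst of failed logins, logging turned off or the event log cleared, a successful login, then a policy test failing after a configuration change) and the ‘anti-forensics’ trend noted earlier are what a change/log correlator is meant to surface. The following is an added illustration, not Tripwire's code and not from the original deck: a toy correlator in Python over a constructed, normalized event feed. The feed format, the host names, the `myUser` account activity, the rule names and the five-minute window are all assumptions made for the example; it also checks for hosts that have gone quiet, which is how “host not generating events” would be noticed.

```python
"""Correlate change events and log events into 'events of interest'.

Added example (not the deck's or Tripwire's code). Constructed feed format:
    <timestamp> <host> <source: log|change> <kind> key=value ...
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (hosts, user and timestamps are invented).
SAMPLE_FEED = """\
2010-09-28T01:20:00 db02 log login_failed user=dba
2010-09-28T01:20:30 db02 log login_success user=dba
2010-09-28T01:30:00 db02 log heartbeat user=-
2010-09-28T02:00:01 web01 log login_failed user=myUser
2010-09-28T02:00:09 web01 log login_failed user=myUser
2010-09-28T02:00:17 web01 log login_failed user=myUser
2010-09-28T02:00:25 web01 log login_failed user=myUser
2010-09-28T02:00:33 web01 log login_failed user=myUser
2010-09-28T02:01:10 web01 change audit_policy user=myUser detail=logging_disabled
2010-09-28T02:01:40 web01 log log_cleared user=myUser detail=Security
2010-09-28T02:02:05 web01 log login_success user=myUser
2010-09-28T02:03:00 web01 change config user=myUser detail=ftp_publishing=enabled
2010-09-28T02:03:05 web01 log policy_test user=- detail=ftp_publishing_disabled=FAIL
"""

FAIL_THRESHOLD = 5                    # failed logins that count as a burst
WINDOW = timedelta(minutes=5)         # correlation window (assumed)
TAMPER_KINDS = {"log_cleared", "audit_policy"}   # anti-forensics indicators
DEMO_NOW = datetime(2010, 9, 28, 2, 10)          # "current time" for the demo


def parse_feed(text):
    """Parse the constructed feed into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, kind, *fields = line.split()
        ev = {"time": datetime.fromisoformat(ts), "host": host,
              "source": source, "kind": kind}
        for field in fields:                      # key=value pairs
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def _finding(rule, ev):
    return {"rule": rule, "host": ev["host"], "user": ev.get("user", "-"),
            "time": ev["time"].isoformat(), "kind": ev["kind"]}


def correlate(events):
    """Apply three correlation rules over a time-ordered event stream."""
    findings = []
    fails = defaultdict(list)   # (host, user) -> failure times inside WINDOW
    bursts = {}                 # (host, user) -> time the burst threshold was hit
    last_change = {}            # host -> most recent config change event
    for ev in events:
        host, user, t = ev["host"], ev.get("user", "-"), ev["time"]
        key = (host, user)
        if ev["kind"] == "login_failed":
            fails[key] = [x for x in fails[key] if t - x <= WINDOW] + [t]
            if len(fails[key]) >= FAIL_THRESHOLD:
                bursts[key] = t
        elif ev["kind"] in TAMPER_KINDS:
            # Logs cleared or logging disabled while a burst is active on this host
            if any(k[0] == host and t - bt <= WINDOW for k, bt in bursts.items()):
                findings.append(_finding("log_tampering_during_attack", ev))
        elif ev["kind"] == "login_success":
            bt = bursts.get(key)
            if bt is not None and t - bt <= WINDOW:
                findings.append(_finding("failed_logins_then_success", ev))
                del bursts[key]
        elif ev["source"] == "change" and ev["kind"] == "config":
            last_change[host] = ev
        elif ev["kind"] == "policy_test" and ev.get("detail", "").endswith("=FAIL"):
            # Policy test failed shortly after a change: tie them together
            ch = last_change.get(host)
            if ch is not None and t - ch["time"] <= WINDOW:
                f = _finding("policy_failure_after_change", ev)
                f["change"], f["changed_by"] = ch["detail"], ch.get("user", "-")
                findings.append(f)
    return findings


def silent_hosts(events, now, max_gap=timedelta(minutes=30)):
    """Hosts whose last event is older than max_gap: 'host not generating events'."""
    last_seen = {}
    for ev in events:
        last_seen[ev["host"]] = max(last_seen.get(ev["host"], ev["time"]), ev["time"])
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


def run_demo():
    events = parse_feed(SAMPLE_FEED)
    return correlate(events), silent_hosts(events, DEMO_NOW)


if __name__ == "__main__":
    found, quiet = run_demo()
    for f in found:
        print(f)
    print("silent hosts:", quiet)
```

On the constructed feed the correlator reports, for web01 only, two log-tampering findings, the failed-logins-then-success finding, and the policy failure tied back to the ftp_publishing change made by myUser; db02, whose single failed login never reaches the threshold, produces nothing but is flagged as silent because its last event is 40 minutes old. Each finding carries host, user and time, the who/what/when/where that the Log Center query screens on the following slides are built around.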
Screenshot walkthrough (Tripwire VIA):
Tripwire – Homepages – Dashboards
Attack in Progress? FTP Publishing Enabled…
FTP Publishing Failed Test – Actual Value (Auto 2)
Clicking Node – Allows Log Center View
FTP Publishing – Log Center Query Results (Who, What, When, Where)
Query Further on “myUser” – Who is this???
History of myUser Account – Creation to threat!
Raw Event Data – Returned From Log Center
Normalized/Readable Data Returned By Log Center
Tripwire VIA: IT Security & Compliance Automation
Diagram: a policy engine and an event database, used to correlate to bad changes and to correlate to suspicious events.
VISIBILITY – Across the entire IT infrastructure
INTELLIGENCE – Enable better, faster decisions
AUTOMATION – Reduce manual, repetitive tasks
The future of data protection
More customer, internal and system data, in more locations.
Will need visibility of the current status, locations and change activity related to data to make this environment more manageable and secure.
Protecting data irrespective of its location will enable the distribution of data while maintaining the required level of protection.
Intelligent controls for data protection should follow the data instead of being dependent upon the data’s current environment.
More emphasis on recognizing patterns of acceptable and unacceptable user and system behavior.
A behavioral-based approach can make monitoring, detection and response more scalable.
Data protection controls that automatically adapt to new situations.
Design systems that are self-healing and more resilient.
Improved data protection - today
Critical data inventory – Inventory and track the locations of critical data, how it is being used and by whom.
Integrated requirements – Identify and consolidate all relevant data protection compliance obligations.
Situational awareness – Establish a situational awareness process for monitoring external threats and internal changes to the business that could have an impact on data protection.
Controls framework – Adopt and adapt a controls framework. Define a service catalog and service owners. Implement baseline controls.
Risk assessment – Assess data protection controls (people, process and technology) against compliance obligations, external threats and internal business needs. Update as needed.
Thank you
If you have any questions, please feel free to contact me…
Jim Maloney (jmaloney@cyberriskstrategies.com)
Mark Evertz, Security Solutions Manager, Tripwire, Inc.
Direct: 503.269.2639
E-mail: mevertz@tripwire.com
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980