
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets


Page 1: FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets

Of Crown Jewels and Data Assets© 2017 Deloitte Risk Advisory Pty Ltd 1

Of Crown Jewels and Data Assets, April 2017

Page 2

The threat landscape

Page 3

It’s all in the news

You cannot hide

Page 4

The changing threat landscape

According to the Information Security Forum (ISF) Threat Horizon 2018 report, information security threats are set to worsen. Organisations risk becoming disoriented and losing their way in a maze of uncertainty as they grapple with complex technology, the proliferation of data, increased regulation and a debilitating skills shortage.

Page 5

So what do we know

Page 6

Industry 4.0: the outcome of being “smart”

The rise of the extended kinetic enterprise

1st industrial revolution (end of the 18th century): introduction of mechanical production facilities with the help of water and steam power. First mechanical weaving loom, 1784.

2nd industrial revolution (beginning of the 20th century): introduction of mass production with the help of electrical energy. First assembly line, 1870.

3rd industrial revolution (beginning of the 1970s): application of electronics and IT to further automate production. First programmable logic control system, 1969.

4th industrial revolution (today): on the basis of cyber-physical production systems (CPPS), merging of the real and virtual worlds. Industry 4.0.

[Figure: timeline from Industry 1.0 to Industry 4.0 plotted against degree of complexity. Around Industry 4.0: Internet of things, Internet of services, Internet of data, Internet of people; Smart Buildings, Smart Mobility, Smart Homes, Smart Grid, Smart Logistics, Social Web, Business Web, CPPS, Smart Factory.]

Page 7

What it means for you…

Given the breadth of the cyber ecosystem, and therefore of the attack surface available to a malicious actor, organisations must acknowledge that their focus needs to move to a data-first approach.

[Figure: stages of the data lifecycle plotted against MAGNITUDE, RISK and TIME, with columns for STAGES, TECHNOLOGIES and VALUE DRIVERS. Stages, in data-flow order:]

• Use of sensors to generate data about a physical event or state
• Transmission of information from generation to processing location
• Gathering information created at different times or from different sources
• Discernment of patterns among data that leads to action, descriptions or predictions
• Initiating, changing or maintaining an event or state

Page 8

What it means for you…

Understand the lifecycle of your data and know what is at risk in today’s connected enterprise

… focus on data

Page 9

Cyber Risk ≠ Cyber Security

Cyber risk and cyber security are often used interchangeably; however, they are two different concepts. Often, inadvertently, the focus is on cyber security, neglecting broader cyber risk management.

Cyber security is a category of solutions that partially address cyber risk. Cyber security is based on the principles of confidentiality, integrity and availability.

Cyber risk is a category of business risks that have strategic, operational and regulatory implications. Cyber risk management assesses threats, vulnerabilities and their potential impact on the broader organisation.

Page 10

Cyber Risk ≠ Cyber Security

The end game will be a bigger digital objective of which Cyber is just one of the many key ingredients.

[Figure: Cyber Risk and Cyber Security within Cyber, itself one ingredient of Digital Enablement, which spans:]

• Internet of Things
• Big Data
• Cloud
• Social / Mobility
• Blockchain
• Augmented Reality
• Digital Platforms
• CX / UX
• Open Data Networks
• Process Automation
• Right Speed IT
• Information Management
• Core Systems Reinvention

Page 11

So how do we protect our data assets

Page 12

Data Protection

Fundamental changes to how organizations approach data protection need to occur in order for the risk landscape to improve. Organizations are not investing in the right areas to address the risks and threats which are most impactful and likely.

Recent attacks demonstrate that we need to change the game

1. Risk mitigation versus compliance requirements

2. Building and maintaining a comprehensive inventory of sensitive assets and data

3. Implementing solutions to protect data and monitor for data loss at the “data layer”

4. Consistently executing the security fundamentals

Page 13

Data Protection

Why is protecting data so difficult?

Explosive data growth… Data is doubling in size every two years: 4.4 ZB in 2013, reaching 44 ZB by 2020 [5]. This could fill up the Library of Congress more than 10 million times.

…and data proliferation. The average organisation shares documents with 826 external domains / organisations [6].

Business and technology innovation. Innovations are creating additional cyber risk for organisations. Many organisations have started moving mission-critical applications to the cloud. The average company uses 738 cloud services [7], more than 10x what IT expects. By 2020, there will be 5 billion Internet of Things (IoT) devices [2].

Technology flawed by design. 6,488 new security vulnerabilities [8] were added to the National Vulnerability Database (NVD) in 2015, an average of 17 new vulnerabilities each day. 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published [2].

Compliance focused mindset. Cyber risk standards, laws and regulations have not and cannot keep up with both business and technological change and evolving adversaries. Although PCI compliance among organisations increased from 20% in 2014 to 29% in 2015 [2], the number of data breaches increased over the same period from 1,300 to 2,100.

Consistently failing to implement security fundamentals. Many companies lack the standard data protection capabilities (e.g. malware protection, data lifecycle management).

Top trends: Autonomic Platforms; Internet of Things; Cloud Enablement; Digital Enablement; Extended Enterprise & Third Party Risk.

Page 14

Data breach root causes: let’s keep it simple

It’s not due to lack of funding. It’s because most organisations do not use a data-centric approach to protection.

1. Organizations do not have enough experienced Cyber Security resources to appropriately protect all IT infrastructure and sensitive data

2. The end user continues to be targeted and exploited via spear-phishing, drive-by-exploits, and social engineering attacks

3. Many companies often release insecure software before sufficient testing can be performed due to the need for quick release into the market

4. Attackers are profiting and succeeding so they are not going away and not giving up

5. The level of sophistication in hacker goals and hacker tools continues to rise.

Page 15

What is Data-centric protection?

Data protection is one of the key focus areas for leading regulations and standards. Rules around data security are becoming more prevalent, stringent and mandatory, and they increasingly start from the assumption that adversaries are already in. That assumption means organisations need to focus on what is most important to them, their most valuable information, rather than just on keeping attackers out.

Core principles

Data Security
• Know what data is important and where it is: inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is foundational and incredibly important to data protection.
• Apply data-level protection capabilities: implementing data-layer protection capabilities can help to both prevent and detect data breaches at an organisation’s “last line of defence”.

Data Governance
• Data agenda: set a data agenda to manage the explosive growth in data.
• Define the data: ensure that requirements and definitions are driven by the business and not IT.
• Data-centric processes: establish data-centric processes with data at the heart of the conversation to drive the standardisation of shared concepts.

Privacy
• Understand obligations: understand your privacy requirements, risks and the personal information assets you hold.
• Monitor and manage: continuously monitor, measure and improve privacy risk management processes.
• Ready to respond: be resilient and ready to respond to privacy risk.

Page 16

How to change the game

Data protection capabilities should occur from the “inside out”, in addition to the “outside in”. Assume your adversaries are “in”, and limit what they can do, and the impact they can cause.

Data protection from the inside out

Focus on scope: invest in areas that maximise return on investment. Focusing at the data layer makes it harder for attackers to get hold of sensitive information.

Top goals
• Discourage attackers: make attacks harder, more time consuming and costly
• Engineer for control failure: protect data assuming other traditional controls will fail
• Minimise breach impact: any data loss should result in the least possible impact
• Play the percentages: invest in areas that maximise return on investment

Business-centric capabilities
– Third-party access
– Business impact to data
– Operational risk profiling of data
– Data ownership
– Data lifecycle ownership
– Data lifecycle management

Data-centric capabilities: focus on the sensitive data itself
– Identify and maintain an inventory of the most critical assets through enterprise data discovery, classification and management programs
– Render compromised data useless through tokenisation, encryption and obfuscation
– Zero in on the most likely targets for attacks
– Monitor for data access or exfiltration at the database layer and endpoints

Illustrative supplemental capabilities: close access paths through fundamental security controls
– Strong authentication
– Malware detection
– Privileged user management
– Vulnerability and patch management
– Configuration management

[Figure: layered stack, Data, Application, Platform, Network.]
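Two of the data-centric capabilities above, keeping an inventory of sensitive data through discovery and classification (the first principle on the previous slide, know what data is important and where it is) and rendering compromised data useless through tokenisation, as one added worked example. This is not code from the deck or from Deloitte: the store layout, the regexes, the vault design, the settlement-only detokenisation policy and the test card numbers are all this example’s own assumptions.

```python
"""Discover, classify and tokenise card data across constructed sample stores.

Added example, not code from the deck or from Deloitte. It walks two
constructed stores (a structured table and an unstructured document), builds a
sensitive-data inventory keyed by location and class, then replaces every card
number with a vault token, so a copy of the application data no longer holds
anything that passes a Luhn check. Names and test card numbers are assumptions.
"""
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def luhn_valid(digits: str) -> bool:
    """Mod-10 check; filters order IDs and other 16-digit noise out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Return {class: [matches]} for one value; a PAN hit must also pass Luhn."""
    found = defaultdict(list)
    for m in PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found["PAN"].append(m.group())
    for m in EMAIL_RE.finditer(text):
        found["EMAIL"].append(m.group())
    return dict(found)

def discover(stores: dict) -> dict:
    """Inventory {location: {class: count}}. A store is a list of row dicts
    (structured) or a single string (unstructured)."""
    inventory = defaultdict(lambda: defaultdict(int))
    for location, content in stores.items():
        values = ([v for row in content for v in row.values()]
                  if isinstance(content, list) else [content])
        for value in values:
            for cls, hits in classify(str(value)).items():
                inventory[location][cls] += len(hits)
    return {loc: dict(counts) for loc, counts in inventory.items()}

class TokenVault:
    """Token <-> PAN map. In a real deployment this is a separate, hardened
    service with its own access control; the application side keeps only tokens."""
    def __init__(self, lookup_key: bytes):
        # Keyed index: the PAN space is small enough to brute-force an unkeyed hash.
        self._key = lookup_key
        self._pan_by_token = {}
        self._token_by_fp = {}
    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
    def tokenise(self, pan: str) -> str:
        """Same PAN -> same token. The token keeps the last four digits for
        display and is chosen to fail Luhn, so a scanner never takes it for a card."""
        if not luhn_valid(pan):
            raise ValueError("not a card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        while True:
            token = "".join(secrets.choice("0123456789")
                            for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token
    def detokenise(self, token: str, caller_role: str) -> str:
        """Only the settlement role may recover a PAN (an assumed policy)."""
        if caller_role != "settlement":
            raise PermissionError(f"role {caller_role!r} may not detokenise")
        return self._pan_by_token[token]

def protect(stores: dict, vault: TokenVault) -> dict:
    """Copy of the stores with every Luhn-valid PAN replaced by its token."""
    def swap(text: str) -> str:
        def repl(m):
            digits = re.sub(r"[ -]", "", m.group())
            return vault.tokenise(digits) if luhn_valid(digits) else m.group()
        return PAN_RE.sub(repl, text)
    return {loc: [{k: swap(str(v)) for k, v in row.items()} for row in content]
            if isinstance(content, list) else swap(content)
            for loc, content in stores.items()}

# Constructed sample stores, not real data; the cards are standard test PANs.
SAMPLE_STORES = {
    "crm.customers": [
        {"id": 1, "email": "ana@example.com", "card": "4111 1111 1111 1111"},
        {"id": 2, "email": "raj@example.com", "card": "5500-0000-0000-0004"},
        {"id": 3, "email": "mei@example.com", "order": "1234567890123456"},  # fails Luhn
    ],
    "shared/disputes.txt": "Disputed charge on card 4111111111111111, contact ana@example.com.",
}
```

Run `discover(SAMPLE_STORES)` to see the inventory before protection and `discover(protect(SAMPLE_STORES, TokenVault(secrets.token_bytes(32))))` after it: the email counts survive, the PAN counts drop to zero. The vault becomes the crown jewel in this model, which is where the strong authentication and privileged user management listed under supplemental capabilities belong.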

Page 17

Data protection framework

Business objectives (business value): Growth / Innovation; Privacy; Risk management; Regulatory compliance

Governance: strategy and operating model; policies, standards, and architecture; risk reporting and culture
• Policies and standards covering each of the Data Protection capabilities
• Operational procedures and supporting guides
• Data protection reference architecture
• Risk Reporting framework and dashboards
• KRIs and KPIs
• Embedding data protection culture across the business (IT, HR, etc.)
• Data protection training and awareness
• Data risk management lifecycle including identification, testing, response, and treatment
• Threat modeling and data risk identification
• Data Protection strategy and roadmap
• Data Protection organization structure and accountability
• Regulatory compliance and exam management

Data Protection technology capabilities: Data discovery and inventory; Data classification; Data encryption, tokenization, and obfuscation; Key and certificate management; Information rights management; Payments security; Data retention and destruction; Data loss prevention; Data access governance; Database security

Data Security Governance (operational capabilities)
• Business Impact & Readiness
• IT Operations & Readiness
• Stakeholder Management & Communication
• Collaboration & Information Life Cycle Tools
• Master Data Management and Sharing
• Data Security & Architecture
• Data Workflow
• Metadata Repository
• Progress Tracking
• Issue monitoring
• Continuous improvement
• Score carding
• Data analytics

Assessment against a controls set (e.g. ISF, NIST, Privacy regulation, NAB SKCA)

Page 18

It’s not all about frameworks and policies

INTEGRATED FRAMEWORK FOR DATA PROTECTION

Data lifecycle stages: Data Collection / Creation; Data Storage; Data Usage and Sharing; Data Retention and Destruction

Framework layers:
• Data Classification
• Data Security Architecture
• Security Metrics and Reporting, Board Reporting
• Awareness and Culture, Secure Data Lifecycle, Data Management, Third Party Security
• Encryption and Tokenisation, Privacy Assessment Platform, Third Party Security Platform

Data protection capabilities: Discovery and Classification; Data Loss Prevention; User Behavior Analytics; CASB; Analytics and Reporting

Page 19

Protection across the data lifecycle

Data Collection: sensitive data is collected by an organization as part of its day-to-day operations via point of sale devices, application forms, data from credit bureaus, etc.

Data Storage: collected data is stored across multiple solutions such as databases, backup locations, third party storage, etc., for further use by applications and users.

Data Usage and Sharing: data is transmitted from storage solutions for processing on internal and external servers, applications, end-user devices, and other devices within and outside the network.

Data Retention and Destruction: data is retained or destroyed by the organization per regulatory, internal compliance or business requirements, using electronic or physical media for retention.

Threats: MITM attack; malicious insider; POS malware; stolen device; eavesdropping; data exfiltration; remnant data; backup failure; corrupt backup

Data targets: web applications; scanning and printing devices; physical documents; databases and storage devices; cloud data transfers; application data transfers; end user reporting; data retained on storage devices; electronic data and physical documents to be destroyed after use

Data protection capabilities: data encryption, tokenization, and obfuscation / key and certificate management / payment security; data loss prevention; data discovery, inventory, and classification; data access governance; data retention and destruction; information rights management; database security
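The data exfiltration threat in the table above, covered by the capability the “How to change the game” slide calls monitoring for data access or exfiltration at the database layer, as an added worked example. It is not code from the deck or from Deloitte: the audit line format, account and table names, the ten-minute window, the row thresholds and the business-hours range are assumptions, and the only thing taken from the deck is the idea that the rules run over tables the data inventory has classified.

```python
"""Database-layer access monitoring over constructed audit log lines.

Added example, not code from the deck or from Deloitte. Two rules run over a
database audit trail, restricted to tables the data inventory has classified:
cumulative rows read from one classified table by one account inside a sliding
window, and interactive access to a classified table outside business hours.
The log format, account names, table names and thresholds are assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) client=(?P<client>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

def parse(line: str) -> dict:
    """One audit record -> dict with a datetime and an int row count."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["rows"] = int(event["rows"])
    return event

def detect(lines, classified, batch_accounts, row_threshold=10_000,
           window=timedelta(minutes=10), business_hours=(7, 19)):
    """Return alerts in the order they fire, at most one per (account, table, rule).

    classified: set of table names holding sensitive data (from the inventory).
    batch_accounts: {account: rows allowed per window}; these are expected to
    run off-hours, so only the volume rule applies to them, with their own limit.
    """
    alerts = []
    recent = {}     # (user, table) -> deque of (ts, rows) inside the window
    fired = set()   # (user, table, rule) already alerted
    for line in lines:
        e = parse(line)
        if e["table"] not in classified:
            continue  # data-centric: unclassified tables are out of scope here
        key = (e["user"], e["table"])
        q = recent.setdefault(key, deque())
        q.append((e["ts"], e["rows"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        total = sum(rows for _, rows in q)
        limit = batch_accounts.get(e["user"], row_threshold)
        if total > limit and key + ("volume",) not in fired:
            fired.add(key + ("volume",))
            alerts.append({"rule": "volume", "user": e["user"], "table": e["table"],
                           "rows_in_window": total, "ts": e["ts"].isoformat()})
        in_hours = business_hours[0] <= e["ts"].hour < business_hours[1]
        if (not in_hours and e["user"] not in batch_accounts
                and key + ("off_hours",) not in fired):
            fired.add(key + ("off_hours",))
            alerts.append({"rule": "off_hours", "user": e["user"], "table": e["table"],
                           "client": e["client"], "ts": e["ts"].isoformat()})
    return alerts

# Constructed audit lines (not from any real system). alice is a normal daytime
# user, bob reads a non-classified table, etl_svc is the nightly batch account,
# jsmith pulls the customer table in chunks at 02:00 and then touches card tokens.
SAMPLE_LOG = [
    "2017-04-03T09:02:11Z db=crm user=alice client=10.8.4.17 table=customers rows=12",
    "2017-04-03T09:15:40Z db=crm user=alice client=10.8.4.17 table=customers rows=3",
    "2017-04-03T10:30:05Z db=crm user=bob client=10.8.4.31 table=products rows=500000",
    "2017-04-04T01:00:00Z db=crm user=etl_svc client=10.8.9.5 table=customers rows=200000",
    "2017-04-04T02:14:07Z db=crm user=jsmith client=10.8.4.22 table=customers rows=6000",
    "2017-04-04T02:19:33Z db=crm user=jsmith client=10.8.4.22 table=customers rows=6000",
    "2017-04-04T02:31:02Z db=crm user=jsmith client=10.8.4.22 table=card_tokens rows=90",
]
CLASSIFIED = {"customers", "card_tokens"}
BATCH_ACCOUNTS = {"etl_svc": 500_000}
```

`detect(SAMPLE_LOG, CLASSIFIED, BATCH_ACCOUNTS)` raises nothing for alice, bob or the batch account and three alerts for jsmith: off-hours access to customers, 12,000 rows of customers inside ten minutes, and off-hours access to card_tokens. The chunked reads are the point of the sliding window: no single query crosses the threshold, the sum does. Thresholds per account are deliberately crude; a real deployment derives them from each account’s observed baseline.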

Page 20

How would it work: it’s all about options

There are many ways to get started, depending on the needs, priorities and maturity of an individual organization’s data protection program.

1. Data Discovery Exercise: perform a data discovery exercise to understand where structured and unstructured sensitive data exists across the organization. Provide recommendations on how to protect and manage the sensitive data identified.

2. Data Exfiltration Risk Assessment: conduct a risk assessment to identify the areas in the organization that are most at risk of data being exfiltrated. Provide recommendations on remediation activities to strengthen those areas.

3. Data Protection Technology and Capability Implementation: assist with the implementation and deployment of data protection technology solutions and capabilities, up to full-scale technology implementation support.

4. Data Protection Program Foundation Development: develop supporting capabilities (e.g. governance, operating model, key risk indicators, key performance indicators) to enhance and strengthen the data protection program.

5. Data Protection Assessment and Strategy: conduct a data protection assessment to understand the key risks the organization is facing, its capability maturity and any gaps that exist. Develop a data protection strategy and roadmap to define the components and capabilities needed to build a data protection program.

6. Managed Services: provide service level agreement (SLA) based operation of Data Loss Prevention (DLP) tools, including event analysis, system maintenance, reporting and other operational tasks.

Page 21

Manage it as a program

Strategy: Planning and Design
• Identify PU Stakeholders
• Identify Senior Management and Stakeholders
• Identify Applicable Data Protection Laws and Regulations
• Develop Assessment Project Plan & Team
• Develop Program Vision and Objectives
• Define Requirements and Controls
• Management Processes
• Data Protection Governance
• Develop Strategy and Roadmap
• Training & Awareness Plan and Materials

Operations: Discover and Classify
• Procure and Deploy Data Discovery, Classification and Inventory Tools
• Data Types Most Valuable to the Business
• Data Flow Mapping of Valuable Data
• Assessment of Risk & Controls
• Remediation and Action Plan

Operations: Deploy Protection Mechanisms
• Prioritise Data Protection Implementation based upon Data Classification Scheme
• Design and Implement Data Protection Solution across the Data Lifecycle Stages
• Integrate Applications, Business Processes, Platform and Systems with the Data Protection Solutions
• Deploy Fundamental Security Controls to Enhance Broader Data Protection Posture

Operations: Monitor and Respond
• Deploy Data Monitoring Tools and Processes
• Define and Implement Incident Response Processes
• Implement Metrics, Monitoring and Reporting (including Board)
• Report on Outcomes

Page 22

Of Crown Jewels and Data Assets

Page 23

This document and the information contained in it is confidential and should not be used or disclosed in any way without our prior consent.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. The entity named herein is a legally separate and independent entity. In providing this document, the author only acts in the named capacity and does not act in any other capacity. Nothing in this document, nor any related attachments or communications or services, have any capacity to bind any other entity under the ‘Deloitte’ network of member firms (including those operating in Australia). Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.

About Deloitte Australia

In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For more information, please visit our web site at www.deloitte.com.au. Liability limited by a scheme approved under Professional Standards Legislation. Member of Deloitte Touche Tohmatsu Limited.

© 2017 Deloitte Risk Advisory Pty Ltd

Puneet Kukreja
National Lead Partner – Data Protection Group
National Cyber Leader – Banking and Financial Services
Cyber Risk Advisory
T: +61403037010
E: [email protected]

Thank you.