Enterprise Data Security Directions 2007
Asim Ahmed
Steve Moscarelli
Members of ISSA and CSI
2
The Insider Threat: ID Theft Tops FTC's List of Complaints
• In 2006, for the 5th straight year, identity theft ranked 1st of all fraud complaints.
• 10 million cases of identity theft annually.
• 59 percent of companies have detected some internal abuse of their networks.
3
Data Security and Compliance: Necessity of Exposure, and the Risk
[Diagram: the parties who need access to sensitive data, and the exposure that creates. Employees (remote workers, mobile workers); Business Partners (suppliers, outsourcers, consultants); Competitors; Customers; Hackers; Contractors; Temporaries; Visitors. Further labels: Digital Business, Cyber-crime, Employees, Sensitive Data. Source: Forrester Research]
4
Information Leaks, Spills, Theft, Loss or Extrusion: A Growing Challenge
An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies.
[Diagram: examples of leaked data and the channels involved. Labels: Customer Data (Customer Name, SSN, Salaries, Marketing Plans); Company Info Sent Over Web-mail; Sent by Customer Service Rep; Patient (Client) and Doctor (Lawyer) exchanging Patient Information (Patient Name, Insurance Information, Diagnosis); Confidential Information held by Finance and Customer Service]
5
Information Leaks: How Do They Occur?
An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies.
[Diagram: "Your Data" (Customer Data, Company Info, Marketing Plans, Confidential Information, SSN, Salaries, Customer Name, Patient Information, Financials, Upcoming reports, M&A) leaving through Customer Service, Sales, R&D, Doctors, Contractors and Finance; example: Sent by Customer Service Rep]
6
Unauthorized access to information and proprietary information theft are increasing 2-5X per year in cost to the affected company
Sources: 2005 CSI/FBI Computer Crime and Security Study; Forrester Research, Inc.
[Diagram: drivers for data security: Competitive Edge, Customer Pressure, Privacy Regulations, Business Governance. Labels: Identity theft, brand damage; Intellectual property, trade secrets, confidential plans; SEC/NASD rules, legal liability; Insurance rules; SOX, HIPAA, GLBA, PIPEDA, FERPA, EU DPD]
7
Data Security and Compliance: Growing Problem with Exec Visibility
• Executive Concern
– California Data Privacy Act (SB-1386)
• Pennsylvania, New York, Illinois, Wisconsin and 21 other states with regulations
– Health Insurance Portability and Accountability Act (HIPAA)
– Sarbanes-Oxley (SOX)
– Gramm-Leach-Bliley Act (GLBA)
• Traditional Security does not address Data
– Network security (FW, IPS) has no knowledge of data
– No 2 organizations have exactly the same data.
– Database security is not granular enough, plus performance issues
8
Increasing Business Impact of Information Leaks
• Compliance requirements are increasing
– Federal regulations such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)
– State regulations such as the California Data Privacy Act (SB-1386) and 21 other states
– High costs of data breaches: estimated at $140 per consumer record
• Intellectual property/confidential information losses can damage business and competitive advantage
Indirect Costs       $1.5M   $15/record
Opportunity Costs    $7.5M   $75/record
Direct Costs         $5.0M   $50/record
Total Costs                  $140/record
Source: Ponemon Institute, SVB Alliant
9
Top 10 Most Frequent Incidents
1. Patient PHI sent to partner, again, and again
2. Employee 401k information sent outbound and inbound
3. Payroll data being sent to home email address
4. Draft press release to outside legal counsel
5. Financial and M&A postings to message boards
6. Source code sent with resume to competitor
7. SSNs… and thousands of them
8. Credit card or account numbers… and thousands of them
9. Confidential patient information
10. Internal memos and confidential information
10
Total cost: $140 per customer
[Chart: average recovery costs by type, costs breakdown. Source: The Ponemon Institute]
11
Data Security and Compliance: Why Data is a Priority?
Indirect Costs          $1.5M   $15/record
Opportunity Costs       $7.5M   $75/record
Direct Costs            $5.0M   $50/record
Cost of Data Breaches           $140/record
Source: Ponemon Institute, SVB Alliant

What do you consider to pose the biggest current threat to your organization's overall security? (multiple responses)
Leakage of confidential/proprietary information   52%
Unpatched vulnerabilities                          24%
Insider attacks                                    18%
Spyware                                            14%
Phishing attacks                                   10%
Malicious code                                      4%
Spam                                                4%
Denial of Service attacks                           4%
Fraud                                               2%
Keystroke loggers                                   2%
Source: Merrill Lynch survey of 50 North American CISOs, July 2006
12
Data Security and Compliance: Implications of Data Breach
[Headlines: "Card Center Hit by Thieves Agrees to Sale", October 17, 2005, by Eric Dash (NYT), Business/Financial Desk. "FTC settles with CardSystems over data breach: Company must adopt security measures, undergo audits", February 24, 2006. "Security Breaches Of Customers' Data Trigger Lawsuits", July 21, 2005 (WSJ): "Andrew Schultz was just one of many consumers whose banks notified them last month that computer hackers had filched their credit- and debit-card information…"]
– Partner lost
– Customer lost
– Brand damage
– Service shut down
– Lawsuits
– Government investigations
– Fines & more regulations
– Company shut down
– Fire sale of assets
13
Endpoints – the Achilles heel of corporate security: devices can connect to each PC – no visibility, no control
• Over 26,000 different USB products exist, 1.4 billion shipped in 2005
– Storage devices
– Networking adapters
– Printers, scanners, webcams
– Coffee warmers, hand massagers…
• Over 1 billion devices have been sold to date
– Over 32 million iPods sold in 2005
– Over 5 million Bluetooth devices are sold every week
– Their capacity keeps growing – 10GB drive for $50 by 2010
– They are virtually impossible to trace
14
Understanding the Threat
• 39% of USB drive owners use it to transfer files between home & work
• 37% of businesses reported the disclosure of company information via USB drive in the past 12 months. – Yankee Group (2005)
• "Data theft accounted for over $50B in losses [in 2004] in America alone." – The Economist (6/18/2005)
• "Poor information security has exposed personal information of over 50 million Americans so far in 2005" – The Economist (6/18/2005)
• "50% of security incidents originate from within an organization." – 2005 FBI / CSI Computer Crime and Security Survey
• "70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise." – Vista Research
• "HIPAA & GLBA mandate removable media controls. We must prevent copying of corporate data to plug-and-play storage devices of all types." – Consultancy Firm
15
Current Situation: Devices can connect to any endpoint – no visibility, no control
[Diagram: the Information Security Team on one side and Exposed Endpoints on the other, with the connection types Bluetooth, USB, FireWire, IrDA, WiFi, GPRS and Serial]
16
Recent End Point Security Incidents
• A USB flash drive with top-secret US military information about local spies and informants was sold for $40 at a bazaar in Afghanistan
• A KPMG auditor forgot a CD with personal and financial data of thousands of McAfee employees in an airline seat pocket
• A temporary employee of a French aircraft equipment manufacturer copied confidential data to USB flash and sold it to a competitor in China
• A hacker at the University of California exposed over 0.5M sensitive personal records (a professor had copied the records to USB flash for research, without administrators' knowledge)
• A Postal Service Bank in Israel was robbed using a wireless modem connected by the thieves to the bank's server
• The Sumitomo Bank in London was attacked by insiders who connected hardware key loggers to about 65 of the bank's computers
17
Industry Validation
“Emerging technologies guarding against information leakage (whether intentional or not) appear to be garnering strong interest.”
“Leakage of confidential/proprietary information was identified as the #1 issue facing CISOs.”
“The market has shifted from simply monitoring the network for outgoing sensitive data to requiring the prevention of communication of such data to unauthorized recipients.”
“Content monitoring and filtering products help organizations address the problem of sensitive data crossing the enterprise network boundary over multiple channels and protocols.”
Edward Maguire, Financial Analyst
Brian Burke , Research Analyst
Rich Mogull, Research Analyst
18
External Leak Prevention is Not Enough
• "External" leaks occur at the network perimeter
– When employees use email and web
• Lost laptops and stolen servers can also result in data loss
• "Internal" leaks can be equally damaging and costly
– Printing of confidential information and customer information
– Internal disclosure of information
[Headline: "Three charged with stealing Coca-Cola trade secrets", from James Bone, of the Times, in New York]
Leak channel in reported data security breaches:
HTTP                44.44%
Email               17.17%
Networked Printer   17.17%
Other               10.10%
Webmail              7.07%
IM                   2.02%
Internal Mail        2.02%
Source: PortAuthority Technologies Data Security Labs, based on reported data security breaches
19
Data Security and Compliance: Common Questions
• Where is my confidential data?
• Where is my data going?
• Who is using data?
• How can I protect it?
• What is the business and resource impact?
• How do I get started?
• How much does it cost?
20
Business and Product Requirements and Impact
• Reputational damage from security breaches: Cardsystems, BJs
• Cost of data breach incident exceeds $140 per customer (based on independent survey)
• Financial liability, e.g. Fortune 500 retailer pays $60 million for privacy breach
• Unplanned costs due to non-compliance
• Financial – 2002 ASIS survey: loss of proprietary information and IP in the range of $53–59 billion
• Loss of competitive advantage: leaks of confidential product, customer or pricing information
"By 2006, …privacy mismanagement recovery costs will be in the range of $5–20 million per incident" – Gartner Research
[Diagram: Business Requirements and Impact: controls to protect confidential information; protect customer data and demonstrate compliance]
21
Firewalls, VPNs, IDS/IPS are Ineffective
Stop incoming threats; miss outgoing sensitive information
22
Content Filtering is Ineffective
• Very high false positives with keywords, patterns (“confidential”)
• False negatives with data manipulation (cut and paste)
• Limited support for all types of data (file attachments, formats)
• Enforcement lacks flexibility; blocks legitimate communications
23
Data Protection: A Comprehensive View
• Data classification using information fingerprinting
• Protect Data In Motion
– Monitor outbound and internal communications to identify data policy violations
– Automated selective blocking/enforcement of information reaching unauthorized recipients
– Automated selective enforcement (e.g. encryption) of sensitive information for authorized recipients
• Protect Data At Rest
– Discover sensitive data that violates regulatory or internal security policies
– Automated selective enforcement of unauthorized transfer of files/documents
– Automated encryption of critical information assets
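The objection to keyword filtering on the "Content Filtering is Ineffective" slide and the "data classification using information fingerprinting" step above can be seen side by side in code. What follows is an added example written for this page; it is not PortAuthority's product code and not the presenters' material. It registers a constructed confidential document as a set of hashed five-word shingles and then scores outbound messages against that fingerprint, next to a plain keyword filter. The shingle size, the two thresholds, the document text and the two sample messages are all assumptions chosen for illustration.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Added example, not PortAuthority's code. All names, texts and thresholds
# below are constructed assumptions for illustration.

SHINGLE_SIZE = 5      # assumption: words per shingle
MIN_MATCHES = 3       # assumption: fewest matching shingles that count as a hit
MIN_RATIO = 0.20      # assumption: share of a message's shingles that must match

# Constructed sample data: one registered confidential document, two outbound messages.
CONFIDENTIAL_PLAN = (
    "Project Bluefin pricing plan for the third quarter. We will cut the "
    "enterprise list price by twelve percent in September and bundle the "
    "support tier at no extra charge for the first year. Do not share outside "
    "the finance and sales leadership group."
)
BENIGN_MESSAGE = "Please keep this confidential: the team lunch is at noon on Friday."
LEAKED_MESSAGE = (
    "fyi - we will cut the enterprise list price by twelve percent in september "
    "and bundle the support tier at no extra charge. thoughts?"
)


def normalize(text: str) -> List[str]:
    """Lower-case and keep only word tokens, so case changes and punctuation
    introduced while cutting and pasting do not disturb the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = SHINGLE_SIZE) -> Set[str]:
    """Hash every run of k consecutive words. The set of hashes is the
    document's fingerprint; the text itself is never stored."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


class FingerprintIndex:
    """Inverted index from shingle hash to the documents that contain it."""

    def __init__(self) -> None:
        self.index: Dict[str, Set[str]] = {}

    def register(self, name: str, text: str) -> int:
        fp = shingles(text)
        for h in fp:
            self.index.setdefault(h, set()).add(name)
        return len(fp)  # number of shingles indexed for this document

    def match(self, message: str) -> Tuple[bool, Dict[str, int]]:
        """Return (policy violation?, {document: matching shingle count}).
        A message shorter than one shingle has no fingerprint and never matches."""
        hits: Dict[str, int] = {}
        msg_fp = shingles(message)
        for h in msg_fp:
            for doc in self.index.get(h, ()):
                hits[doc] = hits.get(doc, 0) + 1
        if not msg_fp:
            return False, hits
        best = max(hits.values(), default=0)
        flagged = best >= MIN_MATCHES and best / len(msg_fp) >= MIN_RATIO
        return flagged, hits


def keyword_filter(message: str, keywords: Tuple[str, ...] = ("confidential", "ssn")) -> bool:
    """The keyword approach the slide criticises: flag on any listed word."""
    lowered = message.lower()
    return any(k in lowered for k in keywords)


if __name__ == "__main__":
    idx = FingerprintIndex()
    idx.register("Q3 pricing plan", CONFIDENTIAL_PLAN)
    for label, msg in (("benign", BENIGN_MESSAGE), ("leaked", LEAKED_MESSAGE)):
        print(label, "keyword:", keyword_filter(msg), "fingerprint:", idx.match(msg))
```

The benign message trips the keyword filter because it contains the word "confidential" (the false positive the slide describes), while the pasted paragraph carries no flagged keyword and is caught only by the fingerprint, where 17 of its 19 shingles match the registered plan; normalising case and punctuation is what lets the fingerprint survive cut and paste. The minimum-matches floor stops a single common five-word phrase from triggering on its own, and a production matcher would additionally winnow the shingle set to bound index size.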
24
Data Security and Compliance: The Landscape
[Diagram: the data landscape, in three areas]
Data At Rest (Data Storage: SAN and NAS; Servers; Endpoints): data classification; device control; content control; application control
Transaction Data (Databases; Transaction Applications): direct database access; access via applications (web applications, web services)
Data In Motion (Communication Channels): outgoing communications; internal communications; databases and documents; monitoring and enforcement
Actors: Employees (Honest & Rogue), Customers & Criminals; accidental, intentional and malicious leaks
25
Data At Rest – Disk and Tape Encryption?
• Problematic for Logical Access Control
– Object accessible, even if contents protected
• Does not eliminate need for access controls
– "On or off" — once decrypted, user can transfer to unencrypted format
– Group-, role- or user-based key management difficult
– Database encryption complicated by indices and performance
• Best suited for Physical Access Control
– Media encryption less problematic
Gartner
26
Data Security and Compliance: The Landscape
[Landscape diagram repeated unchanged from slide 24: Data At Rest, Transaction Data, Data In Motion; Employees (Honest & Rogue), Customers & Criminals]
27
Transactional Data: Control Unauthorized Activity
[Diagram: Internal Users (Business Users, Administrators, Developers) and External Users (Customers, Partners, Internet Users) reach Transaction Data through Web Servers and Database Servers; the threats shown are Privilege Abuse and Vulnerability Exploit at both tiers]
• Both Web Application and Database Tier
• Both Internal and External Users
• Privilege abuse
– Usage of data outside authorized use
• Vulnerability exploits
– Exploiting vulnerabilities to gain unauthorized access
28
Data Security and Compliance: The Landscape
[Landscape diagram as on slide 24, with Data At Rest now labelled Endpoints, Servers, Data Storage (SAN and NAS) and Data Backup; Transaction Data (Databases, Transaction Applications: direct database access, access via web applications and web services); Data In Motion (Communication Channels: outgoing communications, internal communications, databases and documents, monitoring and enforcement); Employees (Honest & Rogue), Customers & Criminals; accidental, intentional and malicious leaks]
29
Reduce Your Risk
[Diagram: a cycle with the stages Assess Risk, Define Metrics, Monitor, Learn, Enforce and Reduce Risk; enforcement actions shown: Audit, Notify, Quarantine, Block, Encrypt, …]
Define Metrics
• Use pre-defined policies or create custom policies
• Learn critical information using PortAuthority information fingerprinting service
Monitor
• Monitor communication channels
• Reporting of matches against policies and information fingerprints
• Tune PortAuthority policies
Reduce Risk
• Enable enforcement policy
• Quarantine suspicious messages
• Create audit trail of all communications to substantiate compliance
• Reduce violations to required levels
30
Thank You
Asim Ahmed
Steve Moscarelli [email protected]
www.PortAuthorityTech.com