
Enterprise Data Security Directions 2007

Asim Ahmed

Steve Moscarelli

Members of ISSA and CSI

2

The Insider Threat: ID Theft Tops FTC's List of Complaints

• In 2006, for the 5th straight year, identity theft ranked 1st of all fraud complaints.

• 10 million cases of Identity Theft annually.

• 59 percent of companies have detected some internal abuse of their networks

3

Data Security and Compliance: Necessity of exposure, and the risk

[Diagram: parties with access to sensitive data: Employees (remote workers, mobile workers), Business Partners (suppliers, outsourcers, consultants), Contractors, Temporaries, Visitors, Customers, Competitors and Hackers; exposure arises through digital business and cyber-crime. Source: Forrester Research]

4

Information Leaks, Spills, Theft, Loss or Extrusion: A Growing Challenge

An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies.

[Diagram: examples of leaked data and channels: customer data (customer name, SSN); patient information (patient name, insurance information, diagnosis) exchanged between a patient/client and a doctor/lawyer; confidential information from Finance (SSNs, salaries, marketing plans); company info sent over web-mail by a customer service rep]

5

Information Leaks: How Do They Occur?

An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies.

[Diagram: "Your Data" (customer data: customer name, SSN; company info: marketing plans, salaries; confidential information; patient information; financials, upcoming reports, M&A) leaving through Customer Service, Sales, R&D, Doctors, Contractors and Finance, e.g. sent by a customer service rep]

6

Unauthorized access to information and proprietary information theft are increasing 2-5X per year in cost to the affected company.

Sources: 2005 CSI/FBI Computer Crime and Security Study; Forrester Research, Inc.

[Diagram: four drivers: Competitive Edge, Customer Pressure, Privacy Regulations, Business Governance; associated concerns: identity theft and brand damage; intellectual property, trade secrets, confidential plans; SEC/NASD rules, legal liability; insurance rules; SOX, HIPAA, GLBA, PIPEDA, FERPA, EU DPD]

7

Data Security and Compliance: Growing Problem with Exec Visibility

• Executive Concern

 – California Data Privacy Act (SB-1386)

  • Pennsylvania, New York, Illinois, Wisconsin and 21 other states with regulations

 – Health Insurance Portability and Accountability Act (HIPAA)

 – Sarbanes-Oxley (SOX)

 – Gramm-Leach-Bliley Act (GLBA)

• Traditional Security does not address Data

 – Network security (FW, IPS) has no knowledge of data

 – No 2 organizations have exactly the same data.

 – Database security not granular enough, plus performance issues

8

Increasing Business Impact of Information Leaks

• Compliance requirements are increasing

 – Federal regulations such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)

 – State regulations such as the California Data Privacy Act (SB-1386) and 21 other states

 – High costs of data breaches: estimated at $140 per consumer record

• Intellectual property/confidential information losses can damage business and competitive advantage

Cost of a data breach (per incident and per record):

 Indirect Costs      $1.5M    $15/record
 Opportunity Costs   $7.5M    $75/record
 Direct Costs        $5.0M    $50/record
 Total Costs                  $140/record

Source: Ponemon Institute; SVB Alliant

9

Top 10 Most Frequent Incidents

1. Patient PHI sent to partner, again, and again

2. Employee 401k information sent outbound and inbound

3. Payroll data being sent to home email address

4. Draft press release to outside legal counsel

5. Financial and M&A postings to message boards

6. Source code sent with resume to competitor

7. SSNs… and thousands of them

8. Credit Card or account numbers… and thousands of them

9. Confidential patient information

10. Internal memos and confidential information

10

Total cost: $140 per customer

[Chart: average recovery costs by type, costs breakdown]

Source: The Ponemon Institute

11

Data Security and Compliance: Why Data is a Priority?

Cost of data breaches:

 Indirect Costs           $1.5M    $15/record
 Opportunity Costs        $7.5M    $75/record
 Direct Costs             $5.0M    $50/record
 Cost of Data Breaches             $140/record

Source: Ponemon Institute; SVB Alliant

What do you consider to pose the biggest current threat to your organization's overall security? (multiple responses)

 Leakage of confidential/proprietary information   52%
 Unpatched vulnerabilities                         24%
 Insider attacks                                   18%
 Spyware                                           14%
 Phishing attacks                                  10%
 Malicious Code                                     4%
 Spam                                               4%
 Denial of Service attacks                          4%
 Fraud                                              2%
 Keystroke loggers                                  2%

Source: Merrill Lynch survey of 50 North American CISOs, July 2006

12

Data Security and Compliance: Implications of Data Breach

Headlines:

• "Card Center Hit by Thieves Agrees to Sale", October 17, 2005, Monday, by Eric Dash (NYT); Business/Financial Desk

• "FTC settles with CardSystems over data breach: Company must adopt security measures, undergo audits", February 24, 2006

• "Security Breaches Of Customers' Data Trigger Lawsuits", July 21, 2005 (WSJ): "Andrew Schultz was just one of many consumers whose banks notified them last month that computer hackers had filched their credit- and debit-card information…"

Consequences:

 – Partner Lost

 – Customer Lost

 – Brand damage

 – Service shut down

 – Lawsuits

 – Government investigations

 – Fines & more regulations

 – Company shut down

 – Fire sale of assets

13

Endpoints – the Achilles heel of corporate security: Devices can connect to each PC – no visibility, no control

• Over 26,000 different USB products exist, 1.4 billion shipped in 2005

 – Storage devices

 – Networking adapters

 – Printers, scanners, webcams

 – Coffee warmers, hand massagers…

• Over 1 billion devices have been sold to date

 – Over 32 million iPods sold in 2005

 – Over 5 million Bluetooth devices are sold every week

 – Their capacity keeps growing – 10GB drive for $50 by 2010

 – They are virtually impossible to trace

14

Understanding the Threat

• 39% of USB drive owners use it to transfer files between home & work

• 37% of businesses reported the disclosure of company information via USB drive in the past 12 months. -- Yankee Group (2005)

• "Data theft accounted for over $50B in losses [in 2004] in America alone." -- The Economist (6/18/2005)

• "Poor information security has exposed personal information of over 50 million Americans so far in 2005" -- The Economist (6/18/2005)

• "50% of security incidents originate from within an organization." -- 2005 FBI / CSI Computer Crime and Security Survey

• "70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise." -- Vista Research

• "HIPAA & GLBA mandate removable media controls. We must prevent copying of corporate data to plug-and-play storage devices of all types." -- Consultancy Firm

15

Current Situation: Devices can connect to any endpoint – no visibility, no control

[Diagram: the Information Security Team facing exposed endpoints with uncontrolled interfaces: Bluetooth, USB, FireWire, IrDA, WiFi, GPRS, Serial]

16

Recent End Point Security Incidents

• USB Flash Drive with top-secret US military information about local spies and informants was sold for $40 at a bazaar in Afghanistan

• A KPMG auditor forgot a CD with personal and financial data of thousands of McAfee employees in an airline seat pocket

• A temporary employee of a French aircraft equipment manufacturer copied confidential data to USB Flash and sold it to a competitor in China

• A hacker at the University of California exposed over 0.5M sensitive personal records (a professor had copied the records to USB Flash for research, without administrators' knowledge)

• A Postal Service Bank in Israel was robbed using a wireless modem connected by the thieves to the bank's server

• The Sumitomo Bank in London was attacked by insiders who connected hardware key loggers to about 65 of the bank's computers

17

Industry Validation

“Emerging technologies guarding against information leakage (whether intentional or not) appear to be garnering strong interest.”

“Leakage of confidential/proprietary information was identified as the #1 issue facing CISOs.”

“The market has shifted from simply monitoring the network for outgoing sensitive data to requiring the prevention of communication of such data to unauthorized recipients.”

“Content monitoring and filtering products help organizations address the problem of sensitive data crossing the enterprise network boundary over multiple channels and protocols.”

Edward Maguire, Financial Analyst

Brian Burke , Research Analyst

Rich Mogull, Research Analyst

18

External Leak Prevention is Not Enough

• "External" leaks occur at the network perimeter

 – When employees use email and web

• Lost laptops and stolen servers can also result in data loss

• "Internal" leaks can be equally damaging and costly

 – Printing of confidential information and customer information

 – Internal disclosure of information

Headline: "Three charged with stealing Coca-Cola trade secrets", from James Bone, of the Times, in New York

[Chart: reported data security breaches by channel]

 Email              17.17%
 HTTP               44.44%
 IM                  2.02%
 Internal Mail       2.02%
 Networked Printer  17.17%
 Other              10.1%
 Webmail             7.07%

Source: PortAuthority Technologies Data Security Labs, based on reported data security breaches

19

Data Security and Compliance: Common Questions

• Where is my confidential data?

• Where is my data going?

• Who is using data?

• How can I protect it?

• What is the business and resource impact?

• How do I get started?

• How much does it cost?

20

Business and Product Requirements and Impact

Impact:

• Reputational damage from security breaches: CardSystems, BJs

• Cost of data breach incident exceeds $140 per customer (based on independent survey)

• Financial liability, e.g. Fortune 500 retailer pays $60 million for privacy breach

• Unplanned costs due to non-compliance

• Financial – 2002 ASIS survey: loss of proprietary information and IP in the range of $53 – 59 billion

• Loss of competitive advantage: leaks of confidential product, customer or pricing information

"By 2006, …privacy mismanagement recovery costs will be in the range of $5-20 million per incident" -- Gartner Research

Business Requirements:

• Controls to protect confidential information

• Protect customer data and demonstrate compliance

21

Firewalls, VPNs, IDS/IPS are Ineffective

Stop incoming threats; miss outgoing sensitive information

22

Content Filtering is Ineffective

• Very high false positives with keywords, patterns ("confidential")

• False negatives with data manipulation (cut and paste)

• Limited support for all types of data (file attachments, formats)

• Enforcement lacks flexibility; blocks legitimate communications

23

Data Protection: A Comprehensive View

• Data classification using information fingerprinting

• Protect Data In Motion

 – Monitor outbound and internal communications to identify data policy violations

 – Automated selective blocking/enforcement of information reaching unauthorized recipients

 – Automated selective enforcement (e.g. encryption) of sensitive information for authorized recipients

• Protect Data At Rest

 – Discover sensitive data that violates regulatory or internal security policies

 – Automated selective enforcement of unauthorized transfer of files/documents

 – Automated encryption of critical information assets
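The two preceding slides argue that keyword filtering fails in both directions (it flags an innocuous mail that happens to say "confidential" and misses a cut-and-paste excerpt that does not), and that classification should instead rest on information fingerprinting. The following is an added example, not PortAuthority's code or algorithm: it fingerprints a constructed confidential document with hashed k-gram shingles of normalized tokens, so that a partial, re-cased, re-punctuated excerpt still shares shingles with the registered content, and compares the outcome with a plain keyword filter on constructed sample messages. The keyword list, k=5 and the three-shingle match threshold are assumptions chosen for the illustration.

```python
"""Keyword filtering vs. information fingerprinting (added example).

All documents and messages below are constructed for the illustration;
the fingerprinting scheme is a generic k-gram shingling, not a vendor's.
"""
import hashlib
import re
from typing import List, Set

# Constructed sample: a confidential plan that must not leave the company.
CONFIDENTIAL_DOC = (
    "Project Falcon launch plan. Target price point is 249 USD with a "
    "channel margin of 38 percent. Launch in Q3 with the Dallas pilot "
    "customers first, national rollout four weeks later."
)

# Constructed sample messages to evaluate both approaches against.
INNOCUOUS_MAIL = "Please keep this confidential: the team lunch is moved to Friday."
CUT_AND_PASTE_MAIL = (
    "FYI from the internal deck - target price point is 249 USD with a "
    "channel margin of 38 percent. launch in q3 with the dallas pilot "
    "customers first."
)
UNRELATED_MAIL = "Quarterly all-hands is Thursday at 10; agenda attached."

# Assumed policy keywords for the naive filter the slide criticizes.
KEYWORDS = ("confidential", "secret", "internal only")


def keyword_filter(text: str) -> bool:
    """Flag a message whenever any policy keyword appears in it."""
    lower = text.lower()
    return any(k in lower for k in KEYWORDS)


def _normalize(text: str) -> List[str]:
    """Lower-case and tokenize on alphanumerics so that case, spacing and
    punctuation changes made while pasting do not change the tokens."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = 5) -> Set[str]:
    """Hash every run of k consecutive tokens (k-gram shingles).

    Any excerpt of at least k consecutive words shares shingles with its
    source, so a partial copy still matches. Only hashes are stored, never
    the sensitive text itself."""
    tokens = _normalize(text)
    shingles: Set[str] = set()
    for i in range(len(tokens) - k + 1):
        gram = " ".join(tokens[i:i + k])
        shingles.add(hashlib.sha256(gram.encode()).hexdigest()[:16])
    return shingles


def shared_shingles(text: str, registered: Set[str], k: int = 5) -> int:
    """Number of shingles the message has in common with registered content."""
    return len(fingerprint(text, k) & registered)


def classify(text: str, registered: Set[str], min_shingles: int = 3) -> str:
    """Declare a match only above a small threshold, so a single common
    phrase shared by chance does not trigger enforcement."""
    return "CONFIDENTIAL" if shared_shingles(text, registered) >= min_shingles else "clean"


# Registered fingerprints of the confidential document (learned once).
REGISTERED = fingerprint(CONFIDENTIAL_DOC)

if __name__ == "__main__":
    for name, msg in [("innocuous", INNOCUOUS_MAIL),
                      ("cut-and-paste", CUT_AND_PASTE_MAIL),
                      ("unrelated", UNRELATED_MAIL)]:
        print(f"{name:14s} keyword={keyword_filter(msg)!s:5s} "
              f"fingerprint={classify(msg, REGISTERED)}")
```

Run stand-alone, the keyword filter reports the lunch invitation and misses the pasted plan, while the fingerprint classifier flags only the pasted excerpt. Registering hashes rather than text also means the classifier itself never holds a copy of the documents it protects.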

24

Data Security and Compliance: The Landscape

[Diagram: data at rest on servers, endpoints and data storage (SAN and NAS); transaction data in databases and transaction applications; data in motion over communication channels; actors: employees (honest & rogue), customers & criminals; accidental, intentional and malicious leaks]

Data At Rest

• Data classification
• Device control
• Content control
• Application control

Transaction Data

• Direct Database Access
• Access via Applications
 • Web applications
 • Web services

Data In Motion

• Outgoing communications
• Internal communications
• Databases and documents
• Monitoring and enforcement

25

Data At Rest – Disk and Tape Encryption?

• Problematic for Logical Access Control

 – Object accessible, even if contents protected

• Does not eliminate need for access controls

 – "On or off" — once decrypted, user can transfer to unencrypted format

 – Group-, role- or user-based key management difficult

 – Database encryption complicated by indices and performance

• Best suited for Physical Access Control

 – Media encryption less problematic

Source: Gartner

26

Data Security and Compliance: The Landscape (landscape slide repeated)

27

Transactional Data: Control Unauthorized Activity

[Diagram: internal users (business users, administrators, developers) and external users (customers, partners, Internet users) reaching transaction data through web servers and database servers; privilege abuse and vulnerability exploits at both tiers]

• Both Web Application and Database Tier

• Both Internal and External Users

• Privilege abuse

 – Usage of data outside authorized use

• Vulnerability exploits

 – Exploiting vulnerabilities to gain unauthorized access
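The slide names privilege abuse, "usage of data outside authorized use", as a transaction-tier threat that firewalls and IPS cannot see because they have no knowledge of the data. Monitoring who reads sensitive tables, through which application, when, and how much, is the defender's counterpart. The following is an added example, not the presenters' or any product's code: it learns a per-user baseline of rows returned from a constructed set of database audit log lines, then runs detection over a second constructed set and alerts on administrators reading sensitive tables directly, access outside the approved applications or business hours, and row counts far above a user's own baseline. The log format, table and application names, users and thresholds are all assumptions made for the illustration.

```python
"""Detecting privilege abuse in database audit logs (added example).

The log format and every line below are constructed for the illustration;
real DBMS audit formats differ and would only change parse()."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Assumed audit line format: timestamp user app table op rows
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) table=(?P<table>\S+) "
    r"op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

SENSITIVE_TABLES = {"CUSTOMERS", "CARD_ACCOUNTS", "PATIENTS"}  # assumed
APPROVED_APPS = {"crm_web", "billing_svc"}  # applications meant to read them
ADMIN_USERS = {"dbadmin", "ops_dba"}        # accounts that should not read row data
BUSINESS_HOURS = range(8, 19)               # 08:00 to 18:59 local time

# Constructed "normal week" traffic used to learn baselines.
LEARNING_LOG = """
2007-03-12T09:15:00 user=svc_crm app=crm_web table=CUSTOMERS op=SELECT rows=1
2007-03-12T09:16:00 user=svc_crm app=crm_web table=CUSTOMERS op=SELECT rows=3
2007-03-12T10:02:00 user=dbadmin app=sqlplus table=PRODUCTS op=SELECT rows=200
2007-03-12T11:30:00 user=jsmith app=crm_web table=CUSTOMERS op=SELECT rows=25
"""

# Constructed traffic to monitor.
LIVE_LOG = """
2007-03-14T10:05:00 user=svc_crm app=crm_web table=CUSTOMERS op=SELECT rows=2
2007-03-14T02:17:05 user=dbadmin app=sqlplus table=CUSTOMERS op=SELECT rows=48000
2007-03-14T14:20:00 user=jsmith app=crm_web table=CUSTOMERS op=SELECT rows=900
2007-03-14T15:00:00 user=dbadmin app=sqlplus table=PRODUCTS op=UPDATE rows=10
"""


def parse(line: str) -> Optional[dict]:
    """Parse one audit line; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse(l) for l in text.splitlines()) if r]


def baseline_rows(records: List[dict]) -> Dict[str, float]:
    """Per-user mean rows returned per SELECT, learned from normal traffic."""
    totals: Dict[str, int] = defaultdict(int)
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["op"] == "SELECT":
            totals[r["user"]] += r["rows"]
            counts[r["user"]] += 1
    return {u: totals[u] / counts[u] for u in totals}


def detect(records: List[dict], baseline: Dict[str, float], spike: float = 20.0) -> List[str]:
    """Alert on sensitive-table access that looks like use outside authorization."""
    alerts = []
    for r in records:
        if r["table"] not in SENSITIVE_TABLES:
            continue
        reasons = []
        if r["user"] in ADMIN_USERS and r["op"] == "SELECT":
            reasons.append("administrator reading sensitive data")
        if r["app"] not in APPROVED_APPS:
            reasons.append(f"direct access via {r['app']}")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        base = baseline.get(r["user"])
        if base and r["rows"] > spike * base:
            reasons.append(f"{r['rows']} rows vs baseline {base:.0f}")
        if reasons:
            alerts.append(f"{r['ts'].isoformat()} {r['user']} {r['table']}: " + "; ".join(reasons))
    return alerts


def run_demo() -> List[str]:
    baseline = baseline_rows(parse_log(LEARNING_LOG))
    return detect(parse_log(LIVE_LOG), baseline)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The administrator's bulk read at 02:17 trips every rule at once; the business user's 900-row pull trips only the baseline rule, which is the signal that matters for an otherwise legitimate account. Tuning `spike` and the approved-application list is the equivalent of the "tune policies" step later in the deck.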

28

Data Security and Compliance: The Landscape (landscape slide repeated; Data Storage here also shows Data Backup)

29

Reduce Your Risk

[Diagram: lifecycle of Define Metrics, Learn, Monitor, Assess Risk, Enforce and Reduce Risk; enforcement actions: Audit, Notify, Quarantine, Block, Encrypt]

Learn

• Use pre-defined policies or create custom policies

• Learn critical information using PortAuthority information fingerprinting service

Monitor

• Monitor communication channels

• Reporting of matches against policies and information fingerprints

• Tune PortAuthority policies

Enforce

• Enable enforcement policy

• Quarantine suspicious messages

• Create audit trail of all communications to substantiate compliance

• Reduce violations to required levels
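The Enforce step above lists the actions a data-in-motion policy can take (audit, notify, quarantine, block, encrypt), and the earlier "Comprehensive View" slide distinguishes blocking for unauthorized recipients from enforcing encryption for authorized ones, with an audit trail to substantiate compliance. The following is an added example, not PortAuthority's engine or policy language: it classifies constructed messages by counting card numbers that pass the Luhn check (a standard check-digit test that removes the 16-digit order numbers a bare pattern would flag), chooses an action from the recipient's domain and the volume of card data, records every decision in an audit trail, and summarizes policy matches per channel for the "reduce violations to required levels" metric. The domains, threshold and sample card numbers (widely published test numbers) are assumptions made for the illustration.

```python
"""Policy enforcement with an audit trail for data in motion (added example).

Policies, recipients, channels and messages are constructed; the Luhn check
is the standard ISO/IEC 7812 check-digit algorithm."""
import re
from dataclasses import dataclass
from typing import Dict, List

# 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

INTERNAL_DOMAIN = "example.com"                            # assumed
AUTHORIZED_PARTNERS = {"payments-processor.example.net"}   # assumed
BULK_THRESHOLD = 10  # at or above this many card numbers, treat as bulk export


def luhn_ok(number: str) -> bool:
    """Check digit test: rejects 16-digit strings such as order or tracking
    ids that a pattern match alone would report as card numbers."""
    digits = [int(d) for d in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_card_numbers(text: str) -> int:
    return sum(1 for m in CARD_RE.finditer(text) if luhn_ok(m.group()))


@dataclass
class Message:
    sender: str
    recipient: str
    channel: str
    body: str


@dataclass
class AuditRecord:
    sender: str
    recipient: str
    channel: str
    data_class: str
    action: str


def decide(msg: Message) -> AuditRecord:
    """Apply the constructed policy and return the audit record for it."""
    cards = count_card_numbers(msg.body)
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if cards == 0:
        data_class, action = "none", "audit"            # every message leaves a trail
    elif domain == INTERNAL_DOMAIN:
        data_class, action = "card-data", "audit"       # internal use, logged only
    elif domain in AUTHORIZED_PARTNERS:
        data_class, action = "card-data", "encrypt"     # authorized recipient
    elif cards >= BULK_THRESHOLD:
        data_class, action = "card-data-bulk", "block"  # bulk export to outsider
    else:
        data_class, action = "card-data", "quarantine"  # hold for review and notify
    return AuditRecord(msg.sender, msg.recipient, msg.channel, data_class, action)


def run(messages: List[Message]) -> List[AuditRecord]:
    return [decide(m) for m in messages]


def policy_matches_by_channel(trail: List[AuditRecord]) -> Dict[str, int]:
    """Count decisions other than plain 'audit' per channel."""
    counts: Dict[str, int] = {}
    for r in trail:
        if r.action != "audit":
            counts[r.channel] = counts.get(r.channel, 0) + 1
    return counts


# Constructed sample traffic. Card numbers are published test numbers.
SAMPLE_MESSAGES = [
    Message("hr@example.com", "staff@example.com", "email", "Benefits enrollment closes Friday."),
    Message("rep@example.com", "rep.home@webmail-example.org", "webmail",
            "Customer Jane D., card 4012 8888 8888 1881, please call back."),
    Message("finance@example.com", "settle@payments-processor.example.net", "email",
            "Settlement batch: 4111111111111111, 5555555555554444."),
    Message("temp@example.com", "buyer@competitor-example.org", "email",
            "\n".join(["4111 1111 1111 1111"] * 12)),
    Message("sales@example.com", "client@customer-example.org", "email",
            "Your order 1234567890123456 shipped today."),
]

if __name__ == "__main__":
    trail = run(SAMPLE_MESSAGES)
    for r in trail:
        print(f"{r.channel:8s} {r.sender} -> {r.recipient}: {r.data_class} => {r.action}")
    print(policy_matches_by_channel(trail))
```

The fifth message shows why validation matters: its 16-digit order number matches the pattern but fails the check digit, so it is logged and delivered rather than quarantined. The per-channel counts are what a program would track release over release to show violations falling toward the required level.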

30

Thank You

Asim Ahmed, [email protected]

Steve Moscarelli, [email protected]

www.PortAuthorityTech.com