Uncover Data Security Blind Spots in Your Cloud, Big Data & DevOps Environment
TRANSCRIPT
Ulf Mattsson, CTO Security Solutions
Atlantic Business Technologies
Ulf Mattsson
Inventor of more than 45 US Patents
Industry Involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups: Security: ISACA & ISSA; Databases: IBM & Oracle
My Work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force
Evolving IT Risk – My ISACA Articles
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
How Can I Find My Blind Spots?
90% of the data in the world has been created in the past two years
Source: https://www.ibm.com/software/data/bigdata/what-is-big-data.html
Verizon 2017 Data Breach Investigations Report
Source: Verizon 2017 Data Breach Investigations Report
Verizon 2017 Data Breach Investigations Report – # of Records (chart categories: PII, I&A)
Source: Verizon 2017 Data Breach Investigations Report
Law Enforcement will Discover Your Breach—Not You.
Source: Verizon 2016 Data Breach Investigations Report
Source: Verizon 2017 Data Breach Investigations Report
Decreases in card skimming and POS crime sprees influence the massive decrease in law enforcement and fraud detection
Increasing Number of Breaches
Source: Verizon 2016 Data Breach Investigations Report
Source: Verizon 2017 Data Breach Investigations Report
Incident Classification Patterns Across Confirmed Data Breaches (chart highlight: Web Application Attacks)
Source: Verizon 2016 Data Breach Investigations Report
Worry Only About the Major Breach Patterns (chart highlight: Application Attacks)
Source: Verizon 2016 Data Breach Investigations Report
Security Skills Shortage
Problematic and Increasing Shortage of Cybersecurity Skills
• 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016
• 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015
• 18 percent year-over-year increase
Cybercriminal Sweet Spot – Cybercrime Trends and Targets
Source: calnet
Examples of Services That Can Fill The Gap
Application Services
• Application Hosting & Cloud Migration
• IT Consulting & Information Architecture
• Software Development & User Experience Design
Security Services
• Audit & Assessment Services
• Application Security Consulting
• Managed Vulnerability Scanning
• Security Tools Implementation
• Virtual CISO
Data Centric Security Lifecycle & PCI DSS (timeline)
Year: 2004 | 2014 | 2015 | 2016
• PCI DSS – Protect stored cardholder data
• DCAP (Data Centric Audit and Protection) – Centrally managed security
• UEBA (User behavior analytics) helps businesses detect targeted attacks
• PCI DSS 3.2
• SecDevOps
• PCI DSS – Security in the development process
SecDevOps vs DevSecOps
SecDevOps (Securing DevOps)
1. Embed security into the DevOps style of operation
2. Ensuring "secure by design" discipline in the software delivery methodology using techniques such as automated security review of code, automated application security testing
DevSecOps (Applying DevOps to Security Operations)
1. Developing and deploying a series of minimum viable products on security programs
2. In implementing security log monitoring, rather than have a very large high value program with a waterfall delivery plan to design, implement, test
3. Operating a SIEM that monitors a large number of log sources
4. Onboard small sets of sources onto a cloud based platform and slowly evolve the monitoring capability
Source: Capgemini
Security Tools for DevOps
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Fuzz testing is essentially throwing lots of random garbage
• Vulnerability Analysis
• Runtime Application Self Protection (RASP)
• Interactive Application Self-Testing (IAST)
Security Metrics from DevOps (chart: # Vulnerabilities over Time)
Data Security On Prem (diagram of the layers where Security Controls & Agents apply)
• Network: External Network, Internal Network
• Application Server: Operating System, OS File System, Database, Application Framework, Application Source Code, Application, Data
• Security Controls & Agents
Data-Centric Protection Increases Security in Cloud Computing
• Rather than making the protection platform based, the security is applied directly to the data
• Protecting the data wherever it goes, in any environment
• Cloud environments by nature have more access points and cannot be disconnected
• Data-centric protection reduces the reliance on controlling the high number of access points
Protect Sensitive Cloud Data (diagram)
Internal Network; actors: Administrator, Attacker, Remote User, Internal User
Cloud Gateway between the internal network and the Public Cloud Examples
• Each sensitive field is protected
• Each authorized field is in clear
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data
Securing Big Data - Examples of Security Agents (diagram)
Data flows: Import de-identified data; Export identifiable data; Export audit for reporting
Data protection at database, application, file, or in a staging area
Big Data stack: HDFS (Hadoop Distributed File System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS; MapReduce (Job Scheduling/Execution System); OS File System
Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
Generating Key Security Metrics (chart: # Vulnerabilities over Time)
Visibility Into Third Party Risk
Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.
Source: SecurityScoreCard (chart: # Vulnerabilities over Time)
Risk Management
• Are your security controls covering all sensitive data?
• Are your deployed security controls failing?
• Are you prioritizing business asset risk?
Source: storm.innosec.com
Cyber Budgeting
Source: storm.innosec.com
Asset | Regulatory Risk | Residual Risk | FTE Cost | Tool Cost | Total Cost
CRM | High | Medium | $20,000 | $0 | $20,000
HR | High | Medium | $100,000 | $20,000 | $120,000
Feed | High | Low | $1,000 | $0 | $1,000
Crossbow | Medium | Medium | $5,000 | $5,000 | $10,000
eTrader | Low | Low | $1,000 | $0 | $1,000
IT Alert | Low | Low | $1,000 | $0 | $1,000
SAP | Low | Low | $1,000 | $0 | $1,000
Total | | | $129,000 | $25,000 | $154,000
Comparing Data Protection Methods
Need for Masking Standards
• Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de-identification standard, are not firmly rooted in theory.
• There are no widely accepted standards for testing the effectiveness of a de-identification process or gauging the utility lost as a result of de-identification.
Cloud Gateway - Requirements Adjusted Protection
Data Protection Methods, rated from Best to Worst on Scalability, Storage, Security and Transparency (the ratings were shown graphically on the slide):
• System without data protection
• Weak Encryption (1:1 mapping)
• Searchable Gateway Index (IV)
• Vaultless Tokenization
• Partial Encryption
• Data Type Preservation Encryption
• Strong Encryption (AES CBC, IV)
Reduction of Pain with New Protection Techniques (chart: Pain & TCO from High to Low, 1970 to 2010)
Input Value: 3872 3789 1620 3675
• Strong Encryption (AES, 3DES) – Output: !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE) – Output: 8278 2789 2990 2789 – Format Preserving
• Vault-based Tokenization – Output: 8278 2789 2990 2789 – Greatly reduced Key Management
• Vaultless Tokenization – Output: 8278 2789 2990 2789 – No Vault
What is Data Tokenization?
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach | Encryption: Cipher System | Tokenization: Code System
Encryption: cryptographic algorithms, cryptographic keys
Tokenization: code books, index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
Examples of Protected Data
Field | Real Data | Tokenized / Pseudonymized
Name | Joe Smith | csu wusoj
Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth | 12/25/1966 | 01/02/1966
Telephone | 760-278-3389 | 760-389-2289
E-Mail Address | [email protected] | [email protected]
SSN | 076-39-2778 | 076-28-3390
CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378
Business URL | www.surferdude.com | www.sheyinctao.com
Fingerprint | Encrypted
Photo | Encrypted
X-Ray | Encrypted
Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services: Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
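A worked illustration of the two token types shown on the slides above, added here and not code from the deck or from any product: a vault-based tokenizer that keeps the card number's 16-digit, space-separated format (and, as in the examples table, its last four digits) beside a vaultless variant that derives the token under a key instead of storing a lookup table. The HMAC-SHA256 derivation and the last-four rule are assumptions made for this example; the slides do not specify any product's scheme.

```python
import hashlib
import hmac
import secrets

SAMPLE_PAN = "3872 3789 1620 3675"  # constructed sample, from the slide's example

def _format_like(template: str, digits: str) -> str:
    """Put the template's spaces back so the token keeps the input format."""
    it = iter(digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)

def preserves_format(original: str, token: str) -> bool:
    """Same length, digits where the original had digits, same last four."""
    return (len(token) == len(original)
            and all((a.isdigit() and b.isdigit()) or a == b
                    for a, b in zip(original, token))
            and token[-4:] == original[-4:])

class VaultTokenizer:
    """Vault-based tokenization (a code system): tokens are random, so the
    lookup table (the vault) is the only way back to the real value."""
    def __init__(self) -> None:
        self._vault = {}     # token -> real value
        self._by_value = {}  # real value -> token, so repeats get one token

    def tokenize(self, pan: str) -> str:
        if pan in self._by_value:
            return self._by_value[pan]
        digits = pan.replace(" ", "")
        while True:  # keep the last four digits, randomize the rest
            middle = "".join(str(secrets.randbelow(10))
                             for _ in range(len(digits) - 4))
            token = _format_like(pan, middle + digits[-4:])
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        self._by_value[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # KeyError for a token the vault never issued

def vaultless_tokenize(pan: str, key: bytes) -> str:
    """Vaultless tokenization (simplified): no table, the token is derived from
    the value under a key. Assumption: HMAC-SHA256 digits stand in for the
    derivation; the slides do not specify the product's scheme."""
    digits = pan.replace(" ", "")
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    derived = "".join(str(b % 10) for b in mac)[:len(digits) - 4]
    return _format_like(pan, derived + digits[-4:])
```

The vault must be protected and backed up as the most sensitive store in the system; the vaultless variant moves that burden to the key, which is the "greatly reduced key management" trade-off the slide points at.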
How Should I Secure Different Data?
Type of Data: Structured / Un-structured
Use Case: Simple – Complex
Data categories: PCI (CardHolder Data), PHI (Protected Health Information), PII (Personally Identifiable Information)
Protection methods: Encryption of Files; Tokenization of Fields
FFIEC is a Formal U.S. Government Interagency Body
It includes five banking regulators: 1. Federal Reserve Board of Governors (FRB), 2. Federal Deposit Insurance Corporation (FDIC), 3. National Credit Union Administration (NCUA), 4. Office of the Comptroller of the Currency (OCC), and 5. Consumer Financial Protection Bureau (CFPB).
It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions"
Source: Wikipedia
FFIEC Cybersecurity Assessment Tool
The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
• Technologies and Connection Types • Delivery Channels • Online/Mobile Products and Technology Services • Organizational Characteristics • External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:
• Cyber Risk Management and Oversight • Threat Intelligence and Collaboration • Cybersecurity Controls • External Dependency Management • Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Part One
Inherent Risk Profile
Part one of the Assessment identifies the institution’s inherent risk:
• Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services.
• Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered.
• Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered.
• Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.
• External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Risk Levels
The following includes definitions of risk levels:
• Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees.
• Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services.
• Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication.
• Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication.
• Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Part Two
Cybersecurity Maturity
Maturity level within each of the following five domains:
• Domain 1: Cyber Risk Management and Oversight
• Domain 2: Threat Intelligence and Collaboration
• Domain 3: Cybersecurity Controls
• Domain 4: External Dependency Management
• Domain 5: Cyber Incident Management and Resilience
Domains, Assessment Factors, Components, and Declarative Statements: within each domain are assessment factors and contributing components.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool – Maturity Levels
Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.
Definitions for each of the maturity levels: the Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level.
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool –5 Domains:
1. Domain 1: Cyber Risk Management and Oversight
2. Domain 2: Threat Intelligence and Collaboration
3. Domain 3: Cybersecurity Controls
4. Domain 4: External Dependency Management
5. Domain 5: Cyber Incident Management and Resilience
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
FFIEC Cybersecurity Assessment Tool - Interpreting and Analyzing Assessment Results
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
FFIEC Cybersecurity Assessment Tool - Excel Template
The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment.
The Assessment Summary worksheet calculates an Inherent Risk Score and reflects percentage of Cybersecurity Maturity achieved against defined targets based on the completed assessment worksheets.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity
The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof.
Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
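A simplified model of the scoring the template slides above describe, added as an example and not the FFIEC template's own formula: per domain, the highest maturity level achieved, the percentage of declarative statements met against the target level, and the alignment check against the inherent risk profile. The all-statements rule for reaching a level and the one-to-one risk-to-maturity mapping are assumptions, marked in the code; the sample answers are constructed.

```python
from typing import Dict, List, Optional

# FFIEC CAT maturity levels, lowest to highest (Baseline and Innovative are
# named on the slides; the three in between are the CAT's own names).
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK_PROFILES = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Constructed sample: per domain, per level, whether each declarative
# statement was answered "yes". Two of the five domains are shown.
SAMPLE_ASSESSMENT: Dict[str, Dict[str, List[bool]]] = {
    "Cybersecurity Controls": {"Baseline": [True, True, True],
                               "Evolving": [True, False]},
    "Cyber Incident Management and Resilience": {"Baseline": [True, True],
                                                 "Evolving": [True],
                                                 "Intermediate": [True, True]},
}
SAMPLE_TARGETS = {"Cybersecurity Controls": "Evolving",
                  "Cyber Incident Management and Resilience": "Intermediate"}

def achieved_level(answers: Dict[str, List[bool]]) -> Optional[str]:
    """Highest level reached. Assumption (CAT rule as modelled here): a level
    counts only when every statement at it and at all lower levels is met."""
    reached = None
    for level in LEVELS:
        stmts = answers.get(level, [])
        if not stmts or not all(stmts):
            break
        reached = level
    return reached

def pct_of_target(answers: Dict[str, List[bool]], target: str) -> float:
    """Share of statements met among those needed up to the target level."""
    levels = LEVELS[:LEVELS.index(target) + 1]
    needed = sum(len(answers.get(lv, [])) for lv in levels)
    met = sum(sum(answers.get(lv, [])) for lv in levels)
    return round(100.0 * met / needed, 1) if needed else 0.0

def dashboard(assessment, targets) -> Dict[str, dict]:
    """Per-domain figures of the kind the template's summary worksheet charts."""
    return {d: {"achieved": achieved_level(a), "target": targets[d],
                "pct_of_target": pct_of_target(a, targets[d])}
            for d, a in assessment.items()}

def aligned(inherent_risk: str, achieved: Optional[str]) -> bool:
    """Assumed alignment rule: the n-th risk profile expects at least the
    n-th maturity level (the slides only say the two are plotted together)."""
    expected = LEVELS[RISK_PROFILES.index(inherent_risk)]
    return achieved is not None and LEVELS.index(achieved) >= LEVELS.index(expected)
```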
FFIEC Cybersecurity Assessment Tool – FAIR International Standard
Factor Analysis of Information Risk (FAIR)
Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool
FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC
FSSCC Automated Cybersecurity Assessment Tool
FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an “automated” tool:
• No attempts were made to interpret or change any of the FFIEC’s stated expectations; and
• Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process
Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool
FFIEC Cybersecurity Assessment (diagram: Risk, Resources, Controls)
Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf