The Next Breach Target and How Oracle Can Help
Ulf Mattsson
CTO, Protegrity
Ulf.Mattsson AT protegrity.com
Ulf Mattsson & PCI Data Security Standards
Working in Task Forces at Payment Card Industry Security Standards Council (PCI SSC):
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group 2
10. PCI SSC 2013 – 2014 Tokenization Task Force (TkTF)
Mary Ann Davidson, Chief Security Officer, Oracle Corporation
Target Data Breach, U.S. Secret Service & iSIGHT
Target CIO Beth Jacob resigned
Agenda: Threat Landscape, Data Protection, Breach Detection, Regulatory Compliance, Big Data, Cyber Insurance
THE CHANGING THREAT LANDSCAPE
How have the methods of attack shifted?
The 2014 Verizon Data Breach Investigations Report
Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
The 2014 DBIR is expected to be released this spring
Security Improving but We Are Losing Ground
The Biggest Cyber Attack Detected in Feb 2014
360 million email accounts
1.25 billion email addresses without passwords
105 million records were stolen in a single data breach
The email addresses came from:
• All the major providers, including Google, Microsoft and Yahoo.
• Non-profit organizations
• Almost all Fortune 500 companies were affected by the attacks
• Some have not made their security breaches public
According to the cybersecurity firm Hold Security LLC
New Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
Total Malware Samples in McAfee Labs Database
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
Total Malicious Signed Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
Targeted Malware Topped the Threats
62% said that the pressure to protect from data breaches also increased over the past year.
Source: 2014 Trustwave Security Pressures Report
US and Canada - Targeted Malware Top Threat
In the United States and Canada, targeted malware was the top threat IT pros felt pressured to
secure against, and in the U.K. and Germany, the top threat was phishing/social engineering.
Respondents in each country surveyed said viruses and worms caused the lowest pressure.
Source: 2014 Trustwave Security Pressures Report
Fallout – FBI Memory-Scraping Malware Warning
Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”
FBI uncovered 20 cyber attacks against retailers in the past year that utilized methods similar to the Target incident
"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it."
Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach
Data Loss Worries IT Pros Most
Source: 2014 Trustwave Security Pressures Report
Energy Sector a Prime Target for Cyber Attacks
July 2012 - June 2013: 74 targeted cyber attacks/day
• #1: Government/Public sector – 25.4%
• #2: Energy sector – 16.3%
Oct. 2012 - May 2013: The U.S. government's Industrial Control Systems Cyber Emergency Response Team responded to more than 200 incidents — 53% aimed at the energy sector.
So far, there have not been any successful catastrophic attacks on the US energy grid, but there is ongoing debate about the risk of a "cyber Pearl Harbor" attack.
Source: www.csoonline.com/article/748580/energy-sector-a-prime-target-for-cyber-attacks
UK Energy Companies Refused Insurance
www.itproportal.com/2014/02/27/uk-energy-companies-refused-insurance-due-to-inadequate-cyber-defences/#ixzz2ud7g2hmO
Cyber Insurance Increases 5x Globally
Companies' view on cyber risk
76% (up 19%)
Source: http://www.strategic-risk-global.com/popularity-of-cyber-insurance-increases-five-fold-in-eight-years/1407324.article
Cyber Attacks are a Real and Growing Threat
Organizations worldwide are not "sufficiently protected" against cyber attack
Cyber attack fallout could cost the global economy $3 trillion by 2020
The report states that if "attackers continue to get better more quickly than defenders," as is presently the case, "this could result in a world where a 'cyberbacklash' decelerates digitization."
Source: McKinsey report on enterprise IT security implications released in January 2014.
TARGET DATA BREACH
What can we learn from the Target breach?
Memory Scraping Malware – Target Breach (diagram: Payment Card Terminal; Point Of Sale Application with Memory Scraping Malware; Authorization, Settlement …; Web Server with Memory Scraping Malware; Russia)
How The Breach at Target Went Down
Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email
• Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information.
• In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers.
The data theft was caused by the installation of malware on the firm's point of sale machines
• Free version of Malwarebytes Anti-Malware was used by Target
The subsequent file dump containing customer data is reportedly flooding the black market
• Starting point for the manufacture of fake bank cards, or provide data required for identity theft.
Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
It’s not like other businesses are using some special network security practices that Target doesn’t know about.
They just haven’t been hit yet.
No number of traps, bars, or alarms will keep out the determined thief.
THINKING LIKE A HACKER
How can we shift from reactive to proactive thinking?
What if a Social Security Number or Credit Card Number in the Hands of a Criminal was Useless?
TURNING THE TIDE
What new technologies and techniques can be used to prevent future attacks?
Evolution of Data Security Methods (over time)
Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security
• Access Controls
• Field Encryption (AES & )
• Masking
• Tokenization
• Vaultless Tokenization
Access Control (chart: Risk, high to low, against Access Privilege Level, high to low)
Old and flawed: Minimal access levels so people can only carry out their jobs
Applying the Protection Profile to the Structure of each Sensitive Data Field allows for a Wider Range of Granular Authority Options
The New Data Protection - Tokenization (chart: Risk, high to low, against Access Privilege Level, high to low)
Old: Minimal access levels – Least Privilege to avoid high risks
New: Much greater flexibility and lower risk in data accessibility
Reduction of Pain with New Protection Techniques (chart: Pain & TCO, high to low, against time, 1970 to 2010)
Input Value: 3872 3789 1620 3675
• Strong Encryption (AES, 3DES): !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE): 8278 2789 2990 2789
• Vault-based Tokenization: 8278 2789 2990 2789
• Vaultless Tokenization: 8278 2789 2990 2789 (Format Preserving, Greatly reduced Key Management, No Vault)
Research Brief: Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
Security of Different Protection Methods (chart: Security Level, high to low, for the Fine Grained Data Security Methods Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization)
Tokenization and Encryption are Different
Encryption: a Cipher System, using cryptographic algorithms and cryptographic keys
Tokenization: a Code System, using code books and index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
Speed of Different Protection Methods (chart: Transactions per second*, log scale from 100 to 10 000 000, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization)
*: Speed will depend on the configuration
Different Tokenization Approaches (comparison table: Property against Vault-based Dynamic, Vault-based Pre-generated and Vaultless tokenization)
Use Case: How Should I Secure Different Data? (chart: data from Simple – PCI Card Holder Data, through PII Personally Identifiable Information, to Complex – PHI Protected Health Information, against Type of Data, Structured or Un-structured; methods shown: Tokenization of Fields and Encryption of Files)
Examples: De-Identified Sensitive Data
Field            Real Data                            Tokenized / Pseudonymized
Name             Joe Smith                            csu wusoj
Address          100 Main Street, Pleasantville, CA   476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                           01/02/1966
Telephone        760-278-3389                         760-389-2289
E-Mail Address   joe.smith@surferdude.org             eoe.nwuer@beusorpdqo.org
SSN              076-39-2778                          076-28-3390
CC Number        3678 2289 3907 3378                  3846 2290 3371 3378
Business URL     www.surferdude.com                   www.sheyinctao.com
Fingerprint                                           Encrypted
Photo                                                 Encrypted
X-Ray                                                 Encrypted
Healthcare: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.
Financial Services: Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
Health Information Portability and Accountability Act (HIPAA)
USA law, originally passed in 1996
Defines “Protected Health Information” (PHI)
Updated by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009
Most recently, the Omnibus final rule came into effect September 2013
Now requires both organizations that handle PHI and their business partners to protect sensitive information
US Health Information Portability and Accountability Act – HIPAA
1. Names
2. All geographical subdivisions smaller than a State
3. All elements of dates (except year) related to individual
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger prints
17. Full face photographic images
18. Any other unique identifying number
THE CHANGING TECHNOLOGY LANDSCAPE
What effect, if any, does the rise of “Big Data” have on breaches?
Holes in Big Data…
Source: Gartner
Many Ways to Hack Big Data (diagram: the Hadoop stack, MapReduce (Job Scheduling/Execution System), Pig (Data Flow), Hive (SQL), Sqoop, ETL Tools, BI Reporting, RDBMS, Avro (Serialization), Zookeeper (Coordination), HDFS (Hadoop Distributed File System) and HBase (Column DB), with threats from Hackers & APT, Rogue Privileged Users, and Unvetted Applications or Ad Hoc Processes)
Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
Big Data Vulnerabilities and Concerns
Big Data (Hadoop) was designed for data access, not security
Security in a read-only environment introduces new challenges
Massive scalability and performance requirements
Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear
Transparency and data insight are required for ROI on Big Data
BIG DATA
Protecting the data flow & Catching attackers
Oracle’s Big Data Platform
Tokenization Reducing Attack Surface: Tokenization on Each Node (diagram: 123456 123456 1234 becomes 123456 999999 1234, so only the first six and last four digits stay in the clear)
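As an added example (not the deck's, Protegrity's or Oracle's code), a toy vaultless, format-preserving tokenizer in the code-book style the deck contrasts with encryption: it yields tokens shaped like the de-identification table earlier (letters stay letters, separators stay put, the SSN area number and e-mail TLD stay clear) and like this slide's first-six/last-four card example. The secret, the per-field policy and the sample record are constructed for the example.

```python
"""Illustrative vaultless, format-preserving tokenization (code-book style).

Added example; not Protegrity's or Oracle's code. It shows the "code system"
idea from the deck: each digit or letter is replaced through a secret lookup
table over the same alphabet, so the token keeps the field's format and chosen
positions (card BIN, last four, SSN area number, e-mail TLD) stay in the clear.
Tables are derived from a secret with HMAC-SHA256 on demand, so no token vault
is needed to reverse them. The secret, per-field policy and sample record are
all constructed for this example.
"""
import hashlib
import hmac
import string

# Character classes that get tokenized; anything else (space, '-', '@', '.')
# is copied through unchanged, which is what preserves the format.
ALPHABETS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def _alphabet_for(ch):
    for alphabet in ALPHABETS:
        if ch in alphabet:
            return alphabet
    return None


def _code_table(secret, position, chain, alphabet):
    """One code-book table: a secret permutation of `alphabet`, selected by the
    character's position and the previous token character. That chaining
    (cipher-feedback style) keeps repeated input characters from always
    mapping to the same token character."""
    label = f"{position}:{chain}:".encode()
    return "".join(sorted(
        alphabet,
        key=lambda c: hmac.new(secret, label + c.encode(), hashlib.sha256).digest()))


def _transform(secret, value, keep_prefix, keep_suffix, inverse):
    protectable = sum(1 for ch in value if _alphabet_for(ch) is not None)
    if keep_prefix + keep_suffix >= protectable:
        raise ValueError("policy would leave the whole value in the clear")
    out, chain, k = [], "", 0          # k indexes digits/letters only
    for ch in value:
        alphabet = _alphabet_for(ch)
        if alphabet is None:
            out.append(ch)             # separator: keep as-is
            continue
        if k < keep_prefix or k >= protectable - keep_suffix:
            new = ch                   # policy says leave this position clear
        else:
            table = _code_table(secret, k, chain, alphabet)
            new = alphabet[table.index(ch)] if inverse else table[alphabet.index(ch)]
        # chain on the token-side character so detokenize recomputes the same tables
        chain = ch if inverse else new
        out.append(new)
        k += 1
    return "".join(out)


def tokenize(secret, value, keep_prefix=0, keep_suffix=0):
    return _transform(secret, value, keep_prefix, keep_suffix, inverse=False)


def detokenize(secret, token, keep_prefix=0, keep_suffix=0):
    return _transform(secret, token, keep_prefix, keep_suffix, inverse=True)


def format_preserved(value, token):
    """Check worth running on any tokenizer: same length, same separators in the
    same places, same character class (digit/lower/upper) at every position."""
    return len(value) == len(token) and all(
        _alphabet_for(a) == _alphabet_for(b) and (_alphabet_for(a) is not None or a == b)
        for a, b in zip(value, token))


# Per-field policy modelled on the deck's de-identification table:
# (clear prefix, clear suffix), counted in digits/letters, separators excluded.
FIELD_POLICY = {
    "Name": (0, 0),
    "SSN": (3, 0),             # keep the area number, as in 076-39-2778 -> 076-28-3390
    "CC Number": (6, 4),       # keep BIN and last four, as in 123456 123456 1234 -> 123456 999999 1234
    "E-Mail Address": (0, 3),  # keep the three-letter top-level domain
}


def tokenize_record(secret, record):
    return {field: tokenize(secret, value, *FIELD_POLICY.get(field, (0, 0)))
            for field, value in record.items()}


if __name__ == "__main__":
    secret = b"example-only-secret"     # constructed; a real deployment keeps this in a key manager
    record = {                           # constructed sample modelled on the deck's table
        "Name": "Joe Smith",
        "SSN": "076-39-2778",
        "CC Number": "3678 2289 3907 3378",
        "E-Mail Address": "joe.smith@surferdude.org",
    }
    for field, token in tokenize_record(secret, record).items():
        print(f"{field:15} {record[field]:28} -> {token}")
```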
Current Breach Discovery Methods
Verizon 2013 Data-breach-investigations-report & 451 Research
Use Big Data to Analyze Abnormal Usage Pattern (diagram: the same Target breach flow as above, Payment Card Terminal, Point Of Sale Application with Memory Scraping Malware, Authorization, Settlement …, Web Server with Memory Scraping Malware, Russia, with Big Data Analytics applied to it)
CISOs say SIEM Not Good for Security Analytics
You must assume the systems will be breached.
Once breached, how do you know you've been compromised?
You have to baseline and understand what 'goodness' looks like and look for deviations from goodness
McAfee and Symantec can't tell you what normal looks like in your own systems.
Only monitoring anomalies can do that
Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets
Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner
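The panel's "baseline what goodness looks like, then look for deviations" advice, worked through as an added example (not from the deck, Protegrity or Oracle) on constructed flow summaries for a POS segment; the host names, destinations, byte counts and the 5x threshold are all assumptions made for the example.

```python
"""Baseline what 'goodness' looks like for POS hosts, then flag deviations.

Added example; not from the deck, Protegrity or Oracle. It applies the panel's
advice to constructed NetFlow-style summaries (day, source host, destination,
bytes) for a small store network; a real deployment would read them from a
flow collector. Two deviations are tested: a destination a host never
contacted during the baseline window, and outbound volume far above that
host's own baseline for the destination. Names, numbers and the 5x threshold
are illustrative.
"""
from collections import defaultdict
from statistics import median

POS_HOSTS = ["POS-01", "POS-02", "POS-03", "POS-04"]


def constructed_baseline_flows():
    """Seven quiet days: every register talks only to the payment gateway and
    the patch server, with modest day-to-day variation (constructed data)."""
    flows = []
    for day in range(1, 8):
        for i, host in enumerate(POS_HOSTS):
            flows.append({"day": day, "host": host, "dst": "payment-gw.internal",
                          "bytes": 40_000 + 1_000 * ((day + i) % 5)})
            flows.append({"day": day, "host": host, "dst": "patch-srv.internal",
                          "bytes": 5_000 + 500 * (day % 3)})
    return flows


# Review day (constructed): POS-03 pushes 2.5 MB to an internal share it has
# never used, and POS-04's patch traffic is about ten times its usual volume.
REVIEW_DAY_FLOWS = [
    {"day": 8, "host": "POS-01", "dst": "payment-gw.internal", "bytes": 41_000},
    {"day": 8, "host": "POS-02", "dst": "payment-gw.internal", "bytes": 39_500},
    {"day": 8, "host": "POS-03", "dst": "payment-gw.internal", "bytes": 43_000},
    {"day": 8, "host": "POS-03", "dst": "share-srv.internal", "bytes": 2_500_000},
    {"day": 8, "host": "POS-04", "dst": "patch-srv.internal", "bytes": 60_000},
]


def build_baseline(flows):
    """Learn 'normal' per host: which destinations it talks to, and the median
    daily bytes it sends to each one."""
    volumes = defaultdict(list)
    for f in flows:
        volumes[(f["host"], f["dst"])].append(f["bytes"])
    known_dsts = defaultdict(set)
    median_bytes = {}
    for (host, dst), vols in volumes.items():
        known_dsts[host].add(dst)
        median_bytes[(host, dst)] = median(vols)
    return {"dsts": dict(known_dsts), "median": median_bytes}


def find_deviations(baseline, flows, volume_factor=5.0):
    """Return (host, dst, reason) for every flow that departs from the baseline.
    A host with no baseline at all is reported too: an unknown device on the
    POS segment is itself a deviation from 'goodness'."""
    alerts = []
    for f in flows:
        host, dst, nbytes = f["host"], f["dst"], f["bytes"]
        if host not in baseline["dsts"]:
            alerts.append((host, dst, "unknown host"))
        elif dst not in baseline["dsts"][host]:
            alerts.append((host, dst, "new destination"))
        elif nbytes > volume_factor * baseline["median"][(host, dst)]:
            alerts.append((host, dst, "volume spike"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(constructed_baseline_flows())
    for alert in find_deviations(baseline, REVIEW_DAY_FLOWS):
        print("DEVIATION %-7s -> %-20s %s" % alert)
```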
Open Security Analytics Framework & Big Data (diagram: Enterprise Data Lake)
Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture
Conclusions
What happened at Target?
• Modern customized malware can be very hard to detect
• They were compliant, but not secure
Changing threat landscape & challenges to secure data:
• Attackers are looking for more than just payment data – a more serious problem.
• IDS systems lack the context needed to catch data theft
• SIEM detection is too slow in handling large amounts of events.
How can we prevent what happened to Target and the next attack against our sensitive data?
• Assume that we are under attack - proactive protection of the data itself
• We need to analyze event information and context to catch modern attackers
• The Oracle Big Data Appliance can provide the foundation for solving this problem
Protegrity Summary
Proven enterprise data security software and innovation leader
• Sole focus on the protection of data
• Patented Technology, Continuing to Drive Innovation
Cross-industry applicability
• Retail, Hospitality, Travel and Transportation
• Financial Services, Insurance, Banking
• Healthcare
• Telecommunications, Media and Entertainment
• Manufacturing and Government
Thank you! Questions?
Please contact us for more information
http://www.protegrity.com/news-resources/collateral/
Ulf.Mattsson AT protegrity.com

Key note in nyc the next breach target and how oracle can help - nyoug

  • 1. TheTheTheThe Next Breach Target andNext Breach Target andNext Breach Target andNext Breach Target and HowHowHowHow Oracle can helpOracle can helpOracle can helpOracle can help Ulf Mattsson CTO, Protegrity Ulf.Mattsson AT protegrity.com
  • 2. Working in Task Forces at Payment Card Industry Security Standards Council (PCI SSC): 1. PCI SSC Tokenization Task Force 2. PCI SSC Encryption Task Force 3. PCI SSC Point to Point Encryption Task Force 4. PCI SSC Risk Assessment SIG Ulf Mattsson & PCI Data Security Standards 5. PCI SSC eCommerce SIG 6. PCI SSC Cloud SIG 7. PCI SSC Virtualization SIG 8. PCI SSC Pre-Authorization SIG 9. PCI SSC Scoping SIG Working Group 2 10. PCI SSC 2013 – 2014 Tokenization Task Force (TkTF) 2
  • 3. 3
  • 4. Mary Ann Davidson, Chief Security Officer, Oracle Corporation 4
  • 5. 5
  • 6. Target Data Breach, U.S. Secret Service & iSIGHT Target CIO Beth Jacob resigned 6
  • 7. $ Data Protection Breach Detection $ Threat Landscape 7 Regulatory $ Compliance Big Data $ Cyber Insurance $
  • 8. Threat Landscape $ Data Protection Breach Detection $ 8 Regulatory $ Compliance Big Data $ Cyber Insurance $
  • 9. THE CHANGING THREAT LANDSCAPETHREAT LANDSCAPE 9 How have the methods of attack shifted?
  • 10. The 2014 Verizon Data Breach Investigations Report 10 Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening The 2014 DBIR is expected to be released this spring
  • 11. Security Improving but We Are Losing Ground 11
  • 12. 360 million email accounts 1.25 billion email addresses without passwords 105 million records were stolen in a single data breach The email addresses came from • All the major providers, including Google, Microsoft and Yahoo. The Biggest Cyber Attack Detected in Feb 2014 Yahoo. • Non-profit organizations • Almost all Fortune 500 companies were affected by the attacks • Some have not made their security breaches public According to the cybersecurity firm Hold Security LLC 12
  • 14. Total Malware Samples in McAfee Labs Database Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf 14
  • 15. Total Malicious Signed Malware Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf 15
  • 16. Targeted Malware Topped the Threats 16 62% said that the pressure to protect from data breaches also increased over the past year. Source: 2014 Trustwave Security Pressures Report
  • 17. US and Canada - Targeted Malware Top Threat 17 In the United States and Canada, targeted malware was the top threat IT pros felt pressured to secure against, and in the U.K. and Germany, the top threat was phishing/social engineering. Respondents in each country surveyed said viruses and worms caused the lowest pressure. Source: 2014 Trustwave Security Pressures Report
  • 18. Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms” FBI uncovered 20 cyber attacks against retailers in the past year that utilized methods similar to Target incident Fallout – FBI Memory-Scraping Malware Warning "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it." Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping- malware-in-wake-of-Target-breach 18
  • 19. Data Loss Worries IT Pros Most 19 Source: 2014 Trustwave Security Pressures Report
  • 20. July 2012 - June 2013: 74 targeted cyber attacks/day • #1: Government/Public sector – 25.4% • #2: Energy sector - 16.3% Oct. 2012 - May 2013: The U.S. government's Industrial Control Systems Cyber Emergency Response Team responded to more than 200 incidents — 53% aimed at the energy sector. Energy Sector a Prime Target for Cyber Attacks energy sector. So far, there have not been any successful catastrophic attacks on the US energy grid, but there is ongoing debate about the risk of a "cyber Pearl Harbor" attack. Source: www.csoonline.com/article/748580/energy-sector-a-prime-target-for-cyber-attacks 20
  • 21. UK Energy Companies Refused Insurance 21 www.itproportal.com/2014/02/27/uk-energy-companies-refused-insurance-due-to-inadequate-cyber-defences/#ixzz2ud7g2hmO
  • 22. $ Data Protection Breach Detection $ Threat Landscape 22 Regulations $ & Compliance Big Data $ Cyber Insurance $
  • 23. Cyber Insurance Increases 5x Globally. Companies' view on cyber risk: 76% (up 19%). Source: http://www.strategic-risk-global.com/popularity-of-cyber-insurance-increases-five-fold-in-eight-years/1407324.article
  • 24. Cyber Attacks are a Real and Growing Threat. Organizations worldwide are not "sufficiently protected" against cyber attack. Cyber attack fallout could cost the global economy $3 trillion by 2020. The report states that if "attackers continue to get better more quickly than defenders," as is presently the case, "this could result in a world where a 'cyberbacklash' decelerates digitization." Source: McKinsey report on enterprise IT security implications released in January 2014.
  • 25. TARGET DATA BREACH. What can we learn from the Target breach?
  • 26. Memory Scraping Malware – Target Breach (diagram): Payment Card Terminal – Point Of Sale Application (Memory Scraping Malware) – Authorization, Settlement … – Web Server (Memory Scraping Malware) – Russia
  • 27. How The Breach at Target Went Down. Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email • Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information • In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers • The data theft was caused by the installation of malware on the firm's point of sale machines • Free version of Malwarebytes Anti-Malware was used by Target • The subsequent file dump containing customer data is reportedly flooding the black market • Starting point for the manufacture of fake bank cards, or provides the data required for identity theft. Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
  • 28. It’s not like other businesses are using some special network security practices that Target doesn’t know about. They just haven’t been hit yet. No number of traps, bars, or alarms will keep out the determined thief.
  • 30. THINKING LIKE A HACKER. How can we shift from reactive to proactive thinking?
  • 31. What if a Social Security Number or Credit Card Number in the Hands of a Criminal was Useless?
  • 32. TURNING THE TIDE. What new technologies and techniques can be used to prevent future attacks?
  • 33. Evolution of Data Security Methods (over time). Coarse Grained Security: • Access Controls • Volume Encryption • File Encryption. Fine Grained Security: • Access Controls • Field Encryption (AES & ) • Masking • Tokenization • Vaultless Tokenization
  • 34. Access Control – old and flawed: minimal access levels so people can only carry out their jobs. (Chart: Risk, High to Low, plotted against Access Privilege Level, High to Low.)
  • 35. Applying the Protection Profile to the Structure of each Sensitive Data Field allows for a Wider Range of Granular Authority Options
  • 36. The New Data Protection – Tokenization. (Chart: Risk, High to Low, plotted against Access Privilege Level, High to Low.) Old: minimal access levels – Least Privilege to avoid high risks. New: much greater flexibility and lower risk in data accessibility.
  • 37. Reduction of Pain with New Protection Techniques (chart: Pain & TCO, High to Low, against time, 1970 – 2000 – 2005 – 2010). Input value: 3872 3789 1620 3675 • Strong Encryption (AES, 3DES): !@#$%a^.,mhu7///&*B()_+!@ • Format Preserving Encryption (DTP, FPE): 8278 2789 2990 2789 – Format Preserving • Vault-based Tokenization: 8278 2789 2990 2789 – Greatly reduced Key Management • Vaultless Tokenization: 8278 2789 2990 2789 – No Vault
  • 38. Research Brief: Tokenization Gets Traction. Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption • Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data • Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users. Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
  • 39. Security of Different Protection Methods (chart: Security Level, High to Low, of Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization)
  • 40. Fine Grained Data Security Methods – Tokenization and Encryption are Different. Encryption: approach used is a Cipher System, built on cryptographic algorithms and cryptographic keys. Tokenization: approach used is a Code System, built on code books and index tokens. Source: McGraw-Hill Encyclopedia of Science & Technology
  • 41. Speed of Different Protection Methods (chart: transactions per second* on a log scale from 100 to 10 000 000, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization). *: Speed will depend on the configuration
  • 42. Different Tokenization Approaches (table of properties for Dynamic, Pre-generated, Vaultless and Vault-based tokenization)
  • 44. Use Case: How Should I Secure Different Data? (Chart: Use Case, from Simple – PCI, Card Holder Data, through PII, Personally Identifiable Information, to Complex – PHI, Protected Health Information, against Type of Data: Structured – Tokenization of Fields; Un-structured – Encryption of Files.)
  • 45. Examples: De-Identified Sensitive Data (Field: Real Data → Tokenized / Pseudonymized) • Name: Joe Smith → csu wusoj • Address: 100 Main Street, Pleasantville, CA → 476 srta coetse, cysieondusbak, CA • Date of Birth: 12/25/1966 → 01/02/1966 • Telephone: 760-278-3389 → 760-389-2289 • E-Mail Address: joe.smith@surferdude.org → eoe.nwuer@beusorpdqo.org • SSN: 076-39-2778 → 076-28-3390 • CC Number: 3678 2289 3907 3378 → 3846 2290 3371 3378 • Business URL: www.surferdude.com → www.sheyinctao.com • Fingerprint, Photo, X-Ray: Encrypted. Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services: consumer products and activities. Protection methods can be equally applied to the actual data, but are not needed with de-identification.
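The de-identification table on this slide, together with the vault-based versus vaultless contrast on slides 37 and 42, can be shown in working code. The block below is an added example written for this page; it is not Protegrity's or Oracle's software. It assumes HMAC-SHA256 as the keyed PRF for the vaultless case (this example's choice, not any vendor's patented scheme), a constructed demo key, and constructed sample values; the field names, the `PROFILE` mapping, `deidentify_record` and the `TokenVault` class are this example's own. Tokens keep the shape of the input (digits stay digits, letters stay letters, separators and an optional clear tail such as the last four card digits are copied through), a date of birth keeps its year, and the vault variant is reversible only by whoever holds the table.

```python
"""Format-preserving de-identification (added example, not vendor code).

Vault-based tokenization keeps a random value -> token table, so only a vault
holder can recover the original. Vaultless tokens are derived from the value
with a keyed PRF, so no table is needed and equal values give equal tokens.
HMAC-SHA256 as the PRF is this example's choice, not any vendor's scheme."""
import hashlib
import hmac
import secrets
import string

# Constructed demo key; a deployment would fetch it from a key manager (assumption).
DEMO_KEY = b"demo-tokenization-key-not-for-production"
ALPHABETS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)

def _alphabet_of(ch):
    """Alphabet the character belongs to, or None for separators (' ', '-', '@', '.')."""
    return next((a for a in ALPHABETS if ch in a), None)

def _keystream(key, domain, value, nbytes):
    """Expand HMAC-SHA256(key, domain|counter|value) to nbytes of PRF output.
    The domain label keeps a name and a street with identical text apart."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, f"{domain}|{counter}|{value}".encode(), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]

def _substitute(value, keep_tail, pick):
    """Replace each alphanumeric with pick(alphabet), copy separators through so the
    shape survives, and leave the last keep_tail alphanumerics in the clear."""
    positions = [i for i, ch in enumerate(value) if _alphabet_of(ch)]
    chars = list(value)
    for i in positions[:max(0, len(positions) - keep_tail)]:
        chars[i] = pick(_alphabet_of(chars[i]))
    return "".join(chars)

def vaultless_tokenize(value, domain, keep_tail=0, key=DEMO_KEY):
    """Deterministic, format-preserving token derived from the value itself."""
    n = int.from_bytes(_keystream(key, domain, value, 8 + len(value)), "big")

    def pick(alphabet):          # peel one symbol off the PRF-derived integer
        nonlocal n
        n, r = divmod(n, len(alphabet))
        return alphabet[r]

    return _substitute(value, keep_tail, pick)

def tokenize_email(addr, key=DEMO_KEY):
    """Tokenize the local part and domain name; keep '@', '.' and the TLD."""
    local, _, domain = addr.rpartition("@")
    name, dot, tld = domain.rpartition(".")
    return (vaultless_tokenize(local, "email-local", key=key) + "@"
            + vaultless_tokenize(name, "email-domain", key=key) + dot + tld)

def tokenize_date_keep_year(mdy, key=DEMO_KEY):
    """'MM/DD/YYYY' -> same format, key-derived month and day, year kept."""
    n = int.from_bytes(_keystream(key, "dob", mdy, 8), "big")
    n, month = divmod(n, 12)
    _, day = divmod(n, 28)       # 1..28 is a valid day in every month
    return f"{month + 1:02d}/{day + 1:02d}/{mdy.split('/')[2]}"

class TokenVault:
    """Vault-based tokenization: random token, reversible only through this table."""
    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenize(self, value, keep_tail=0):
        if value not in self._to_token:
            token = _substitute(value, keep_tail, secrets.choice)
            while token in self._to_value:   # retry on a (rare) collision
                token = _substitute(value, keep_tail, secrets.choice)
            self._to_token[value], self._to_value[token] = token, value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]

# Constructed protection profile: field -> (PRF domain, clear-text tail length).
PROFILE = {"Name": ("name", 0), "SSN": ("ssn", 0), "CC Number": ("pan", 4)}

def deidentify_record(record, key=DEMO_KEY):
    """Apply the per-field profile; e-mail and date of birth have their own rules."""
    out = {}
    for field, value in record.items():
        if field == "E-Mail Address":
            out[field] = tokenize_email(value, key)
        elif field == "Date of Birth":
            out[field] = tokenize_date_keep_year(value, key)
        else:
            domain, keep = PROFILE[field]
            out[field] = vaultless_tokenize(value, domain, keep, key)
    return out

if __name__ == "__main__":   # constructed record mirroring the slide's fields
    rec = {"Name": "Joe Smith", "Date of Birth": "12/25/1966", "SSN": "076-39-2778",
           "E-Mail Address": "joe.smith@surferdude.org", "CC Number": "3678 2289 3907 3378"}
    for field, token in deidentify_record(rec).items():
        print(f"{field:14} {rec[field]:26} -> {token}")
    vault = TokenVault()
    print("vault:", vault.tokenize(rec["SSN"]), "<->", vault.detokenize(vault.tokenize(rec["SSN"])))
```

A keyed-hash token of this kind is a pseudonym: without the key it reveals nothing about the input, and even with the key it cannot be reversed, only re-derived from a candidate value. That is enough for the analytics use cases on the following slides; where the clear value must be recoverable, the vault (or a reversible scheme such as format-preserving encryption) is the right tool. Note also that a deterministic token lets records for the same person be joined across systems, which is both the feature and the privacy trade-off.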
  • 46. Health Information Portability and Accountability Act (HIPAA). USA law, originally passed in 1996 • Defines “Protected Health Information” (PHI) • Updated by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 • Most recently, the Omnibus final rule came into effect September 2013 • Now requires both organizations that handle PHI and their business partners to protect sensitive information
  • 47. US Health Information Portability and Accountability Act – HIPAA identifiers: 1. Names 2. All geographical subdivisions smaller than a State 3. All elements of dates (except year) related to individual 4. Phone numbers 5. Fax numbers 6. Electronic mail addresses 7. Social Security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers 13. Device identifiers and serial numbers 14. Web Universal Resource Locators (URLs) 15. Internet Protocol (IP) address numbers 16. Biometric identifiers, including finger prints 17. Full face photographic images 18. Any other unique identifying number
  • 49. THE CHANGING TECHNOLOGY LANDSCAPE. What effect, if any, does the rise of “Big Data” have on breaches?
  • 50. Holes in Big Data… Source: Gartner
  • 51. Many Ways to Hack Big Data: Hackers & APT • Rogue Privileged Users • Unvetted Applications Or Ad Hoc Processes
  • 52. Many Ways to Hack Big Data (Hadoop stack diagram: MapReduce (Job Scheduling/Execution System), Pig (Data Flow), Hive (SQL), Sqoop, ETL Tools, BI Reporting, RDBMS, HDFS (Hadoop Distributed File System), HBase (Column DB), Avro (Serialization), Zookeeper (Coordination); attack paths from Hackers, Privileged Users, and Unvetted Applications Or Ad Hoc Processes). Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
  • 53. Big Data Vulnerabilities and Concerns: Big Data (Hadoop) was designed for data access, not security • Security in a read-only environment introduces new challenges • Massive scalability and performance requirements • Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear • Transparency and data insight are required for ROI on Big Data
  • 54. BIG DATA: Protecting the data flow & Catching attackers
  • 56. Oracle’s Big Data Platform (diagram; sample values shown: 123456 123456 1234 and 123456 999999 1234)
  • 57. Tokenization Reducing Attack Surface – Tokenization on Each Node (diagram; sample value 123456 123456 1234)
  • 59. Current Breach Discovery Methods. Source: Verizon 2013 Data Breach Investigations Report & 451 Research
  • 60. Use Big Data to Analyze Abnormal Usage Pattern (diagram, as on slide 26: Payment Card Terminal – Point Of Sale Application (Memory Scraping Malware) – Authorization, Settlement … – Web Server (Memory Scraping Malware) – Russia, with a “Big Data Analytics ?” component added)
  • 61. CISOs say SIEM Not Good for Security Analytics. You must assume the systems will be breached. Once breached, how do you know you've been compromised? You have to baseline and understand what 'goodness' looks like and look for deviations from goodness. McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that. Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets. Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner
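The "baseline what goodness looks like and look for deviations" point on this slide, applied to the network flow data it names, as an added example (not code from the RSA panel, Gartner, Oracle or Protegrity): a per-host baseline of known destinations and daily outbound volume is learned from a training window, then later traffic is checked for a destination never seen before and for a daily volume far above the host's own history. The host names, the payments-gateway.internal destination, the byte counts and the 203.0.113.7 address (a documentation range) are constructed sample data for this example.

```python
"""Baseline-and-deviation detection over outbound flow records (added example).

Learns what 'goodness' looks like for each source host from a training
window (destinations talked to, daily outbound byte volume), then flags two
kinds of deviation in later traffic: a destination never seen in the
baseline, and a daily volume far above the host's own history."""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (day, source host, destination, bytes sent). All values below are
# constructed for this example; 203.0.113.7 is a documentation (TEST-NET-3) address.
TRAINING_FLOWS = [
    (day, f"pos-0{i + 1}", "payments-gateway.internal", 2_000_000 + 100_000 * ((day + i) % 3))
    for day in range(1, 8) for i in range(3)
]
TEST_FLOWS = [
    (8, "pos-01", "payments-gateway.internal", 2_100_000),
    (8, "pos-02", "payments-gateway.internal", 2_100_000),
    (8, "pos-02", "203.0.113.7", 40_000_000),   # bulk transfer to a never-seen host
    (8, "pos-03", "payments-gateway.internal", 2_000_000),
    (9, "pos-01", "payments-gateway.internal", 2_200_000),
    (9, "pos-02", "payments-gateway.internal", 2_100_000),
    (9, "pos-03", "payments-gateway.internal", 2_200_000),
]

def build_baseline(flows):
    """Per host: the set of destinations seen and mean/stddev of daily bytes out."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        dests[src].add(dst)
        daily[src][day] += nbytes
    stats = {src: (mean(per_day.values()), pstdev(per_day.values()))
             for src, per_day in daily.items()}
    return {"dests": dict(dests), "stats": stats}

def detect(flows, baseline, k=3.0):
    """Return alerts as (day, host, kind, detail) tuples, sorted by day then host."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        # A host with no baseline at all is itself a deviation: every destination is new.
        if dst not in baseline["dests"].get(src, set()):
            alerts.append((day, src, "new-destination", dst))
        daily[src][day] += nbytes
    for src, per_day in daily.items():
        mu, sigma = baseline["stats"].get(src, (0.0, 0.0))
        # A near-constant history gives a tiny sigma; a 10% floor keeps an ordinary
        # fluctuation from tripping the k-sigma threshold.
        spread = max(sigma, 0.1 * mu)
        for day, total in per_day.items():
            if total > mu + k * spread:
                alerts.append((day, src, "volume-spike", total))
    return sorted(alerts)

if __name__ == "__main__":
    baseline = build_baseline(TRAINING_FLOWS)
    for host, (mu, sigma) in sorted(baseline["stats"].items()):
        print(f"{host}: mean {mu:,.0f} B/day, stddev {sigma:,.0f}, dests {baseline['dests'][host]}")
    for alert in detect(TEST_FLOWS, baseline):
        print("ALERT", alert)
```

The two checks are deliberately simple so the decision is explainable to an analyst: a never-seen destination is a categorical deviation, and the volume test compares a host only with its own history rather than with a vendor-supplied notion of normal, which is the slide's point. In a real deployment the baseline would be re-learned on a rolling window and keyed by more than host (time of day, protocol, user), and the training window itself must be checked for contamination, since a host that was already exfiltrating during training would teach the baseline that exfiltration is normal.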
  • 63. Open Security Analytics Framework & Big Data – Enterprise Data Lake. Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture
  • 64. Conclusions. What happened at Target? • Modern customized malware can be very hard to detect • They were compliant, but not secure. Changing threat landscape & challenges to secure data: • Attackers are looking for not just payment data – a more serious problem • IDS systems are lacking the context needed to catch data theft • SIEM detection is too slow in handling large amounts of events. How can we prevent what happened to Target and the next attack against our sensitive data? • Assume that we are under attack – proactive protection of the data itself • We need to analyze event information and context to catch modern attackers • The Oracle Big Data Appliance can provide the foundation for solving this problem
  • 65. Protegrity Summary. Proven enterprise data security software and innovation leader • Sole focus on the protection of data • Patented Technology, Continuing to Drive Innovation. Cross-industry applicability • Retail, Hospitality, Travel and Transportation • Financial Services, Insurance, Banking • Healthcare • Telecommunications, Media and Entertainment • Manufacturing and Government
  • 66. Thank you! Questions? Please contact us for more information: http://www.protegrity.com/news-resources/collateral/ Ulf.Mattsson AT protegrity.com