UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
Download as PPTX, PDF2 likes311 views
The document discusses the evolving landscape of data security in cloud, big data, and DevOps environments, highlighting the significant increase in data breaches and the shortage of cybersecurity skills. It emphasizes the importance of implementing data-centric security measures, such as encryption and tokenization, and the use of frameworks like the FFIEC Cybersecurity Assessment Tool to evaluate risk and maturity in financial institutions. The document also provides insights into best practices for identifying and mitigating data security blind spots.
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
- 1. UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT Ulf Mattsson, CTO Security Solutions Atlantic Business Technologies ulf.mattsson@atlanticbt.com
- 2. Ulf Mattsson Inventor of more than 45 US Patents Industry Involvement: • PCI DDS - PCI Security Standards Council Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs • IFIP - International Federation for Information Processing • CSA - Cloud Security Alliance • ANSI - American National Standards Institute ANSI X9 Tokenization Work Group • NIST - National Institute of Standards and Technology NIST Big Data Working Group • User Groups Security: ISACA & ISSA Databases: IBM & Oracle 2
- 3. My Work with PCI DSS Standards Payment Card Industry Security Standards Council (PCI SSC) 1. PCI SSC Tokenization Guidelines Task Force 2. PCI SSC Encryption Task Force 3. PCI SSC Point to Point Encryption Task Force 4. PCI SSC Risk Assessment SIG 5. PCI SSC eCommerce SIG 6. PCI SSC Cloud SIG 7. PCI SSC Virtualization SIG 8. PCI SSC Pre-Authorization SIG 9. PCI SSC Scoping SIG Working Group 10. PCI SSC Tokenization Products Task Force 3
- 4. 4 Evolving IT Risk – My ISACA Articles
- 5. 5 5
- 6. Not Knowing Where Sensitive Data Is Source: The State of Data Security Intelligence, Ponemon Institute, 2015 6
- 7. How Can I Find My Blind Spots? 7
- 8. 90% of the data in the world has been created in the past two years Source: https://www.ibm.com/software/data/bigdata/what-is-big-data.html IBM
- 9. 9
- 10. 10 Verizon 2017 Data Breach Investigations Report Source: Verizon 2017 Data Breach Investigations Report 10
- 11. Verizon 2017 Data Breach Investigations Report – # of Records PII I&A
- 12. Source: Verizon 2017 Data Breach Investigations Report
- 13. Law Enforcement will Discover Your Breach—Not You. Source: Verizon 2016 Data Breach Investigations Report 13
- 14. Source: Verizon 2017 Data Breach Investigations Report Decreases in card skimming and POS crime sprees influence the massive decrease in law enforcement and fraud detection
- 15. Increasing Number of Breaches Source: Verizon 2016 Data Breach Investigations Report 15
- 16. Source: Verizon 2017 Data Breach Investigations Report
- 18. Incident Classification Patterns Across Confirmed Data Breaches Source: Verizon 2016 Data Breach Investigations Report Web Application Attacks 18
- 19. Worry Only About the Major Breach Patterns Source: Verizon 2016 Data Breach Investigations Report 19 Application Attacks
- 21. Problematic and Increasing Shortage of Cybersecurity Skills • 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016 • 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015 • 18 percent year-over-year increase 21
- 22. Cybercriminal Sweet Spot Source: calnet Cybercrime Trends and Targets 22
- 23. Examples of Services That Can Fill The Gap Application Services • Application Hosting & Cloud Migration • IT Consulting & Information Architecture • Software Development & User Experience Design Security Services • Audit & Assessment Services • Application Security Consulting • Managed Vulnerability Scanning • Security Tools Implementation • Virtual CISO SecDevOps 23
- 24. DCAP Data Centric Audit and Protection - Centrally managed security Data Centric Security Lifecycle & PCI DSS UEBA User behavior analytics helps businesses detect targeted attacks PCI DSS Protect stored cardholder data YearI 2004 I 2014 I 2015 PCI DSS 3.2 SecDevOps I 2016 PCI DSS Security in the development process
- 25. SecDevOps vs DevSecOps SecDevOps (Securing DevOps) 1. Embed security into the DevOps style of operation 2. Ensuring "secure by design" discipline in the software delivery methodology using techniques such as automated security review of code, automated application security testing DevSecOps (Applying DevOps to Security Operations) 1. Developing and deploying a series of minimum viable products on security programs 2. In implementing security log monitoring, rather than have very large high value program with a waterfall delivery plan to design, implement, test 3. Operating a SIEM that monitors a large number of log sources 4. Onboard small sets of sources onto a cloud based platform and slowly evolve the monitoring capability Source: Capgemini 25
- 26. Security Tools for DevOps Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) Fuzz testing is essentially throwing lots of random garbage Vulnerability Analysis Runtime Application Self Protection (RASP) Interactive Application Self- Testing (IAST) 26
- 27. Security Metrics from DevOps 27 # Vulnerabilities Time
- 28. Data Security On Prem Operating System Security Controls & Agents OS File System Database Application Framework Application Source Code Application Data Network External Network Internal Network Application Server SecDevOps 28
- 29. • Rather than making the protection platform based, the security is applied directly to the data • Protecting the data wherever it goes, in any environment • Cloud environments by nature have more access points and cannot be disconnected • Data-centric protection reduces the reliance on controlling the high number of access points Data-Centric Protection Increases Security in Cloud Computing 29
- 30. Protect Sensitive Cloud Data Internal Network Administrator Attacker Remote User Internal User Public Cloud Examples Each sensitive field is protected Each authorized field is in clear Cloud Gateway 30 Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest) SecDevOps The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data
- 31. Securing Big Data - Examples of Security Agents Import de-identified data Export identifiable data Export audit for reporting Data protection at database, application, file Or in a staging area HDFS (Hadoop Distributed File System) Pig (Data Flow) Hive (SQL) Sqoop ETL Tools BI Reporting RDBMS MapReduce (Job Scheduling/Execution System) OS File System Big Data Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest) 31 SecDevOps
- 32. Generating Key Security Metrics 32 # Vulnerabilities Time
- 33. Visibility Into Third Party Risk Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches. Source: SecurityScoreCard # Vulnerabilities Time 33
- 34. Risk Management Are your security controls covering all sensitive data? Are your deployed security controls failing? Source: storm.innosec.com Are you prioritizing business asset risk? 34
- 35. Cyber Budgeting Source: storm.innosec.com Asset Regulatory Risk Residual Risk FTE Cost Tool Cost Total Cost CRM High Medium $ 20,000 0 $ 20,000 HR High Medium $ 100,000 20,000 $ 120,000 Feed High Low $ 1,000 0 $ 1,000 Crossbow Medium Medium $ 5,000 50,00 $ 10,000 eTrader Low Low $ 1,000 0 $ 1,000 IT Alert Low Low $ 1,000 0 $ 1,000 SAP Low Low $ 1,000 0 $ 1,000 Total $ 129,000 $ 25,000 $ 154,000 35
- 37. Need for Masking Standards • Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de- identification standard, are not firmly rooted in theory. • There are no widely accepted standards for testing the effectiveness of a de- identification process or gauging the utility lost as a result of de- identification.
- 38. Cloud Gateway - Requirements Adjusted Protection Data Protection Methods Scalability Storage Security Transparency System without data protection Weak Encryption (1:1 mapping) Searchable Gateway Index (IV) Vaultless Tokenization Partial Encryption Data Type Preservation Encryption Strong Encryption (AES CBC, IV) Best Worst 38 38
- 39. Reduction of Pain with New Protection Techniques 39 1970 2000 2005 2010 High Low Pain & TCO Strong Encryption Output: AES, 3DES Format Preserving Encryption DTP, FPE Vault-based Tokenization Vaultless Tokenization Input Value: 3872 3789 1620 3675 !@#$%a^.,mhu7///&*B()_+!@ 8278 2789 2990 2789 8278 2789 2990 2789 Format Preserving Greatly reduced Key Management No Vault 8278 2789 2990 2789
- 41. Fine Grained Data Security Methods Tokenization and Encryption are Different Used Approach Cipher System Code System Cryptographic algorithms Cryptographic keys Code books Index tokens Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY TokenizationEncryption 41
- 42. Examples of Protected Data Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL www.surferdude.com www.sheyinctao.com Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare / Financial Services Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities Protection methods can be equally applied to the actual data, but not needed with de- identification 42
- 43. Type of Data Use Case I Structured How Should I Secure Different Data? I Un-structured Simple – Complex – PCI PHI PII Encryption of Files Card Holder Data Tokenization of Fields Protected Health Information Personally Identifiable Information 43
- 44. FFIEC is a Formal U.S. Government Interagency Body It includes five banking regulators Source: WIKPEDIA 44 1. Federal Reserve Board of Governors (FRB), 2. Federal Deposit Insurance Corporation (FDIC), 3. National Credit Union Administration (NCUA), 4. Office of the Comptroller of the Currency (OCC), and 5. Consumer Financial Protection Bureau (CFPB). It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions"
- 45. FFIEC Cybersecurity Assessment Tool The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories: • Technologies and Connection Types • Delivery Channels • Online/Mobile Products and Technology Services • Organizational Characteristics • External Threats Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains: • Cyber Risk Management and Oversight • Threat Intelligence and Collaboration • Cybersecurity Controls • External Dependency Management • Cyber Incident Management and Resilience Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 45
- 46. FFIEC Cybersecurity Assessment Tool – Part One Inherent Risk Profile Part one of the Assessment identifies the institution’s inherent risk: • Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services. • Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered. • Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered. • Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers. • External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 46
- 47. FFIEC Cybersecurity Assessment Tool – Risk Levels The following includes definitions of risk levels: • Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees. • Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services. • Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication. • Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication. • Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 47
- 48. FFIEC Cybersecurity Assessment Tool – Part Two Cybersecurity Maturity Maturity level within each of the following five domains: • Domain 1: Cyber Risk Management and Oversight • Domain 2: Threat Intelligence and Collaboration • Domain 3: Cybersecurity Controls • Domain 4: External Dependency Management • Domain 5: Cyber Incident Management and Resilience Domains, Assessment Factors, Components, and Declarative Statements Within each domain are assessment factors and contributing components. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf 48
- 49. FFIEC Cybersecurity Assessment Tool – Maturity Levels Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes. Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf Definitions for each of the maturity levels The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level 49
- 50. FFIEC Cybersecurity Assessment Tool – 5 Domains: 1. Domain 1: Cyber Risk Management and Oversight 2. Domain 2: Threat Intelligence and Collaboration 3. Domain 3: Cybersecurity Controls 4. Domain 4: External Dependency Management 5. Domain 5: Cyber Incident Management and Resilience Source: https://www.ffiec.gov/pdf/cybersec urity/FFIEC_CAT_App_B_Map_to_NI ST_CSF_June_2015_PDF4.pdf 50
- 51. Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf 51
- 52. FFIEC Cybersecurity Assessment Tool - Interpreting and Analyzing Assessment Results Source: https://www.ffiec.gov/pdf/cyb ersecurity/FFIEC_CAT_June_20 15_PDF2.pdf 52
- 53. FFIEC Cybersecurity Assessment Tool - Excel Template The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment. The Assessment Summary worksheet calculates an Inherent Risk Score and reflects percentage of Cybersecurity Maturity achieved against defined targets based on the completed assessment worksheets. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele 53
- 54. FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele
- 55. FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof. Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele 55
- 56. FFIEC Cybersecurity Assessment Tool – FAIR International Standard Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool Factor Analysis of Information Risk (FAIR) 56
- 57. FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC FSSCC Automated Cybersecurity Assessment Tool FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an ”automated” tool: • No attempts were made to interpret or change any of the FFIEC’s stated expectations; and • Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool 57
- 59. UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT Ulf Mattsson, CTO Security Solutions Atlantic Business Technologies ulf.mattsson@atlanticbt.com