Welcome - New Orleans | October 22-25 | #TC18

Posted on 02-Jun-2020


Welcome

Data-Driven Solutions to Security Challenges

#TC18

Greg Alice

Information Security Engineer

Tableau Operations

Heather Kraus

Information Security Engineer

Tableau Operations

Discussion Points

Data, Measurement, Metrics, and Security

Identifying and Tracking Key Data and Assets

“Big Picture” Access Control

The Art of Managing Phishing

Visualizing Risk

Disclaimer: All data presented here is either example or anonymized data.

Data, Measurement, Metrics, and Security

Choosing Good Metrics

• Look to SLAs
  • Measure expectations of systems and/or services

• Key Indicators
  • Risk
  • Goal
  • Performance

• Start with the basics, then refine and expand
  • Iterate based on needs and new information

• Don’t stop collecting technical measurements!
  • Deepen your understanding of technical tool functionality

Choosing Good Metrics

• Compliance

• Awareness

• Productivity

• Technical Security Architecture

• Security Operational Performance

• Security Cost Efficiency

Get Creative with Connecting to Data

• Some data sources can be uncooperative
  • Limited capability to provide access to the data
  • No export functions
  • Reports only available as formatted content (Word, Excel, etc.) that is not easily parsed
  • No API
  • Inability to add fields needed to facilitate meaningful analysis

• Lots of data exists – the challenge is connecting to the data in a meaningful way

• One solution is to create a taxonomy for an existing field
  • Also create queries to see if your taxonomy is working

• Use calculations to parse out meaningful data
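The taxonomy-plus-check idea above, worked through in Python as an added example (not code from the deck or from Tableau). An uncooperative source is modelled as a ticket export whose only usable field is a free-text subject; an ordered set of regex rules acts as the calculated field that parses a category out of it, and `taxonomy_coverage` is the "is my taxonomy working?" query that reports how many tickets fall through every rule. The category names, rules and sample subjects are all constructed for illustration.

```python
"""Impose a taxonomy on a free-text ticket field and check whether it is working.

Added example, not code from the TC18 deck: the category names, the regex
rules and the sample ticket subjects are all constructed for illustration.
"""
import re
from collections import Counter

# Ordered rules: the first pattern that matches wins, so keep the more
# specific rules ahead of the generic ones.
TAXONOMY = [
    ("phishing",       re.compile(r"\b(phish\w*|suspicious (e-?mail|link)|spam)\b", re.I)),
    ("lost-device",    re.compile(r"\b(lost|stolen)\b.*\b(laptop|phone|badge)\b"
                                  r"|\b(laptop|phone|badge)\b.*\b(lost|stolen)\b", re.I)),
    ("malware",        re.compile(r"\b(malware|virus|ransomware|quarantin)", re.I)),
    ("access-request", re.compile(r"\b(access|permission|group membership)\b", re.I)),
    ("account",        re.compile(r"\b(password|locked out|mfa|2fa)\b", re.I)),
]

def categorize(subject: str) -> str:
    """Calculated field: map one free-text subject to a taxonomy value."""
    for name, pattern in TAXONOMY:
        if pattern.search(subject):
            return name
    return "uncategorized"

def taxonomy_coverage(subjects):
    """The 'is my taxonomy working?' query: counts per category, the share
    of tickets that fell through every rule, and those tickets' subjects so
    the rules can be refined."""
    labelled = [(s, categorize(s)) for s in subjects]
    counts = Counter(c for _, c in labelled)
    leftovers = [s for s, c in labelled if c == "uncategorized"]
    return counts, len(leftovers) / len(subjects), leftovers

# Constructed ticket subjects standing in for an export with no usable
# category field.
SAMPLE_SUBJECTS = [
    "Suspicious email from 'CEO' asking for gift cards",
    "Need access to finance share",
    "Laptop stolen from car",
    "Locked out after password change",
    "AV quarantined a file on my machine",
    "Request: permission to prod DB",
    "Phishing report: invoice attachment",
    "Question about travel policy",
]

if __name__ == "__main__":
    counts, uncategorized_share, leftovers = taxonomy_coverage(SAMPLE_SUBJECTS)
    for name, n in counts.most_common():
        print(f"{name:15} {n}")
    print(f"uncategorized share: {uncategorized_share:.0%}", leftovers)
```

Watch the uncategorized share over time: a rising number means the tickets have drifted away from the taxonomy, and the leftover subjects tell you which rule to add next.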

Information Security User Tickets

Security Questionnaire Dashboard

Security Questions

What are our top risks?

How many phishing emails are reported each day? How often do people click through?

How often are our users logging in? From where?

Has access been deactivated for all terminated users?

What is My Risk of Data Loss?

<erno> hm. I’ve lost a machine.. literally _lost_, it responds to ping, it works completely, I just can’t figure out where in my apartment it is.

I have an urgent request for gift cards. please reply back soonest.

Superstore CEO

Employee Acknowledgement

Identifying and Tracking Key Data and Assets

Finding Data and Assigning Value

• The power of robots and people

• How much is any one asset worth to you?
  • Remember tangible and intangible assets
  • Total cost of replacement
  • Impact of 100% loss

Visualizing Data Locations

Scoping

Reporting

“Big Picture” Access Control

Proper Access Control is Hard

• Core concepts: Separation of Duties and Least Privilege

• May not have enough people to effectively perform separation of duties

• It’s often easier to give more access than is required

Role-Based Access

• As much a business process as a technical one:

• Defining job description in terms of required access

• Verifying personnel during hiring

• Manager verification of required access change after hiring

• How does one define a role?
  • Job Duty or Title
  • Manager’s Reports
  • Company Internal
  • Home Department
  • Building
  • Location

Pre-Defined Access Control Lists

(The four application columns are unnamed in the slide; App 1–4 are placeholders.)

Group/Application   App 1        App 2        App 3        App 4
Group 1             No Access    Read Only    No Access    Read/Write
Group 2             No Access    Read/Write   Read Only    Read/Write
Group 3             No Access    Read/Write   Read Only    Read/Write
Group 4             Read/Write   Read/Write   Read Only    Read/Write
Group 5             Read Only    Audit        Audit        Read/Write
Group 6             Audit        Read/Write   Read/Write   Read/Write

Calculated Baseline Field

Spotting Abnormalities

Create a Security Baseline with Tableau

1. Take a snapshot of expected values and place into a text file

2. Join live data to snapshot

3. Create a True/False calculated field for each value (field) you wish to monitor

4. Aggregate checks together in another calculated field to watch more than one value

5. Add calculated match field or aggregated calculation into criteria

    IF [Field1 Current Value] = [Field1 Baseline Value] THEN TRUE
    ELSE FALSE
    END

(The comparison alone already returns True/False in Tableau, so the IF wrapper can be dropped: `[Field1 Current Value] = [Field1 Baseline Value]`.)

    IF [Field1Match] AND [Field2Match] THEN …
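The same five steps carried out in Python, as an added example that is not the deck's code and not a Tableau feature. The snapshot is the deck's own pre-defined ACL table; the application column names (App A..D) and the "live" export, into which three abnormalities have been planted, are constructed. It also handles the two cases the Tableau join alone does not surface cleanly: a group that appears live but has no baseline row, and a group the baseline expects that has vanished from the live data.

```python
"""Baseline-vs-live comparison: the five Tableau steps above, done in Python
so the result can be checked outside Tableau.

Added example, not code from the TC18 deck. The baseline text is the
deck's pre-defined ACL table; the application column names (App A..D)
and the "live" export with deliberate drift are constructed.
"""
import csv
import io

# Step 1: snapshot of expected values, kept as a text file (here inline).
BASELINE_CSV = """group,App A,App B,App C,App D
Group 1,No Access,Read Only,No Access,Read/Write
Group 2,No Access,Read/Write,Read Only,Read/Write
Group 3,No Access,Read/Write,Read Only,Read/Write
Group 4,Read/Write,Read/Write,Read Only,Read/Write
Group 5,Read Only,Audit,Audit,Read/Write
Group 6,Audit,Read/Write,Read/Write,Read/Write
"""

# Constructed live export with three abnormalities: Group 1 gained
# Read/Write on App C, Group 5 lost Audit on App B, and Group 7 exists
# live but has no baseline row at all.
LIVE_CSV = """group,App A,App B,App C,App D
Group 1,No Access,Read Only,Read/Write,Read/Write
Group 2,No Access,Read/Write,Read Only,Read/Write
Group 3,No Access,Read/Write,Read Only,Read/Write
Group 4,Read/Write,Read/Write,Read Only,Read/Write
Group 5,Read Only,No Access,Audit,Read/Write
Group 6,Audit,Read/Write,Read/Write,Read/Write
Group 7,Read/Write,Read/Write,Read/Write,Read/Write
"""

APPS = ["App A", "App B", "App C", "App D"]

def load(csv_text):
    """Key each row by group so the join in compare() is a dict lookup."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["group"]: {k: v for k, v in r.items() if k != "group"} for r in rows}

def compare(baseline_csv, live_csv, fields):
    """Steps 2-4: join live rows to the snapshot, compute one True/False
    match flag per monitored field, then aggregate them into AllMatch.
    A live row with no baseline counterpart gets every flag False, because
    an unexpected new group is itself an abnormality."""
    base, live = load(baseline_csv), load(live_csv)
    result = {}
    for group, live_row in live.items():
        base_row = base.get(group)
        flags = {"InBaseline": base_row is not None}
        for f in fields:
            flags[f] = base_row is not None and live_row[f] == base_row[f]
        flags["AllMatch"] = all(flags.values())
        result[group] = flags
    return result

def abnormalities(baseline_csv, live_csv, fields):
    """Step 5: keep only rows whose aggregated check failed. Value is the
    list of drifted fields, or None when the group is unknown to the baseline."""
    out = {}
    for group, flags in compare(baseline_csv, live_csv, fields).items():
        if flags["AllMatch"]:
            continue
        out[group] = [f for f in fields if not flags[f]] if flags["InBaseline"] else None
    return out

def missing_from_live(baseline_csv, live_csv):
    """Groups the baseline expects but the live export no longer has; a
    left join from live alone would silently drop these."""
    return sorted(set(load(baseline_csv)) - set(load(live_csv)))

if __name__ == "__main__":
    for group, drift in abnormalities(BASELINE_CSV, LIVE_CSV, APPS).items():
        print(group, "->", "not in baseline" if drift is None else f"drifted: {drift}")
    print("missing from live:", missing_from_live(BASELINE_CSV, LIVE_CSV))
```

Treat the baseline file as a controlled artifact: any change to it is itself an access-control change and should go through the same manager verification as the live permission it describes.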

Calculated Baseline Field

Physical and Logical Access

The Art of Managing Phishing

Phishing Risk

• Phishing is still 98% of all social engineering incidents, with email being the most common vector at 96%

• Only 22% of people clicked on a phish all year

• 4% of people will click on any given phishing campaign

• Only 17% of campaigns were reported

• Phishing is still used as an opening attack volley
  • Malware installation and ultimately data exfiltration follow a successful phish

• Timing is everything
  • Time until first click: 16 minutes
  • Most clicks: within 90 minutes
  • First report: 28 minutes
  • Half of reports: 33 minutes

Source: Verizon DBIR 2018

Phishing Campaigns and Actors

• Actors can launch multiple campaigns over time

• Campaigns aren’t limited to a single organization

• Threat intelligence is critical
  • Open Source Intelligence is a powerful tool
  • What campaigns and actors are affecting similar organizations?
  • What campaigns and actors have affected YOU in the past?

Finding Phish Patterns

• Sender and Subject

• Email headers

• Body of message
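An added example (not the deck's code) of pulling the three pattern sources above out of reported phish with Python's standard `email` library, then grouping messages into candidate campaigns. The three raw messages are constructed; the first two reuse the deck's "Superstore CEO" gift-card lure. The campaign key (sender domain plus a subject with ticket-style numbers stripped) is one reasonable choice, not something the deck prescribes.

```python
"""Extract sender, subject, header and body patterns from reported phish
and cluster them into candidate campaigns.

Added example, not code from the TC18 deck: the raw messages are
constructed, and the campaign key is an assumption.
"""
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

# Constructed reported messages: two from one gift-card campaign and one
# legitimate internal notice for contrast.
SAMPLES = [
"""From: "Superstore CEO" <ceo@superstore-mail.example>
Reply-To: ceo.superstore@webmail.example
Return-Path: <bounce@bulk-sender.example>
To: alice@superstore.example
Subject: Urgent request #4471

I have an urgent request for gift cards. please reply back soonest.
""",
"""From: "Superstore CEO" <ceo@superstore-mail.example>
Reply-To: ceo.superstore@webmail.example
Return-Path: <bounce@bulk-sender.example>
To: bob@superstore.example
Subject: Urgent request #4472

I have an urgent request for gift cards. please reply back soonest.
""",
"""From: IT Helpdesk <helpdesk@superstore.example>
Return-Path: <helpdesk@superstore.example>
To: carol@superstore.example
Subject: Password expiry notice

Your password expires today, reset at https://superstore.example/reset
""",
]

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def features(raw):
    """Sender and subject, header consistency, and body lures for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    from_domain = _domain(addr)
    return {
        "display_name": name,
        "from_domain": from_domain,
        # Reply-To or Return-Path on a different domain than From is a
        # classic BEC/gift-card pattern: replies go somewhere else.
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != from_domain,
        "return_path_mismatch": bool(return_path) and _domain(return_path) != from_domain,
        # Strip per-recipient numbers so one campaign yields one subject.
        "subject_norm": re.sub(r"\s*#?\d+", "", msg.get("Subject", "")).strip().lower(),
        "gift_card_lure": bool(re.search(r"gift cards?", text, re.I)),
        "urls": re.findall(r"https?://\S+", text),
    }

def campaign_key(f):
    return (f["from_domain"], f["subject_norm"])

def cluster(raws):
    """Count reported messages per candidate campaign."""
    return Counter(campaign_key(features(r)) for r in raws)

if __name__ == "__main__":
    for key, n in cluster(SAMPLES).most_common():
        print(n, key)
```

Once a campaign key is stable, it becomes the join field for the threat-intelligence questions in the previous slide: the same key seen across several reporting periods is one actor returning, and the same key shared with a peer organization is a campaign that is not limited to you.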

Tracking Actors and Methods

C-Suite Fraud

Your Targets?

• Common types of targets:
  • The 4% that will click anything
  • Addresses that scammers think are part of that 4%
  • Well-known group email lists or mailboxes
  • Public email addresses

• Awareness: Train users to report!
  • Goal: Increase reporting percentage and decrease click percentage
  • Constant reinforcement is key

• Testing: Conduct phishing tests to identify your organizational 4%
  • Once identified, specialized awareness material can be crafted …
  • … Or at least additional monitoring

Finding the Repeat Offenders
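An added example, not the deck's code, of turning phishing-test results into the metrics the deck tracks (click and report rates, time to first click and first report) and of finding the repeat offenders, i.e. your organizational 4%. `RESULTS` is a constructed export in the shape most phishing-test tools can produce: one row per campaign and recipient, with minutes from send to click and to report, or None if the user did neither.

```python
"""Phishing-test metrics per campaign and repeat-clicker detection.

Added example, not code from the TC18 deck: RESULTS is a constructed
export (campaign, user, minutes to click, minutes to report).
"""
from collections import defaultdict
from statistics import median

RESULTS = [
    ("Q1-invoice",  "alice", 12,   None),
    ("Q1-invoice",  "bob",   None, 20),
    ("Q1-invoice",  "carol", 45,   50),    # clicked, then reported
    ("Q1-invoice",  "dave",  None, None),
    ("Q1-invoice",  "erin",  None, 31),
    ("Q2-giftcard", "alice", 9,    None),
    ("Q2-giftcard", "bob",   None, 15),
    ("Q2-giftcard", "carol", None, 33),
    ("Q2-giftcard", "dave",  70,   None),
    ("Q2-giftcard", "erin",  None, None),
]

def campaign_metrics(results):
    """Per campaign: click and report rates plus the timing figures the
    DBIR reports (first click, first report, median time to report)."""
    by_campaign = defaultdict(list)
    for campaign, user, click, report in results:
        by_campaign[campaign].append((user, click, report))
    out = {}
    for campaign, rows in by_campaign.items():
        clicks = [c for _, c, _ in rows if c is not None]
        reports = [r for _, _, r in rows if r is not None]
        out[campaign] = {
            "targets": len(rows),
            "click_rate": len(clicks) / len(rows),
            "report_rate": len(reports) / len(rows),
            "first_click_min": min(clicks) if clicks else None,
            "first_report_min": min(reports) if reports else None,
            "median_report_min": median(reports) if reports else None,
        }
    return out

def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: the
    people who need targeted material or extra monitoring."""
    clicked_in = defaultdict(set)
    for campaign, user, click, _ in results:
        if click is not None:
            clicked_in[user].add(campaign)
    return sorted(u for u, cs in clicked_in.items() if len(cs) >= min_campaigns)

def never_reported(results):
    """Users who have not reported a single test phish; the reporting rate
    only rises if these people change behaviour."""
    everyone = {user for _, user, _, _ in results}
    reporters = {user for _, user, _, report in results if report is not None}
    return sorted(everyone - reporters)

if __name__ == "__main__":
    for campaign, m in campaign_metrics(RESULTS).items():
        print(campaign, m)
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("never reported:", never_reported(RESULTS))
```

Compare your first-click and first-report minutes against the DBIR figures quoted earlier: if the first report lands before the first click you have minutes to pull the message from other mailboxes, which is the concrete payoff of training users to report.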

Visualizing Risk

What is Risk?

• Simply: Risk = Probability of a bad event occurring × Amount of loss incurred from the event

• Important to document inputs and reasoning behind how those values are decided

• Balance result with organization risk tolerance

Managing Risk

• Identify

• Assess

• Monitor

• Mitigate

• Report

Rank, Rack & Stack, Prioritize Risk


Risk Visualization


What’s My Risk of Data Loss?

• What kind of data do I have?

• Do I know where my data is?

• Have I labeled my data?

• Are employees aware of how to handle data?

• Who has access to the data?

• Are employees who have access to that data likely to be phished?

RELATED SESSIONS

Security Meetup
Wed | 1:45 – 2:45 | MCCNO – L1 – Hall B2-1

Tableau Server Security in Depth
Thurs | 2:15 – 3:15 | MCCNO – L3 – 351

SESSION REPEATS

IT @ Tableau | Data-Driven Solutions to Security Challenges
Tues | 10:45 – 11:45 | MCCNO – L2 - 263

IT @ Tableau | Data-Driven Solutions to Security Challenges
Wed | 10:45 – 11:45 | MCCNO – L2 - 263

Please complete the session survey from the My Evaluations menu in your TC18 app

Thank you!

#TC18

Heather Kraus (hkraus@tableau.com)

Greg Alice (galice@tableau.com)