UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT


Transcript of UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT

Page 1: UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT

UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT

Ulf Mattsson, CTO Security Solutions

Atlantic Business Technologies

[email protected]

Page 2: Ulf Mattsson

Inventor of more than 45 US Patents

Industry Involvement:

• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs

• IFIP - International Federation for Information Processing

• CSA - Cloud Security Alliance

• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group

• NIST - National Institute of Standards and Technology: NIST Big Data Working Group

• User Groups: Security: ISACA & ISSA; Databases: IBM & Oracle

Page 3: My Work with PCI DSS Standards

Payment Card Industry Security Standards Council (PCI SSC)

1. PCI SSC Tokenization Guidelines Task Force

2. PCI SSC Encryption Task Force

3. PCI SSC Point to Point Encryption Task Force

4. PCI SSC Risk Assessment SIG

5. PCI SSC eCommerce SIG

6. PCI SSC Cloud SIG

7. PCI SSC Virtualization SIG

8. PCI SSC Pre-Authorization SIG

9. PCI SSC Scoping SIG Working Group

10. PCI SSC Tokenization Products Task Force

Page 4: Evolving IT Risk – My ISACA Articles

Page 5: (no text)

Page 6: Not Knowing Where Sensitive Data Is

Source: The State of Data Security Intelligence, Ponemon Institute, 2015

Page 7: How Can I Find My Blind Spots?

Page 8: 90% of the data in the world has been created in the past two years

Source: IBM, https://www.ibm.com/software/data/bigdata/what-is-big-data.html

Page 9: (no text)

Page 10: Verizon 2017 Data Breach Investigations Report

Source: Verizon 2017 Data Breach Investigations Report

Page 11: Verizon 2017 Data Breach Investigations Report – # of Records

Chart labels: PII, I&A

Page 12:

Source: Verizon 2017 Data Breach Investigations Report

Page 13: Law Enforcement will Discover Your Breach—Not You.

Source: Verizon 2016 Data Breach Investigations Report

Page 14:

Source: Verizon 2017 Data Breach Investigations Report

Decreases in card skimming and POS crime sprees influence the massive decrease in law enforcement and fraud detection

Page 15: Increasing Number of Breaches

Source: Verizon 2016 Data Breach Investigations Report

Page 16:

Source: Verizon 2017 Data Breach Investigations Report

Page 17: (no text)

Page 18: Incident Classification Patterns Across Confirmed Data Breaches

Source: Verizon 2016 Data Breach Investigations Report

Chart label: Web Application Attacks

Page 19: Worry Only About the Major Breach Patterns

Source: Verizon 2016 Data Breach Investigations Report

Chart label: Application Attacks

Page 20: Security Skills Shortage

Page 21: Problematic and Increasing Shortage of Cybersecurity Skills

• 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016

• 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015

• 18 percent year-over-year increase

Page 22: Cybercrime Trends and Targets

Chart label: Cybercriminal Sweet Spot

Source: calnet

Page 23: Examples of Services That Can Fill The Gap

Application Services

• Application Hosting & Cloud Migration

• IT Consulting & Information Architecture

• Software Development & User Experience Design

Security Services

• Audit & Assessment Services

• Application Security Consulting

• Managed Vulnerability Scanning

• Security Tools Implementation

• Virtual CISO

SecDevOps

Page 24: Data Centric Security Lifecycle & PCI DSS

DCAP - Data Centric Audit and Protection: centrally managed security

UEBA - User behavior analytics helps businesses detect targeted attacks

PCI DSS - Protect stored cardholder data

Timeline (Year): 2004 | 2014 | 2015 | 2016, with the labels PCI DSS 3.2, SecDevOps, and PCI DSS: Security in the development process

Page 25: SecDevOps vs DevSecOps

SecDevOps (Securing DevOps)

1. Embed security into the DevOps style of operation

2. Ensuring "secure by design" discipline in the software delivery methodology using techniques such as automated security review of code, automated application security testing

DevSecOps (Applying DevOps to Security Operations)

1. Developing and deploying a series of minimum viable products on security programs

2. In implementing security log monitoring, rather than have a very large high value program with a waterfall delivery plan to design, implement, test

3. Operating a SIEM that monitors a large number of log sources

4. Onboard small sets of sources onto a cloud based platform and slowly evolve the monitoring capability

Source: Capgemini

Page 26: Security Tools for DevOps

• Static Application Security Testing (SAST)

• Dynamic Application Security Testing (DAST)

• Fuzz testing is essentially throwing lots of random garbage

• Vulnerability Analysis

• Runtime Application Self Protection (RASP)

• Interactive Application Self-Testing (IAST)

Page 27: Security Metrics from DevOps

(Chart: # Vulnerabilities over Time)

Page 28: Data Security On Prem

Diagram layers: Operating System, Security Controls & Agents, OS File System, Database, Application Framework, Application Source Code, Application, Data, Network (External Network, Internal Network), Application Server, SecDevOps

Page 29: Data-Centric Protection Increases Security in Cloud Computing

• Rather than making the protection platform based, the security is applied directly to the data

• Protecting the data wherever it goes, in any environment

• Cloud environments by nature have more access points and cannot be disconnected

• Data-centric protection reduces the reliance on controlling the high number of access points

Page 30: Protect Sensitive Cloud Data

Diagram labels: Internal Network, Administrator, Attacker, Remote User, Internal User, Public Cloud Examples, Cloud Gateway, SecDevOps

Each sensitive field is protected; each authorized field is in clear

Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest)

The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data

Page 31: Securing Big Data - Examples of Security Agents

Data flows shown: Import de-identified data; Export identifiable data; Export audit for reporting

Data protection at database, application, file, or in a staging area

Big Data stack shown: HDFS (Hadoop Distributed File System), Pig (Data Flow), Hive (SQL), Sqoop, ETL Tools, BI Reporting, RDBMS, MapReduce (Job Scheduling/Execution System), OS File System

Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest)

SecDevOps

Page 32: Generating Key Security Metrics

(Chart: # Vulnerabilities over Time)

Page 33: Visibility Into Third Party Risk

Discover and thwart third party vulnerabilities and security gaps in real-time to better control the impact of breaches.

Source: SecurityScoreCard

(Chart: # Vulnerabilities over Time)

Page 34: Risk Management

Are your security controls covering all sensitive data?

Are your deployed security controls failing?

Are you prioritizing business asset risk?

Source: storm.innosec.com

Page 35: Cyber Budgeting

Source: storm.innosec.com

Asset      Regulatory Risk   Residual Risk   FTE Cost    Tool Cost   Total Cost
CRM        High              Medium          $ 20,000    0           $ 20,000
HR         High              Medium          $ 100,000   20,000      $ 120,000
Feed       High              Low             $ 1,000     0           $ 1,000
Crossbow   Medium            Medium          $ 5,000     5,000       $ 10,000
eTrader    Low               Low             $ 1,000     0           $ 1,000
IT Alert   Low               Low             $ 1,000     0           $ 1,000
SAP        Low               Low             $ 1,000     0           $ 1,000
Total                                        $ 129,000   $ 25,000    $ 154,000

Page 36: Comparing Data Protection Methods

Page 37: Need for Masking Standards

• Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de-identification standard, are not firmly rooted in theory.

• There are no widely accepted standards for testing the effectiveness of a de-identification process or gauging the utility lost as a result of de-identification.

Page 38: Cloud Gateway - Requirements Adjusted Protection

Table columns: Data Protection Methods | Scalability | Storage | Security | Transparency (each method rated on a scale from Best to Worst)

Data protection methods listed:

System without data protection

Weak Encryption (1:1 mapping)

Searchable Gateway Index (IV)

Vaultless Tokenization

Partial Encryption

Data Type Preservation Encryption

Strong Encryption (AES CBC, IV)

Page 39: Reduction of Pain with New Protection Techniques

(Chart: Pain & TCO from High to Low across the years 1970, 2000, 2005, 2010)

Input Value: 3872 3789 1620 3675

Strong Encryption (AES, 3DES) output: !@#$%a^.,mhu7///&*B()_+!@

Format Preserving Encryption (DTP, FPE) output: 8278 2789 2990 2789 - Format Preserving

Vault-based Tokenization output: 8278 2789 2990 2789 - Greatly reduced Key Management

Vaultless Tokenization output: 8278 2789 2990 2789 - No Vault

Page 40: What is Data Tokenization?

Page 41: Fine Grained Data Security Methods

Tokenization and Encryption are Different

Used Approach   Cipher System (Encryption)   Code System (Tokenization)
                Cryptographic algorithms     Code books
                Cryptographic keys           Index tokens

Source: McGraw-Hill Encyclopedia of Science & Technology

Page 42: Examples of Protected Data

Field            Real Data                              Tokenized / Pseudonymized
Name             Joe Smith                              csu wusoj
Address          100 Main Street, Pleasantville, CA     476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                             01/02/1966
Telephone        760-278-3389                           760-389-2289
E-Mail Address   [email protected]                      [email protected]
SSN              076-39-2778                            076-28-3390
CC Number        3678 2289 3907 3378                    3846 2290 3371 3378
Business URL     www.surferdude.com                     www.sheyinctao.com
Fingerprint                                             Encrypted
Photo                                                   Encrypted
X-Ray                                                   Encrypted

Healthcare / Financial Services: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services: Consumer Products and activities

Protection methods can be equally applied to the actual data, but not needed with de-identification
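Pages 39 to 42 contrast a cipher system (algorithms and keys) with a code system (code books and index tokens) and show tokens that keep the card number's format and its last four digits. The Python below is an added illustration, not code from the slides or from any product: a vaultless tokenizer built from secret per-position substitution tables (the code books) and a vault-based tokenizer that issues random index tokens and stores the mapping; the class names, the derivation from a master secret and the "keep last four" rule are constructed for this example.

```python
import hashlib
import hmac
import random
import secrets
DIGITS = "0123456789"

def _digits_only(value):
    return "".join(c for c in value if c.isdigit())

def _refill(template, digits):
    """Write digits back into the digit positions of template, keeping spaces and dashes."""
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in template)

class VaultlessTokenizer:
    """Code-book (vaultless) tokenization: nothing is stored per protected value.
    Each digit position gets its own secret permutation of 0-9 derived from a master
    secret via HMAC-SHA256; tokenizing is a table lookup, detokenizing the inverse, so
    any node holding the secret does both without a vault. Single-digit tables keep the
    mechanism visible (a constructed illustration; real products use far larger tables).
    """

    def __init__(self, secret, positions=32, keep_last=4):
        self.keep_last = keep_last
        self.tables = []
        for pos in range(positions):
            seed = hmac.new(secret, b"codebook-%d" % pos, hashlib.sha256).digest()
            perm = list(DIGITS)
            random.Random(int.from_bytes(seed, "big")).shuffle(perm)
            self.tables.append("".join(perm))

    def tokenize(self, value):
        d = _digits_only(value)
        n = len(d) - self.keep_last  # the last digits pass through unchanged
        body = "".join(self.tables[i][int(c)] for i, c in enumerate(d[:n]))
        return _refill(value, body + d[n:])

    def detokenize(self, token):
        d = _digits_only(token)
        n = len(d) - self.keep_last
        body = "".join(DIGITS[self.tables[i].index(c)] for i, c in enumerate(d[:n]))
        return _refill(token, body + d[n:])

class VaultTokenizer:
    """Index-token (vault-based) tokenization: the token is random and carries no
    information; the real value lives only in the vault, which must itself be protected."""

    def __init__(self, keep_last=4):
        self.keep_last = keep_last
        self.vault = {}   # token -> real value
        self.issued = {}  # real value -> token, so repeats reuse the same token

    def tokenize(self, value):
        if value in self.issued:
            return self.issued[value]
        d = _digits_only(value)
        n = len(d) - self.keep_last
        if n <= 0:
            raise ValueError("value too short to tokenize")
        while True:  # draw until the token is unique and differs from the real value
            body = "".join(secrets.choice(DIGITS) for _ in range(n))
            token = _refill(value, body + d[n:])
            if token != value and token not in self.vault:
                break
        self.vault[token] = value
        self.issued[value] = token
        return token

    def detokenize(self, token):
        return self.vault[token]
```

Both tokenizers return a value with the same length, separators and trailing digits as the input, which is what lets downstream systems keep working on tokens; the difference the slides stress is that only the vault-based design has a growing store to protect.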

Page 43: How Should I Secure Different Data?

Matrix shown: Type of Data (Structured / Un-structured) against Use Case (Simple / Complex)

Data types: PCI (CardHolder Data), PHI (Protected Health Information), PII (Personally Identifiable Information)

Protection methods shown: Tokenization of Fields, Encryption of Files

Page 44: FFIEC is a Formal U.S. Government Interagency Body

It includes five banking regulators:

1. Federal Reserve Board of Governors (FRB), 2. Federal Deposit Insurance Corporation (FDIC), 3. National Credit Union Administration (NCUA), 4. Office of the Comptroller of the Currency (OCC), and 5. Consumer Financial Protection Bureau (CFPB).

It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions"

Source: Wikipedia

Page 45: FFIEC Cybersecurity Assessment Tool

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.

To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:

• Technologies and Connection Types

• Delivery Channels

• Online/Mobile Products and Technology Services

• Organizational Characteristics

• External Threats

Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:

• Cyber Risk Management and Oversight

• Threat Intelligence and Collaboration

• Cybersecurity Controls

• External Dependency Management

• Cyber Incident Management and Resilience

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 46: FFIEC Cybersecurity Assessment Tool – Part One

Inherent Risk Profile: Part one of the Assessment identifies the institution’s inherent risk:

• Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services.

• Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered.

• Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered.

• Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.

• External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure.

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 47: FFIEC Cybersecurity Assessment Tool – Risk Levels

The following includes definitions of risk levels:

• Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees.

• Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services.

• Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication.

• Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication.

• Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services.

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 48: FFIEC Cybersecurity Assessment Tool – Part Two

Cybersecurity Maturity

Maturity level within each of the following five domains:

• Domain 1: Cyber Risk Management and Oversight

• Domain 2: Threat Intelligence and Collaboration

• Domain 3: Cybersecurity Controls

• Domain 4: External Dependency Management

• Domain 5: Cyber Incident Management and Resilience

Domains, Assessment Factors, Components, and Declarative Statements: Within each domain are assessment factors and contributing components.

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 49: FFIEC Cybersecurity Assessment Tool – Maturity Levels

Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.

Definitions for each of the maturity levels: The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level.

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 50: FFIEC Cybersecurity Assessment Tool – 5 Domains

1. Domain 1: Cyber Risk Management and Oversight

2. Domain 2: Threat Intelligence and Collaboration

3. Domain 3: Cybersecurity Controls

4. Domain 4: External Dependency Management

5. Domain 5: Cyber Incident Management and Resilience

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Page 51: Mapping FFIEC Cybersecurity Assessment Tool to NIST Cybersecurity Framework

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Page 52: FFIEC Cybersecurity Assessment Tool - Interpreting and Analyzing Assessment Results

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf

Page 53: FFIEC Cybersecurity Assessment Tool - Excel Template

The linked FFIEC Cybersecurity Assessment Tool Excel Template was created to assist in the assessment process. It includes worksheets to complete the Inherent Risk Profile Assessment and Cybersecurity Maturity Assessment.

The Assessment Summary worksheet calculates an Inherent Risk Score and reflects the percentage of Cybersecurity Maturity achieved against defined targets based on the completed assessment worksheets.

Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele

Page 54: FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity

Each of the Cybersecurity Domains is dashboarded to illustrate the percentage of maturity achieved against targets selected for each domain.

Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele

Page 55: FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity

The calculated Cybersecurity Maturity is plotted on the dashboard against the Inherent Risk, highlighting alignment or lack thereof.

Source: FFIEC Cybersecurity Assessment Tool Excel Template by Tony DiMichele

Page 56: FFIEC Cybersecurity Assessment Tool – FAIR International Standard

Factor Analysis of Information Risk (FAIR)

Source: http://www.risklens.com/blog/how-to-effectively-leverage-the-ffiec-cybersecurity-assessment-tool

Page 57: FFIEC Cybersecurity Assessment Tool – Tool by FS-ISAC & FSSCC

FSSCC Automated Cybersecurity Assessment Tool

FS-ISAC collaborated with members of the Financial Services Sector Coordinating Council (FSSCC) on an "automated" tool:

• No attempts were made to interpret or change any of the FFIEC’s stated expectations; and

• Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process

Source: https://www.fsisac.com/article/fsscc-automated-cybersecurity-assessment-tool

Page 58: FFIEC Cybersecurity Assessment

Diagram labels: Risk, Resources, Controls

Source: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf

Page 59: UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT

Ulf Mattsson, CTO Security Solutions

Atlantic Business Technologies

[email protected]