Welcome - New Orleans | October 22-25 | #TC18… · Get Creative with Connecting to Data •Some...


Welcome


Data-Driven Solutions to Security Challenges

#TC18

Greg Alice

Information Security Engineer

Tableau Operations

Heather Kraus

Information Security Engineer

Tableau Operations


Discussion Points

Data, Measurement, Metrics, and Security

Identifying and Tracking Key Data and Assets

“Big Picture” Access Control

The Art of Managing Phishing

Visualizing Risk

Disclaimer: All data presented here is either example or anonymized data.


Data, Measurement, Metrics, and Security


Choosing Good Metrics

• Look to SLAs
  • Measure expectations of systems and/or service
• Key Indicators
  • Risk
  • Goal
  • Performance
• Start with the basics, then refine and expand
  • Iterate based on needs and new information
• Don’t stop collecting technical measurements!
  • Deepen your understanding of technical tool functionality


Choosing Good Metrics

• Compliance

• Awareness

• Productivity

• Technical Security Architecture

• Security Operational Performance

• Security Cost Efficiency


Get Creative with Connecting to Data

• Some data sources can be uncooperative
  • Limited capability to provide access to the data
  • No export functions
  • Reports only available as formatted content (Word, Excel, etc.) that is not easily parsed
  • No API
  • Inability to add fields needed to facilitate meaningful analysis
• Lots of data exists – challenge is connecting to the data in a meaningful way
• One solution is to create a taxonomy for an existing field
  • Also create queries to see if your taxonomy is working
  • Use calculations to parse out meaningful data


Information Security User Tickets


Security Questionnaire Dashboard


Security Questions

What are our top risks?

How many phishing emails are reported each day? How often do people click through?

How often are our users logging in? From where?

Has access been deactivated for all terminated users?


What is My Risk of Data Loss?

<erno> hm. I’ve lost a machine.. literally _lost_, it responds to ping, it works completely, I just can’t figure out where in my apartment it is.

I have an urgent request for gift cards. please reply back soonest.

Superstore CEO


Employee Acknowledgement


Identifying and Tracking Key Data and Assets


Finding Data and Assigning Value

• The power of robots and people

• How much is any one asset worth to you?
  • Remember tangible and intangible assets
  • Total cost of replacement
  • Impact of 100% loss


Visualizing Data Locations


Scoping


Reporting


“Big Picture” Access Control


Proper Access Control is Hard

• Core concepts: Separation of Duties and Least Privilege

• May not have enough people to effectively perform separation of duties

• It’s often easier to give more access than is required


Role-Based Access

• As much a business process as a technical one:
  • Defining job description in terms of required access
  • Verifying personnel during hiring
  • Manager verification of required access change after hiring
• How does one define a role?
  • Job Duty or Title
  • Manager’s Reports
  • Company Internal
  • Home Department
  • Building
  • Location


Pre-Defined Access Control Lists

Group/Application
Group 1 | No Access | Read Only | No Access | Read/Write
Group 2 | No Access | Read/Write | Read Only | Read/Write
Group 3 | No Access | Read/Write | Read Only | Read/Write
Group 4 | Read/Write | Read/Write | Read Only | Read/Write
Group 5 | Read Only | Audit | Audit | Read/Write
Group 6 | Audit | Read/Write | Read/Write | Read/Write


Calculated Baseline Field


Spotting Abnormalities


Create a Security Baseline with Tableau

1. Take a snapshot of expected values and place into a text file

2. Join live data to snapshot

3. Create a True/False calculated field for each value (field) you wish to monitor

4. Aggregate checks together in another calculated field to watch more than one value

5. Add calculated match field or aggregated calculation into criteria

If [Field1 Current Value] = [Field1 Baseline Value] Then True
Else False
End

If Field1Match AND Field2Match Then…
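The five steps above, carried out outside Tableau as an added example (not part of the original slides): the snapshot holds the pre-defined permissions per group, the live data holds each user's current permissions, and the two calculated fields become a per-field match and an aggregated match. The application names (App A to App D), the user names and the live rows are constructed for illustration.

```python
import csv
import io

# Step 1: snapshot of expected values, as it would sit in a text file.
# Constructed sample: permission levels follow the slide's Group 1 and Group 5
# rows; the application names are placeholders (the slides do not name them).
BASELINE_TXT = """group,App A,App B,App C,App D
Group 1,No Access,Read Only,No Access,Read/Write
Group 5,Read Only,Audit,Audit,Read/Write
"""
# Constructed "live" export: one row per user with current permissions.
LIVE_TXT = """user,group,App A,App B,App C,App D
alice,Group 1,No Access,Read Only,No Access,Read/Write
bob,Group 1,Read/Write,Read Only,No Access,Read/Write
carol,Group 5,Read Only,Audit,Read/Write,Read/Write
dave,Group 9,No Access,No Access,No Access,No Access
"""
FIELDS = ["App A", "App B", "App C", "App D"]


def check_baseline(live_txt, baseline_txt, fields=FIELDS):
    """Join live rows to the snapshot and compute the match fields per row."""
    baseline = {r["group"]: r for r in csv.DictReader(io.StringIO(baseline_txt))}
    results = []
    for row in csv.DictReader(io.StringIO(live_txt)):
        expected = baseline.get(row["group"])  # step 2: join on group
        if expected is None:
            # No baseline row for this group: fail the check, never pass silently.
            results.append({"user": row["user"], "all_match": False,
                            "drift": {"group": (row["group"], None)}})
            continue
        # Step 3: one True/False match per monitored field.
        matches = {f: row[f].strip() == expected[f].strip() for f in fields}
        # Step 4: aggregate the individual checks; keep (current, baseline) pairs.
        drift = {f: (row[f], expected[f]) for f in fields if not matches[f]}
        results.append({"user": row["user"], "all_match": all(matches.values()),
                        "drift": drift})
    return results


def abnormal(results):
    """Step 5: use the aggregated match as the filter criterion."""
    return [r for r in results if not r["all_match"]]


if __name__ == "__main__":
    for r in abnormal(check_baseline(LIVE_TXT, BASELINE_TXT)):
        print(r["user"], r["drift"])
```

A live row whose group has no snapshot entry is reported as a mismatch, which is the case an inner join in step 2 would hide.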


Calculated Baseline Field


Physical and Logical Access


The Art of Managing Phishing


Phishing Risk

• Phishing is still 98% of all social engineering incidents, with email being the most common vector at 96%

• Only 22% of people clicked on a phish!

• 4% of people will click on any given phishing campaign

• Only 17% of campaigns were reported

• Phishing is still used as an opening attack volley
  • Malware installation and ultimately data exfiltration follow a successful phish
• Timing is everything
  • Time until first click: 16 minutes
  • Most clicks: within 90 minutes
  • First report: 28 minutes
  • Half of reports: 33 minutes

Source: Verizon DBIR 2018


Phishing Campaigns and Actors

• Actors can launch multiple campaigns over time

• Campaigns aren’t limited to a single organization

• Threat intelligence is critical
  • Open Source Intelligence is a powerful tool
  • What campaigns and actors are affecting similar organizations?
  • What campaigns and actors have affected YOU in the past?


Finding Phish Patterns

• Sender and Subject

• Email headers

• Body of message


Tracking Actors and Methods


C-Suite Fraud


Your Targets?

• Common types of targets:
  • 4% that will click anything
  • Addresses that scammers think are part of that 4%
  • Well-known group email lists or mailboxes
  • Public email addresses
• Awareness: Train users to report!
  • Goal: Increase reporting percentage and decrease click percentage
  • Constant reinforcement is key
• Testing: Conduct phishing tests to identify your organizational 4%
  • Once identified, specialized awareness material can be crafted …
  • … Or at least additional monitoring


Finding the Repeat Offenders


Visualizing Risk


What is Risk?

• Simply: Risk = Probability of a bad event occurring × Amount of loss incurred from the event

• Important to document inputs and reasoning behind how those values are decided

• Balance result with organization risk tolerance


Managing Risk

• Identify

• Assess

• Monitoring

• Mitigation

• Reporting


Rank, Rack & Stack, Prioritize Risk


Rank, Rack & Stack, Prioritize Risk


Rank, Rack & Stack, Prioritize Risk


Rank, Rack & Stack, Prioritize Risk


Risk Visualization


Visualizing Risk


Visualizing Risk


What’s My Risk of Data Loss?

• What kind of data do I have?

• Do I know where my data is?

• Have I labeled my data?

• Are employees aware of how to handle data?

• Who has access to the data?

• Are employees who have access to that data likely to be phished?


RELATED SESSIONS

Security Meetup
Wed | 1:45 – 2:45 | MCCNO – L1 – Hall B2-1

Tableau Server Security in Depth
Thurs | 2:15 – 3:15 | MCCNO – L3 – 351


SESSION REPEATS

IT @ Tableau | Data-Driven Solutions to Security Challenges
Tues | 10:45 – 11:45 | MCCNO – L2 - 263

IT @ Tableau | Data-Driven Solutions to Security Challenges
Wed | 10:45 – 11:45 | MCCNO – L2 - 263


Please complete the session survey from the My Evaluations menu in your TC18 app


Thank you!

#TC18

Heather Kraus

Greg Alice
