It s About the Data, Stupid.

Size: px

Start display at page:

Download "It s About the Data, Stupid."

Edith Farmer
5 years ago
Views:

1 Next Presentation Begins at 16:40 It s About the Data, Stupid. Salo Fajer, Chief Technology Officer

2 It s About the Data, Stupid. Salo Fajer, Chief Technology Officer

3 First, allow me to explain my session title The definition of insanity is repeating the same actions and expecting a different result. Albert Einstein

4 Data/Records Exposed Year #1 Threat Action # Records Exposed 2010 Tampering (Physical) 96M 2011 Brute Force (Hacking) 413M 2012 Spyware/Keylogger (Malware) 265M 2013 Stolen Credentials (Social Engineering) 815M 2014 set new records: 1.1 billion sensitive records were compromised across 3,014 incidents. 22.3% increase over 2013 in the number of records lost. 28.5% increase in the number of data breaches disclosed.

5 Global Security Spend For Same Period Total Security Spend Technology Layer Network Security 32% $16,190,720,000 30% $17,222,400,000 32% $19,667,200,000 30% $19,771,800,000 29% $20,631,180,000 Security Operations 14% $7,083,440,000 13% $7,463,040,000 14% $8,604,400,000 14% $9,226,840,000 12% $8,537,040,000 Database Security & Encryption 16% $8,095,360,000 17% $9,759,360,000 17% $10,448,200,000 16% $10,544,960,000 12% $8,537,040,000 Risk and Compliance Management 10% $5,059,600,000 9% $5,166,720,000 9% $5,531,400,000 10% $6,590,600,000 11% $7,825,620,000 Application Security 10% $5,059,600,000 11% $6,314,880,000 11% $6,760,600,000 12% $7,908,720,000 12% $8,537,040,000 Endpoint Security/Antivirus 10% $5,059,600,000 11% $6,314,880,000 10% $6,146,000,000 9% $5,931,540,000 13% $9,248,460,000 Identity & Access Management 7% $3,541,720,000 8% $4,592,640,000 6% $3,687,600,000 8% $5,272,480,000 10% $7,114,200,000 Data Security (DLP & DRM) 1% $436,000,000 1% $458,000,000 1% $481,000,000 1% $555,000,000 1% $661,000,000 TOTAL ANNUAL SECURITY SPEND 100% $50,526,040, % $57,291,920, % $61,326,400, % $65,801,940, % $71,091,580,000 *Source: Gartner Forecast: Information Security, Worldwide, , 3Q14 Update *Source: Understand The State Of Data Security And Privacy: 2010 To 2015 By Heidi Shey, Kelley Mak with Stephanie Balaouras, Jennie Duong

6 In Case You Missed It Year Spending on Data Security % of Total Global Security Spend 2010 $436M 1% 2011 $458M 1% 2012 $481M 1% 2013 $555M 1% 2014 $661M 1% *Source: Gartner Forecast: Information Security, Worldwide, , 3Q14 Update *Source: Understand The State Of Data Security And Privacy: 2010 To 2015 By Heidi Shey, Kelley Mak with Stephanie Balaouras, Jennie Duong

7 Why We Must Start Protecting Data

New Market Dynamics Hacking for Profit: Counterfeit Credentials for Sale: New Identities, Passports, Drivers Licenses and Social Security cards.

8 New Market Dynamics Hacking for Profit: Counterfeit Credentials for Sale: New Identities, Passports, Drivers Licenses and Social Security cards. $150 - $500 Hacker Training tutorials: $1 - $30 Premium Credit Cards for Sale: $17 - $35 (bundle prices offered) Online bank accounts for sale: 6% of the account balance $4,200 for an account with $70, % Satisfaction Guarantee with customer service included Malware $20 - $250 9

9 Evolving Threats SOCIAL ENGINEERING SUPPLY CHAIN CONNECTIONS WEB 10 USB STICKS INSIDER TCP/135 OPEN PORTS

10 Plagued by Malware 300M 250M MALWARE GROWTH 200M 150M 100M 50M Source: AV Test.org

11 Plagued by Malware M 250M 200M 150M 100M 50M Over 1B Source: AV Test.org

12 Defense Alone Isn t Working Web Gateway Firewall Network IPS Mail Gateway Host AV Host IPS 13

13 And Attacks Are Costly 64% Weeks COMPROMISE TO DISCOVERY 12% Months 4% Years 9% Hours 11% Days DISCOVERY TO CONTAINMENT 23% Months 2% Minutes 19% Hours 14 14% Weeks 42% Days Sources: Verizon 2013 Data Breach Investigations Report. Securosis Malware Analysis Quant Metrics Model 14 $8,769 / Incident $3,840,988 / Year 1.2 incidents / Day

14 Direct and Indirect Damages Downtime Brand Impact Data Loss Priceless DATA LEAKAGE 16 16

15 Example: Sony Pictures Sony faces four class action lawsuits related to the breach. Sony allocated $15M to deal with on-going damages of the incident. Sony Co-Chairperson, Amy Pascal, steps down in May 2015.

Employee PII and health info including 47,000 SSNs James Bond s Spectre Script, Employee

16 Example: Sony Pictures 100 TB of data leaked in 2014 Unstructured Data: Yet-to-be released movies like Annie, and Still Alice, or Fury (was in theaters) Structured Data: Employee PII and health info including 47,000 SSNs James Bond s Spectre Script, Employee salary data in Excel spreadsheets HR, Sr. Executive and employee s on private subjects

17 How to Start Protecting Data

18 Technical Considerations Recalibrate your security spend Data vs. Infrastructure Improve visibility Minimize surprises Evolve to data-aware security Observe what matters the data 20

19 3 Practical Steps to Data Protection STEP 1 STEP 2 STEP 3 Identify Your Sensitive Data Classify That Data Ensure the Secure Use of Sensitive Data

HIPAA regulated data Personal Credit Information

20 Step 1: Identify Your Sensitive Data Intellectual Property (IP) Trade Secrets Merger & Acquisition Financial Statements Sales & Revenue Data Personal Health Information (PHI) HIPAA regulated data Personal Credit Information (PCI) PCI-DSS regulated data Personally Identifiable Information (PII)

21 Step 2: Classify That Data Restricted Data Private Data Public Data Source:

22 Step 3: Ensure the Secure Use of Sensitive Data Three Components: 1. People 2. Process 3. Technology

23 People Employee Awareness & Training What is sensitive data and how should your employees handle it?

24 Process Define your policies around safeguards for sensitive data

Engage users at the time of risk (i.e. real-time prompts).

25 Technology Enforce Policies In a seamless manner that doesn t negatively impact your employees ability to get the job done. Engage users at the time of risk (i.e. real-time prompts). Protects from outsider data egress as well.

47,000 SSNs, James Bond s Spectre Script, employee salary data in Excel spreadsheets Policy: Cannot leave

26 Sony Pictures Case Study (Applied) Restricted Data Unstructured Data: Yet-to-be released movies like Annie, and Still Alice, or Fury (was playing in theaters) Structured Data: Employee PII and health info including 47,000 SSNs, James Bond s Spectre Script, employee salary data in Excel spreadsheets Policy: Cannot leave the corporate network without approval and encryption. Block egress otherwise. POLICY APPLIED >> EGRESS BLOCKED

27 As we say at Digital Guardian

28 Thank You Questions? Come See Me At Our Stand STAND# B181 Salo Fajer, CTO, Digital Guardian,

Protecting Your Data in the Cloud. Ulf Mattsson Chief Technology Officer ulf.mattsson [at] protegrity.com

Protecting Your Data in the Cloud Ulf Mattsson Chief Technology Officer ulf.mattsson [at] protegrity.com Ulf Mattsson 20 years with IBM Development & Global Services Inventor of 22 patents Encryption and