Slide 1: Enterprise Data Security Directions 2007
Asim Ahmed, Steve Moscarelli, Members of ISSA and CSI

Slide 2: The Insider Threat
ID Theft Tops FTC's List of Complaints
– In 2006, for the 5th straight year, identity theft ranked 1st among all fraud complaints.
– 10 million cases of identity theft annually.
– 59 percent of companies have detected some internal abuse of their networks.

Slide 3: Data Security and Compliance – Necessity of exposure, and the risk
Diagram of who touches sensitive data: Employees (remote workers, mobile workers); Business Partners (suppliers, outsourcers, consultants); Contractors; Temporaries; Visitors; Customers; Competitors; Hackers; Digital Business; Cyber-crime. Source: Forrester Research.

Slide 4: Customer Information Leaks, Spills, Theft, Loss or Extrusion: A Growing Challenge
An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies.
Diagram: customer data (customer name, SSN, insurance information), patient (client) information (patient name, diagnosis) and company info (salaries, marketing plans, confidential finance information) leave through customer service, doctors (lawyers) and finance, e.g. sent over web-mail or sent by a customer service rep.

Slide 5: Information Leaks: How Do They Occur?
(Same definition of an information leak as on slide 4.) Diagram: your data (customer data, customer names, SSNs, salaries, patient information, marketing plans, financials, upcoming reports, M&A, other confidential information) leaves via Customer Service, Sales, R&D, Doctors, Contractors and Finance, e.g. sent by a customer service rep.

Slide 6: Unauthorized access to information and proprietary information theft are increasing 2-5X per year in cost to the affected company. Sources: 2005 CSI/FBI Computer Crime and Security Study; Forrester Research, Inc.
Drivers for data security:
– Competitive edge: intellectual property, trade secrets, confidential plans
– Customer pressure: identity theft, brand damage
– Privacy regulations: SOX, HIPAA, GLBA, PIPEDA, FERPA, EU DPD
– Business governance: SEC/NASD rules, legal liability, insurance rules

Slide 7: Data Security and Compliance – Growing Problem with Exec Visibility
Executive concern:
– California Data Privacy Act (SB-1386); Pennsylvania, New York, Illinois, Wisconsin and 21 other states with regulations
– Health Insurance Portability and Accountability Act (HIPAA)
– Sarbanes-Oxley (SOX)
– Gramm-Leach-Bliley Act (GLBA)
Traditional security does not address data:
– Network security (FW, IPS) has no knowledge of data
– No two organizations have exactly the same data
– Database security is not granular enough, plus performance issues

Slide 8: Increasing Business Impact of Information Leaks
Compliance requirements are increasing:
– Federal regulations such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA)
– State regulations such as the California Data Privacy Act (SB-1386) and 21 other states
– High costs of data breaches: estimated at $140 per consumer record
Intellectual property/confidential information losses can damage business and competitive advantage.
Cost of a breach (Source: Ponemon Institute, SVB Alliant; the dollar totals correspond to 100,000 records):
– Direct costs: $50/record ($5.0M)
– Indirect costs: $15/record ($1.5M)
– Opportunity costs: $75/record ($7.5M)
– Total: $140/record

Slide 9: Top 10 Most Frequent Incidents
1. Patient PHI sent to partner, again, and again
2. Employee 401k information sent outbound and inbound
3. Payroll data being sent to home address
4. Draft press release to outside legal counsel
5. Financial and M&A postings to message boards
6. Source code sent with resume to competitor
7. SSNs… and thousands of them
8. Credit card or account numbers… and thousands of them
9. Confidential patient information
10. Internal memos and confidential information

Slide 10: Costs Breakdown (chart: average recovery costs by type; total cost $140 per customer). Source: The Ponemon Institute.

Slide 11: Data Security and Compliance – Why Data is a Priority?
Cost of data breaches: $140/record (direct $50/record, $5.0M; indirect $15/record, $1.5M; opportunity $75/record, $7.5M). Source: Ponemon Institute, SVB Alliant.
"What do you consider to pose the biggest current threat to your organization's overall security?" (multiple responses; Merrill Lynch survey of 50 North American CISOs, July 2006). Responses, in the slide's order: leakage of confidential/proprietary information, unpatched vulnerabilities, insider attacks, spyware, phishing attacks, malicious code, spam, denial of service attacks, fraud, keystroke loggers. Percentages shown on the chart, in order: 52%, 24%, 18%, 14%, 10%, 4%, 2%.

Slide 12: Data Security and Compliance – Implications of Data Breach
Headlines:
– "Card Center Hit by Thieves Agrees to Sale", Eric Dash, New York Times, Business/Financial Desk, October 17, 2005
– "FTC settles with CardSystems over data breach: Company must adopt security measures, undergo audits", February 24, 2006
– "Security Breaches Of Customers' Data Trigger Lawsuits", Wall Street Journal, July 21, 2005: "Andrew Schultz was just one of many consumers whose banks notified them last month that computer hackers had filched their credit- and debit-card information…"
Implications:
– Partner lost, customer lost
– Brand damage, service shut down
– Lawsuits, government investigations, fines and more regulations
– Company shut down, fire sale of assets

Slide 13: Endpoints – the Achilles heel of corporate security
Devices can connect to each PC – no visibility, no control.
Over 26,000 different USB products exist, 1.4 billion shipped in 2005:
– Storage devices
– Networking adapters
– Printers, scanners, webcams
– Coffee warmers, hand massagers …
Over 1 billion devices have been sold to date:
– Over 32 million iPods sold in 2005
– Over 5 million Bluetooth devices are sold every week
– Their capacity keeps growing – 10GB drive for $50 by 2010
– They are virtually impossible to trace

Slide 14: Understanding the Threat
– 39% of USB drive owners use it to transfer files between home and work; 37% of businesses reported the disclosure of company information via USB drive in the past 12 months. -- Yankee Group (2005)
– "Data theft accounted for over $50B in losses [in 2004] in America alone." -- The Economist (6/18/2005)
– "Poor information security has exposed personal information of over 50 million Americans so far in 2005." -- The Economist (6/18/2005)
– "50% of security incidents originate from within an organization." -- 2005 FBI/CSI Computer Crime and Security Survey
– "70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise." -- Vista Research
– "HIPAA & GLBA mandate removable media controls. We must prevent copying of corporate data to plug-and-play storage devices of all types." -- Consultancy Firm

Slide 15: Current Situation: Devices can connect to any endpoint – no visibility, no control
Diagram: the Information Security Team faces exposed endpoints reachable over Bluetooth, USB, FireWire, IrDA, WiFi, GPRS and serial.

Slide 16: Recent End Point Security Incidents
– A USB flash drive with top-secret US military information about local spies and informants was sold for $40 at a bazaar in Afghanistan.
– A KPMG auditor forgot a CD with personal and financial data of thousands of McAfee employees in an airline seat pocket.
– A temporary employee of a French aircraft equipment manufacturer copied confidential data to USB flash and sold it to a competitor in China.
– A hacker at the University of California exposed over 0.5M sensitive personal records (a professor had copied the records to USB flash for research, without administrators' knowledge).
– A Postal Service bank in Israel was robbed using a wireless modem connected by the thieves to the bank's server.
– The Sumitomo Bank in London was attacked by insiders who connected hardware key loggers to about 65 of the bank's computers.

Slide 17: Industry Validation
– "Emerging technologies guarding against information leakage (whether intentional or not) appear to be garnering strong interest."
– "Leakage of confidential/proprietary information was identified as the #1 issue facing CISOs."
– "The market has shifted from simply monitoring the network for outgoing sensitive data to requiring the prevention of communication of such data to unauthorized recipients."
– "Content monitoring and filtering products help organizations address the problem of sensitive data crossing the enterprise network boundary over multiple channels and protocols."
Quoted analysts: Edward Maguire, Financial Analyst; Brian Burke, Research Analyst; Rich Mogull, Research Analyst.

Slide 18: External Leak Prevention is Not Enough
"External" leaks occur at the network perimeter:
– When employees use e-mail and the web
– Lost laptops and stolen servers can also result in data loss
"Internal" leaks can be equally damaging and costly:
– Printing of confidential information and customer information
– Internal disclosure of information
Headline: "Three charged with stealing Coca-Cola trade secrets", James Bone, The Times, New York. Source: PortAuthority Technologies Data Security Labs, based on reported data security breaches.

Slide 19: Data Security and Compliance – Common Questions
– Where is my confidential data?
– Where is my data going?
– Who is using data?
– How can I protect it?
– What is the business and resource impact?
– How do I get started?
– How much does it cost?

Slide 20: Business and Product Requirements and Impact
Business requirements:
– Controls to protect confidential information
– Protect customer data and demonstrate compliance
Impact:
– Reputational damage from security breaches: CardSystems, BJ's
– Cost of a data breach incident exceeds $140 per customer (based on independent survey)
– Financial liability, e.g. a Fortune 500 retailer pays $60 million for a privacy breach
– Unplanned costs due to non-compliance
– Financial: 2002 ASIS survey puts loss of proprietary information and IP in the range of $53–59 billion
– Loss of competitive advantage: leaks of confidential product, customer or pricing information
"By 2006, … privacy mismanagement recovery costs will be in the range of $5-20 million per incident." – Gartner Research

Slide 21: Firewalls, VPNs, IDS/IPS are Ineffective
They stop incoming threats; they miss outgoing sensitive information.

Slide 22: Content Filtering is Ineffective
– Very high false positives with keywords, patterns ("confidential")
– False negatives with data manipulation (cut and paste)
– Limited support for all types of data (file attachments, formats)
– Enforcement lacks flexibility; blocks legitimate communications

Slide 23: Data Protection – A Comprehensive View
Data classification using information fingerprinting.
Protect Data In Motion:
– Monitor outbound and internal communications to identify data policy violations
– Automated selective blocking/enforcement of information reaching unauthorized recipients
– Automated selective enforcement (e.g. encryption) of sensitive information for authorized recipients
Protect Data At Rest:
– Discover sensitive data that violates regulatory or internal security policies
– Automated selective enforcement against unauthorized transfer of files/documents
– Automated encryption of critical information assets
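The following Python scanner is an added example for slides 22 and 23; it is not code from the slides or from PortAuthority. It puts the keyword matching slide 22 criticises next to two of the techniques slide 23 relies on: a card-number pattern validated with the Luhn checksum (so order or phone numbers do not fire), and a toy form of information fingerprinting (hashed word 5-grams) that still matches when a passage is cut and pasted into a message that never says "confidential". The reference document, the four outbound messages, the 5-word shingle size and the 0.5 paste threshold are all constructed assumptions for the demo; commercial fingerprinting uses rolling hashes and winnowing rather than plain n-gram sets.

```python
"""Added example (not from the slides): a toy DLP content scanner contrasting
keyword matching with Luhn-validated pattern matching and document
fingerprinting. All sample texts are constructed for the demo."""
from __future__ import annotations

import hashlib
import re

# --- Technique 1: keyword matching, the approach slide 22 calls ineffective.
KEYWORDS = ("confidential", "internal only")


def keyword_hit(text: str) -> bool:
    low = text.lower()
    return any(k in low for k in KEYWORDS)


# --- Technique 2: card-number pattern, validated with the Luhn checksum so
# that arbitrary 13-19 digit strings (order refs, phone numbers) do not fire.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


# --- Technique 3: information fingerprinting. The reference document is
# reduced to hashed word 5-grams ("shingles"); a message whose shingles
# overlap the reference set carries pasted content, keyword or not.
SHINGLE_WORDS = 5   # assumption: 5-word shingles


def _shingles(text: str) -> list[str]:
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [" ".join(words[i:i + SHINGLE_WORDS])
            for i in range(len(words) - SHINGLE_WORDS + 1)]


def fingerprint(text: str) -> set[str]:
    # Only truncated hashes are kept; the protected text itself is not stored.
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in _shingles(text)}


def fingerprint_score(message: str, reference: set[str]) -> float:
    shingles = fingerprint(message)
    if not shingles:
        return 0.0
    return len(shingles & reference) / len(shingles)


# --- Policy: graded enforcement instead of blocking on every keyword
# (slide 22's "blocks legitimate communications").
def scan(message: str, reference: set[str], paste_threshold: float = 0.5) -> dict:
    cards = find_card_numbers(message)
    score = fingerprint_score(message, reference)
    kw = keyword_hit(message)
    if cards or score >= paste_threshold:
        verdict = "block"
    elif kw:
        verdict = "review"      # a keyword alone is too weak to block on
    else:
        verdict = "allow"
    return {"keyword": kw, "cards": cards,
            "fingerprint": round(score, 3), "verdict": verdict}


# Constructed reference document (the "learn" step): a marketing plan.
PROTECTED_DOC = ("Project Falcon marketing plan for Q3 2007. We will launch the "
                 "premium tier in September with a 20 percent launch discount for "
                 "existing enterprise customers, targeting 4,000 seats in the first "
                 "quarter and a two million dollar revenue uplift by year end.")
REFERENCE_FP = fingerprint(PROTECTED_DOC)

# Constructed outbound messages (the "monitor" step).
MESSAGES = {
    "lunch": "Please keep this confidential: the team lunch is at noon on Friday.",
    "paste": "FYI - we will launch the premium tier in September with a 20 percent "
             "launch discount for existing enterprise customers.",
    "order": "Order ref 1234 5678 9012 3456 shipped this morning.",
    "card":  "Customer card 4111 1111 1111 1111, exp 12/09, please refund.",
}


def scan_all() -> dict:
    return {name: scan(msg, REFERENCE_FP) for name, msg in MESSAGES.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:6s} -> {result}")
```

Running it shows the four outcomes the slides describe: the lunch note trips the keyword rule but nothing else (review, not block); the pasted paragraph has no keyword at all yet about 93% of its shingles are in the reference fingerprint (block); the order reference looks like a card number but fails Luhn (allow); the real test card number passes Luhn (block).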

Slide 24: Data Security and Compliance – The Landscape
Diagram of three data states and their controls:
– Data At Rest (data storage on SAN and NAS; servers, endpoints; databases and documents): data classification, device control, content control, application control
– Transaction Data (databases, transaction applications): direct database access; access via applications, web applications, web services
– Data In Motion (communication channels): outgoing communications, internal communications; monitoring and enforcement
Actors: employees (honest and rogue), customers and criminals; leaks are accidental, intentional and malicious.

Slide 25: Data At Rest – Disk and Tape Encryption?
Problematic for logical access control:
– Object accessible, even if contents protected
– Does not eliminate need for access controls
– "On or off": once decrypted, user can transfer to unencrypted format
– Group-, role- or user-based key management difficult
– Database encryption complicated by indices and performance
Best suited for physical access control:
– Media encryption less problematic
Source: Gartner

Slide 26: Data Security and Compliance – The Landscape (landscape diagram repeated from slide 24)

Slide 27: Transactional Data Control – Unauthorized Activity
Diagram: internal users (business users, administrators, developers) and external users (customers, partners, Internet users) reach transaction data through web servers and database servers; the threats shown are privilege abuse and vulnerability exploits.
– Both web application and database tier
– Both internal and external users
– Privilege abuse: usage of data outside authorized use
– Vulnerability exploits: exploiting vulnerabilities to gain unauthorized access

Slide 28: Data Security and Compliance – The Landscape (landscape diagram repeated from slide 24, now listing Endpoints, Servers under Data At Rest and Data Backup alongside Data Storage)

Slide 29: Reduce Your Risk – Audit, Notify, Quarantine, Block, Encrypt …
A cycle of Define Metrics, Learn, Monitor, Assess Risk, Enforce, Reduce Risk:
– Define Metrics / Learn: use pre-defined policies or create custom policies; learn critical information using the PortAuthority information fingerprinting service
– Monitor / Assess Risk: monitor communication channels; reporting of matches against policies and information fingerprints; tune PortAuthority policies
– Enforce: enable enforcement policy; quarantine suspicious messages; create an audit trail of all communications to substantiate compliance
– Reduce Risk: reduce violations to required levels

Slide 30: Thank You
Asim Ahmed, Steve Moscarelli
