1
Enterprise Data Security Directions 2007
Asim Ahmed Steve Moscarelli Members of ISSA and CSI
2
The Insider Threat ID Theft Tops FTC's List of Complaints
In 2006, for the 5th straight year, identity theft ranked 1st of all fraud complaints.
10 million cases of identity theft annually.
59 percent of companies have detected some internal abuse of their networks.
Costing consumers $5 billion and businesses $48 billion annually.
Terror ties: about 5 percent of identity thieves are tied to terrorist organizations.
Violent crimes: about 15 percent used identity theft to facilitate a violent crime.
Drug trafficking: drugs were related to at least 15 percent of the cases.
Over 23 states have drafted or approved notification laws.
There are over 6 national notification laws in House and Senate committees. Most likely a national notification standard will happen this year.
Are you ready?
Speaker notes: You can run through the numbers here. Key takeaways: data loss is on the rise, ID theft is becoming a national crisis, and healthcare companies are targets.
3
Data Security and Compliance Necessity of exposure, and the risk
Diagram (source: Forrester Research): the corporate network boundary separates sensitive data and the people inside it (employees, contractors, temporaries, visitors) from the outside parties who need or seek access: competitors, customers, employees (remote workers, mobile workers), hackers, business partners (suppliers, outsourcers, consultants), cyber-crime and digital business.
4
Confidential Information
Information Leaks, Spills, Theft, Loss or Extrusion: A Growing Challenge
An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies.
Diagram examples: customer data (customer name, SSN, salaries) sent by a customer service rep to a customer; confidential company information (marketing plans, finance data) sent over web-mail; a doctor (or lawyer) sending patient (or client) information such as patient name, insurance information and diagnosis.
5
Information Leaks: How Do They Occur?
An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies.
Diagram: the confidential information at risk includes customer data (customer name, SSN, salaries), R&D, company information (marketing plans, financials, upcoming reports, M&A) and patient information; the people who handle it include customer service reps, sales, contractors, doctors and finance staff.
6
Unauthorized access to information and proprietary information theft are increasing 2-5X per year in cost to the affected company.
Privacy regulations: SOX, HIPAA, GLBA, PIPEDA, FERPA, EU DPD
Competitive edge: intellectual property, trade secrets, confidential plans
Customer pressure: identity theft, brand damage
Business governance: SEC/NASD rules, legal liability, insurance rules
Sources: CSI/FBI Computer Crime and Security Study; Forrester Research, Inc.
7
Data Security and Compliance Growing Problem with Exec Visibility
Executive concern: California Data Privacy Act (SB-1386); Pennsylvania, New York, Illinois, Wisconsin and 21 other states with regulations; Health Insurance Portability and Accountability Act (HIPAA); Sarbanes-Oxley (SOX); Gramm-Leach-Bliley Act (GLBA).
Traditional security does not address data: network security (firewalls, IPS) has no knowledge of data, and no two organizations have exactly the same data. Database security is not granular enough and brings performance issues.
8
Increasing Business Impact of Information Leaks
Compliance requirements are increasing: federal regulations such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA); state regulations such as the California Data Privacy Act (SB-1386) and 21 other states.
High costs of data breaches: estimated at $140 per consumer record.
Intellectual property/confidential information losses can damage business and competitive advantage.
Cost breakdown (source: Ponemon Institute, SVB Alliant): direct costs $5.0M ($50/record), opportunity costs $7.5M ($75/record), indirect costs $1.5M ($15/record); total $140/record.
9
Top 10 Most Frequent Incidents
1. Patient PHI sent to partner, again, and again
2. Employee 401k information sent outbound and inbound
3. Payroll data being sent to home address
4. Draft press release to outside legal counsel
5. Financial and M&A postings to message boards
6. Source code sent with resume to competitor
7. SSNs... and thousands of them
8. Credit card or account numbers... and thousands of them
9. Confidential patient information
10. Internal memos and confidential information
NPI - Non Public Information
Speaker notes: So what are the most common incidents that happen every day, hundreds of times a day? Any guesses? (Make a joke about how we won't assume it's from your company just because you said it; we'll go with the "a friend told me" rule here.) Any guesses? Build the list.
10
Total cost : $140 per customer
Chart: average recovery costs by type (costs breakdown). Source: The Ponemon Institute
11
Data Security and Compliance Why Data is a Priority?
Cost of data breaches: $140/record, broken down as direct costs $5.0M ($50/record), opportunity costs $7.5M ($75/record) and indirect costs $1.5M ($15/record). Source: Ponemon Institute, SVB Alliant.
Survey question: What do you consider to pose the biggest current threat to your organization's overall security? (multiple responses) Answers listed: leakage of confidential/proprietary information, unpatched vulnerabilities, insider attacks, spyware, phishing attacks, malicious code, spam, denial of service attacks, fraud, keystroke loggers. Response shares shown on the chart: 52%, 24%, 18%, 14%, 10%, 4%, 2%. Source: Merrill Lynch survey of 50 North American CISOs, July 2006.
12
Data Security and Compliance Implications of Data Breach
Brand damage, lawsuits, government investigations, fines and more regulations, service shut down, partner lost, customer lost, company shut down, fire sale of assets.
Headlines cited:
"Security Breaches Of Customers' Data Trigger Lawsuits", July 21, 2005 (WSJ): "Andrew Schultz was just one of many consumers whose banks notified them last month that computer hackers had filched their credit- and debit-card information..."
"Card Center Hit by Thieves Agrees to Sale", October 17, 2005, by Eric Dash (NYT, Business/Financial Desk)
"FTC settles with CardSystems over data breach: Company must adopt security measures, undergo audits", February 24, 2006
13
Endpoints – the Achilles heel of corporate security
Devices can connect to each PC – no visibility, no control.
Over 26,000 different USB products exist; 1.4 billion shipped in 2005: storage devices, networking adapters, printers, scanners, webcams, coffee warmers, hand massagers...
Over 1 billion devices have been sold to date. Over 32 million iPods sold in 2005. Over 5 million Bluetooth devices are sold every week.
Their capacity keeps growing – 10GB drive for $50 by 2010.
They are virtually impossible to trace.
14
Understanding the Threat
39% of USB drive owners use it to transfer files between home and work; 37% of businesses reported the disclosure of company information via USB drive in the past 12 months. -- Yankee Group (2005)
"Data theft accounted for over $50B in losses [in 2004] in America alone." -- The Economist (6/18/2005)
"Poor information security has exposed personal information of over 50 million Americans so far in 2005." -- The Economist (6/18/2005)
"50% of security incidents originate from within an organization." -- 2005 FBI/CSI Computer Crime and Security Survey
"70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise." -- Vista Research
"HIPAA & GLBA mandate removable media controls. We must prevent copying of corporate data to plug-and-play storage devices of all types." -- Consultancy firm
15
Information Security Team
Current situation: devices can connect to any endpoint – no visibility, no control.
Diagram: exposed endpoints reachable over Bluetooth, USB, FireWire, IrDA, WiFi, GPRS and serial, with the information security team unable to see them.
16
Recent End Point Security Incidents
A USB flash drive with top-secret US military information about local spies and informants was sold for $40 at a bazaar in Afghanistan.
A KPMG auditor forgot a CD with personal and financial data of thousands of McAfee employees in an airline seat pocket.
A temporary employee of a French aircraft equipment manufacturer copied confidential data to a USB flash drive and sold it to a competitor in China.
A hacker at the University of California exposed over 0.5M sensitive personal records (a professor had copied the records to a USB flash drive for research, without administrators' knowledge).
A Postal Service bank in Israel was robbed using a wireless modem connected by the thieves to the bank's server.
The Sumitomo Bank in London was attacked by insiders who connected hardware key loggers to about 65 of the bank's computers.
17
Industry Validation
"Emerging technologies guarding against information leakage (whether intentional or not) appear to be garnering strong interest."
"Leakage of confidential/proprietary information was identified as the #1 issue facing CISOs." -- Edward Maguire, Financial Analyst
"The market has shifted from simply monitoring the network for outgoing sensitive data to requiring the prevention of communication of such data to unauthorized recipients." -- Brian Burke, Research Analyst
"Content monitoring and filtering products help organizations address the problem of sensitive data crossing the enterprise network boundary over multiple channels and protocols." -- Rich Mogull, Research Analyst
18
External Leak Prevention is Not Enough
"External" leaks occur at the network perimeter: when employees use and web; lost laptops and stolen servers can also result in data loss.
"Internal" leaks can be equally damaging and costly: printing of confidential information and customer information; internal disclosure of information.
Source: PortAuthority Technologies Data Security Labs, based on reported data security breaches.
Headline cited: "Three charged with stealing Coca-Cola trade secrets", by James Bone of the Times, in New York.
19
Data Security and Compliance Common Questions
Where is my confidential data?
Where is my data going?
Who is using the data?
How can I protect it?
What is the business and resource impact?
How do I get started?
How much does it cost?
20
Business and Product Requirements and Impact
Business Requirements
Requirement: Protect customer data and demonstrate compliance
Drivers: Federal and state regulations such as GLBA, HIPAA, SB1386, Sarbanes-Oxley, PIPEDA
Impact: Reputational damage from security breaches (CardSystems, BJ's). Cost of a data breach incident exceeds $140 per customer (based on independent survey); average cost of identity theft notification exceeds $30 per customer. Financial liability, e.g. a Fortune 500 retailer pays $60 million for a privacy breach. Unplanned costs due to non-compliance.
Requirement: Controls to protect confidential information
Drivers: Protect competitive advantage
Impact: Financial – 2002 ASIS survey: loss of proprietary information and IP in the range of $53 – 59 billion. Competitive advantage – leaks of confidential product, customer or pricing information; loss of source code sets a product launch back by one year. National security – an information leak increases risks for critical infrastructure.
"By 2006, ...privacy mismanagement recovery costs will be in the range of $5-20 million per incident." -- Gartner Research
21
Firewalls, VPNs, IDS/IPS are Ineffective
Stop incoming threats; miss outgoing sensitive information
22
Content Filtering is Ineffective
Very high false positives with keywords and patterns ("confidential")
False negatives with data manipulation (cut and paste)
Limited support for all types of data (file attachments, formats)
Enforcement lacks flexibility; blocks legitimate communications
23
Data Protection A Comprehensive View
Data classification using information fingerprinting
Protect Data In Motion: monitor outbound and internal communications to identify data policy violations; automated selective blocking/enforcement of information reaching unauthorized recipients; automated selective enforcement (e.g. encryption) of sensitive information for authorized recipients.
Protect Data At Rest: discover sensitive data that violates regulatory or internal security policies; automated selective enforcement of unauthorized transfer of files/documents; automated encryption of critical information assets.
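To make the contrast between slides 22 and 23 concrete, here is an added example (not PortAuthority's code; the winnowing-style fingerprint, the sample registered document and the messages are all constructed for illustration). It shows why a keyword rule misses a cut-and-paste fragment yet fires on harmless chatter, while a fingerprint of the registered document catches the fragment, and it applies the selective enforcement the slide describes: block for unauthorized recipients, encrypt for authorized ones.

```python
import hashlib
import re

# Constructed sample "registered" document (not from the presentation).
REGISTERED_DOC = (
    "Project Falcon Q3 marketing plan. Launch in October with a 15 percent "
    "price cut for enterprise customers in the financial services segment. "
    "Budget allocation: 2.4 million for digital, 0.9 million for events."
)
K = 8  # words per shingle
W = 4  # winnowing window (in shingles); any shared run of K+W-1 words shares a fingerprint


def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(text, k=K):
    """Hash every run of k consecutive words; pasting a fragment keeps these intact."""
    t = tokens(text)
    return [int.from_bytes(hashlib.sha256(" ".join(t[i:i + k]).encode()).digest()[:8], "big")
            for i in range(len(t) - k + 1)]


def fingerprint(text, k=K, w=W):
    """Winnowing: keep only the minimum hash of each window of w shingle hashes."""
    hs = shingle_hashes(text, k)
    if len(hs) <= w:
        return set(hs)
    return {min(hs[i:i + w]) for i in range(len(hs) - w + 1)}


def keyword_match(text, keywords=("confidential", "marketing plan")):
    """The keyword approach the slides criticise: it reacts to vocabulary, not to content."""
    low = text.lower()
    return any(kw in low for kw in keywords)


def fingerprint_matches(text, registered):
    """How many winnowed fingerprints the message shares with the registered content."""
    return len(fingerprint(text) & registered)


def enforce(text, recipient, registered, trusted_domains):
    """Selective enforcement: block to unauthorized recipients, encrypt to authorized ones."""
    if fingerprint_matches(text, registered) == 0:
        return "allow"
    domain = recipient.rsplit("@", 1)[-1].lower()
    return "encrypt" if domain in trusted_domains else "block"


if __name__ == "__main__":
    reg = fingerprint(REGISTERED_DOC)
    pasted = ("fyi from the plan: launch in October with a 15 percent price cut for "
              "enterprise customers in the financial services segment, call me")
    print(keyword_match(pasted), fingerprint_matches(pasted, reg))
    print(enforce(pasted, "someone@example.net", reg, {"example.com"}))
```

In the pasted message the keyword rule sees neither "confidential" nor "marketing plan", but the 18-word run copied from the registered document yields several shared fingerprints, so the message is blocked to an outside domain and encrypted to a trusted one.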
24
Data Security and Compliance The Landscape
Diagram: three areas, each with honest and rogue employees as the actors.
Data In Motion: outgoing communications, internal communications, databases and documents; communication channels; monitoring and enforcement; accidental, intentional and malicious leaks.
Transaction Data: direct database access and access via applications (web applications, web services); transaction applications; databases; customers and criminals.
Data At Rest: servers, endpoints, data storage (SAN and NAS); data classification, device control, content control, application control.
25
Data At Rest – Disk and Tape Encryption?
Problematic for logical access control: the object is accessible even if its contents are protected; it does not eliminate the need for access controls; it is "on or off" — once decrypted, the user can transfer the data to an unencrypted format; group-, role- or user-based key management is difficult; database encryption is complicated by indices and performance.
Best suited for physical access control: media encryption is less problematic.
Source: Gartner
26
Data Security and Compliance The Landscape
(Landscape diagram repeated from slide 24 as a section divider.)
27
Transactional Data Control Unauthorized Activity
Diagram: transaction data is reached through both the web application tier (web servers, used by customers, partners and internet users) and the database tier (database servers, used by business users, administrators and developers), by both internal and external users. Two threats apply at both tiers: privilege abuse (usage of data outside authorized use) and vulnerability exploits (exploiting vulnerabilities to gain unauthorized access).
28
Data Security and Compliance The Landscape
Diagram (as on slide 24, with honest and rogue employees as the actors in each area):
Data In Motion: outgoing communications, internal communications, databases and documents; communication channels; monitoring and enforcement; accidental, intentional and malicious leaks.
Transaction Data: direct database access and access via applications (web applications, web services); transaction applications; databases; customers and criminals.
Data At Rest: endpoints, servers, data storage (SAN and NAS), data backup; data classification, device control, content control, application control.
29
Reduce Your Risk: Learn, Monitor, Enforce (Define Metrics, Assess Risk)
Process diagram: define metrics, assess risk, reduce risk.
Learn: use pre-defined policies or create custom policies; learn critical information using the PortAuthority information fingerprinting service.
Monitor: monitor communication channels; report matches against policies and information fingerprints; tune PortAuthority policies.
Enforce (audit, notify, quarantine, block, encrypt ...): enable the enforcement policy; quarantine suspicious messages; create an audit trail of all communications to substantiate compliance; reduce violations to required levels.
30
Thank You
Asim Ahmed (Asim@PortAuthorityTech)
Steve Moscarelli