
Enterprise Data Security Directions 2007


Presentation Transcript


  1. Enterprise Data Security Directions 2007. Asim Ahmed, Steve Moscarelli. Members of ISSA and CSI.

  2. The Insider Threat: ID Theft Tops FTC's List of Complaints • In 2006, for the 5th straight year, identity theft ranked 1st of all fraud complaints. • 10 million cases of identity theft annually. • 59 percent of companies have detected some internal abuse of their networks.

  3. Data Security and Compliance: Necessity of Exposure, and the Risk. [Diagram: the corporate network boundary separates insiders (employees, contractors, temporaries, visitors) and the sensitive data they hold from the outside parties the business must be exposed to: customers, remote and mobile employees, business partners (suppliers, outsourcers, consultants), digital business, competitors, hackers and cyber-crime. Source: Forrester Research]

  4. Information Leaks, Spills, Theft, Loss or Extrusion: A Growing Challenge. An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies. [Diagram: customer data (customer name, SSN) sent by a customer service rep; confidential company information (salaries, marketing plans, company info) from finance sent over web-mail; patient (client) information (patient name, insurance information, diagnosis) passing between patient and doctor (lawyer).]

  5. Information Leaks: How Do They Occur? An information leak occurs when sensitive customer data or company information is distributed within or outside the enterprise in violation of regulatory or company policies. [Diagram: your data (customer data such as SSNs and customer names; confidential information such as salaries, company info and marketing plans; patient information; financials, upcoming reports, M&A) leaving through customer service reps, R&D, sales, contractors, doctors and finance.]

  6. Unauthorized access to information and proprietary information theft are increasing 2-5X per year in cost to the affected company. • Privacy regulations: SOX, HIPAA, GLBA, PIPEDA, FERPA, EU DPD • Competitive edge: intellectual property, trade secrets, confidential plans • Customer pressure: identity theft, brand damage • Business governance: SEC/NASD rules, legal liability, insurance rules. Sources: 2005 CSI/FBI Computer Crime and Security Study; Forrester Research, Inc.

  7. Data Security and Compliance: Growing Problem with Exec Visibility • Executive concern • California Data Privacy Act (SB-1386) • Pennsylvania, New York, Illinois, Wisconsin and 21 other states with regulations • Health Insurance Portability and Accountability Act (HIPAA) • Sarbanes-Oxley (SOX) • Gramm-Leach-Bliley Act (GLBA) • Traditional security does not address data • Network security (FW, IPS) has no knowledge of data • No two organizations have exactly the same data • Database security not granular enough, plus performance issues

  8. Increasing Business Impact of Information Leaks • Compliance requirements are increasing • Federal regulations such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) • State regulations such as the California Data Privacy Act (SB-1386) and 21 other states • High costs of data breaches: estimated at $140 per consumer record • Intellectual property/confidential information losses can damage business and competitive advantage. Cost breakdown: direct costs $5.0M ($50/record), opportunity costs $7.5M ($75/record), indirect costs $1.5M ($15/record); total $140/record. Source: Ponemon Institute, SVB Alliant

  9. Top 10 Most Frequent Incidents • Patient PHI sent to partner, again, and again • Employee 401k information sent outbound and inbound • Payroll data being sent to home email address • Draft press release to outside legal counsel • Financial and M&A postings to message boards • Source code sent with resume to competitor • SSNs, and thousands of them • Credit card or account numbers, and thousands of them • Confidential patient information • Internal memos and confidential information

  10. Total cost: $140 per customer. [Chart: cost breakdown, average recovery costs by type. Source: The Ponemon Institute]

  11. Data Security and Compliance: Why Is Data a Priority? Cost of data breaches: $140/record (direct costs $5.0M, $50/record; opportunity costs $7.5M, $75/record; indirect costs $1.5M, $15/record). Source: Ponemon Institute, SVB Alliant. "What do you consider to pose the biggest current threat to your organization's overall security?" (multiple responses) • Leakage of confidential/proprietary information 52% • Unpatched vulnerabilities 24% • Insider attacks 18% • Spyware 14% • Phishing attacks 10% • Malicious code 4% • Spam 4% • Denial of service attacks 4% • Fraud 2% • Keystroke loggers 2%. Source: Merrill Lynch survey of 50 North American CISOs, July 2006

  12. Data Security and Compliance: Implications of Data Breach. Headlines: "Security Breaches Of Customers' Data Trigger Lawsuits", July 21, 2005 (WSJ): "Andrew Schultz was just one of many consumers whose banks notified them last month that computer hackers had filched their credit- and debit-card information…"; "Card Center Hit by Thieves Agrees to Sale", October 17, 2005, by Eric Dash (NYT, Business/Financial Desk); "FTC settles with CardSystems over data breach: Company must adopt security measures, undergo audits", February 24, 2006. • Brand damage • Service shut down • Partner lost • Customer lost • Lawsuits • Company shut down • Fire sale of assets • Government investigations • Fines & more regulations

  13. Endpoints – the Achilles' Heel of Corporate Security: Devices can connect to each PC – no visibility, no control • Over 26,000 different USB products exist, 1.4 billion shipped in 2005 • Storage devices • Networking adapters • Printers, scanners, webcams • Coffee warmers, hand massagers… • Over 1 billion devices have been sold to date • Over 32 million iPods sold in 2005 • Over 5 million Bluetooth devices are sold every week • Their capacity keeps growing – 10GB drive for $50 by 2010 • They are virtually impossible to trace

  14. Understanding the Threat • 39% of USB drive owners use it to transfer files between home & work • 37% of businesses reported the disclosure of company information via USB drive in the past 12 months. -- Yankee Group (2005) • "Data theft accounted for over $50B in losses [in 2004] in America alone." -- The Economist (6/18/2005) • "Poor information security has exposed personal information of over 50 million Americans so far in 2005" -- The Economist (6/18/2005) • "50% of security incidents originate from within an organization." -- 2005 FBI / CSI Computer Crime and Security Survey • "70% of security breaches that involve losses over $100,000 are perpetrated from inside the enterprise." -- Vista Research • "HIPAA & GLBA mandate removable media controls. We must prevent copying of corporate data to plug-and-play storage devices of all types." -- Consultancy Firm

  15. Current Situation: Devices can connect to any endpoint – no visibility, no control. [Diagram: exposed endpoints reachable over Bluetooth, USB, serial, WiFi, IrDA, GPRS and FireWire, out of sight of the information security team.]

  16. Recent Endpoint Security Incidents • USB flash drive with top-secret US military information about local spies and informants was sold for $40 at a bazaar in Afghanistan • A KPMG auditor forgot a CD with personal and financial data of thousands of McAfee employees in an airline seat pocket • A temporary employee of a French aircraft equipment manufacturer copied confidential data to USB flash and sold it to a competitor in China • A hacker at the University of California exposed over 0.5M sensitive personal records (a professor had copied the records to USB flash for research, without administrators' knowledge) • A Postal Service Bank in Israel was robbed using a wireless modem connected by the thieves to the bank's server • The Sumitomo Bank in London was attacked by insiders who connected hardware key loggers to about 65 of the bank's computers

  17. Industry Validation • "Emerging technologies guarding against information leakage (whether intentional or not) appear to be garnering strong interest." "Leakage of confidential/proprietary information was identified as the #1 issue facing CISOs." -- Edward Maguire, Financial Analyst • "The market has shifted from simply monitoring the network for outgoing sensitive data to requiring the prevention of communication of such data to unauthorized recipients." -- Brian Burke, Research Analyst • "Content monitoring and filtering products help organizations address the problem of sensitive data crossing the enterprise network boundary over multiple channels and protocols." -- Rich Mogull, Research Analyst

  18. External Leak Prevention is Not Enough • "External" leaks occur at the network perimeter • When employees use email and web • Lost laptops and stolen servers can also result in data loss • "Internal" leaks can be equally damaging and costly • Printing of confidential information and customer information • Internal disclosure of information. Source: PortAuthority Technologies Data Security Labs, based on reported data security breaches. Headline: "Three charged with stealing Coca-Cola trade secrets", by James Bone, of the Times, in New York

  19. Data Security and Compliance: Common Questions • Where is my confidential data? • Where is my data going? • Who is using data? • How can I protect it? • What is the business and resource impact? • How do I get started? • How much does it cost?

  20. Business and Product Requirements and Impact. Business requirements: • Reputational damage from security breaches: CardSystems, BJ's • Cost of data breach incident exceeds $140 per customer (based on independent survey) • Financial liability, e.g. Fortune 500 retailer pays $60 million for privacy breach • Unplanned costs due to non-compliance • Financial – 2002 ASIS survey: loss of proprietary information and IP in the range of $53–59 billion • Loss of competitive advantage: leaks of confidential product, customer or pricing information. Impact: controls to protect confidential information; protect customer data and demonstrate compliance. "By 2006, …privacy mismanagement recovery costs will be in the range of $5–20 million per incident" -- Gartner Research

  21. Firewalls, VPNs, IDS/IPS are Ineffective: they stop incoming threats but miss outgoing sensitive information

  22. Content Filtering is Ineffective • Very high false positives with keywords, patterns (“confidential”) • False negatives with data manipulation (cut and paste) • Limited support for all types of data (file attachments, formats) • Enforcement lacks flexibility; blocks legitimate communications

  23. Data Protection: A Comprehensive View • Data classification using information fingerprinting • Protect data in motion: monitor outbound and internal communications to identify data policy violations; automated selective blocking/enforcement of information reaching unauthorized recipients; automated selective enforcement (e.g. encryption) of sensitive information for authorized recipients • Protect data at rest: discover sensitive data that violates regulatory or internal security policies; automated selective enforcement against unauthorized transfer of files/documents; automated encryption of critical information assets
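The contrast between slides 22 and 23 (keyword rules versus information fingerprinting) as an added example; this is illustrative code, not PortAuthority's product or anything from the deck. It registers a document as SHA-256 hashes of five-word shingles and scores outbound messages by how much registered content they contain; the Acme/Beta press release, the messages and the 0.3 threshold are constructed assumptions.

```python
import hashlib
import re

SHINGLE_WORDS = 5  # words per shingle; longer windows mean fewer chance matches

def normalize(text):
    # Lower-case and keep only alphanumeric tokens, so a re-flowed or
    # re-punctuated copy of a document yields the same shingles.
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text, k=SHINGLE_WORDS):
    # SHA-256 of every k-word window; the register holds hashes, not the text.
    words = normalize(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

def match_ratio(message, registered, k=SHINGLE_WORDS):
    # Fraction of the message's shingles that are registered as sensitive.
    probe = fingerprint(message, k)
    return len(probe & registered) / len(probe) if probe else 0.0

def keyword_policy(message):
    # The pattern rule slide 22 criticises: flag on a marker word.
    return "confidential" in message.lower()

def fingerprint_policy(message, registered, threshold=0.3):
    # Flag when at least `threshold` of the message is registered content.
    return match_ratio(message, registered) >= threshold

# Constructed sample data (not from the presentation): a draft press release
# registered as sensitive, and two messages checked against it.
PRESS_RELEASE = ("CONFIDENTIAL DRAFT. Acme Widgets today announced that it has "
                 "signed a definitive agreement to acquire Beta Gears for 120 "
                 "million dollars in cash. The transaction is expected to close "
                 "in the third quarter, subject to regulatory approval and "
                 "customary closing conditions. The combined company will be "
                 "the largest supplier of precision gearing in North America.")
# Outbound web-mail: two sentences pasted, the marker word left behind.
PASTED = ("FYI before it goes out: Acme Widgets today announced that it has "
          "signed a definitive agreement to acquire Beta Gears for 120 million "
          "dollars in cash. The transaction is expected to close in the third "
          "quarter, subject to regulatory approval.")
# Harmless internal note that happens to contain the marker word.
BENIGN = "Reminder: the confidential mentoring survey closes Friday, please fill it in."
REGISTERED = fingerprint(PRESS_RELEASE)

if __name__ == "__main__":
    for name, msg in (("pasted", PASTED), ("benign", BENIGN)):
        print(name, "keyword:", keyword_policy(msg), "fingerprint:",
              fingerprint_policy(msg, REGISTERED), "ratio: %.2f" % match_ratio(msg, REGISTERED))
```

The keyword rule misses the pasted excerpt (false negative) and flags the survey reminder (false positive), while the shingle match scores the excerpt at 31/36 and the reminder at zero; a paraphrase that shares no five-word run would still slip past this simple variant.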

  24. Data Security and Compliance: The Landscape. [Diagram: accidental, intentional and malicious leaks by employees (honest and rogue) and by customers and criminals, across transaction applications, databases, data storage (SAN and NAS), and servers and endpoints.] • Data in motion: outgoing communications; internal communications; databases and documents; monitoring and enforcement • Transaction data: direct database access; access via applications; web applications; web services; communication channels • Data at rest: data classification; device control; content control; application control

  25. Data At Rest – Disk and Tape Encryption? • Problematic for logical access control • Object accessible, even if contents protected • Does not eliminate need for access controls • "On or off": once decrypted, user can transfer to unencrypted format • Group-, role- or user-based key management difficult • Database encryption complicated by indices and performance • Best suited for physical access control • Media encryption less problematic. Source: Gartner


  27. Transactional Data Control. [Diagram: internal users (business users, administrators, developers) and external users (customers, partners, Internet users) reach transaction data through web servers and database servers; unauthorized activity at either tier takes the form of privilege abuse or vulnerability exploits.] • Both web application and database tier • Both internal and external users • Privilege abuse: usage of data outside authorized use • Vulnerability exploits: exploiting vulnerabilities to gain unauthorized access

  28. Data Security and Compliance: The Landscape. [Diagram: accidental, intentional and malicious leaks by employees (honest and rogue) and by customers and criminals, across transaction applications, databases, data storage (SAN and NAS), and data backup.] • Data in motion: outgoing communications; internal communications; databases and documents; monitoring and enforcement • Transaction data: direct database access; access via applications; web applications; web services; communication channels • Data at rest: endpoints, servers; data classification; device control; content control; application control

  29. Reduce Your Risk. [Diagram: Learn, Monitor, Enforce (audit, notify, quarantine, block, encrypt …); Define Metrics, Assess Risk, Reduce Risk.] • Use pre-defined policies or create custom policies • Learn critical information using PortAuthority information fingerprinting service • Monitor communication channels • Reporting of matches against policies and information fingerprints • Tune PortAuthority policies • Enable enforcement policy • Quarantine suspicious messages • Create audit trail of all communications to substantiate compliance • Reduce violations to required levels

  30. Thank You. Asim Ahmed, Asim@PortAuthorityTech.com; Steve Moscarelli, SteveM@PortAuthorityTech.com; www.PortAuthorityTech.com
