Big data security the perfect storm

Post on 15-Jan-2015


Big Data Security - The Perfect Storm

The Perfect Storm 1991

It was the storm of the century, boasting waves over one hundred feet high, a tempest created by so rare a combination of factors that meteorologists deemed it "the perfect storm."

When it struck in October 1991, there was virtually no warning.

*: http://books.wwnorton.com/books/detail.aspx?ID=5102


The Perfect Storm

Diagram: Big Data, with six uses (Security Analysis, Customer Support, Customer Profiles, Sales & Marketing, Social Media, Business Improvement), each labeled "Increased profits". Other labels: Regulations & Breaches; Perfect storm.

More Data

Weaker Security

Increased Regulations

Breach or Audit Fail ($$$)

The Perfect Storm

Big Data is a Time Bomb based on how things are coming together

Big Data deployment is growing fast, rushing into it

• ROI in focus 

• Security is not part of Strategy

Shortage in Big Data skills

• People don’t know what they are doing

Big Data Security solutions are not effective

General shortage in Security skills

Mankind Created Data

Chart: Data (exabyte) by Year, 2005 to 2020; vertical axis from 0 to 40000.

Source: IBM

What is Big Data?


Source: IBM 0307_Guardium_Final-.pdf


What Happens in an Internet Minute?


Source: Intel

Four Dimensions of Big Data

Source: IBM 0307_Guardium_Final-.pdf


Big Data Sources

Source: IBM


Business-driven Outcomes

Source: IBM


How is Big Data Different?


Why It’s Different Architecturally:

• ‘Shared’ data

• Inter-node communication

• No separate archive – all data is online

• No Security – breaches go undetected

Why It’s Different Operationally:

• Insider data access

• Authentication of applications and nodes

• Audit and logging

Source: Securosis SecuringBigData_FINAL.pdf

What is the Problem with Big Data Security?

Big Data and The Insider Threat

Many Ways to Hack Big Data

Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase


HDFS(Hadoop Distributed File System)

MapReduce (Job Scheduling/Execution System)

Hbase (Column DB)

Pig (Data Flow) Hive (SQL) Sqoop

ETL Tools BI Reporting RDBMS

Avro (Serialization)

Zookeeper (Coordination)

Hackers

Privileged Users

Unvetted Applications Or Ad Hoc Processes

The Big Data platform may not be secure, but your information can be secure.

A Changing Threat Landscape

New York Times about China Attack on US

*: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf


One Single Sample: The Chinese APT1 group

Compromised 141 companies in 20 industries

Stole hundreds of terabytes of data

Technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails


Source: http://www.verizonbusiness.com/Products/security/dbir/, http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous

Dominating “hacktivism”

Attacks by Anonymous include

• 2012: CIA and Interpol

• 2011: Sony, Stratfor and HBGary Federal


http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03027usen/WGL03027USEN.PDF

DataLossDB - Incidents Over Time - Increasing

http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03027usen/WGL03027USEN.PDF

http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03027usen/WGL03027USEN.PDF

Breakout of Security Incidents by Country


*: % of Escalated Alerts

http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03027usen/WGL03027USEN.PDF

Ranking Volume and Type of Security Incidents*


*: % of Escalated Alerts

http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03027usen/WGL03027USEN.PDF

Security Incidents - Malicious Code*

What is the Cost of A Breach?

Cost of Data Breach per Record

Independently Conducted by Ponemon Institute LLC March 2012

http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf

How are Breaches Discovered?

Unusual system behavior or performance

Log analysis and/or review process

Financial audit and reconciliation process

Internal fraud detection mechanism

Other(s)

Witnessed and/or reported by employee

Unknown

Brag or blackmail by perpetrator

Reported by customer/partner affected

Third-party fraud detection (e.g., CPP)

Notified by law enforcement

By percent of breaches. Source: 2012, http://www.verizonbusiness.com/Products/security/dbir/

What is the Trend in Regulations?

Regulations: Be Proactive in Protecting Data


HIPAA Omnibus - Penalties if PHI isn’t encrypted


http://www.diagnosticimaging.com/physicians-experts-make-case-secure-data-exchange-himss13

Regulations: Be Proactive in Protecting Data

Big Data must prepare for the changing landscape

• Trend: Encryption requirements are increasing

PCI DSS, US State Laws

Health Data Regulations

• Need for Data Segmentation (tokenization, encryption or masking)

• Extra Sensitive Data (drug abuse, HIV codes, sex abuse and more)

Ponemon Institute “Big Data Analytics in Cyber Defense”

• 61 percent will solve pressing security issues

• Only 35 percent currently have security solutions


Balancing security and data insight

Tug of war between security and data insight

Big Data is designed for access, not security

Privacy regulations require de-identification which creates problems with privileged users in an access control security model

Only way to truly protect data is to provide data-level protection

Traditional means of security don’t offer granular protection that allows for seamless data use

The Solution is Finally Here

The Solution - Preventing Misuse of Data

Diagram labels: Hackers; Privileged Users; Unvetted Applications; Ad Hoc Processes; Application; Data Protection; Policy; User; Data Misuse Prevention; Attackers; Administrators; Issued Patents; Selective Data Protection

Support Business Applications

Diagram labels: 2%; 8%; 90%; PAN (6 digits clear, 4 digits clear, 6 digits encoded); 98% Application transparent; 2% Application changes

Chart: Risk (High to Low) against Access Right Level (Less to More); Traditional Access Control

How can we handle the Risk with Big Data?


Data Tokens

Creativity Happens At the Edge

Small Data Big Data

Securing the Data Flow

HDFS(Hadoop Distributed File System)

MapReduce (Job Scheduling/Execution System)

Hbase (Column DB)

Pig (Data Flow) Hive (SQL) Sqoop

ETL Tools BI Reporting RDBMS

Legacy Systems Big Data Legacy Systems


Support Data Classification and Analytics

Secured Data Fields (encoded)

Encrypted File

Data in Clear

Application

Big Data

The Process of Automating Security for Big Data

Discover sensitive data

Implement Solution

Control usage of sensitive data

Understand

Secure

Monitor

Lock down sensitive data

Integrate

SUMMARY

Big Data Security Problem - Summary

Traditional security solutions cannot bridge the gaps between

1. Data breach protection and compliance

2. Powerful analysis and data insight

3. Using the power of a big data environment

Proactive Data Protection for Big Data

Know your data flow

• Protect the data flow - including legacy systems

Protecting your data now could save big time and $ in retroactive security later

• Breaches and audits are on the rise – Organizations that fail to act now risk losing their hard-earned investments.

Granular data protection is cost effective

• Addressing regulations and data breaches

• Data available for analytics and other usage

• Provide separation of duties for administrative functions

Catch abnormal access to data

• Including (compromised) insider accounts