A Breach Carol: 2013 Review, 2014 Predictions


How'd we do in 2013 from a data breach perspective? As we close out the year, are the cupboards / budgets bare and will it be a lean holiday season? Or should we be budgeting a holiday celebration with all of the trappings and a sumptuous New Year? Borrowing themes from the Charles Dickens holiday classic, this webinar will review industry statistics and other indicators to evaluate how we did in 2013 from a privacy breach and security incident response perspective. Will our mythical CSO and CPO get the Scrooge-like CFO to approve their budget increases? And what will 2014 hold from a security, privacy, and regulatory perspective? Register below to find out. Our featured speakers for this Dickensian webinar will be:

- Ebenezer Scrooge, Chief Financial Officer, Acme Inc., played by Ted Julian, Chief Marketing Officer, Co3 Systems
- Bob Cratchit, Chief Privacy Officer, Acme Inc., played by Gant Redmon, General Counsel, Co3 Systems
- Tiny Tim, Chief Security Officer, Acme Inc., played by "Tiny" Tim Armstrong, Incident Response Specialist, Co3 Systems

Transcript of A Breach Carol: 2013 Review, 2014 Predictions

Page 1: A Breach Carol: 2013 Review, 2014 Predictions

A Breach Carol

2013 Recap, 2014 Predictions

Page 2

Agenda

• Introductions

• Ghosts of Security & Privacy Past

• Ghosts of Security & Privacy Future

• Q&A

Page 3

Introductions: Today’s Cast

• Ted Julian, Chief Marketing Officer, Co3 Systems, as Ebenezer Scrooge, Chief Financial Officer, Acme Inc.

• Gant Redmon, General Counsel, Co3 Systems, as Bob Cratchit, Chief Privacy Officer, Acme Inc.

• “Tiny” Tim Armstrong, Incident Response Specialist, Co3 Systems, as Tiny Tim, Chief Security Officer, Acme Inc.

Page 4

Co3’s Incident Response Management Platform

• Automated Escalation: accelerate response by easily creating incidents from the systems you already have (email, web form, trouble ticketing, entry wizard, SIEM)

• Instant Creation and Streamlined Collaboration: IR plans created instantly based on regulations, best practices, and standard operating procedures; collaborate on plan execution across multiple functions (Marketing, Legal & Compliance, IT, HR)

• Accelerated Mitigation: speed results by easily outputting results to your management platforms (SIEM, trouble ticketing, GRC)

• Intelligent Correlation: determine related incidents automatically to identify broader, concerted attacks

• Integrated Intelligence: gain valuable threat intelligence instantly from multiple intelligence feeds

• IR plan inputs: organizational SOPs, global privacy breach regulations, contractual requirements, community best practices, industry standard frameworks

• Dashboards & reporting

• SSAE 16 Type II certified hosting facility

Page 5

Prologue

• Where: Acme Inc. HQ, Ebenezer Scrooge’s office

• Who: Ebenezer, Bob, and Tiny Tim

• What: 2014 Budget Review

Bob & Tim drowned their sorrows in egg nog at the company holiday party. Ebenezer humbugged and went home early.

Bob & Tim asked for modest budget increases. Scrooge ordered them to return tomorrow (Christmas Eve) with a plan that showed a 15% reduction.

Page 6

That night…

Scrooge is visited by the ghost of Jacob Marley, the deceased former CFO of Acme. Marley tells Scrooge he’ll be visited by two sets of ghosts, the first are…

The Ghosts of Security & Privacy Past

Page 7

Security Past

• Snowden

  • More use of encryption inside companies who possess large amounts of data

  • Lack of gov’t collaboration

  • Increased amount of vigilante-style behavior (AJ)

• Adobe

  • Security success story

  • Even big guys get breached

• Silversky

  • Malware as a business has been heating up

  • More competition between malware “vendors”

Page 8

Security Past

• Breach Data

  • Verizon DBIR (2013)

    • 92% of threat actors are external

    • Collecting and sharing IOCs and threat data shortens response times

    • 69% of breaches discovered by external parties

    • 66% took months or more to discover

Page 9

Privacy Past

• Bloating of the privacy policy and Ts&Cs

  • PayPal’s terms are longer than Hamlet

  • Privacy policies are almost as long and are integrated into Ts&Cs

  • David Vladeck, former Director of the FTC’s Bureau of Consumer Protection, was no fan

  • Rule of thumb: the longer they are, the less privacy you have

Page 10

Privacy Past

• Apps take on a bigger role

  • The FTC’s Mobile Privacy Disclosures report says the FTC wants "timely, easy-to-understand disclosures about what data they collect and how the data is used."

  • FTC action against Path, Inc.

  • The California Attorney General’s Privacy Enforcement and Protection Unit has prepared Privacy on the Go: Recommendations for the Mobile Ecosystem.

Page 11

Privacy Past

• Snowden hands the EU a bat to beat the US cloud providers: Safe Harbor in dangerous waters

  • This year saw three phases of the EU leveraging the Snowden affair: a call for EU clouds, a call for the end of Safe Harbor, and finally the 13 recommendations for Safe Harbor set forth by the European Commission.

  • One of the recommendations looks like a cigarette-warning label.

Page 12

Privacy Past

• Executive Order

  • In February 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, instructing NIST to lead the development of a framework to reduce cyber risks to critical infrastructure.

  • It fell short of Congressional action providing a litigation shield to companies sharing attack information with the US Government. No one seems to want to make it easier for companies to share info with the government these days.

Page 13

Privacy Past

• HIPAA Final Rule

  • When it comes to breach response, the two big stories are business associates having direct reporting and notification responsibilities, and impermissible uses or disclosures of PHI now being presumed to be breaches.

  • As for harm, we now have to dig our way out of a breach with a risk assessment showing a low probability that the PHI was compromised.

Page 14

Privacy Past

Page 15

POLL

Page 16

Later That Night…

Scrooge receives another paranormal visit…

The Ghosts of Security & Privacy Future

Page 17

Security Future

• More breaches, more severe

  • The rise of Breach as a Service

  • A CSO at a major enterprise is canned

  • Tiny Tim’s cost argument to the CFO: before vs. after

    • The cost of a breach usually dwarfs that of training and tech

• Breaches impact more diverse verticals

  • Moving away from mass malware to more industrial espionage

  • Healthcare increases as a target

    • Deadline for electronic patient records

  • Mobile?

    • Data leakage; apps with ad networks that leak

• Fed mandate for minimum security requirements (e.g. NIST IR for critical infrastructure)

  • Other verticals follow

  • More certifications for hosting (like FedRAMP) and personnel

Page 18

Security Future

• IR disaster done right – Tylenol case study? Let’s say this doesn’t happen.

  • "The company pulled 31 million bottles of tablets back from retailers, making it one of the first major recalls in American history. The crisis cost the company more than $100 million, but Tylenol regained 100% of the market share it had before the crisis." - Wikipedia

• Snowden fallout from a security perspective

  • Lack of trust/sharing

  • Industry hides from gov’t, over-encrypts data on internal as well as external networks

  • Rise of “NSA-proof” tech - AJ

• Model for best-of-breed IR begins to emerge: people, process, technology

  • Long-term strategy starts to develop based on awareness of danger

  • IR professional services take off

Page 19

Privacy Future

• Unified Breach Notice

  • US – No, maybe one more swing

  • EU – Yes

    • On October 21, 2013, the European Parliament’s LIBE committee approved its compromise text of the Draft Regulation to replace Directive 95/46/EC.

    • Next comes approval by the Council of Ministers.

    • Then the Parliament, the Council and the Commission must agree on the final text. A vote is expected before the parliamentary elections in May 2014.

    • Worked for telcos

Page 20

Privacy Future

• Safe Harbor Alive and Well – the 13 recommendations from the European Commission are not too specific or onerous.

Page 21

Privacy Future

• Usernames and passwords

  • May the country follow California…again

  • S.B. 46 amends Sections 1798.29 and 1798.82 of the Civil Code to require businesses and state agencies to notify consumers if their login credentials are compromised by a data breach

Page 22

Privacy Future

• Greater personal awareness and responsibility

  • Cybermilitia: A Citizen Strategy to Fight, Win, and End War in Cyberspace, by Siobhan MacDermott and J.R. Smith

Page 23

POLL

Page 24

The Next Day

Bob & Tiny Tim head to Scrooge’s office with their slashed budget proposals.

They’re shocked when a thoroughly changed Scrooge awards them a 100% increase!

Page 25

QUESTIONS

Page 26

Happy Holidays!

Page 27

One Alewife Center, Suite 450, Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITORS’ CHOICE

“Co3…defines what software packages for privacy look like.” – GARTNER

“Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE

“One of the hottest products at RSA…” – NETWORK WORLD, FEBRUARY 2013