
Page 1: The Darker Value of Your Corporate Data - StarChapter › ... › the_darker_value_of_your_corporate_data.pdf2017 Verizon Data Breach Investigations Report Data Type Value Website

The Darker Value of Your Corporate Data

What Cyber Criminals are After and a Collaborative Approach for Protecting it

This Photo by Unknown Author is licensed under CC BY-NC

Page 2:

Page 3: Average Number of Days an Advanced Persistent Threat (APT) spends on a company network before being detected.

2017 Verizon Data Breach Investigations Report

Page 4: And Then Someone Gets One of These

Page 5: Information Security – It’s Personal

National Security Agency
• (Edward Snowden) Classified DATA loss

Office of Personnel Management
• Highly Sensitive Security Clearance DATA loss
• SF86 – 136 pages

Page 6: Once Inside The Network Bubble We’re Safe!

Firewall

IPS

Antivirus

Page 7: But… Boundaries Are Expanding

Work from Home

BYOD

Cloud

Vendors

Satellite Offices

Once Inside the Network We’re Safe! … Said the APT

Page 8: Who Are The Threats?

Organized Crime 52%
Internal 25%
Nation States 18%
Collusion 3%
Business Partners 2%

• Well Organized
• Well Funded
• Smart
• Dedicated
• Fully Staffed

2017 Verizon Data Breach Investigations Report

Page 9: How Does an Intrusion Occur? – Threat Attack Chain Sequence

• Reconnaissance
• Initial Exploitation
• Establish Persistence
• Install Tools
• Move Laterally
• Exploit
• Collect
• Exfiltrate

180 days

Finding and extracting your company’s most valuable information!

This is when an Incident becomes a Data Breach! Company Cost is $225 per record!

2017 Ponemon Report

Page 10: Costs of Crimeware Sold on the Dark Web

| Product | Price |
|---|---|
| Keylogger | US $1-5 |
| Xena RAT builder | US $1-50 (Silver/Gold Tech Support) |
| Exploit | US $1+ |
| Botnet and/or Botnet builder | US $5-50 |
| Worm | US $5-15 |
| Ransomware | US $10 |
| Betabot DDoS tool | US $75 |

2017 Verizon Data Breach Investigations Report

Page 11: Theft Targets and Motivation

Financial 24%
Healthcare 15%
Retail and Hospitality 15%
Public Sector 12%
All Other 34%

2017 Verizon Data Breach Investigations Report

• Personal Information/Medical Records
  • Identity Theft
  • Tax Return Fraud
  • Gossip Value
• Insider and Privilege Misuse
  • Data for cash
  • Curiosity
• Espionage
  • Start a Competing Company
  • Bring to New Employer

Page 12: Cyber Crime Is A Business

Financial 70%
Espionage 27%
Fun, Ideology, Grudge (FIG) 3%

2017 Verizon Data Breach Investigations Report

| Data Type | Value |
|---|---|
| Website Management Credentials | $3–5 |
| Remote Desktop Credentials | $10–25 |
| Credit Cards with CVV2 | $5-$8 |
| Plus Bank ID Number | $15 |
| Plus Full Card Owner details | $30 |
| Bank Account Credentials with Balance of $400-$1,000 | $20-$50 |
| $1,000-$2,500 Balance | $50-$120 |
| $2,500-$5,000 Balance | $120-$200 |
| $5,000-$8,000 Balance | $200-$300 |
| Bundle of 10 Medicare numbers | $4700 |

Page 13: The Purpose of Information Security

“The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability” … Using People, Process and Technology.

• Confidentiality – protecting information from unauthorized access and disclosure.
• Integrity – protecting information from unauthorized modification.
• Availability – preventing disruption in information access.

Page 14: Castle Approach to Information Security

Page 15: A Day in the Life of a Security Analyst

1. SIEM (Security Information and Event Monitor)
2. Network IDS/IPS
3. Email Gateway security
4. Web proxy
5. Application White/Black List
6. Risk Management
7. RSA Token Manager
8. Endpoint protection
9. Patch Management
10. Vulnerability Scanning
11. DNS
12. Encryption (SSL Decrypt)
13. Firewall monitoring
14. Antivirus
15. Malware

[Figure: the analyst’s console, one Dashboard / Detail / Drill to Detail view per tool: Risk, Endpoint, Net monitor, MEG, NSM, SIEM, Antivirus, Web proxy, White list, Malware, Firewall, VA; labelled “Security Analyst”.]

Page 16: Information Security Concerns

People
• Limited number of resources – 1 or 2 Security Analysts
• In 2017 there were 780,000 cybersecurity jobs and approximately 350,000 open cybersecurity positions

Process
• Overwhelmed by number of security incidents
• Hard to prioritize what’s important

Technology
• Lots of technology from many vendors
• Little integration

Data
• It’s all over the place

Cybersecurity Business Report, 6/8/17

Page 17: Here is Our Corporate Data, Protect it!

Page 18: Current Data Protection Model - Treat All Data the Same (The Castle Approach)

[Figure: Enterprise Data plotted by Value/Risk against Level of Protection, with Customer Credit Card Data and Today’s Lunch Menu Specials as the two labelled examples.]

Page 19: Oh Look, a free pizza offer in my e-mail! …Click

Page 20: Rob Joyce – Chief, Tailored Access Operations (TAO), NSA – Usenix Enigma Security Conference 2016

“The key to our success is knowing that network better than the people who set it up”

“You know what technologies you intended to use. We know the technologies actually in use.”

“Don't assume a crack is too small to be noticed or too small to be exploited"

Page 21: Castle Approach to Information Security is flawed

Jason Hart – World Visionary in Cyber Security and Ex Ethical Hacker (Twitter: @Hart_Jason)

“Attack prevention is a broken model.”

“To me, prevention techniques like firewalls are just ‘speed bumps’… …you’re just slowing me down”

“You must locate your sensitive data and protect it.”

Page 22: Museum Approach to Information Security

Monitor and Protect Data Based on Its Value and Risk To The Business

Page 23: Museum Approach

[Figure: Enterprise Data plotted by Value/Risk against Level of Protection, tiered into Restricted, Confidential and Everything Else, from Customer Credit Card Data down to Today’s Lunch Menu Specials.]

Discover and Classify based on Value to company and threats

Monitor and Protect based on Risk and Policy

Page 24: What Data Deserves to be Protected?

Personally Identifiable Information (PII), or Sensitive Personal Information (SPI): information that can be used

• To identify, contact, or locate a single person
• Identify an individual in context
• Distinguish or trace an individual's identity
  • name, social security number, date and place of birth, mother's maiden name, or biometric records
• Other information that is linked or linkable to an individual
  • medical, educational, financial, and employment information.

Page 25: Examples of Corporate Restricted versus Confidential Information

Restricted
• Trade Secrets
• Intellectual Property
• Mergers and Acquisitions
• Social Security Number (SSN)
• Driver's license/state ID numbers
• Financial account numbers
• Credit card numbers
• Personal medical and medical insurance information
• Passwords

Confidential
• Sales Projections
• Marketing Plans
• Home address and phone
• Birth date
• Gender
• Religious orientation
• Evaluations
• Sensitive research

Page 26: Change the Information Security View of Corporate Data

Page 27: …To This

Page 28: Data Architects Know Data

They know for each area of the business:

• What data is important
• Who is the owner
• Where it is located
• How it’s accessed

Throughout the enterprise

[Figure: Business Units (Finance, Human Resources, IT, Patient Safety, Underwriting) shown alongside the steps Discover, Classify, Sensitive Information, Define Acceptable Risk Posture, Monitor, Protect.]

Page 29: Data Architects role in Information Security: Find and Protect Valuable Data Assets

• Discover and Classify sensitive data assets
  • What data is out there?
  • How sensitive is it?
• Document the flow
  • What data is being accessed?
  • How often is the data accessed?
  • Who’s using the data?
• Determine the risk
  • How exposed is it?
  • What data is being extracted?
  • How secure is the repository?
  • Is it fully patched?
  • Are configuration best practices being used?
• Reduce the risk
  • Is the data protected at the right level based on value/risk?
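An added example, not from the deck or the author’s toolset: a discovery-and-classification pass over sampled column values, answering “what data is out there?” and “how sensitive is it?” with the Restricted / Confidential / Everything Else tiers used on page 23. The detectors, the 60% majority threshold and the review-tier default are assumptions of this example, and the sample table is constructed.

```python
import re
from collections import Counter

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from 16-digit noise (order ids, etc.)."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def detect(value):
    """Return (kind, tier) for one value, or None when nothing sensitive matches."""
    v = value.strip()
    if re.fullmatch(r"\d{3}-\d{2}-\d{4}", v):
        return ("ssn", "Restricted")
    digits = re.sub(r"[ -]", "", v)
    if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
        return ("credit_card", "Restricted")
    if re.fullmatch(r"\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}", v):
        return ("phone", "Confidential")
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", v):
        return ("birth_date", "Confidential")
    return None

def classify_column(values, min_share=0.6):
    """Tier a column by the share of sampled values that hit one detector.

    Assumed policy: a clear majority decides the tier; a column with only a few
    hits is not silently dropped to "Everything Else" but tagged for review."""
    hits = Counter(h for h in map(detect, values) if h)
    if not hits:
        return ("none", "Everything Else")
    (kind, tier), n = hits.most_common(1)[0]
    if n / len(values) >= min_share:
        return (kind, tier)
    return ("review", "Confidential")

def scan_table(table):
    """table: {column_name: [sampled values]} -> {column_name: (kind, tier)}"""
    return {col: classify_column(vals) for col, vals in table.items()}

# Constructed sample: a few values per column, all fictional.
SAMPLE_TABLE = {
    "cust_ssn":  ["123-45-6789", "987-65-4321", "555-12-3456"],
    "card":      ["4111 1111 1111 1111", "5500-0000-0000-0004", "1234567890123456"],
    "phone":     ["518-555-0142", "(212) 555-0199", "n/a"],
    "notes":     ["518-555-0142", "ok", "see file"],
    "menu_item": ["Pizza", "Salad", "Soup"],
}

if __name__ == "__main__":
    for col, (kind, tier) in scan_table(SAMPLE_TABLE).items():
        print(f"{col:10} {kind:12} {tier}")
```

Run it against a real sample by replacing SAMPLE_TABLE with values pulled from each table’s first few hundred rows; the point is that the landing areas and flat files from page 30 get scanned too, not only the warehouse.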

Page 30: Leverage Existing Knowledge

Utilize the information you already have to help improve security:

• Business Requirements
  • Documents provide intelligence and insight into what information is valuable to a given business unit
• Source to Target Mappings
  • Provides location of important and valuable information
  • Databases, flat files, landing areas, 3rd party info
  • Provides target location for sensitive and valuable information
• ETL Flows
  • Provides intermediate landing areas where sensitive data resides for short periods of time – Advanced Persistent Threats
• Data lineage
• Reporting
  • Sensitive data in reports that can be masked or redacted for specific groups

Page 31: Source To Target Mapping

Columns are grouped as Data Source (System Name, Table Name, Column Name, Data Type, Sensitive Data, InfoSec), ETL (Transform) and Target (Table, Column, Data Type, Sensitive Data, InfoSec, Access Rights).

| System | Table | Column | Data Type | Sensitive | InfoSec | Transform | Target Table | Target Column | Data Type | Sensitive | InfoSec | Access Rights |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CRM | Cust | fname | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | First_Name | varchar2(80) | Y | PII | Sales Role |
| CRM | Cust | lname | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | Last_Name | varchar2(80) | Y | PII | Sales Role |
| CRM | Cust | addr1 | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | Address_Ln1 | varchar2(180) | Y | PII | Sales Role |
| CRM | Cust | addr2 | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | Address_Ln2 | varchar2(180) | Y | PII | Sales Role |
| CRM | Cust | city | char(80) | Y | PII | Trim Leading/Trailing spaces | DIM_CUSTOMER | City | varchar2(180) | Y | PII | Sales Role |
| CRM | Cust | state | char(2) | Y | PII | Uppercase | DIM_CUSTOMER | State | varchar2(2) | Y | PII | Sales Role |
| CRM | Cust | zip | char(10) | Y | PII | Left(5) | DIM_CUSTOMER | Zip_Code | varchar2(5) | Y | PII | Sales Role |
| CRM | Cust | zip | char(10) | Y | PII | Check for '-'; 4 digits after | DIM_CUSTOMER | Zip_4 | varchar2(4) | Y | PII | Sales Role |
| CRM | Cust | ssn | char(11) | Y | PII | format as xx-xxx-xxxx | DIM_CUSTOMER | SSN | varchar2(11) | Y | PII | Sales Role |
| OM | CustCC | cc_num | varchar2(80) | Y | PCI | Remove white space | DIM_CREDIT_CARD | Card_Number | varchar2(16) | Y | PCI | Sales Order Role |
| OM | CustCC | cvv | varchar2(10) | Y | PCI | | DIM_CREDIT_CARD | CVV_CODE | varchar2(10) | Y | PCI | Sales Order Role |
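An added example, not from the deck or the author’s toolset: a mapping-driven load step that applies the transforms in the table above and carries each column’s InfoSec tag and access role onto the target, so the landing area is classified as it is populated rather than rediscovered later. The transform shorthands, the sample record and the reading of the deck’s SSN mask as the standard NNN-NN-NNNN grouping are assumptions of this example.

```python
import re

# Assumption: the deck's "xx-xxx-xxxx" SSN mask is taken here to mean the
# standard NNN-NN-NNNN grouping, which also fits the char(11)/varchar2(11) widths.
def fmt_ssn(v):
    d = re.sub(r"\D", "", v)
    if len(d) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"

def zip4(v):
    # "Check for '-'; 4 digits after": populate Zip_4 only when the +4 is present.
    m = re.fullmatch(r"\d{5}-(\d{4})", v.strip())
    return m.group(1) if m else None

# Transform names are this example's shorthand for the ETL column of the mapping.
TRANSFORMS = {
    "trim": str.strip,
    "upper": lambda v: v.strip().upper(),
    "left5": lambda v: v.strip()[:5],
    "zip4": zip4,
    "ssn": fmt_ssn,
    "nospace": lambda v: re.sub(r"\s", "", v),
    "none": lambda v: v,
}

# (source column, transform, target table, target column, InfoSec tag, access role)
MAPPING = [
    ("fname",  "trim",    "DIM_CUSTOMER",    "First_Name",  "PII", "Sales Role"),
    ("lname",  "trim",    "DIM_CUSTOMER",    "Last_Name",   "PII", "Sales Role"),
    ("addr1",  "trim",    "DIM_CUSTOMER",    "Address_Ln1", "PII", "Sales Role"),
    ("city",   "trim",    "DIM_CUSTOMER",    "City",        "PII", "Sales Role"),
    ("state",  "upper",   "DIM_CUSTOMER",    "State",       "PII", "Sales Role"),
    ("zip",    "left5",   "DIM_CUSTOMER",    "Zip_Code",    "PII", "Sales Role"),
    ("zip",    "zip4",    "DIM_CUSTOMER",    "Zip_4",       "PII", "Sales Role"),
    ("ssn",    "ssn",     "DIM_CUSTOMER",    "SSN",         "PII", "Sales Role"),
    ("cc_num", "nospace", "DIM_CREDIT_CARD", "Card_Number", "PCI", "Sales Order Role"),
    ("cvv",    "none",    "DIM_CREDIT_CARD", "CVV_CODE",    "PCI", "Sales Order Role"),
]

def load_row(src):
    """Apply the mapping to one source record.

    Returns the target rows keyed by table, plus a manifest that records the
    InfoSec tag and access role of every target column that was populated."""
    target, manifest = {}, {}
    for col, tf, table, tcol, tag, role in MAPPING:
        target.setdefault(table, {})[tcol] = TRANSFORMS[tf](src[col])
        manifest[f"{table}.{tcol}"] = (tag, role)
    return target, manifest

def columns_tagged(manifest, tag):
    """Target columns carrying a given InfoSec tag (PII or PCI), for the policy engine."""
    return sorted(c for c, (t, _) in manifest.items() if t == tag)

# Constructed sample source record; all values are fictional test data.
SAMPLE = {"fname": "  Ada ", "lname": "Lovelace ", "addr1": " 1 Main St", "city": "Albany ",
          "state": "ny", "zip": "12207-1234", "ssn": "123456789",
          "cc_num": "4111 1111 1111 1111", "cvv": "123"}

if __name__ == "__main__":
    rows, manifest = load_row(SAMPLE)
    print(rows["DIM_CUSTOMER"])
    print("PCI columns:", columns_tagged(manifest, "PCI"))
```

PCI DSS does not permit retaining the CVV after authorization, so in practice the CVV_CODE row would be removed from the mapping rather than loaded; it is kept here only because the deck lists it.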

Page 32: Provide Data Lineage

Page 33: Rob Joyce – Chief, Tailored Access Operations (TAO), NSA – Usenix Enigma Security Conference 2016

“Enable those logs but also look at those logs.”

“One of our worst nightmares is that ‘out of band’ network tap that really is capturing all the data”

Page 34: Museum Approach Plus Castle Approach

[Figure: the same analyst console as page 15 (Risk, Endpoint, Net monitor, MEG, NSM, SIEM, Antivirus, Web proxy, White list, Malware, Firewall, VA dashboards, each with Detail and Drill to Detail), with a DAM dashboard added that feeds SIEM Detail; labelled “Security Analyst”, “Efficiency”, “Insight”, “User Behavior Analytics”.]

Page 35: Museum Approach Advantages

• Data Access Control
  • Data Classification
  • Define Roles
  • Fine Grained Data Access based on need
• Audit Trails
  • Who
  • What
  • When
  • Where
• Enables Actions on Data
  • Alert
  • Block/Terminate
  • Redact
  • Filter

Page 36: Protect Data through blocking, masking and alerting based on role based security policy models

Protect Databases and BigData platforms

Row-Level Masking (only dept #20)

Column-Level Masking (only dept#)
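An added example, not from the deck or any product it alludes to: a small policy engine for the controls on pages 35 and 36, namely fine-grained column access by role, the row-level “only dept #20” filter, a who/what/when/where audit trail, and the alert, block and redact actions. The roles, tags and sample rows are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed target rows (fictional values), tagged the way the mapping tags them.
COLUMN_TAGS = {"emp_id": None, "dept": None, "name": "PII", "ssn": "PII", "card_number": "PCI"}
ROWS = [
    {"emp_id": 1, "dept": 20, "name": "Ada Lovelace", "ssn": "123-45-6789", "card_number": "4111111111111111"},
    {"emp_id": 2, "dept": 30, "name": "Alan Turing", "ssn": "987-65-4321", "card_number": "5500000000000004"},
]

# Assumed role policies: tags the role sees in clear, tags it sees masked, and an
# optional row predicate (the deck's "only dept #20"). Anything else is blocked.
POLICY = {
    "sales_order":  {"clear": {"PII", "PCI"}, "masked": set(),   "rows": None},
    "sales":        {"clear": {"PII"},        "masked": {"PCI"}, "rows": None},
    "dept_manager": {"clear": {"PII"},        "masked": {"PCI"}, "rows": lambda r: r["dept"] == 20},
    "analyst":      {"clear": set(),          "masked": {"PII"}, "rows": None},
}

AUDIT = []  # one entry per request: who / what / when / where / action

def mask(value, tag):
    """Column-level masking: last four of PCI data stay visible, PII is hidden entirely."""
    s = str(value)
    return "*" * (len(s) - 4) + s[-4:] if tag == "PCI" else "***"

def query(user, role, columns, source="hr-warehouse"):
    """Apply the role's policy and record the access; raises on a blocked request."""
    pol = POLICY[role]
    entry = {"who": user, "role": role, "what": list(columns),
             "when": datetime.now(timezone.utc).isoformat(), "where": source}
    AUDIT.append(entry)
    denied = [c for c in columns
              if COLUMN_TAGS[c] and COLUMN_TAGS[c] not in pol["clear"] | pol["masked"]]
    if denied:
        # Block the request and raise an alert rather than silently returning less.
        entry["action"] = "BLOCK"
        raise PermissionError(f"ALERT: {user} ({role}) requested {denied} from {source}")
    rows = [r for r in ROWS if pol["rows"] is None or pol["rows"](r)]  # row-level filter
    out = []
    for r in rows:
        rec = {}
        for c in columns:
            tag = COLUMN_TAGS[c]
            rec[c] = r[c] if tag is None or tag in pol["clear"] else mask(r[c], tag)
        out.append(rec)
    entry["action"], entry["rows_returned"] = "ALLOW", len(out)
    return out

def is_blocked(user, role, columns):
    """Convenience wrapper so callers can test policy without handling the exception."""
    try:
        query(user, role, columns)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    print(query("bob", "sales", ["name", "card_number"]))
    print(query("carol", "dept_manager", ["emp_id", "name"]))
    print(is_blocked("dave", "analyst", ["card_number"]), AUDIT[-1]["action"])
```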

Page 37: Museum Approach Breaks the Attack Chain

• Reconnaissance
• Initial Exploitation
• Establish Persistence
• Install Tools
• Move Laterally
• Exploit
• Collect
• Exfiltrate

180 days

Wandering around your network… But not taking your sensitive information! Just Today’s Lunch Specials.

Page 38: Information Security and Compliance Leadership and Staff

• CISO - responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
• Information Risk Manager – assess and identify the potential risks that may hinder the reputation, safety, security, and financial prosperity of a company.
• Compliance Officer – responsible for ensuring the company complies with its outside regulatory requirements and internal policies.
• Security Engineer – responsible for building security architecture and engineering security systems.
• Security Analyst – detect, investigate, and respond to incidents.

Page 39: Information Security Legal and Regulatory Requirements

Compliance
• Payment Card Industry Data Security Standard (PCI-DSS)
• SOX
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• FFIEC, CAT
• NERC CIP
• NIST SP 800-37 and 800-53
• NY DFS 23 NYCRR Part 500

Privacy
• Privacy Shield
• EU GDPR

Audit
• SSAE 16
• SOC 2
• ISO 27001
• FISMA and FedRAMP
• NIST SP 800-53A
• COSO

Page 40: General Data Protection Regulation (GDPR)

• Protect any information related to a natural person or ‘Data Subject’ residing in the EU that can be used to directly or indirectly identify the person.
• It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
• Provides the right to be forgotten
• Provides the right to ask for an individual’s information
• Data Subjects must consent by ‘OPT IN’ for each specific use
• Data Breach notification within 72 hours
• Privacy violations can result in fines of €20M or up to 4% of Global Sales Revenue, whichever is higher

Must be compliant by May 25, 2018

Page 41: NY DFS 23 NYCRR Part 500 Requirements

• Utilize Audit Trails – 500.06
• Develop Access Privileges – 500.07
• Implement Application Development Security – 500.08
• Perform periodic Risk Assessments – 500.09
• Dedicated Cybersecurity Personnel and Intelligence – 500.10
• Implement Data Retention Policy – 500.13
• Train and Monitor Users – 500.14
• Notify Superintendent within 72 hours of ‘reportable’ Cybersecurity event – 500.17

First Deadline September 3, 2018

Page 42: Call To Action

• Remember not all data has the same value.
  • Discover
  • Classify
  • Monitor
  • Protect
• Gain an understanding of Compliance and Regulations your company needs to meet.
• Annotate Sensitive Information when developing source to target data
• Document Information Flow
• Get to know and share information with Information Security Team

Page 43: Average Number of Days an Advanced Persistent Threat (APT) spends on a company network before being detected.

2017 Verizon Data Breach Investigations Report

And those were the ones that were reported!

Page 44: Thank You

Mike Czerniawski

DataCraft Partners

[email protected]

@mikeczern