A Breach Carol: 2013 Review, 2014 Predictions
DESCRIPTION
How'd we do in 2013 from a data breach perspective? As we close out the year, are the cupboards / budgets bare and will it be a lean holiday season? Or should we be budgeting a holiday celebration with all of the trappings and a sumptuous New Year? Borrowing themes from the Charles Dickens holiday classic, this webinar will review industry statistics and other indicators to evaluate how we did in 2013 from a privacy breach and security incident response perspective. Will our mythical CSO and CPO get the Scrooge-like CFO to approve their budget increases? And what will 2014 hold from a security, privacy, and regulatory perspective? Register below to find out.
Our featured speakers for this Dickensian webinar will be:
- Ebenezer Scrooge, Chief Financial Officer, Acme Inc., played by Ted Julian, Chief Marketing Officer, Co3 Systems
- Bob Cratchit, Chief Privacy Officer, Acme Inc., played by Gant Redmon, General Counsel, Co3 Systems
- Tiny Tim, Chief Security Officer, Acme Inc., played by "Tiny" Tim Armstrong, Incident Response Specialist, Co3 Systems
TRANSCRIPT
A Breach Carol
2013 Recap, 2014 Predictions
Agenda
• Introductions
• Ghosts of Security & Privacy Past
• Ghosts of Security & Privacy Future
• Q&A
Introductions: Today’s Cast
Ted Julian, Chief Marketing Officer,
Co3 Systems
Gant Redmon, General Counsel,
Co3 Systems
“Tiny” Tim Armstrong, Incident
Response Specialist, Co3 Systems
Ebenezer Scrooge, Chief Financial
Officer, Acme Inc.
Bob Cratchit, Chief Privacy Officer,
Acme Inc.
Tiny Tim, Chief Security Officer,
Acme Inc
[Diagram: Co3's Incident Response Management Platform, hosted in an SSAE 16 Type II certified hosting facility, with dashboards & reporting]
• Automated Escalation: accelerate response by easily creating incidents from the systems you already have (email, web form, trouble ticketing, entry wizard, SIEM)
• Instant Creation and Streamlined Collaboration: IR plans created instantly based on regulations, best practices, and standard operating procedure; collaborate on plan execution across multiple functions (Marketing, Legal & Compliance, IT, HR)
• Accelerated Mitigation: speed results by easily outputting results to your management platforms (SIEM, trouble ticketing, GRC)
• Intelligent Correlation: determine related incidents automatically to identify broader, concerted attacks
• Integrated Intelligence: gain valuable threat intelligence instantly from multiple intelligence feeds
• IR plan inputs: organizational SOPs, global privacy breach regulations, contractual requirements, community best practices, industry standard frameworks
Prologue
• Where: Acme Inc. HQ, Ebenezer Scrooge’s office
• Who: Ebenezer, Bob, and Tiny Tim
• What: 2014 Budget Review
Bob & Tim asked for modest budget increases. Scrooge
ordered them to return tomorrow (Christmas Eve) with a
plan that showed a 15% reduction.
Bob & Tim drowned their sorrows in egg nog at the
company holiday party. Ebenezer humbugged and went
home early.
That night…
Scrooge is visited by the ghost of Jacob Marley, the
deceased former CFO of Acme. Marley tells Scrooge he’ll
be visited by two sets of ghosts, the first being…
The Ghosts of
Security &
Privacy Past
Security Past
• Snowden
• More use of encryption inside companies who possess
large amounts of data
• Lack of gov’t collaboration
• Increased amount of vigilante-style behavior (AJ)
• Adobe
• Security success story
• Even big guys get breached
• Silversky
• Malware as a business has been heating up
• More competition between malware “vendors”
Security Past
• Breach Data
• Verizon DBIR (2013)
• 92% of threat actors are external
• Collecting and sharing IOCs and threat data leads to
faster response
• 69% of breaches discovered by external parties
• 66% took months to discover
Privacy Past
• Bloating of the privacy policy and Ts&Cs
• PayPal’s terms are longer than Hamlet
• Privacy policies are almost as long and are integrated into
Ts&Cs
• David Vladeck, former Director of the Bureau of Consumer
Protection of the Federal Trade Commission, was no fan
• Rule of thumb – the longer they are, the less privacy you have
Privacy Past
• Apps take on a bigger role
• The FTC Mobile Privacy Disclosures report says the FTC
wants "timely, easy-to-understand disclosures about what
data they collect and how the data is used."
• FTC action against Path, Inc.
• The California Attorney General’s Privacy Enforcement and
Protection Unit has prepared Privacy on the Go:
Recommendations for the Mobile Ecosystem.
Privacy Past
• Snowden hands the EU a bat to beat the US cloud providers
– Safe Harbor in dangerous waters
• This year saw three phases of the EU leveraging the
Snowden affair: a call for EU clouds, a call for the end of Safe
Harbor, and finally the 13 recommendations for Safe Harbor
set forth by the European Commission.
• One of the recommendations looks like a cigarette-warning
label.
Privacy Past
• Executive Order
• February 2013, President Obama issued Executive Order
13636, Improving Critical Infrastructure Cybersecurity
instructing NIST to lead the development of a framework
to reduce cyber risks to critical infrastructure.
• Fell short of Congressional action providing a litigation
shield to companies sharing attack information with the US
Government. No one seems to want to make it easier for
companies to share info with the government these days.
Privacy Past
• HIPAA Final Rule
• When it comes to breach response, the two big stories are
business associates having direct reporting and
notification responsibilities and breaches assumed to have
caused harm.
• As for harm, now we have to dig our way out of a breach
with a risk assessment.
Privacy Past
POLL
Later That Night…
Scrooge receives another paranormal visit…
The Ghosts of
Security &
Privacy Future
Security Future
• More breaches, more severe
• The rise of Breach as a Service
• CSO at a major enterprise is canned
• Tiny Tim: cost argument to CFO re: before v after
• The cost of a breach usually dwarfs that of training and tech
• Breaches impact more diverse verticals
• Moving away from mass malware to more industrial espionage
• Healthcare increases as a target
• Deadline for electronic patient records
• Mobile?
• Data leakage, apps with ad networks that leak
• Fed mandate for minimum security requirements (e.g. the NIST framework for critical infrastructure)
• Other verticals follow
• More certifications for hosting (like FedRAMP) and personnel
Security Future
• IR disaster done right – Tylenol case study? Let’s say this doesn’t happen.
• “The company pulled 31 million bottles of tablets back from retailers, making it
one of the first major recalls in American history. The crisis cost the company
more than $100 million, but Tylenol regained 100% of the market share it had
before the crisis.” – Wikipedia
• Snowden fallout from a security perspective
• Lack of trust/sharing
• Industry hides from gov’t, over-encrypts data on internal as well as external
networks
• Rise of “NSA-proof” tech - AJ
• Model for best-of-breed IR begins to emerge: people, process, technology
• Long term strategy starts to develop based on awareness of danger
• IR professional services take off
Privacy Future
• Unified Breach Notice
• US – No, maybe one more swing
• EU – Yes
• On October 21, 2013, the European Parliament’s civil
liberties committee (LIBE) approved its compromise text of
the Draft Regulation to replace Directive 95/46/EC.
• Next comes approval by the Council of Ministers.
• Then the Parliament, the Council and the Commission
must agree on the final text. A vote is expected before
the parliamentary elections in May 2014.
• Worked for telcos
Privacy Future
• Safe Harbor Alive and Well – The 13 recommendations from the
European Commission are not too specific or onerous.
Privacy Future
• Usernames and passwords
• May the country follow California…again
• S.B. 46, which amends Sections 1798.29 and 1798.82 of
the Civil Code to require businesses and state agencies to
notify consumers if their login credentials are
compromised by a data breach
Privacy Future
• Greater personal awareness and responsibility
• Cybermilitia: A Citizen Strategy to Fight, Win, and End
War in Cyberspace
• Authors Siobhan MacDermott and J.R. Smith
POLL
The Next Day
Bob & Tiny Tim head to Scrooge’s
office with their slashed budget
proposals.
They’re shocked when a
thoroughly changed Scrooge
awards them a 100% increase!
QUESTIONS
Happy Holidays!
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for
privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and
very well designed.”
PONEMON INSTITUTE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013