Identifying the Value of Informational Assets Before You Move Them to the Cloud
Post on 19-Jun-2015
1 © Copyright 2013 EMC Corporation. All rights reserved.
Identifying the Value of Informational Assets Before You Move Them to the Cloud
Jason Rader, Chief Security Strategist, RSA, the Security Division of EMC
Slide 2
Roadmap Information Disclaimer
EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates (collectively, “Roadmap Information”). Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby. Roadmap Information is EMC Restricted Confidential and is provided under the terms, conditions and restrictions defined in the EMC Non-Disclosure Agreement in place with your organization.
Slide 3
How do we value information?
Slide 4
Bits vs Bits
On one hand, we have bits of data
On the other, we have MANY “bits” of money
Slide 5
What’s the Conversion Rate?
10 bits = €10?
1 gigabit = £1,000?
1 byte = 2 bits?
Where is this rate? How do I use it?
– It doesn’t exist!
– Too many factors affect it to map globally.
Slide 6
A Scholar’s Definition
“Information value arises as the difference between a decision maker’s payoff in the absence of information relative to what can be obtained in its presence.”
This works for theft, but what about copying?
– The China / Mr. Pibb problem
– Once copied, is it a race to the bottom?
Source: Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of the literature in Management Science. Management Science, Vol. 50, pp. 281–298. INFORMS.
Slide 7
How do we classify info today?
Slide 8
Why is information classification broken?
Typical classification systems are problematic:
– They lack definition (what constitutes information of this kind?)
– They lack automation (teach systems to handle it)
– They don’t address individual data value (is a vault required?)
Slide 9
Four Dumb* Classification Schemes
– Structuralist (focusing on regulatory compliance)
– Realist (stuff we care about, stuff we don’t)
– Broker (risk-based, three tiers, soft chewy middle)
– Striver (everyone hates this guy: 3+ tiers, highly structured, opportunities for automation)
Source: Trent Henry, Gartner, “Information Classification: An Essential Security Thing You're (Still) Not Doing”
Slide 11
Opportunities for Attack
Attackers and companies never value data the same way. There are reasons for this:
– The data itself isn’t valuable without the knowledge/hardware to monetize it
– Secondary/unused business data is ignored
– Differing interpretation of the value lifecycle
Slide 12
How do we identify these opportunities?
The value of information to us (Vc) varies widely. So does the payoff for an adversary (Pa). Where those differ, we have opportunity (O).
– This could also be described as inefficiency
This opportunity can be expressed as:
O = Vc - Pa
Slide 13
How do we identify these opportunities?
O = Vc - Pa
– Positive values of O suggest we know and understand the value, and attackers cannot monetize the data
– Negative values of O suggest we hold high-risk data that attackers want, but we devalue it
– Small magnitudes of O indicate matched intent
– Large magnitudes of O (in either direction) indicate inefficiency
Slide 14
Examples of how this works (O = Vc - Pa):
Credit card information, 30m HQ numbers
– Low value to the company: transactions already settled
– HIGH payoff to the adversary ($1/card × 30m cards = $30m)
– Hugely negative opportunity value
Manufacturing process IP, where the company controls the supply chain (SC)
– Payoff is low to the adversary, because the supply chain is controlled
– If security spend here is high, it could be reallocated to other areas
Slide 15
The Value of Information Over Time
[Chart: information value (y-axis) against time (x-axis); the curve rises to a “Max Value” and then declines.]
Area under this curve = money for the information owner
Information eventually becomes a liability
Slide 16
Events Occur, Changing the Curve
[Chart: the same value-vs-time curve with its “Max Value” peak, marked at the point where a breach occurs.]
Information is now copied; a breach occurs.
The loot becomes divided among holders.
Slide 17
What’s interesting about these curves?
This one is a sample, but somewhat representative.
Curve notes:
– Each ACTOR has their own curve
– Curves can be steeper or flatter
– Curves can converge/diverge with actor action
– Curves only represent value for the ACTOR (i.e., unrealized value may not be represented)
– Eventually, information becomes a liability
– Impending threat mirrors the value curve
– Think about a zero-day exploit on its own curve
Slide 18
Beginning to translate these curves
Information’s value varies over time
– We need to consider malicious actors when planning information security defenses
– Blanket controls cause inefficiency
When curves converge/diverge…
– Values can dramatically consolidate/divide
Curves represent potential value to the actor
– Pent-up value may exist without realization
Slide 19
We need a new model
Minimum model requirements:
– Information grouped by value
  ▪ To ME
  ▪ To Competitor/Military
  ▪ Only if LOST
– Address information value over time
  ▪ Information changes in value over time
  ▪ Usually depreciating, some more rapidly than others
– Reflect the number of actors and their motivation
– Reflect change in motivation based on payoff
  ▪ Market forces can dramatically alter this
  ▪ Large data stores are more attractive than small ones
Slide 20
Moreover: the model needs to be simple
– No industry jargon
– No dictionary required
– Not dozens of pages
Slide 21
Simple, Yet Flexible
Must be able to adjust with value changes
Must rely on accurate inputs:
– Numbers of actors
– Projected payoffs from data theft
– Strength of perimeter defenses
– Number of business processes using the data
– Amount of data sprawl
– Account for the amount of data as a change in payoff
Must be able to affect security posture
Slide 22
How SHOULD we view the world?
[Venn diagram of three overlapping sets: “Valuable to me”, “Valuable if Lost”, “Valuable to Competitors or Military”. Items placed on the diagram, grouped as they appear:]
– Customer Analytics, IT Configs, Biz Processes
– Derivative Data Analytics for Sale, Medical Records
– Old Source Code, Old IP, Old/Retired Encryption Keys
– Secret Sauce, Intellectual Property, Software Vuln DB, Corp Strategy
– Crown Jewels, Easily Transferrable IP, Actionable IP, Encryption Keys
– CC Data, PII/PHI Data, Unused Biz Data
– Disinformation, COMPINT, Defense Information
Slide 23
The Model
Breach probability is driven by the number of potential actors (scale shown on the slide: 1 / 50 / 2.3B*). Biz Impact: C = confidentiality, I = integrity, A = availability.

| Value to You | Value to Comp. | Value if Lost | Examples | Breach Prob. | Biz Impact | ACTION |
|---|---|---|---|---|---|---|
| Y | N | N | Customer Analytics; IT Configs; Business Processes | Low | A/I | Secured, but not vaulted |
| Y | Y | N | Intellectual Property; Secret Sauce; Software Vuln DB; Corp Strategy | Med | C: delayed risk; A/I: immediate | Protect (Vault) |
| N | Y | Y? | Old Source Code; Old IP (where new IP is derived); Old encryption keys | Med | C/I | C: Destroy; I: Secure Archive |
Slide 24
The Model (part 2)
Same columns as the previous slide; breach probability again scaled by the number of potential actors (1 / 50 / 2.3B*).

| Value to You | Value to Comp. | Value if Lost | Examples | Breach Prob. | Biz Impact | ACTION |
|---|---|---|---|---|---|---|
| N | N | Y | Credit Card Numbers; PII/PHI; Unused Biz Data | High (# actors) | C | Outsource; Destroy; Obfuscate |
| Y | N | Y | Sec. Data Analytics (revenue); Medical Records; High-roller customers; Proprietary Algorithms; Financial Results | Low (high impact) | C | Protect IP (Vault); Secure Data |
| Y | Y | Y | Crown Jewels; Easily transferrable IP | High | C | Protect (Vault) |
Slide 25
The Relevance of Data Mass
[Chart: adversary payoff (y-axis) against amount of data (x-axis).]
Slide 26
Combating Risk from Data Growth
Reduce data stores
– Truncation
– De-value options (tokens)
– DESTROY
Reduce the effective size
– 1M records / 10 keys = 100K records per key!
– Multiple algorithms
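The options on this slide, shown in working code. This is an added example, not code from the RSA deck: it truncates, tokenizes and partitions a constructed store of 1,000 fake card numbers across 10 derived keys, then measures how many records a single compromised key actually exposes. The card numbers and record ids are constructed test data (Luhn not enforced), and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real AEAD such as AES-GCM, used only so the example runs without extra packages.

```python
# Added example, not from the RSA deck: the ways slide 26 lists to cut the
# "data mass" an attacker can monetize (truncate, tokenize, destroy) and to
# cut its effective size (spread records over k keys so one compromised key
# exposes about N/k records). Card numbers and record ids are constructed
# test data; the HMAC-SHA256 counter-mode keystream is a stand-in for AES-GCM.
import hashlib
import hmac
import secrets


def truncate(pan: str, keep: int = 4) -> str:
    """Keep only the trailing digits; the rest is gone, not merely hidden."""
    return "*" * (len(pan) - keep) + pan[-keep:]


class TokenVault:
    """Random tokens with no mathematical link to the PAN; the mapping lives only in the vault."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(8)
        while token in self._pan_by_token:  # collision is practically impossible
            token = "tok_" + secrets.token_hex(8)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def derive_partition_keys(master: bytes, k: int) -> list:
    """k independent data keys from one master (HKDF-style expand with HMAC-SHA256)."""
    return [hmac.new(master, b"partition:%d" % i, hashlib.sha256).digest() for i in range(k)]


def partition_of(record_id: str, k: int) -> int:
    """Deterministic, evenly spread assignment of a record to one of the k keys."""
    digest = hashlib.sha256(record_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % k


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); XOR is symmetric, so it also decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_store(records: dict, keys: list) -> dict:
    """Encrypt each record under its partition's key; store (partition, nonce, ciphertext)."""
    sealed = {}
    for rid, pan in records.items():
        p = partition_of(rid, len(keys))
        nonce = secrets.token_bytes(12)
        sealed[rid] = (p, nonce, keystream_xor(keys[p], nonce, pan.encode()))
    return sealed


def open_record(sealed: dict, keys: list, rid: str) -> str:
    p, nonce, ct = sealed[rid]
    return keystream_xor(keys[p], nonce, ct).decode()


def exposure(sealed: dict, compromised: int) -> int:
    """Slide 26's arithmetic, measured: records recoverable with exactly one partition key."""
    return sum(1 for p, _, _ in sealed.values() if p == compromised)


# Constructed store: 1,000 fake PANs, the deck's "1M records / 10 keys" case scaled down.
RECORDS = {f"rec-{i:05d}": f"4{secrets.randbelow(10**15):015d}" for i in range(1000)}
KEYS = derive_partition_keys(secrets.token_bytes(32), 10)
SEALED = seal_store(RECORDS, KEYS)

if __name__ == "__main__":
    print("truncated:", truncate("4111111111111111"))
    print("token:", TokenVault().tokenize("4111111111111111"))
    print("records exposed by one key:", exposure(SEALED, 3), "of", len(RECORDS))
```

Two caveats a practitioner would add: partitioning only bounds the blast radius if the keys are actually held and served separately (distinct KMS keys with distinct access policies), otherwise one compromise still takes all N; and the slide's "multiple algorithms" bullet is the same idea applied to cipher diversity, so a single broken primitive does not expose every partition.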
Slide 27
How to apply the model
Look at the kinds of data your business controls
– Try to define what it is, then relate it to the model
– Be sure to find information NOT IN USE
– Understand the flow and sprawl of data
– Look for large values of O
Add values where you can
– Valuing information is personal
– Use your own data
– Don’t rely on external sources to define data value
Remember the CONFIDENCE factor!
Take action per the model!
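The procedure above, the O = Vc - Pa reading from slides 12 to 14 and the yes/no action table from slides 23 and 24, put together as a small triage script. This is an added example, not code from the deck or from RSA: the asset inventory, dollar figures and actor counts are constructed illustrations, and the table rows the deck leaves blank (N/N/N and N/Y/N) are reported as uncovered rather than guessed.

```python
# Added example, not from the RSA deck: a scorer for the deck's O = Vc - Pa
# model (slides 12-14) and its Value-to-You / Value-to-Competitor /
# Value-if-Lost action table (slides 23-24), applied as slide 27 describes.
# The inventory, dollar figures and actor counts below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value_to_you: bool
    value_to_competitor: bool
    value_if_lost: bool
    vc: float          # value of the information to the company (Vc), in dollars
    pa: float          # projected adversary payoff if stolen (Pa), in dollars
    actors: int        # number of potential actors (the 1 / 50 / 2.3B scale on the slides)
    in_use: bool = True  # slide 27: be sure to find information NOT in use


# The deck's action table, keyed on (value to you, value to competitor, value if lost).
# Combinations the deck does not list are absent on purpose and reported as uncovered.
ACTIONS = {
    (True, False, False): "Secured, but not vaulted",
    (True, True, False): "Protect (vault)",
    (False, True, True): "C: destroy; I: secure archive",
    (False, False, True): "Outsource, destroy or obfuscate",
    (True, False, True): "Protect IP (vault), secure data",
    (True, True, True): "Protect (vault): crown jewels",
}


def opportunity(asset: Asset) -> float:
    """O = Vc - Pa: the gap between the company's value and the adversary's payoff."""
    return asset.vc - asset.pa


def interpret(o: float, tolerance: float) -> str:
    """Slide 13: the sign says who values the data more, the magnitude how mismatched."""
    if abs(o) <= tolerance:
        return "matched intent"
    if o > 0:
        return "inefficiency: spend exceeds what attackers can monetize"
    return "high risk: attackers want data you devalue"


def recommend(asset: Asset) -> str:
    key = (asset.value_to_you, asset.value_to_competitor, asset.value_if_lost)
    return ACTIONS.get(key, "not in the deck's table; classify manually")


def triage(assets, tolerance: float):
    """Rank assets by |O|, largest first (slide 27: look for large values of O)."""
    rows = []
    for a in assets:
        o = opportunity(a)
        rows.append({
            "name": a.name,
            "O": o,
            "reading": interpret(o, tolerance),
            "action": recommend(a),
            "flag": None if a.in_use else "NOT IN USE: candidate to destroy",
        })
    return sorted(rows, key=lambda r: abs(r["O"]), reverse=True)


# Constructed inventory: slide 14's two cases plus a few rows from the table.
INVENTORY = [
    Asset("Credit card numbers (30m, settled)", False, False, True,
          vc=50_000, pa=30_000_000, actors=2_300_000_000),
    Asset("Manufacturing process IP (supply chain controlled)", True, True, False,
          vc=8_000_000, pa=200_000, actors=50),
    Asset("Customer analytics", True, False, False,
          vc=1_000_000, pa=900_000, actors=50),
    Asset("Old encryption keys", False, True, True,
          vc=0, pa=250_000, actors=50, in_use=False),
    Asset("Retired marketing datasets", False, False, False,
          vc=0, pa=0, actors=1, in_use=False),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, tolerance=250_000):
        line = f"{row['O']:>14,.0f}  {row['name']:<50} {row['reading']} -> {row['action']}"
        print(line + (f" [{row['flag']}]" if row["flag"] else ""))
```

The tolerance is the deck's "confidence factor" made explicit: inputs like Pa are estimates, so an asset only counts as mismatched when |O| exceeds what your estimate error could explain. The credit-card row lands at the top with a large negative O and the "outsource, destroy or obfuscate" action, which is exactly the slide 14 case.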