© 2018 Imperva, Inc. All rights reserved.
Cyber Security by Design
Terry Ray – CTO – Imperva Inc.
July 22, 2018
Who is Imperva?
– Imperva is a leading provider of data and application security solutions that
protect business-critical information in the cloud and on-premises.
We Protect What Matters Most
– Data are the intellectual property and applications are what run the business.
– Imperva has a singular purpose: protect these critical assets from the ever-changing attacks of the cybercrime industry.
Terry Ray – Chief Technology Officer, Imperva
– Frequent speaker at industry events
– RSA, Gartner, ISSA, OWASP, ISACA, IANS, CDM, NLIT,
The American Petroleum Institute, others…
– Expert commentary in news media
– Quoted publications include: Security Week, SC Magazine,
CBS News, the BBC, Dark Reading, others…
– Develop and articulate Imperva’s technical vision
and strategy
– Worked on hundreds of data security projects with
customers and regulators from every industry
Agenda
• Cyber Security Designs of Yesterday
• Today’s Design Requirements
• Getting to Today and Tomorrow
Yesterday’s Old Behavior and Technology
• Network Firewalls
• Anti-Virus/Malware
• Full Disk/Data Encryption
• E-mail Gateways
• Web Proxy Gateways
• Intrusion Detection/Prevention Systems
• Identity Access Management
• Security Information and Event Management
• Anti-Fraud
• Device Logs
Like water, adversaries most commonly take
the path of least resistance.
[Slide: word cloud of organizations that reported data breaches of more than 10,000 records between May 2017 and April 2018, among them Panera Bread, Lord & Taylor, Saks, Under Armour, Orbitz, FedEx, Uber, Equifax, T-Mobile, Verizon, Wells Fargo, Anthem, UCLA, Stanford University, the Department of Homeland Security, and dozens of hospitals, clinics, health plans and state agencies.]
Data Breaches May 2017 to April 2018, >10,000 Records
Sources: DatalossDB.Org, Privacy Rights Clearing House, Homeland Security
Outside IN – Answering The Wrong Questions for Today

[Slide diagram: an attacker moving inward through three layers, Network/End User, Application, DB/File User, and the actions seen once the data layer is reached: Creates DBA, Deletes Data, Takes Data Quickly, Takes Data Slowly, Modifies Data, Encrypts Data, Redirects Data, Deletes Database, Moves Data. Beside it, the traditional controls: Firewalls, Anti-Malware, Identity Access Management, SIEM, Selective Native System Logs, User and Entity Behavior Analytics; and the regulated data they are pointed at: PCI data, health data, names, addresses, phone numbers, birthdates, regional ID numbers.]

The questions that must be answered to detect a breach:
• Who Accessed the Data?
• When did they access it?
• How did they access it?
• Was it a Human or Application?
• Did they take anything?
• How much data did they access?
• Did they change anything?
• Did they modify the DB or File server?
• Did they access any sensitive data?
• Have they accessed this data before?
• What about their peers?
• Is this more data than they normally access?

Answering some questions is “nice”, but what’s the value if you can’t answer the questions that must be answered to detect a breach?
Traditional Cyber Security Design Focus
• Network/Resource Access
• End-Point
• Regulated Data Focus

The data most valuable to you is rarely the most valuable data to an attacker. Can you predict where to defend?
The Digital Transformation Risks Data
[Slide built up in four steps; the final state is:]
More Data in More Places: Structured, Unstructured, Big Data, SaaS
More Apps are Available: Web Apps, Customer portal, Mobile Apps, Web Services or APIs
More People Can Access It: Knowledge Workers, Customers, Contractors, Privileged Users
More Bad Actors
Post Event Awareness: Data Breaches - Nov 2017
Sources: DatalossDB.Org, Privacy Rights Clearing House, Homeland Security

Visibility: 78% of CISOs are concerned that breaches go undetected (1)
Volume: 54% of organizations ignore security alerts and can’t keep up with the volume (2)
Expertise: 70% of CISOs name “lack of competent in-house staff” as their #1 concern in 2018 (3)

1. The Global CISO Study, ServiceNow, July 2017
2. Security Operations Challenges, Priorities, and Strategies, ESG, 2017
3. What CISOs Worry About in 2018, Ponemon Institute, January 2018
Technology Needs of Today, Extending Beyond the Designs of Yesterday
• Most of Yesterday’s Technology, plus:
• Cloud and On-Premises Coverage (serverless, containerized, etc.)
• API Security
• SecDevOps
• Web Application Security
• Database Security
• File Security
• Application of Machine Learning/Automation
• Staff Expertise
Inside OUT – Answering The Right Questions for Security and Incident Response

• Who Accessed the Data?
• When did they access it?
• How did they access it?
• Human or Application?
• Did they take anything?
• How much data did they access?
• Did they change anything?
• Did they modify the DB or File server?
• Did they access any sensitive data?
• Have they accessed this data before?
• What about their peers?
• Is this more data than they normally access?

[Slide diagram: the same three layers as before, Network/End User, Application, DB/File User, now viewed from the data outward. Actions recorded at the data layer: Creates DBA, Creates Admin, Escalates Rights, Deletes Data, Takes Data, Takes Data Quickly, Takes Data Slowly, Modifies Data, Encrypts Data, Redirects Data, Deletes Database, Moves Data.]

Start with data: it is what matters and what attackers target most often.
Does Your Cyber Security Design Start With What Matters Most?

DATA
Do you know where your sensitive data is?
Do you know if users should have access to your data?
Can you tell how much data they access?
Can you detect unusual data access in a reasonable time?
Do you have the necessary records for incident response?
(Mapped on the slide to GDPR Art 5, 25, 32, 33, 34, 35 and 44; PCI DSS Req 7.1, 8.5 and 10; MAS, NYDFS, HIPAA, SOX, FISMA, GLBA, HITECH, ISO 27001, etc.; NIST; SANS.)

APPS
Do you detect and mitigate application vulnerabilities?
Are vulnerable apps taken offline, or is the risk accepted?
Can your business tolerate a DDoS longer than hours?
Does your app security strategy level up periodically to detect changing attack methods (e.g. crypto-jacking, ransomware)?
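The data-layer questions on the Inside OUT slide (how much did they access, is it more than they normally access, what about their peers, creates DBA, takes data quickly or slowly) and the data checklist above (can you detect unusual data access in a reasonable time?) translate directly into detection logic over a database audit trail. The following is an added example, not code from this presentation or from any Imperva product: it runs four UEBA-style checks over a constructed audit log of (day, user, table, operation, rows) records. The field layout, the peer groups, the sensitive-table list and every threshold are assumptions; a real deployment would take the first from the database's native audit or an activity-monitoring agent, the second from IAM, and the third from data discovery.

```python
"""UEBA-style checks over a database audit trail (added example, not from the slides).

The audit records below are constructed, not real; peer groups, the sensitive-table
list and all thresholds are assumptions for the sake of the example.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

SENSITIVE_TABLES = {"patients"}                      # assumption: output of data discovery
PEER_GROUP = {"alice": "support", "bob": "support", "carol": "support",
              "dba1": "dba", "app_svc": "service"}   # assumption: roles from IAM
PRIV_OPS = {"CREATE USER", "GRANT", "ALTER USER"}    # "creates DBA" / "escalates rights"
VOLUME_FACTOR = 5    # assumption: a day > 5x own and peer median is "takes data quickly"
DRIP_FACTOR = 3      # assumption: a 7-day total > 3x the pre-window norm is "takes data slowly"
DRIP_DAYS = 7
MIN_HISTORY = 3      # assumption: at least 3 days of history before calling a baseline


def day(n):
    return date(2018, 7, n)


# Constructed audit trail: (day, user, table, operation, rows returned/affected).
AUDIT = []
for n in range(1, 11):
    AUDIT.append((day(n), "alice", "orders", "SELECT", 100))
    AUDIT.append((day(n), "carol", "orders", "SELECT", 100))
    AUDIT.append((day(n), "bob", "orders", "SELECT", 100 if n < 4 else 400))  # slow drip from day 4
    AUDIT.append((day(n), "app_svc", "patients", "SELECT", 2000))           # application, normal load
AUDIT += [
    (day(10), "alice", "patients", "SELECT", 5000),   # bulk pull of a table she never touched
    (day(10), "carol", "", "CREATE USER", 0),         # non-DBA creates an account
    (day(10), "dba1", "", "GRANT", 0),                # expected of a DBA, not flagged
]


def daily_totals(records):
    """user -> day -> rows, so volume is judged per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for d, user, _table, _op, rows in records:
        totals[user][d] += rows
    return totals


def baseline(totals, users, before):
    """Median daily row count over the given users' days strictly before `before`."""
    samples = [r for u in users for d, r in totals.get(u, {}).items() if d < before]
    return median(samples) if len(samples) >= MIN_HISTORY else None


def peers(user):
    group = PEER_GROUP.get(user)
    return [u for u, g in PEER_GROUP.items() if g == group and u != user]


def detect(records, target):
    """Return (user, kind, detail) alerts for the day `target`."""
    totals = daily_totals(records)
    alerts = []
    for user in list(totals):
        today = totals[user].get(target, 0)
        own = baseline(totals, [user], target)
        peer = baseline(totals, peers(user), target)
        # Takes data quickly: far above both the user's own norm and the peer group's.
        if own and today > VOLUME_FACTOR * own and (peer is None or today > VOLUME_FACTOR * peer):
            alerts.append((user, "volume", f"{today} rows vs baseline {own}/day"))
        # Takes data slowly: no single day trips the volume check, but the window total does.
        start = target - timedelta(days=DRIP_DAYS - 1)
        pre = baseline(totals, [user], start)
        window = [totals[user].get(start + timedelta(days=i), 0) for i in range(DRIP_DAYS)]
        if pre and max(window) <= VOLUME_FACTOR * pre and sum(window) > DRIP_FACTOR * pre * DRIP_DAYS:
            alerts.append((user, "slow_drip", f"{sum(window)} rows over {DRIP_DAYS} days vs {pre}/day"))
    # Sensitive data touched for the first time, and privilege changes by non-DBAs.
    seen = defaultdict(set)
    for d, user, table, _op, _rows in records:
        if d < target and table in SENSITIVE_TABLES:
            seen[user].add(table)
    for d, user, table, op, _rows in records:
        if d != target:
            continue
        if table in SENSITIVE_TABLES and table not in seen[user]:
            alerts.append((user, "new_sensitive_access", table))
        if op in PRIV_OPS and PEER_GROUP.get(user) != "dba":
            alerts.append((user, "privilege_change", op))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT, day(10)):
        print(*alert)
```

Run against the constructed log for day 10 it raises four alerts: alice for volume and for first-time access to a sensitive table, bob for the slow drip that never trips the daily threshold, and carol for a privilege change; app_svc, which pulls 2,000 patient rows every day, stays quiet because that is its baseline. The checks answer "is this more than they normally access" and "what about their peers" with nothing more than the audit trail plus a role map, which is why the deck's "do you have the necessary records" question comes first: none of this works if rows-returned and the executing principal are not being logged in the first place.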