
Page 1: Cyber Security by Design - ETDA

© 2018 Imperva, Inc. All rights reserved.

Cyber Security by Design

Terry Ray – CTO – Imperva Inc.

July 22, 2018

Page 2

Who is Imperva?

– Imperva is a leading provider of data and application security solutions that protect business-critical information in the cloud and on-premises.

We Protect What Matters Most

– Data are the intellectual property and applications are what run the business.

– Imperva has a singular purpose: protect these critical assets from the ever-changing attacks of the cybercrime industry.

Page 3

Terry Ray – Chief Technology Officer, Imperva

– Frequent speaker at industry events

– RSA, Gartner, ISSA, OWASP, ISACA, IANS, CDM, NLIT, The American Petroleum Institute, others…

– Expert commentary in news media

– Quoted publications include: Security Week, SC Magazine, CBS News, the BBC, Dark Reading, others…

– Develop and articulate Imperva’s technical vision and strategy

– Worked on hundreds of data security projects with customers and regulators from every industry

Page 4

Agenda

• Cyber Security Designs of Yesterday

• Today’s Design Requirements

• Getting to Today and Tomorrow

Page 5

Yesterday’s Old Behavior and Technology

• Network Firewalls

• Anti-Virus/Malware

• Full Disk/Data Encryption

• E-mail Gateways

• Web Proxy Gateways

• Intrusion Detection/Protection Systems

• Identity Access Management

• Security Incident and Event Management

• Anti-Fraud

• Device Logs

Like water, adversaries most commonly take the path of least resistance.

Page 6

Data Breaches May 2017 to April 2018, >10,000 Records

Organizations shown on the slide: Panera Bread; Lord & Taylor's, Saks; Under Armour; Orbitz; Primary Health Care, Inc.; BJC Healthcare; Special Agents Mutual Benefit; ATI Holdings, LLC and its subsidiaries; Barnes-Jewish St. Peters Hospital; Barnes-Jewish Hospital #2; Kansas Department for Aging; St. Peter's Ambulatory Surgery Center; Massachusetts Department of Revenue; Southern National Bancorp of Virginia; FedEx; Tufts Associated Health Maintenance; Flexible Benefit Service Corporation; CarePlus Health Plan; The Sacramento Bee; Triple-S Advantage, Inc.; Department of Homeland Security; Decatur County General Hospital; Member First Mortgage, LLC; OnePlus; Jason's Deli - Deli Management, Inc.; Guaranteed Rate, Inc.; Onco360 and CareMed Pharmacy; Broward College; talentReef, Inc.; Agency for Health Care Administration; OSU Center for Health Sciences; Rea.deeming Beauty, Inc; RBC Royal Bank; SSM Health; Longs Peak Family Practice, P.C.; Ancestry's RootsWeb.com; Oklahoma Dept of Human Services; Stanford University; TIO Networks; Sinai Health System; Imgur; Uber; Pizza Hut; Tarte Cosmetics; We Heart It; Catholic United Financial; T-Mobile; Chase Brexton Health Care; Arkansas Oral Facial Surgery; Briggs & Stratton Corporation; SVR Tracking; Arkansas Department of Medicaid; Equals3; ABB, Inc.; Network Health; Equifax Corporation; BroadSoft; CBS Consolidated, Inc.; MongoDB; Hand & Upper Extremity Centers; Adult Internal Medicine of Scottsdale; MetroPlus Health Plan, Inc.; The Neurology Foundation, Inc.; McLaren Medical Group (MMG); Oncology Hematology Consultants; Aetna; St. Marks Surgery Center; Mid-Michigan Physicians Imaging Ctr; St. Mark's Surgery Center; Oncology Consultants, P.A.; Northeast OB/GYN Associates; Institute for Women's Health; Pacific Alliance Medical Center; UCLA; Surgical Dermatology Group; Bloomberg; Shelby County Tennessee; Wells Fargo; Anthem; Plastic Surgery Assc of South Dakota; Anthem Blue Cross Blue Shield; Women's Health Care Group of Penn; Kansas Department of Commerce; UC Davis Health; Women's Health Care Group of PA; Verizon; White Coats Wellness; Peachtree Neurological Clinic, P.C.; University of California Davis Health; PVHS-ICM Emp Health and Wellness; Enterprise Services LLC; Cleveland Medical Associates, PLLC; Tampa Bay Surgery Center; Deep Root Analytics; Torrance Memorial Medical Center; Family Tree Health Clinic; Airway Oxygen, Inc.; Oklahoma University; Dr. Zain Kadri; Florida Department of Agriculture.

Sources: DatalossDB.Org, Privacy Rights Clearing House, Homeland Security

Page 7

Outside IN – Answering The Wrong Questions for Today

Diagram labels (access layers): Network/End User; Application; DB/File User.

Diagram labels (data activity): Creates DBA; Deletes Data; Takes Data Quickly; Modifies Data; Encrypts Data; Redirects Data; Deletes Database; Takes Data Slowly; Moves Data.

Diagram labels (security controls): User and Entity Behavior Analytics; Selective Native System Logs; Identity Access Management; Anti-Malware; SIEM; Firewalls.

Diagram labels (data types): PCI; Health Data; Phone Numbers; Names; Addresses; Birthdates; Regional ID numbers.

• Who Accessed the Data?

• When did they access it?

• How did they access it?

• Was it a Human or Application?

• Did they take anything?

• How much data did they access?

• Did they change anything?

• Did they modify the DB or File server?

• Did they access any sensitive data?

• Have they accessed this data before?

• What about their peers?

• Is this more data than they normally access?

Answering some questions is “nice”, but what’s the value if you can’t answer the questions that must be answered to detect a breach?

Page 8

Traditional Cyber Security Design Focus

• Network/Resource Access

• End-Point

• Regulated Data Focus

The data most valuable to you is rarely the most valuable data to an attacker. Can you predict where to defend?

Page 9

The Digital Transformation Risks DATA

Page 10

More Data in More Places: Structured; Unstructured; Big Data; SaaS

Page 11

More Apps are Available: Web Apps; Customer portal; Mobile Apps; Web Services or APIs

Page 12

More People Can Access It: Knowledge Workers; Customers; Contractors; Privileged Users

Page 13

More Bad Actors

Page 14

Post Event Awareness: Data Breaches - Nov 2017

Sources: DatalossDB.Org, Privacy Rights Clearing House, Homeland Security

Page 15

Visibility: 78% – CISOs concerned that breaches go undetected [1]

Volume: 54% – Organizations ignore security alerts and can’t keep up with the volume [2]

Expertise: 70% – CISOs’ #1 concern in 2018: “Lack of competent in-house staff” [3]

1. The Global CISO Study, ServiceNow, July 2017

2. Security Operations Challenges, Priorities, and Strategies, ESG, 2017

3. What CISOs Worry About in 2018, Ponemon Institute, January 2018

Page 16

Technology Needs of Today, Extending Beyond The Designs of Yesterday

• Most of Yesterday’s Technology Plus

• Cloud and On-Premises Coverage – Serverless, Containerized, etc.

• API Security

• Sec/DevOps

• Web Application Security

• Database Security

• File Security

• Application of Machine Learning/Automation

• Staff Expertise

Page 17

Inside OUT – Answering The Right Questions for Security and Incident Response

• Who Accessed the Data?

• When did they access it?

• How did they access it?

• Human or Application?

• Did they take anything?

• How much data did they access?

• Did they change anything?

• Did they modify the DB or File server?

• Did they access any sensitive data?

• Have they accessed this data before?

• What about their peers?

• Is this more data than they normally access?

Diagram labels (access layers): Network/End User; Application; DB/File User.

Diagram labels (data activity): Creates DBA; Deletes Data; Takes Data Quickly; Takes Data; Takes Data Slowly; Modifies Data; Encrypts Data; Redirects Data; Deletes Database; Moves Data; Creates Admin; Escalates Rights.

Start with data: it is what matters and what attackers target most often.
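The question list on this slide and on the "Outside IN" slide is, in effect, a specification for a data-access review. The following is an added example, not code from the deck or from Imperva's products: a small Python script that replays a constructed database audit log and answers those questions for each access (who, when, application or interactive client, read or write, sensitive table, first time on this table, more than the user's own baseline, more than peers in the same role), reporting only accesses that are unusual on several axes at once. The log format, the user, role, client and table names, the sensitive-table classification, the approved-client list and the thresholds are all assumptions made for the example.

```python
"""Data-first access review over a constructed database audit log.

Added example for this deck (not Imperva's code): every record is scored
against the slide's questions using only the records that precede it, so
the per-user and per-role baselines build up as the log is replayed.
Users, clients, tables, classification and thresholds are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed audit records: timestamp user role client operation table rows
AUDIT_LOG = """\
2018-07-20T09:01:12Z alice analyst reporting_app SELECT customers 120
2018-07-20T09:15:40Z alice analyst reporting_app SELECT orders 300
2018-07-20T10:02:03Z bob analyst reporting_app SELECT customers 150
2018-07-20T10:30:55Z bob analyst reporting_app SELECT orders 280
2018-07-20T11:12:09Z carol dba sql_client CREATE_ROLE pg_authid 1
2018-07-21T09:03:31Z alice analyst reporting_app SELECT customers 110
2018-07-21T09:44:27Z bob analyst reporting_app SELECT customers 160
2018-07-21T22:47:05Z alice analyst sql_client SELECT patients 25000
"""

SENSITIVE_TABLES = {"customers", "patients"}  # data classification (assumed)
APPROVED_CLIENTS = {"reporting_app"}  # application access; anything else is an interactive (human) client
FINDING_SCORE = 3  # number of unusual traits before an access is reported (assumed)


@dataclass
class Access:
    ts: str
    user: str
    role: str
    client: str
    op: str
    table: str
    rows: int


@dataclass
class Finding:
    access: Access
    reasons: list


def parse_log(text):
    """Parse the whitespace-separated audit format into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, client, op, table, rows = line.split()
        records.append(Access(ts, user, role, client, op, table, int(rows)))
    return records


def review(records, sensitive=SENSITIVE_TABLES, approved=APPROVED_CLIENTS,
           z=3.0, score=FINDING_SCORE):
    """Replay the log in order; a single trait (e.g. a first read of a table)
    is recorded as a reason but only `score` or more traits raise a finding."""
    own_rows = defaultdict(list)   # user -> row counts of earlier accesses
    peer_rows = defaultdict(list)  # role -> row counts of earlier accesses by that role
    seen = set()                   # (user, table) pairs already accessed
    findings = []
    for r in records:
        reasons = []
        if r.client not in approved:
            reasons.append(f"interactive client {r.client} (human, not application)")
        if r.op != "SELECT":
            reasons.append(f"non-read operation {r.op}")
        if r.table in sensitive:
            reasons.append(f"sensitive table {r.table}")
        if (r.user, r.table) not in seen:
            reasons.append("first access by this user to this table")
        hist = own_rows[r.user]
        if len(hist) >= 2 and r.rows > mean(hist) + z * max(pstdev(hist), 1.0):
            reasons.append(f"{r.rows} rows against own baseline of {mean(hist):.0f}")
        peers = peer_rows[r.role]
        if peers and r.rows > z * max(peers):
            reasons.append(f"{r.rows} rows exceeds peer maximum of {max(peers)}")
        if len(reasons) >= score:
            findings.append(Finding(r, reasons))
        # Update baselines only after scoring, so a record never compares against itself
        seen.add((r.user, r.table))
        own_rows[r.user].append(r.rows)
        peer_rows[r.role].append(r.rows)
    return findings


def report(findings):
    """Render findings as lines an incident responder can read."""
    lines = []
    for f in findings:
        a = f.access
        lines.append(f"{a.ts} {a.user} ({a.role}) {a.op} {a.table} {a.rows} rows via {a.client}")
        lines.extend(f"    - {reason}" for reason in f.reasons)
    return lines


if __name__ == "__main__":
    print("\n".join(report(review(parse_log(AUDIT_LOG)))))
```

Run stand-alone, the script reports two of the eight accesses: the DBA's role creation from an interactive client, and the analyst's late-night bulk read of a sensitive table she had never touched before, at a volume far above both her own history and her peers'. The routine reads through the reporting application never reach the threshold, which is the point of scoring on several questions together rather than alerting on any one of them.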

Page 18

Does Your Cyber Security Design Start With What Matters Most?

DATA

Do you know where your sensitive data is?

Do you know if users should have access to your data?

Can you tell how much data they access?

Can you detect unusual data access in a reasonable time?

Do you have the necessary records for incident response?

Related requirements: GDPR Art 5, Art 25, Art 32, Art 33, Art 34, Art 35, Art 44; PCI Req 7.1, Req 8.5, Req 10; MAS, NYDFS, HIPAA, SOX, FISMA, GLBA, HITECH, ISO 27001, etc.; NIST; SANS.

APPS

Do you detect and mitigate application vulnerabilities?

Are vulnerable apps taken offline, or is the risk accepted?

Can your business tolerate a DDoS longer than hours?

Does your app security strategy level up periodically to detect changing attack methods (e.g. crypto-jacking, ransomware)?

Page 19