KommITS Tech Day
John Enger, Manager, Sales Engineering
14 October 2015
Copyright © 2015 Raytheon Company. All rights reserved.

TRANSCRIPT

Page 1: KommITS Tech Day (title slide: John Enger, Manager, Sales Engineering, October 2015)

Page 2: Who am I?

John Enger, Manager, Sales Engineering, Benelux & Nordics
– 17-year IT security industry veteran
– 10 years with Websense
– [email protected]

Also attending from Websense today:
– Peter Tornqvist, Public Sector Sales
– Ragnar Modin, Sales Representative
– Patrik Birgersson, Sales Engineer

Page 3: Framing the Problem

Page 4: Legacy defences are full of holes!

Page 5: The Enemy is in your Blind Spots

– HTTPS / SSL (encrypted traffic that is not inspected)
– Spear phishing
– AD, SAM and password extraction
– Custom encryption (attacker-encrypted payloads and exfiltration that signature inspection cannot read)
– Malware

Page 6: Managing multiple systems is HARD!

Page 7: The Skills Gap continues to Grow

Demand for security professionals: 2.25 million (2013) rising to 4.25 million (2017).

Market indicators show the need for as many as 4.25 million security professionals by 2017, representing the potential for a 47% shortage in qualified personnel.

Source: 2013 (ISC)2 Global Information Workforce Study (slide annotation: = 250,000).

Page 8: Security incidents grow by 66% CAGR

© 2015 Websense, Inc.

Source: PwC, The Global State of Information Security® Survey 2014 & 2015.

Total number of security incidents detected by 9,700 survey respondents (chart values, earliest year to latest): 3.4 million, 9.4 million, 22.7 million, 24.9 million, 28.9 million, 42.8 million.

“One thing is very clear: Most organizations’ cyber security programs do not rival the persistence, tactical skills, and technological prowess of today’s cyber adversaries.”

Page 9: Nation-states, hackers, and organized crime groups are the cyber security villains that everybody loves to hate. BUT…

* PwC, The Global State of Information Security® Survey 2014 & 2015

Page 10: Employees are the most-cited culprits of incidents*

32% of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders.

* PwC, The Global State of Information Security® Survey 2014 & 2015

Page 11: It’s all about the data

Page 12: All recent examples

– Anthem Blue Cross
– Ashley Madison dating site
– Bonnier Publications
– CVS Pharmacies
– Experian
– Hacking Team
– Hilton Hotels
– Postnord ransomware
– UK.gov HM Revenue & Customs
– US.gov Census Bureau
– US.gov Internal Revenue Service
– US.gov Office of Personnel Management
– Various UK hospitals

The list goes on!

Page 13: What is the way out?

Page 14: Understanding how modern attacks work

Page 15: The 7 Stages of Advanced Attacks

01 Recon
02 Lure
03 Redirect
04 Exploit kit
05 Dropper file
06 Call home
07 Data theft

Page 16: The 7 Stages of Advanced Attacks

(Figure: the seven stages, Recon, Lure, Redirect, Exploit Kit, Dropper File, Call Home and Data Theft, drawn across the actors involved: on the attacker’s side the attacker, a compromised website, a web proxy and a control server; inside the target organisation an employee, the email server and the machine that ends up compromised.)

Page 17: Postnord example

Page 18: Postnord: Multiple Layers of Protection

(Figure: the seven-stage chain, 01 Recon to 07 Data Theft, reused for the Postnord case.)

Page 19: Postnord: Multiple Layers of Protection (continued)

(Figure: the seven-stage chain, 01 Recon to 07 Data Theft, reused for the Postnord case.)

Page 20: OPM Breach: Multiple Layers of Protection

(Figure: the seven-stage chain, 01 Recon to 07 Data Theft, reused for the OPM breach.)

Page 21: Finding the Solution

Page 22: Use Threat Modelling

A structured approach that enables you to identify, quantify and address security risks.

A good threat model enables you to:
– Identify key assets
– Identify data owners and threat actors
– Quantify the business impact of any realised risk
– Anticipate likely attacks before they happen
– Identify effective mitigations

Threat modelling is a process, not a product.

Page 23: Fundamentals to Success

1. What am I trying to protect?
2. How am I trying to protect it?
3. Does it make sense?
4. Is it cost effective?

Page 24: Questions, Questions…

Would you protect your staff laptops by keeping them in a bank vault?

Would you protect your database server by posting an armed guard next to it?

Is either of these really any different from investing in IT security solutions that don’t protect your assets?

If you spent so much money on a steel door for your house that you couldn’t afford any windows, have you really protected your home?

Is that really any different from using all your IT security budget to address only half the risk to the business?

Page 25: The wrong protection could derail you…

Page 26: Rethinking the Security Journey

(Figure: a maturity curve plotted against time, rising through four stages.)

Stages 1 and 2, Infrastructure (Perimeter) and Compliance (Baseline): FW/NGFW/UTM, SIEM, Anti-Virus, Device Encryption
Stage 3, Threat (Business Threat): Breach detection, Malware forensics, Threat intel feeds, Threat modelling
Stage 4, Business Risk (Data-centric risk): Full DLP/DTP, Data discovery, Data encryption, Behaviour analysis, Predictive analytics

Page 27: Perimeter security approach

(Figure: the perimeter security approach, shown as multi-layered security.)

Page 28: Data Security approach

(Figure: enforcement points and content classifiers.)

Page 29: The Enemy is in your Blind Spots (slide repeated from Page 5)

– HTTPS / SSL
– Spear phishing
– AD, SAM and password extraction
– Custom encryption
– Malware

Page 30: Websense Data Security

Page 31: Where can we protect?

Sensitive data exists in multiple contexts:

Data in Motion: data that is traversing a medium such as a network, via email, web, FTP and similar protocols.

Data in Use: data that is being used by a system or an operator via an application such as a browser or a word processor.

Data at Rest: data that is being stored on a medium such as a file share, a database or a user’s hard disk.

Page 32: Use plain language

The policy “Do not allow doctors to send patient records to…” decomposes into the rule properties the DLP engine needs:

– Action: Rule Properties | Severity: High; Action Plan: Block_All
– Who (From): Rule Properties | Source | Edit: Directory Entries
– What: Rule Properties | Condition | Add: PreciseID FP – DB Records
– How: Rule Properties | Destinations | Email, Web, HTTP/HTTPS, Chat
– Who (To): Rule Properties | Destinations | Email: All, Web: All

Page 33: Detection technologies

Page 34: Context-aware data-centric policies

Who: Human Resources, Customer Service, Finance, Accounting, Legal, Sales, Marketing, Technical Support, Engineering

What: Source Code, Business Plans, M&A Plans, Employee Salary, Patient Information, Financial Statements, Customer Records, Technical Document, Competitive Info

Where: Benefits Provider, Personal Web Storage, Blog, Customer, USB, Spyware Site, Business Partner, Competitor, Analyst

How: File Transfer, Instant Messaging, Peer-to-Peer, Print, Email, Web, Removable Media, Copy/Paste, Print Screen

Action: Audit, Notify, Remove, Quarantine, Encrypt, Block, Confirm
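The plain-language rule on Page 32 (doctors may not send patient records outside, with the records detected by fingerprinting a database) and the Who / What / Where / How / Action matrix above describe one evaluation. The Python below is an added example written for this transcript; it is not Websense code and does not come from the deck. It fingerprints a constructed patient table with salted hashes, counts a message as a patient-record hit only when two columns of the same row appear in it, and then walks a short rule list to pick the action. `PATIENT_RECORDS`, `INTERNAL_DOMAINS`, `SALT`, the `Message` and `Rule` classes and the rules themselves are assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample table standing in for the fingerprinted database
# ("PreciseID FP - DB Records" on the slide). All values are fictitious.
PATIENT_RECORDS = [
    {"patient_id": "P-1001", "surname": "Lindqvist", "dob": "1978-03-14"},
    {"patient_id": "P-1002", "surname": "Bergström", "dob": "1985-11-02"},
    {"patient_id": "P-1003", "surname": "Nilsson",   "dob": "1962-07-30"},
]
INTERNAL_DOMAINS = {"hospital.example"}   # assumption: what counts as "inside"
SALT = b"constructed-salt"                # assumption: per-deployment secret
TOKEN_RE = re.compile(r"\w[\w\-]*")

def _fingerprint(value: str) -> str:
    # Normalise (case, punctuation) and hash: only salted hashes leave the
    # database, so the classifier never holds the plaintext records.
    normalised = re.sub(r"\W", "", value.lower())
    return hashlib.sha256(SALT + normalised.encode("utf-8")).hexdigest()

def build_index(records):
    """fingerprint -> {(row, column)} for every cell of the table."""
    index = defaultdict(set)
    for row, record in enumerate(records):
        for column, value in record.items():
            index[_fingerprint(value)].add((row, column))
    return index

def match_db_records(text: str, index, min_columns: int = 2):
    """Rows whose values appear in `text` in >= min_columns different columns.
    Demanding two columns of the *same* row keeps a lone common surname from
    firing while surname + date of birth does."""
    columns_hit = defaultdict(set)
    for token in TOKEN_RE.findall(text):
        for row, column in index.get(_fingerprint(token), ()):
            columns_hit[row].add(column)
    return sorted(r for r, cols in columns_hit.items() if len(cols) >= min_columns)

@dataclass
class Message:          # one transmission seen at an enforcement point
    sender_group: str   # Who (from): directory group of the sender
    channel: str        # How: email, web, chat, usb, print ...
    destination: str    # Where: address or host the content is going to
    body: str           # What: the content to classify

@dataclass
class Rule:
    name: str
    severity: str
    action: str
    sources: set        # sender groups, or {"*"} for any
    channels: set       # channels, or {"*"} for any
    classifier: str     # content classifier that must fire
    external_only: bool = True   # only destinations outside INTERNAL_DOMAINS

RULES = [   # first matching rule wins, so the most specific rule goes first
    Rule("Do not allow doctors to send patient records outside", "High", "Block",
         {"Doctors"}, {"email", "web", "chat"}, "PatientRecords"),
    Rule("Audit any other movement of patient records", "Medium", "Audit",
         {"*"}, {"*"}, "PatientRecords", external_only=False),
]
FP_INDEX = build_index(PATIENT_RECORDS)

def is_external(destination: str) -> bool:
    return destination.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def classify(body: str, index=FP_INDEX) -> dict:
    """Content classifiers that fire on `body`, with their evidence."""
    hits = {}
    rows = match_db_records(body, index)
    if rows:
        hits["PatientRecords"] = rows
    return hits

def evaluate(msg: Message, rules=RULES, index=FP_INDEX) -> dict:
    hits = classify(msg.body, index)
    for rule in rules:
        if rule.classifier not in hits:
            continue
        if "*" not in rule.sources and msg.sender_group not in rule.sources:
            continue
        if "*" not in rule.channels and msg.channel not in rule.channels:
            continue
        if rule.external_only and not is_external(msg.destination):
            continue
        return {"action": rule.action, "severity": rule.severity,
                "rule": rule.name, "records": hits[rule.classifier]}
    return {"action": "Allow", "severity": None, "rule": None, "records": []}

if __name__ == "__main__":
    doctor_out = Message("Doctors", "email", "someone@webmail.example",
                         "Re patient Lindqvist (DOB 1978-03-14), see attached.")
    print(evaluate(doctor_out)["action"])   # Block
```

The two-column threshold is the design choice worth noting: a single fingerprinted value (a surname, a date) is too common to block on, while two values from the same row are strong evidence that the row itself was copied. Rule order matters too; the blocking rule for doctors goes first and the catch-all audit rule last, so an internal transfer still leaves an audit trail without being blocked.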

Page 35: OCR

• What is it? (OCR – Optical Character Recognition)
– Extract text from images and scanned documents for analysis
– Screenshots, smartphone / tablet photos
– Scanned documents, cheques, receipts and fax pages

(Figure: a picture containing PII; OCR analyzes the image text.) INDUSTRY FIRST

Page 36: Behavioral analytics

(Figure: a Data Risk Indicators view listing indicators of compromise, suspicious user activity, and a description of the behavior and rules that led to the warning flag.)

Page 37: Drip DLP

Old way: 1 x 1 analysis (each transmission judged on its own).
New way: analysis over time.

Examples:
– 1 customer record every hour from a PC to the web
– 1 or 2 records of confidential data per day
– Low and slow attacks below the radar

Drip DLP vs. standard DLP (INDUSTRY FIRST)

(Figure: a sequence of emails from John Doe to Joe Smith, subject “Customer Information”, sent at 12:02 PM, 1:15 PM, 2:32 PM, 3:42 PM and 4:57 PM, each carrying “a customer information” and the last one a card number, “Customer cc# 4321 1234 5678”. Standard DLP sees each as a low impact incident; Drip DLP correlates them into a high impact event.)
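Drip DLP as described above is cumulative analysis of one sender’s small leaks over a time window rather than a verdict on each transmission alone. The Python below is an added example written for this transcript, not Websense code and not from the deck. It reads a constructed stream of already-classified incident lines (timestamp, sender, channel, records seen), raises a standard per-event alert only when a single event exceeds a bulk threshold, and raises a drip alert when a sender’s records inside a sliding 24-hour window reach a much lower cumulative threshold. The thresholds, the line format and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed incident stream (not real data): one line per transmission that
# the content engine already classified, "timestamp sender channel records".
SAMPLE_EVENTS = """\
2015-10-14T09:10:00 ann.lee  web   1
2015-10-14T11:00:00 bob.ray  usb   40
2015-10-14T12:02:00 john.doe email 1
2015-10-14T13:15:00 john.doe email 1
2015-10-14T14:32:00 john.doe email 1
2015-10-14T15:42:00 john.doe email 1
2015-10-14T16:57:00 john.doe email 1
2015-10-15T09:30:00 ann.lee  web   1
"""

BULK_THRESHOLD = 10        # assumption: records in ONE event for a standard alert
DRIP_THRESHOLD = 5         # assumption: cumulative records per sender per window
WINDOW = timedelta(hours=24)

def parse_events(text: str):
    """Parse the constructed line format into (ts, sender, channel, records)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, channel, records = line.split()
        events.append((datetime.fromisoformat(ts), sender, channel, int(records)))
    return sorted(events)   # analysis over time needs time order

def detect(events):
    """Return alerts: 'bulk' is classic 1 x 1 DLP, 'drip' is analysis over time."""
    alerts = []
    history = defaultdict(deque)   # sender -> recent (ts, records) inside WINDOW
    for ts, sender, channel, records in events:
        if records >= BULK_THRESHOLD:          # standard DLP fires on this alone
            alerts.append({"kind": "bulk", "sender": sender, "channel": channel,
                           "records": records, "first": ts, "last": ts})
            continue
        window = history[sender]
        window.append((ts, records))
        while window and window[0][0] <= ts - WINDOW:   # evict stale events
            window.popleft()
        total = sum(r for _, r in window)
        if total >= DRIP_THRESHOLD:            # low and slow, but it adds up
            alerts.append({"kind": "drip", "sender": sender, "channel": channel,
                           "records": total, "events": len(window),
                           "first": window[0][0], "last": ts})
            window.clear()                     # start a fresh window after alerting
    return alerts

def run(text: str = SAMPLE_EVENTS):
    return detect(parse_events(text))

if __name__ == "__main__":
    for a in run():
        print(a["kind"], a["sender"], a["records"], a["first"], a["last"])
```

In the sample, bob.ray’s single 40-record USB copy trips the per-event rule the way any DLP would, while john.doe’s five one-record emails never do; only the window total catches him at the fifth email. The eviction loop is what keeps the window honest: ann.lee’s two single records are more than 24 hours apart, so the first is dropped before the second is counted and no alert fires.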

Page 38: IP and Compliance policies

(Figure: the policy library, with an explanation, the types of IP to secure, and compliance & regulations.)

Page 39: New EU Legislation Covering Data Security

Page 40: EU Data Security Legislation Summary

The new EU data protection regulation is intended to replace the 1995 Data Protection Directive (95/46/EC).

The motivation is ultimately to give a boost to business while maintaining privacy rights for individuals.

Link to the EU: http://www.consilium.europa.eu/en/policies/data-protection-reform/data-protection-regulation/

Modern data protection rules: giving a boost to businesses

“In 2011, the data of EU citizens was worth EUR 315 billion. This has the potential to grow to nearly EUR 1 trillion by 2020. Yet to fully unlock the value of data, we will have to ensure we have a true digital single market. Our reform does just that. It is a market opener.”
Martine Reicherts, EU Justice Commissioner

Page 41: Who, What, When?

Q: Who will the new legislation apply to?
A: All companies established in the EU, plus any company not established in the EU that offers goods or services within the EU or monitors the online behaviour of EU citizens.

Q: What is the difference between an EU “Directive” and an EU “Regulation”?
A: A “directive” is a legislative act that sets out a goal that all EU countries must achieve; the individual countries decide how to reach the goal. By contrast, a “regulation” is a binding legislative act which must be applied in its entirety across the EU.

Q: How much time do we have to complete our implementation?
A: There will be a two-year implementation period from the legislation passing into law, to help businesses prepare in a controlled manner.

Page 42: What are the main changes?

NOTE: THIS MAY CHANGE! These details are the current status; however, the text is still under trilogue discussion and some details may change.

– Companies that process the data of more than 5,000 data subjects will be required to have a Data Protection Officer.
– Mandatory disclosure of incidents within 72 hours to the local regional body (the supervisory authority).
– Businesses will need to know WHAT was stolen. Not knowing what was stolen, or being notified of a breach by third parties, will be considered negligent, which means bigger fines. (From a DPO point of view, this makes data security solutions critically important!)
– Maximum fines of up to 1m euro or 2% of worldwide revenue. Although a reduction from earlier fine levels, it seems the cost/benefit of the fine level has been modelled against the likelihood of achieving the desired result: if the fines are too big, organisations will be encouraged to mount a legal challenge instead of accepting the punishment.
– The Data Controller and the Data Processor will both be accountable.
– “Right to be Erased” requirement.
– Stricter rules for consent to use personal data: explicit consent must be obtained rather than assumed.
– Easier access to personal data, plus the right to data portability.

Page 43: How Websense Products Can Help

A number of specific legislative articles directly encourage business to implement data security solutions, including (article numbers as in the draft text under discussion at the time):
– Article 30, Security of processing: “…shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks…”
– Article 31, Notification of a personal data breach to the supervisory authority (24h or 72h time limit, depending on the draft)
– Article 32, Communication of a personal data breach to the data subject
– Article 33, Data protection impact assessment

Each of the articles above is directly addressed by Data Loss and Data Theft protection solutions.

Page 44: Would you like to know more?

Websense “Office of the CSO”: a team of proven security leaders.

Pro-bono services available:
– Threat Strategy Assessments
– Security Framework Reviews
– CSO “Toolkit for Success”
– Custom Consultations
– Best Practice Sharing Summits

www.websense.com/cso (automatically redirects to http://www.websense.com/content/websense-office-of-the-cso.aspx)

Page 45: Summary

– Legacy defences don’t work against modern threats.
– Real-time content analysis and security scanning are required.
– Remember the 4 key questions!
– DLP solutions are your last (and often your BEST) line of defence against modern targeted attacks.

Page 46: Thank you for listening! (Swedish: “Tack för att ni har lyssnat!”)