© 2015 IBM Corporation
Fight Insider Threats & Protect Your Sensitive Data
Marco Ercolani
Data is challenging to secure
A look at security incidents
Cost of a Data Breach
Data Governance and Security
Understand the data in order to protect it
The Problem: Data is challenging to secure
DYNAMIC: Data multiplies continuously and moves quickly
DISTRIBUTED: Data is everywhere, across applications and infrastructure
IN DEMAND
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015 and 2014 IBM Chief Information Security Officer Assessment
83% of CISOs say that the challenge posed by external threats has increased in the last three years
Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents
Relentless Use of Multiple Methods
800,000,000+ records were leaked, while the future shows no sign of change
“Insane” Amounts of Records Breached
42% of CISOs
What is a data breach?
A breach is defined as an event in which an individual’s name plus a medical record and/or a financial record or debit card is potentially put at risk—either in electronic or paper format.
What is a compromised record?
We define a record as information that identifies the natural person (individual) whose information has been lost or stolen in a data breach.
Examples can include a retail company’s database with an individual’s name
According to Ponemon Institute, the cost of a data breach to global organizations is on the rise
Source: Ponemon Institute Cost of Data Breach Study
$154: Average cost per record compromised
23% increase: Total cost of a data breach, net change over two years
$3.79 million: Average total cost per data breach
Average per capita cost: $136 (FY 2013), $145 (FY 2014), $154 (FY 2015); chart labels: up 6%, up 7%
Certain industries have higher data breach costs
Source: Ponemon Institute Cost of Data Breach Study
Time to identify and contain data breaches impacts cost
Source: Ponemon Institute Cost of Data Breach Study
Overwhelmingly, survey respondents identify evasion of existing security controls as a key reason for breaches
Other: 3%
Lack of accountability: 6%
Lack of data classification: 7%
Incomplete knowledge of where sensitive data exists: 12%
Poor leadership: 15%
Third-party vetting failure: 20%
Lack of in-house expertise: 35%
Insufficient funding: 37%
Evaded existing preventive security controls: 65%
Security leaders are more accountable than ever before
Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series
Concerns shown:
• Loss of market share and reputation
• Legal exposure
• Audit failure
• Fines and criminal charges
• Financial loss
• Loss of data confidentiality, integrity and/or availability
• Violation of employee privacy
• Loss of customer trust
• Loss of brand reputation
Roles shown: CEO, CFO/COO, CIO, CHRO, CMO
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Attack types and industries
Recent data from IBM Security Services shows 55% of all attacks were found to be carried out by malicious insiders or inadvertent actors
Two types of data
1) Data that someone wants to steal
What data do people want to steal?
PCI: The Payment Card Industry Data
PHI: Protected health information is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual
PII: Personally identifiable information is any data that could potentially identify a specific individual
Data Governance and Security are changing rapidly
Data Explosion
Everything is Everywhere
Attack Sophistication
Extending the perimeter; focus shifts to protecting the DATA
Moving from traditional perimeter-based security (Firewall, Antivirus, IPS)…
…to logical “perimeter” approach to security—focusing on the data and where it resides
• Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently
• Focus needs to shift from the perimeter to the data that needs to be protected
Our philosophy:
Value: Is it used? How often? By who?
Risk: Sensitivity, Exposure, Volumes
Lifecycle: Production, Test/Dev, Archive, Analysis
Relevance: How old is it? Is it still being used? Who owns the data?
DATA
Data Security 101
Axes: Value for the Business, Risk to the business
Above the line: High value data with low (or at least acceptable) risk levels
Below the line: Risk levels are too high given the business value of the data
Low Value, High Risk: Dormant table with sensitive data
Low Value, Low Risk: Temp table with no sensitive data
High Value, High Risk: Table with sensitive data that is used often by business application
High Value, Low Risk: Table with no sensitive data that is used often by an important business application
Need to understand the data in order to protect it
Axes: Value to the Business, Risk
The Goal: Reduce risk and get all data elements above the ‘acceptable risk’ line
Data at Rest
Configuration Data
Data in Motion
Where is the sensitive data?
How to protect sensitive data to reduce risk?
How to secure the repository?
Entitlements
Reporting
Activity Monitoring
Blocking
Quarantine
Dynamic Data Masking
Vulnerability Assessment
Who should have access?
What is actually happening?
How we do it?
Masking
Encryption
Discovery
Classification
How to prevent unauthorized activities?
How to protect sensitive data?
Define Security Policies
Dormant Data
Dormant Entitlements
Streamline Compliance
Physical security is just as important as digital monitoring