Date posted: 18-Nov-2014
Category: Technology
Uploaded by: marc-crudgington
Data Security: Why You Need Data Loss Prevention & How to Justify It
Marc Crudgington, Vice President, Information Security
Agenda
1. Impact of Cyber Crime on our Economy
2. Cost Companies are Incurring
3. Who are the Threat Actors
4. Data Loss Prevention Strategy
5. Data Loss Prevention Ecosystem
6. Hidden Benefits of Data Loss Prevention
7. Justifying a Data Loss Prevention Strategy
US Economy
[Pie chart: Jobs in US Economy by sector (IP Intensive, Finance, Healthcare, Energy, Other); segments shown as 28%, 8%, 10%, 8% and 46%. Sources: 1, 2, 3]
Impact on US Industries
IP Intensive
• IP: 70% of value of public companies
• Annual losses: estimated over $300B
• China: +$107B sales and +2.1M jobs
Finance / Business
• 2013: 856 reported breaches
• Q1 2014: 98.3% of data exposed
• 37%: breaches affected the sector
Healthcare
• 43%: ITRC account of breaches
• 2013: 8.8M records stolen
• 1.8M: victims of identity theft
Sources: 3, 4, 5
US Economy: Loss Estimates
• 1M+ jobs lost and a $200B cost in 2010, based on an estimate of 5,080 jobs per $1B
• 0.5% ($70B) or 1% ($140B) of National Income; globally, $350B or $700B
• Healthcare: $7B for HIPAA 2013 losses
• SMBs: 80% file bankruptcy or suffer significant financial losses
• S&P 500: $136.5B due to the AP Twitter hack
Sources: 6, 7, 9
Past Data Breaches (2011 – 2014)
• Adobe – 152M (IDs, passwords, data)
• Epsilon – $4B, names/email
• Saudi Aramco – 30,000+ PCs infected
• Target – 110M affected; CEO/CIO gone
• eBay – 145M credentials
Source: 9
Per Record Cost of Breach
Year   Cost per record
2014   $201
2013   $188
2012   $194
2011   $214
Source: 6
Per Cyber Incident Cost
Associated Costs

Enterprises
  Incident    - Professional services   $109k
              - Business opportunity    $457k
  Prevention  - New IT security         $57k
              - Training                $26k
  Total                                 $649k

SMBs
  Incident    - Professional services   $13k
              - Business opportunity    $23k
  Prevention  - New IT security         $9k
              - Training                $5k
  Total                                 $50k

Attack Type   Enterprise   SMB
  Targeted    $2.4M        $92k
  Phishing    $57k         $26k
  DDoS        $57k         $26k
Source: 8
Malicious Cyber Activity
• Loss of IP and confidential information
• Cybercrime
• Loss of sensitive business information (stock market manipulation)
• Opportunity costs, including service and employment disruptions, and reduced trust for online activities
• The additional cost of securing networks, insurance, and recovery from cyber attacks
• Reputational damage
Malicious Software
• Third-party apps: 87% of vulnerabilities in 2012
• 315,000 new malicious programs per day
• 132 million applications at risk recorded in 2012
• Malicious software: 500,000 devices in 100 seconds
• Though 58% report IT security is under-resourced, and 40% under-prepared
Source: 8
Threat vs. Risk
What are your Risks?
Risk
• Probability: the likelihood that the event happens to your corporation
• Impacts: the outcomes (+ or -) the event creates for your corporation
Who are your Threats?
Threat
• Cause: the adversary’s determination to inflict damage; accepts success or failure
• Ability: the adversary’s resources to breach the target and inflict damage
Threat Actors:
• Criminals
• Nation-states
• Corporations
• Hacktivists
• Extremists
• Insiders
Animals, ‘Kids’, and the Guy/Gal sitting next to you
Threat Actors: Animals
• Criminals
  • Associated with the Russian Federation and eastern European countries, but global as well
  • Extort and/or sell data to others
  • Strategic Web Compromise, botnets, phishing, …
• Nation-states
  • Testing war-time capabilities
  • Spying, stealing, disrupting
  • SWC, DDoS, malware, …
Threat Actors: ‘Kids’
• Extremists
  • Fanatics of ideas that create identity
  • Create terror or fear
  • Al-Qaida, Jihad
• Hacktivists
  • Wrong to a group (country, people, ‘under-dog’)
  • Brazil World Cup, Sochi, Iranian election
  • Anonymous, LulzSec, AntiSec, others
Threat Actors: Guy/Gal…
• Insiders
  • Greed, hurt by the corporation/organization
  • Expertise – built it, admin, system knowledge
  • Accounts for about 15% of breaches
• Corporations
  • Economic intelligence, sabotage
  • IP theft, copying, infringement, duplicating
  • Easier to steal it; not just China (Silicon Valley)
Sources: 10, 11
DLP Strategy
• Result – What do you want to achieve?
• People – Who are the resources we’ll need?
• Processes – What’s in place? What’s not in place?
• Technology – Minimal disruption with greatest coverage
• Leverage – Utilize others for what they know
“In preparing for battle I have always found that plans are useless, but planning is indispensable.” ~Dwight D. Eisenhower
DLP Strategy
• Result
  • Align DLP to the protection strategy; KPIs
  • Evaluate for comprehensive solutions
  • Buy-in from key stakeholders
• People
  • Roles – clearly define them
  • Data owners/users – culture and importance of data
  • Expertise – internal and external
• Processes
  • Assess controls and business impact (HR issues)
  • Must have a Data Classification program
  • Supporting business processes
DLP Strategy
• Technology
  • Take steps, implement methodically
  • Next-gen products for maximum coverage
  • Over-estimate
  • Silver bullets do not exist
• Leverage
  • Vendors for implementation expertise
  • Like companies for solutions
  • Information sharing groups
DLP Strategy
Warning Signs
• Implementing a workforce reduction
• Employees regularly export data
• Sensitive data resides across the enterprise
• Outside vendor/contractor accesses sensitive data
• Unmonitored/uncontrolled mobile devices
• Stock lower, product end, company sale
DLP Ecosystem
Data protection should be…
• At rest
• In motion
• On endpoints
DLP Program components:
• Data Governance
• Regulatory
• Classification
• Policies
• Tools
• Discovery
• Training
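Classification, Policies and Discovery are the components where a DLP program becomes something that can actually be run against data at rest. As an added illustration that is not part of the original deck, here is a minimal content-discovery scan in Python: it looks for card numbers and US SSNs in a constructed sample document, validates card candidates with the Luhn checksum to cut false positives, maps each hit to a classification label under an assumed policy, and masks the values in its findings so the report itself does not become sensitive data. The regexes, the labels and the sample text are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of "data at rest", the kind of file a discovery scan crawls on a share.
SAMPLE_DOCUMENT = """\
Customer export 2014-11
Name: J. Doe  SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Ticket ref: 4111 1111 1111 1112 (looks like a card, fails Luhn)
Phone: 555-0100
"""

@dataclass
class Finding:
    data_class: str  # classification label assigned by policy
    kind: str        # which detector fired
    masked: str      # value with all but the last four digits masked

# Assumed classification policy: detector -> label (labels are not from the deck).
POLICY = {"credit_card": "Restricted", "ssn": "Restricted"}

# Candidate patterns; a regex alone over-matches, so card hits are checksum-validated below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the findings report is safe to circulate."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str) -> list:
    """Discovery pass over one document: returns classified, masked findings."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(Finding(POLICY["credit_card"], "credit_card", mask(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(Finding(POLICY["ssn"], "ssn", mask(m.group())))
    return findings
```

Running `scan(SAMPLE_DOCUMENT)` yields two Restricted findings (one card, one SSN); the second card-like number is dropped by the Luhn check, which is the kind of tuning that keeps a discovery tool from drowning the team in false positives.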
Benefits of DLP
• Flexible Security
• Data Visibility
• Limit Liability
• Prepared for… Cloud and Mobile
• Detect Malicious Events
• Compliance
• Employee Monitoring
Justifying DLP
• Bottom-up approach
  • Discuss with divisions, incremental budget
• Present risks
  • Current and potential
• Utilize security trends
  • Breach size, frequency, cost
• Cost of not having
  • Quantified vs. qualified
• Due diligence
  • Assets, strategy, vendors, costs
Justifying DLP
• What are the regulatory requirements?
  • State, federal, industry, customer
• Innovation cost
  • Product development
• Present benefits
  • Internal and external
• Thought-out project plan
  • Don’t over-sell, over-promise
• Use truth tactics
  • Stock price, WSJ articles, C-level firings, fines, prison
Do you have any questions?
Thank You!
Bibliography
1. The State of American Energy 2013 Report, http://www.api.org/~/media/Files/Policy/SOAE-2013/SOAE-Report-2013.pdf
2. Select USA, Commerce.gov, Industry Snapshots, http://selectusa.commerce.gov/industry-snapshots
3. The IP Commission Report, National Bureau of Asian Research, May 2013
4. Financial Institutions Privacy and Security – 2013 Year in Review, January 7, 2014, Anne Foster and Gerald Ferguson, Data Privacy Monitor
5. 2014 Data Breach Industry Forecast, Experian
6. 2014 Ponemon Study
7. The Economic Impact of Cybercrime and Cyber Espionage, McAfee, July 2013
8. IT Security by the Numbers: Calculating the Total Cost of Protection, Kaspersky Lab
9. Counting the Cost: A Meta-analysis of the Cost of Ineffective Business Continuity, The Business Continuity Institute, Patrick Alcantara, 2014, www.bcifiles.com/BCI-CountingtheCost.pdf
10. CrowdStrike Global Threat Report: 2013 Year in Review, CrowdStrike
11. Verizon 2014 Data Breach Investigations Report, Verizon Corp, 2014