Managing Business Risks & Protecting Your Critical Data
Know Your Cyber Enemy, Know Yourself
Today's cybersecurity drivers: compliance, human error, skills gap, advanced attacks, innovation
2013: 800+ million records breached
2014: 1+ billion records breached
2015: unprecedented high-value targets breached
Attackers break through conventional safeguards every day.
$6.5M: average cost of a U.S. data breach
256 days: average time to detect an APT
V2016-2-11
The cost of a data breach continues to rise

Cost per record
  Global average: $158 (up 15% since 2013)
  Highest countries: United States $221, Germany $213
  Lowest countries: Brazil $100, India $61

Cost per incident
  Global average: $4M (up 29% since 2013)
  Highest countries: United States $7M, Germany $5M
  Lowest countries: South Africa $1.8M, India $1.6M

Currencies converted to US dollars. Source: 2016 Cost of Data Breach Study: Global Analysis, by Ponemon Institute
The per-record cost of a data breach varies widely by industry
Average cost per record breached (currencies converted to US dollars):
  Public $80
  Research $112
  Transportation $129
  Media $131
  Consumer $133
  Hospitality $139
  Technology $145
  Energy $148
  Industrial $156
  Communications $164
  Retail $172
  Life science $195
  Services $208
  Financial $221
  Education $246
  Healthcare $355
Healthcare and financial services experienced the largest costs.
Source: 2016 Cost of Data Breach Study: Global Analysis, by Ponemon Institute
Are you doing enough to protect the data that runs your business?
70% of your company's value likely lies in intellectual property: customer data, product designs, sales information, proprietary algorithms, communications, etc. (Source: TechRadar)
90+% of breaches go after data in servers. Regardless of the attack vector, the hacker's goal is to get privileged access to valuable data. (Source: Verizon reports)
Critical data: only ~2% of all data
It's all about the data.
Shift from protecting the infrastructure to protecting the data
Where the data lives: file shares, servers, applications, storage, databases, endpoints
Three drivers
1. Regulation: data privacy regulations; asking the right questions
2. Data breaches: attention to exposed data; focus on data-related risks
3. Cloud: no access to the infrastructure; data is leaving your IT
IBM CONFIDENTIAL
What do we need to do?
“Knowing the enemy enables you to take the offensive, knowing yourself enables you to stand on the defensive.” - Sun Tzu
The mission: to protect critical data against unauthorized access and enable organizations to comply with government regulations and industry standards.
The benefits:
▶ Identify data risks
▶ Prevent data breaches
▶ Ensure data privacy
▶ Reduce the cost of compliance
Define the mission: answering key security questions about data at rest, configuration, and data in motion
Discover: Where is the sensitive data? (Discovery, Classification)
Harden: How to secure the repository? Who can access? (Vulnerability Assessment, Entitlements Reporting)
Monitor: What is actually happening? (Activity Monitoring)
Protect: How to prevent unauthorized activities? How to protect sensitive data to reduce risk? (Blocking, Quarantine, Dynamic Data Masking, Encryption)
Outcomes: prevent data breaches, pass the audit, protect PII
Identify the key entry points (vocabulary)
Security: Real-Time Alerts; Block Activity; Defense in Depth; Forensic Investigation; Prevent Data Loss; Crown Jewels; Protect IP
Privacy: Masking; Encryption; Redaction; Personally Identifiable Information; Confidential Data; For Your Eyes Only; Protect PII
Compliance: Regulations (SOX/PCI); Monitor Activity; Privileged User Monitoring; Separation of Duties; Audit Point; Adaptive Controls; Protect Sensitive Data
Data protection is a journey…
From responsive to proactive, the typical stages and what is added at each:
1. Acute compliance need: scope is assumed to be known; focus on critical applications and the databases in the back end. Monitor activity, report, alert, review.
2. Expand platform coverage: expand to big-data platforms and file systems.
3. Address data privacy: encrypt files, manage keys.
4. Sensitive data discovery: proactive approach; perform vulnerability assessment, initiate discovery and classification.
5. Comprehensive data protection: dynamic blocking, alerting, quarantine, encryption and integration with security intelligence.
Business risk: identify critical data that is of high value to the organization
Identify the value of different categories of data to the enterprise (ordered from highest to lowest data value; critical data, the top of the table, is only 0.01-2.0% of all data)

Data type | Examples
Enterprise Critical | Certain intellectual property; top-secret plans & formulas
Executive | Acquisition / divestiture plans; executive / board deliberations
Regulated | SPI & PII; Sarbanes-Oxley; HIPAA; ITAR; quarterly results
Business Strategic | External audit results; alliance, joint venture & partner data; business strategic plans
Business Unit Critical | Design documents; R&D results; customer records; pricing data; security data
Operational | Project plans; contracts; salaries & benefits data; accounts receivable
Near-Public | List of partners; revenue growth by segments; market intelligence; pay comparison data

PII: Personally Identifiable Information; SPI: Sensitive Personal Information; HIPAA: Health Insurance Portability and Accountability Act; ITAR: International Traffic in Arms Regulations
Rank | Data element | Relative sensitivity
2 | Acquisition plans | x
3 | Divestiture plans | y
5 | Secret formulas / trade secrets | z
…
89 | Market intelligence | 1
100 | Delivery plans | 1
104 | Market growth projections | 1

• Start with the data elements and map them to categories
• Priority-rank the categories
• Map categories to their classification schemes
Overview – Functional Architecture: Discovering, Managing, and Protecting Data (figure)
Layers: Govern, Model, Manage
Components shown: Dashboard; Business Context Modeler (BCM); Data Ingestion Wizard (DIW); Policy Management – Central Command and Control Center (C3); Data Services; Data Security Products (Structured Data Discovery & Database Access Monitoring; Unstructured Data Discovery & Activity Monitoring)
Core functions: • Discovery • Vulnerability Assessment • Activity Monitoring
Elaboration of objective: develop a program to protect the most valuable information assets
• The growth in the sophistication of cyber attacks and the resulting breaches has placed a new emphasis on the protection of valuable information
• The goal is to provide awareness of and visibility into the most critical information assets: where they are located, how they are protected, and who or what has access to them
• Identify recommendations to improve controls to avoid or minimize business risks

Representative questions addressed:
• What are our most critical information assets, and are they adequately protected?
• Are only authorized individuals able to access these sensitive assets?
• Where are these sensitive assets located?
• Do we share any of these information assets with our business partners?
• Do we have access monitoring in place for these information assets?
• Do we know if there are vulnerabilities associated with the storage repositories containing these assets?
• Have we identified business owners of these information assets?
A small number of PII data types expands into many rules for structured scanning…
Each rule matches database column names by one of three methods: Contains (the fragment appears anywhere in the column name), Ends_With (the column name ends with the fragment) or Equal_to_NCS (exact match, not case sensitive).

Policy name | Information asset | Rule name | Method | Column name pattern(s)
Personal Information - Social Security Number | Social Security Number | SSN Patterns - Contains | Contains | SOC_SEC, SOC_SEC_NUMBER, SS_NUMBER, NATIONAL_ID, NTNL_ID, SCL_SCRTY_NMBR, SS#, SOCIAL_SECURITY_NUMBER, SOCIAL_SECURITY_NMB
Personal Information - Social Security Number | Social Security Number | SSN Patterns - Equals to | Equal_to_NCS | SSN, PAYE_SSN, SSN_VAL
Personal Information - Tax Information | Tax Information | ITIN Patterns - Contains | Contains | TX_ID, TIN_NBR, TIN_TXT, TAX_ID_NBR, TXID, TAXNBR, _TNUMBER
Personal Information - Tax Information | Tax Information | EIN - Contains | Contains | EIN_FEDERAL, FEDERAL_EMPLOYEE_ID, FEIN
Personal Information - Salary information | Salary info | Salary info | Contains | FED_TAX_AMT, PAYRL_TAX, TAX_CERT, BAS_SAL, HLTH_BENE_AMT, LST_YR_TOT_AMT, NTAX_SUBTOT_AMT, OTH_AMT, OTH_NTAX_AMT, RETIR_AMT
Personal Information - Telephone & Fax Number | Telephone Number | Telephone Number Patterns - Ends with | Ends_With | AREA_CD, AREA_CODE, BEEPER_NBR, CALLBACK_NUM, CELL_PHONE_NUM, CELL_PHONE_NUMBER, CELL_PH_NUM, COMPANY_TELEPHONE, FAX, FAXNUMBER, FAX_NBR, MOBILE_NUM, NUMBER_EXTENSION, PAGER, PAGER_NUM, PHN_NUM, PH_NUM, PRIMARY_PHONE, TELEPHONE_NBR, TELEPHONE_NUMBER, TELEX_NUMBER, TFN, TO_PHN, PHONE, PHONENUMBER, PHONE1, PHONE2, TELE_NUM, BLACKBERRYPIN
Personal Information - Driver License Number | Driver License Number | Driver License Number Patterns - Ends with | Ends_With | DRIVER_NID, DRVR_LICENSE_ID, DRV_LIC, LICENSE_NBR, DRIVERLICENSE, DRIVERSLICENSENO
Personal Information - Vehicle Identification | Vehicle Identification | VIN Patterns - Ends With | Ends_With | VIN, VIN_CD, VIN_NBR, VIN_NUMBER, VEHICLEID
Personal Information - Vehicle Identification | License Plate Numbers | License Plate Patterns - Ends with | Ends_With | LICENSEPLATE, VEHPLATENUMBER
Personal Information - Credit Card Number | Credit Card Number | Credit Card Number Patterns - Contains | Contains | CREDITC, CC_NUMBER, CHARGEABLE_NUMBER, CREDIT_CARD_NUMBER, CC_NBR, CCV_NUMBER, CRDT_NBR
Personal Information - Bank Account Number | Bank Account Number | Bank Account Number Patterns - Ends With | Ends_With | ACCOUNT_ID, ACCOUNT_NBR, ACCOUNT_NUM, ACCOUNT_NUMBER, ACCT_NBR, ACCT_NUMBER, BANK_ACCNT_NBR, BANK_ACCOUNT, BNK_ACCNT_NBR
Personal Information - User or Logon IDs | User or Logon IDs | Patterns Ending in | Ends_With | ACCESSID, CREATION_USER, DOCUSER, OPERATOR_ID, USERID, USERSTAMP, USER_ID
Personal Information - User or Logon IDs | User or Logon IDs | Exact Match | Equal_to_NCS | USER_LOGIN, OWNER_LOGIN, USERNAME
Personal Information - Email Address | Email Address | Email Patterns - Contains | Contains | EMAIL_ADDR, EMLADDR, EML_ADDRSS, EMAIL_BCC, EMAIL_CC, EMAIL_TO, E-MAIL, _EMAIL_ADR, EMAILADDRESS
Personal Information - Email Address | Email Address | Email Patterns - Ends with email | Ends_With | EMAIL
Personal Information - Password | Password | Password Patterns - Ends with | Ends_With | PASSWORD
Is it complex to map it?
Target databases → data elements → taxonomy → data classification
Data elements (examples): Last Name; Social Security Number; Date of Birth; Insurance Name; Address; …; Medical Record #; Nationality Info; …; Drivers License #; Gender; Felon Indicator; Marital Status; VIN #; …
Taxonomy: Customer Personal Info; Demographic Data; Employee Info
Data Catalog
Classification | Taxonomy | Control(s)
Public | Data Category 1 | Integrity Check
… | … | …
Business Use Only | Data Category 2 | Access Control
… | … | …
Internal Use Only | Employee Info | Integrity; Access Control; …
Confidential | Customer Personal Info; Demographic Data | Encryption; Multi-Factor Authentication; Auditing
Restricted | Data Category n | …

Metadata feeding the catalog: repositories, applications, business processes, data owners, business knowledge
GDPR: the elephant in the room!
Key areas: scope; single set of rules and one-stop shop; responsibility and accountability; consent; Data Protection Officer; data breaches; sanctions
GDPR
• It defines measures that data holders must take to protect data
• It emphasizes enforcement expectations
• It enables large fines
• It imposes broad disclosure requirements for data security breaches
• It comes into effect May 25, 2018
Program building blocks (figure): Discover, Classify and Rank; Controls Assessment; Monitoring; Business Risk Visualization Dashboard; Data Security Architecture; DLP, Masking & Encryption
Getting Started
• Review existing policies and documentation
• Identify repositories to be scanned
• Define discovery rules for specified data
• Deploy and configure discovery tool(s)
• Finalize and configure scan policies
• Run test scans to validate scan policies

Discovery & Analysis
• Scan databases, collaboration sites and file shares
• Analyze scan results to identify false positives and valid matches; update scan policies to eliminate false positives
• Sort discovery results and create a sensitive data inventory

What Next
• Summarize findings and observations and review with stakeholders
• High-level recommendations and next steps
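The rule table for structured scanning above and the "run test scans, weed out false positives, build a sensitive data inventory" steps just listed share one mechanism: matching column names against Contains / Ends_With / Equal_to_NCS patterns, then reviewing the hits. The following is an added example written for this page, not code from the slides or from any product; it takes a subset of the rules above, runs them over a constructed schema, shows how a metadata-only rule produces false positives (a column named CREDITCHECK_SCORE contains "CREDITC"; MICROPHONE ends with "PHONE"), and shows two ways of handling them: a content check (Luhn) for card-number hits, and an analyst exclusion list for the rest. Reading Equal_to_NCS as "equal, not case sensitive" is an assumption, as are the schema, sample values and exclusion list.

```python
"""
Structured-data discovery by column-name rules, with false-positive review.

Added example, not code from the original slides or from any IBM product.
Rules follow the table on this page (Contains / Ends_With / Equal_to_NCS).
Equal_to_NCS is assumed to mean "equal, not case sensitive"; the schema,
sample values and exclusion list below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str       # policy name from the rule table
    asset: str        # information asset the policy protects
    method: str       # "Contains", "Ends_With" or "Equal_to_NCS"
    patterns: tuple   # column-name fragments, compared case-insensitively


# Subset of the rule table above; patterns copied from the slide.
RULES = (
    Rule("Personal Information - Social Security Number", "Social Security Number",
         "Contains", ("SOC_SEC", "SS_NUMBER", "NATIONAL_ID", "SS#", "SOCIAL_SECURITY_NUMBER")),
    Rule("Personal Information - Social Security Number", "Social Security Number",
         "Equal_to_NCS", ("SSN", "PAYE_SSN", "SSN_VAL")),
    Rule("Personal Information - Credit Card Number", "Credit Card Number",
         "Contains", ("CREDITC", "CC_NUMBER", "CREDIT_CARD_NUMBER", "CC_NBR")),
    Rule("Personal Information - Email Address", "Email Address",
         "Ends_With", ("EMAIL",)),
    Rule("Personal Information - Telephone & Fax Number", "Telephone Number",
         "Ends_With", ("PHONE", "FAX", "PHONE1", "PHONE2")),
    Rule("Personal Information - Password", "Password",
         "Ends_With", ("PASSWORD",)),
)


def match_rule(rule, column):
    """Return the first pattern of `rule` that fires for `column`, or None."""
    col = column.upper()
    for pattern in rule.patterns:
        pat = pattern.upper()
        if rule.method == "Contains" and pat in col:
            return pattern
        if rule.method == "Ends_With" and col.endswith(pat):
            return pattern
        if rule.method == "Equal_to_NCS" and col == pat:
            return pattern
    return None


def luhn_ok(value):
    """Luhn check: does a sampled value look like a payment card number?"""
    digits = [int(c) for c in str(value) if c.isdigit()]
    if len(digits) < 13:              # PANs are 13-19 digits
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(schema, samples=None, rules=RULES, exclusions=frozenset()):
    """Apply the rules to every column of schema ({table: [column, ...]}).
    samples: {(table, column): [values]} used to confirm card-number hits.
    exclusions: {(table, column)} already reviewed as false positives.
    Returns a list of (table, column, asset, method, pattern) hits."""
    samples = samples or {}
    hits = []
    for table, columns in schema.items():
        for column in columns:
            if (table, column) in exclusions:
                continue
            for rule in rules:
                pattern = match_rule(rule, column)
                if pattern is None:
                    continue
                values = samples.get((table, column))
                # Metadata says "card number"; confirm with content when we have it.
                if rule.asset == "Credit Card Number" and values and not any(map(luhn_ok, values)):
                    continue
                hits.append((table, column, rule.asset, rule.method, pattern))
    return hits


def inventory(hits):
    """Roll hits up into a sensitive-data inventory: asset -> sorted table.column list."""
    inv = defaultdict(set)
    for table, column, asset, _method, _pattern in hits:
        inv[asset].add(f"{table}.{column}")
    return {asset: sorted(cols) for asset, cols in inv.items()}


# Constructed sample schema and values (not real data).
SAMPLE_SCHEMA = {
    "HR.EMPLOYEE":  ["EMP_ID", "LAST_NAME", "SSN", "HOME_PHONE", "WORK_EMAIL"],
    "CRM.CUSTOMER": ["CUST_ID", "EMAIL", "PRIMARY_PHONE", "CC_NUMBER", "CREDITCHECK_SCORE"],
    "APP.USERS":    ["USER_ID", "PASSWORD", "PASSWORD_RESET_DT", "MICROPHONE"],
}
SAMPLE_VALUES = {
    ("CRM.CUSTOMER", "CC_NUMBER"): ["4111111111111111", "5500000000000004"],  # test PANs
    ("CRM.CUSTOMER", "CREDITCHECK_SCORE"): ["712", "655", "598"],            # not PANs
}

if __name__ == "__main__":
    first_pass = scan(SAMPLE_SCHEMA, SAMPLE_VALUES)
    # Analyst review: MICROPHONE fired on Ends_With "PHONE" but holds no telephone number.
    reviewed = scan(SAMPLE_SCHEMA, SAMPLE_VALUES, exclusions={("APP.USERS", "MICROPHONE")})
    for asset, cols in inventory(reviewed).items():
        print(f"{asset}: {', '.join(cols)}")
```

Without sample values the name-only scan keeps CREDITCHECK_SCORE as a card-number hit; with the Luhn check it drops out on its own, while MICROPHONE can only be removed by the analyst, which is why the procedure above separates "run test scans" from "analyze results and update scan policies".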
Where to start? Data type examples:
• Agreements and Contracts
• Board Deliberations
• Customer Information
• Competitive Intelligence
• Financial Statements
• Employee Information
• Product Design Documents
• Mergers and Acquisitions
• Protected Health Information
• Health Diagnosis Codes
• Legal Cases
• Alliances Strategy
• Personally Identifiable Information
• Intellectual Property
• Payment Card Industry
• Research & Development
• Social Security Numbers