Instructor Introduction

Transcription

1 Securing Big Data

2 Instructor Introduction Leighton R. Johnson, III CISA, CISSP, CISM, MBCI, CSSLP, CIFI, CFCP, CAP, CRISC SC-ISACA Chapter Instructor Member: IEEE, ACM, ASIS, ISSA, IISFA, ISACA, ISC2, CSA, BCI, InfraGard, OSE

3 Background Leighton Johnson, the CTO of ISFMT (Information Security & Forensics Management Team), has presented computer security and forensics classes and seminars all across the United States and Europe. He has over 38 years experience in Computer Security, Software Development and Communications Equipment Operations & Maintenance; Primary focus areas include computer security, information operations & assurance, software system development life cycle focused on modeling & simulation systems, systems engineering and integration activities, database administration, business process & data modeling

4 Securing Big Data Every day 2.5 exabytes of data are generated from new and traditional sources including climate sensors, social media sites, digital pictures & videos, purchase transaction records, cellphone GPS signals, and more. Big data environments allow organizations to aggregate more and more data much of which is financial, personal, intellectual property or other types of sensitive data. The data is both unstructured and structured; huge amounts exist in systems and often it is real-time live data.

5 What is Big Data? Big data is the combination of any type of data structured and unstructured such as text, sensor data, audio, video, clickstreams, log files and more

6 Areas of Interest The Big Data areas of concern to auditors and security professionals include: Sensitive data discovery and classification Data access and change controls. Real-time data activity monitoring and auditing Data protection Data loss prevention Vulnerability management Compliance management

7 Big Data Components 3 V s Velocity Volume Variety Speed of data in and out Increasing amount of data Range of data types and sources

8 How Much is Big?

9 Big Data Sources Structured Data RDBMS based Unstructured Data Real-time data feeds Social Media sources i.e. Twitter, Facebook, Reddit, etc.

10 Big Data Usage Science and research Government Corporation/Private Sector Retail Wal-Mart 1M transactions per hour Amazon 3 DBs online 7.8 TB, 18.5 TB, and 24.7 TB Healthcare Energy/Smart Grid Others

11 Big 3 Big Data Users Marketing Trend Analysis Retail Sales Analysis Security Activity Correlation Analysis

12 Big Data Impacts & Benefits Governance What Data should be Included Planning Process of collecting and organizing outcomes Utilization Becoming information mavens Assurance Data Quality Privacy Regional and National Laws

13 Big Data Security Uses Big Data Security-based analysis can be used to: Detect probable threats based on current vulnerabilities, Provide analysis of identity and access activities, Correlate events and alerts, and Provide meaningful insights into the effectiveness of remediation of security incidents Identify patterns of anomalies to normal behavioral performance, operations and configuration states, Capacity planning and forecast of IT resource utilization

14 Security of Big Data Secure data, collect it, and then aggregate to evaluate to total Obtain visibility of all data - Collection Understand the context - Integration Utilize the intelligence - Analytics

15 Security Key - Correlation

16 Big Data Security Correlation Analysis capabilities Incident Response capabilities Data Breach capabilities Data Recovery capabilities Disaster Recovery capabilities Forensics capabilities

17 Compliance and Big Data Issues Volume Complexity Lack of consistent structure Need to isolate the compliance-sensitive portions of data from total

18 Compliance Issue Example Create multiple data sets and put them in the same location, Allows technology to cross-integrate that information. Potential new information that needs new controls. For instance, List of clients and it s benign Add marketing information from a third-party Now have a new data set. Then link in other information Now possible to have PII which requires compliance and protection Accomplished through dynamic queries of data sources.

19 Statutory & Regulatory Needs Scope Location Transnational Considerations Privacy Considerations Downstream Liabilities

20 Big Data Regulatory Issues Regulatory Considerations HIPAA SOX GLBA EU rules FACTA FERPA PCI-DSS

21 Regulatory Issue Example 1 HIPAA/HITECH Consequences of non-compliance are potentially severe, including both civil and criminal penalties Two ways to control keep data secure from release Encryption Destruction

22 Regulatory Issue Example 2 PCI-DSS An industry-wide framework for protecting consumer credit card data. Any company that stores, processes or transmits credit card data must comply with PCI-DSS by properly securing and protecting the data 22

23 Big Data & Cloud Legal Issues Where is the data? Cloud server locations Legal status vary from country to country. Despite the global feel of the cloud, some countries laws will be involved when it s time to sue to get back data or to demonstrate compliance with privacy rules.

24 ISACA s 5 Key Questions for Big Data Privacy and Security Can the company trust its sources of Big Data? What information is the company collecting without exposing the enterprise to legal and regulatory battles? How will the company protect its sources, processes and decisions from theft and corruption? What policies are in place to ensure that employees keep stakeholder information confidential during and after employment? What actions are company taking that creates trends that can be exploited by its rivals?

25 Securing Big Data Focal Points Security Architecture Infrastructure Components Hardware Software Computational Algorithms Real-Time Analytics Data Itself 25

26 Questions for Securing Big Data Data Fits Into Organization How? Data is Classified How? Search Algorithms are Controlled How? Data is Accessed How and By Whom? Data is Reported Out How and To Whom? Data is Updated - How Often and By What Process? 26

27 What Data Needs Securing Structured Data Sources Unstructured Data Sources Real-time Data Feeds Time-sensitive Data Meta-Data about the Data 27

28 Structured Data Sources Local Databases Spreadsheets and Office Documents Data Warehouses Partner Data Data Brokers 28

29 Standard Database Security Data Schemas Meta-data Files, Folders, Interfaces Transaction Logs ISACA has many documents covering various RDBMS 29

30 ISACA Sources - Examples Security, Audit and Control Features Oracle Database, 3rd Edition Social Media Audit/Assurance Program Personally Identifiable Information (PII) Audit/Assurance Program MySQL Server Audit/Assurance Program Microsoft SQL Server Database Audit/Assurance Program IT Tactical Management Audit/Assurance Program 30

31 COBIT based reviews Evaluate, Direct and Monitor Align, Plan and Organize Build, Acquire and Implement Deliver, Service and Support Monitor, Evaluate and Assess

32 Structured Data Review Files and Folders Databases Spreadsheets and Office Documents Data Warehouses Type Structure

33 Structured Data - 1 Standard database security efforts Data Schemas Meta-data Transaction Logs

34 Structured Data - 2 Standard Interface reviews Logs Transactions Meta-data on files, documents, and folders

35 Database Security Auditing Can relate to the timestamps that apply to the update time of a row in a relational table being inspected and tested for validity in order to verify the actions of a database user. May also focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

36 Database Security Issues Change Management for schemas and formats Transaction Logging Retention Requirements

37 Unstructured Data Sources - 1 Social Media feeds Facebook, Twitter, LinkedIn, etc. Non-transactional Data structures Blogs And Chats Collaborative Environment Machine to Machine (M2M) data IoT data Sensor Data Feeds i.e. GPS Data 37

38 Unstructured Data Sources - 2 /Documents/Spreadsheets Social Media feeds Facebook, Twitter, LinkedIn, etc. News and Real-time Data feeds Log Files

39 Social Media Security Practices Authentication of social media evidence can present significant challenges Collection by screen shots, printouts or raw html feeds from an archive tool. Capture Techniques Documented Properly collected, preserved, searched and presented Metadata Search Criteria for Each Investigation Proper Chain of Custody Associated metadata is preserved Authenticity can be establish.

40 Twitter Security Twitter RSS feed Undocumented... eobama /user_timeline.rss?screen_name=michelleobama Twitter API. Every user has a unique # id: , screenname: MichelleObama Names may change! Twitter ID unique!

41 Facebook Security Facebook... Profile Information, Location, Photos... Text and Links, Checkins Friends / Close Friends / Family Apps Pages Groups Interests ***

42 Facebook Security (cont.) Why??? Criminal reasons Missing Persons Infidelity Malware Scams, Fraud, Human trafficking Child Pornography Illegal media sharing...

43 LinkedIn Security LinkedIn User Profiles LinkedIn Company Profiles LinkedIn Groups Advanced Search Premium Accounts

44 Issues Structures and Format Differences Storage Requirements Retention Practices

45 Visualization efforts Attempts to Visualize Data using various visualization techniques

46 Big Data Areas for Audits and Security Data Sources Real-time Data Feeds Time-sensitive Data Meta-Data about the Data Data Users Data Access Data Modification

47 Big Data Challenges to Security Rapid response times needs Non-consistency of data structures Lack of audit and security tools

48 How to Determine What to Secure Sources Timing Structures Compliance Needs One Way Examine Data Itself Forensically 48

49 Network Components Device Logs Transactional Logs Packet Captures

50 Security Itself Areas Within Environment Transactional Logs Network Activity Edge / Boundaries Access Attack Vectors Authentication

51 What To Look For - 1 Missing data either some or all of the data missing. Data out of range results range from A value of 300 is out of valid range. Another example is if data can vary in range, but has historically been within a particular range, a value outside that range might be reviewed. Duplicate data multiple observations for the same occurrence. Invalid data Wrong or incorrect data. Bad format data Fields that should be formatted in a particular manner are not. For example date fields that should be in ddmmyy format are recorded as ddmmmyyyy.

52 What to Look For 2 Unformatted data Data that should have been recorded in a particular format, such as an address where the street name and number goes in one area, the city goes in another, the country in still another and the post or zip code in yet another. If all the information is combined in one field, this makes processing difficult. Incomplete data files or records within a file that have missing fields or periods of coverage.

53 What To Look For - 3 Patterns of anomalies to normal behavioral performance, IT operations and configuration states, Capacity and forecast of IT resources

54 Securing Big Data - What To Do Access Controls Encryption Controls Audit Controls Governance Controls

55 What To Do - Access Internal and external authentication Object permission management in Structured Databases Extra controls for AC in data feeds Multifactor Authentication

56 What To Do - Encryption Transparent data encryption for all objects and data File-level and block-level encryption ETE Encryption for all moving data Robust key management

57 What To Do - Audit Auditing of all user activity/changes Watch the Input for Malicious or Inadvertent alterations Log Management criteria who can change what, under what circumstances, and when?

58 What To Do - Governance Data Security Laws in Location possible compliance issues ensure policies cover this Who is watching the watchers? Have a monitoring activity in place Reporting to Senior Executives and BOD especially for risks

59 What To Do - Summary Watch the Input for Malicious or Inadvertent alterations Change of Audit Logs is red flag Oversight in Privacy and Compliance areas have significant legal results watch these closely

60 Summary Identify redundant, obsolete, and trivial data in gathered data locations Detect personal data where possible Exercise classification and processing activities on a data set Activate forensics actions when and where needed Review which data files will be affected by a Compliance requirement

61 QUESTIONS