Data Security: Fight Insider Threats & Protect Your Sensitive Data
Marco Ercolani
Agenda
Data is challenging to secure
A look at security incidents
Cost of a data breach
Data governance and security
Understand the data in order to protect it
The Problem: Data is challenging to secure
DYNAMIC: data multiplies continuously and moves quickly
DISTRIBUTED: data is everywhere, across applications and infrastructure
IN DEMAND: users need to constantly access and share data to do their jobs
Near-daily leaks of sensitive data. Relentless use of multiple methods. Insane amounts of records breached.
83% of CISOs say that the challenge posed by external threats has increased in the last three years.
40% increase in reported data breaches and incidents.
800,000,000+ records were leaked, while the future shows no sign of change.
42% of CISOs claim the risk from external threats increased dramatically from prior years.
Source: IBM X-Force Threat Intelligence Quarterly 1Q 2015 and 2014 IBM Chief Information Security Officer Assessment
What is a data breach?
A breach is defined as an event in which an individual's name plus a medical record and/or a financial record or debit card is potentially put at risk, either in electronic or paper format.
What is a compromised record?
We define a record as information that identifies the natural person (individual) whose information has been lost or stolen in a data breach. Examples can include a retail company's database with an individual's name associated with credit card information and other personally identifiable information.
According to Ponemon Institute, the cost of a data breach to global organizations is on the rise.
Average per capita cost (average cost per record compromised):
FY 2013: $136
FY 2014: $145 (up 7%)
FY 2015: $154 (up 6%)
Net change over 1 year = 6%; net change over 2 years = 12%
Average total cost per data breach: $3.79 million, a 23% increase (net change over two years)
Source: Ponemon Institute Cost of Data Breach Study
Certain industries have higher data breach costs.
[Chart: per capita cost by industry classification]
Source: Ponemon Institute Cost of Data Breach Study
Time to identify and contain data breaches impacts cost.
[Chart: mean time to identify and contain data breach incidents, in days]
Source: Ponemon Institute Cost of Data Breach Study
Overwhelmingly, survey respondents identify evasion of existing security controls as a key reason for breaches:
Evaded existing preventive security controls: 65%
Insufficient funding: 37%
Lack of in-house expertise: 35%
Third-party vetting failure: 20%
Poor leadership: 15%
Incomplete knowledge of where sensitive data exists: 12%
Lack of data classification: 7%
Lack of accountability: 6%
Other: 3%
Source: Ponemon Institute Cost of Data Breach Study. Two responses permitted.
Security leaders are more accountable than ever before
CEO: loss of market share and reputation; legal exposure
CFO/COO: audit failure; fines and criminal charges; financial loss
CIO: loss of data confidentiality, integrity and/or availability
CHRO: violation of employee privacy
CMO: loss of customer trust; loss of brand reputation
Your board and CEO demand a strategy.
Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series
Attack types and industries
[Chart: sampling of 2014 security incidents by attack type and attacked industries]
Source: IBM X-Force Threat Intelligence Quarterly 1Q 2015
Recent data from IBM Security Services shows that 55% of all attacks were found to be carried out by malicious insiders or inadvertent actors.
Source: IBM 2015 Cyber Security Intelligence Index, Figure 5
Two types of data
1) Data that someone wants to steal
2) Everything else
What data do people want to steal?
PCI: Payment Card Industry data
PHI: Protected health information is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual
PII: Personally identifiable information is any data that could potentially identify a specific individual
IP: Intellectual property data
Data governance and security are changing rapidly
Drivers: data explosion; consumerization of IT; everything is everywhere; attack sophistication
Extending the perimeter: the focus shifts to protecting the DATA
Moving from traditional perimeter-based security (antivirus, IPS, firewall) to a logical-perimeter approach that focuses on the data and where it resides
Cloud, mobile and data momentum is breaking down the traditional perimeter and forcing us to look at security differently
The focus needs to shift from the perimeter to the data that needs to be protected
Our philosophy: you need to understand the data in order to protect it
Relevance: How old is it? Is it still being used? Who owns the data?
Value: Is it used? How often? By whom?
Risk: sensitivity, exposure, volumes
Lifecycle: production, test/dev, archive, analysis
Data Security 101: you need to understand the data in order to protect it
Plot each data element by its value to the business against its risk:
High value, low risk: a table with no sensitive data that is used often by an important business application
High value, high risk: a table with sensitive data that is used often by a business application
Low value, high risk: a dormant table with sensitive data
Low value, low risk: a temp table with no sensitive data
Above the line: high-value data with low (or at least acceptable) risk levels
Below the line: risk levels are too high given the business value of the data
Understanding the data: value vs. risk
The goal: reduce risk and get all data elements above the acceptable risk line.
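The value-vs-risk triage described on the two slides above, as an added example (not code from the deck or from any IBM product): each asset in a constructed data inventory is scored on business value (usage frequency, criticality of the consuming application) and on risk (sensitivity scaled by exposure and volume), placed in one of the four quadrants, and given the action that quadrant calls for. The scoring weights, the 0.5 "acceptable risk line", the HIGH_VALUE threshold and every asset in INVENTORY are assumptions made for illustration.

```python
"""Value-vs-risk triage of a data inventory (added example; weights and data are assumed)."""
import math
from dataclasses import dataclass

ACCEPTABLE_RISK = 0.5   # assumed position of the "acceptable risk line"
HIGH_VALUE = 0.5        # assumed threshold separating high- from low-value data


@dataclass(frozen=True)
class DataAsset:
    name: str
    lifecycle: str            # production, test/dev, archive, analysis
    accesses_last_90d: int    # relevance / value: is it used, and how often
    critical_app: bool        # used by an important business application
    sensitivity: float        # 0.0 = public .. 1.0 = regulated (PCI, PHI, PII)
    users_with_access: int    # exposure: how many entitlements reach it
    rows: int                 # volume


def value_score(a):
    """Business value: mostly usage frequency, plus a bonus for critical applications."""
    usage = min(a.accesses_last_90d / 1000, 1.0)
    return 0.6 * usage + (0.4 if a.critical_app else 0.0)


def risk_score(a):
    """Risk: sensitivity scaled by exposure (who can reach it) and volume (how much is there).
    Volume is log-scaled so that a 10-million-row table saturates the factor."""
    exposure = min(a.users_with_access / 100, 1.0)
    volume = min(math.log10(a.rows + 1) / 7, 1.0)
    return a.sensitivity * (0.6 * exposure + 0.4 * volume)


# Recommended action per (value band, risk band); mirrors the deck's four quadrants.
ACTIONS = {
    ("high", "high"): "protect in place: encrypt or mask, monitor activity, review entitlements",
    ("high", "low"): "keep; monitor for drift in sensitivity or exposure",
    ("low", "high"): "dormant sensitive data: archive or delete, mask what must stay, revoke entitlements",
    ("low", "low"): "housekeeping: drop unused or temporary objects",
}


@dataclass(frozen=True)
class Triage:
    value: float
    risk: float
    quadrant: str
    above_line: bool     # True when risk is at or below the acceptable line
    action: str


def triage(inventory):
    """Place every asset in a quadrant and attach the action for that quadrant."""
    result = {}
    for a in inventory:
        v, r = value_score(a), risk_score(a)
        v_band = "high" if v >= HIGH_VALUE else "low"
        r_band = "high" if r >= ACCEPTABLE_RISK else "low"
        result[a.name] = Triage(round(v, 2), round(r, 2),
                                f"{v_band.title()} Value, {r_band.title()} Risk",
                                r < ACCEPTABLE_RISK, ACTIONS[(v_band, r_band)])
    return result


# Constructed inventory, one asset per quadrant of the deck's matrix.
INVENTORY = [
    DataAsset("orders", "production", 5000, True, 1.0, 40, 2_000_000),          # PCI, heavily used
    DataAsset("product_catalog", "production", 8000, True, 0.0, 300, 50_000),   # public data, heavily used
    DataAsset("customers_bak_2013", "archive", 0, False, 1.0, 60, 800_000),     # dormant copy of PII
    DataAsset("tmp_report_scratch", "test/dev", 3, False, 0.0, 2, 100),         # temp table, nothing sensitive
]


def report(inventory):
    """One line per asset, flagging the ones that sit below the acceptable risk line."""
    lines = []
    for name, t in triage(inventory).items():
        side = "above" if t.above_line else "BELOW"
        lines.append(f"{name:20} value={t.value:.2f} risk={t.risk:.2f} "
                     f"{side} the line: {t.quadrant} -> {t.action}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

The two assets that land below the line get different treatment: the heavily used PCI table is protected where it is, while the dormant backup is the cheap win, since removing it (or its entitlements) reduces risk without costing the business any value.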
How do we do it?
Scope: data at rest, configuration data, data in motion
Where is the sensitive data? Discovery and classification
How to protect sensitive data? Masking and encryption
How to secure the repository? Vulnerability assessment
Who should have access? Entitlements reporting
What is actually happening? Activity monitoring
How to prevent unauthorized activities? Blocking and quarantine
How to protect sensitive data to reduce risk? Dynamic data masking
Also surfaced along the way: dormant entitlements, dormant data
Lifecycle: define security policies, enforce security policies, streamline compliance
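The first two questions on the slide above (where is the sensitive data, and how to protect it) and the last one (dynamic data masking), as an added example that is not code from the deck or from any IBM product: a small discovery, classification and masking pipeline run over constructed customer rows. It finds card numbers (PCI) with a Luhn check so that random digit runs are not counted, finds e-mail addresses (PII), labels a column when a detector fires on most of its rows, flags free-text columns with sparse hits for review, and serves each row masked or in clear depending on the caller's role. The column names, the 0.5 labelling threshold, the role names and the sample rows are all assumptions.

```python
"""Discover, classify and mask sensitive fields (added example; columns, roles and rows are assumed)."""
import re

# Detectors for two of the data types the deck names as theft targets: PCI (card numbers) and PII (e-mail).
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")     # 13-19 digits, optional space/dash separators
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample rows; the card numbers are the public test numbers 4111..., 5500... and 3782....
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "email": "ana.lopez@example.com", "payment_card": "4111 1111 1111 1111",
     "notes": "prefers evening delivery"},
    {"customer_id": "C-1002", "email": "bob@example.org", "payment_card": "5500-0000-0000-0004",
     "notes": "order ref 1234567890123456"},            # 16 digits, but fails Luhn: not a card number
    {"customer_id": "C-1003", "email": "carla.m@example.net", "payment_card": "378282246310005",
     "notes": "agent pasted card 4111111111111111 during call"},   # PCI data leaked into free text
    {"customer_id": "C-1004", "email": "dev@example.com", "payment_card": "", "notes": ""},
]


def luhn_valid(number):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    digits = [int(d) for d in re.sub(r"[ -]", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def find_emails(text):
    return EMAIL_RE.findall(text)


DETECTORS = {"pan": find_pans, "email": find_emails}


def scan(rows):
    """Discovery: per column, count the rows on which each detector fires."""
    hits = {col: {} for col in rows[0]}
    for row in rows:
        for col, value in row.items():
            for label, detector in DETECTORS.items():
                if detector(str(value)):
                    hits[col][label] = hits[col].get(label, 0) + 1
    return hits


def classify(rows, threshold=0.5):
    """Classification: label a column when a detector fires on at least `threshold` of its rows;
    sparse hits (a card number pasted into a free-text field) are flagged for review instead."""
    labels = {}
    for col, counts in scan(rows).items():
        if not counts:
            labels[col] = None
            continue
        label, count = max(counts.items(), key=lambda kv: kv[1])
        labels[col] = label if count / len(rows) >= threshold else "review"
    return labels


def redact(text):
    """Static masking: keep only the last 4 digits of a card number and the first letter of an e-mail."""
    def mask_pan(m):
        if not luhn_valid(m.group(0)):
            return m.group(0)                      # leave non-card digit runs (order refs) alone
        digits = re.sub(r"[ -]", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    text = PAN_RE.sub(mask_pan, text)
    return EMAIL_RE.sub(lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], text)


PRIVILEGED_ROLES = {"fraud_analyst"}   # assumed roles entitled to clear-text values


def serve(row, labels, role):
    """Dynamic data masking: the stored row is unchanged; what a caller sees depends on role."""
    if role in PRIVILEGED_ROLES:
        return dict(row)
    return {col: (redact(str(v)) if labels.get(col) else v) for col, v in row.items()}


if __name__ == "__main__":
    labels = classify(SAMPLE_ROWS)
    print("classification:", labels)
    for row in SAMPLE_ROWS:
        print("support_agent sees:", serve(row, labels, "support_agent"))
```

Two points the slide's list hides: the Luhn check is what keeps "order ref 1234567890123456" from inflating the PCI hit count, and the free-text `notes` column is exactly where the deck's "incomplete knowledge of where sensitive data exists" shows up, so a column-level label of "review" is more useful than silently treating it as clean.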
Physical security is just as important as digital monitoring
Maintaining a rigorous security posture that considers not just digital but also physical security is key to protecting against insider threats.
Q&A
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.