Time to Re-think our Security Process
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
2
Ulf Mattsson
Inventor of more than 25 US Patents
Industry Involvement
PCI DSS - PCI Security Standards Council • Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
IFIP - International Federation for Information Processing • WG 11.3 Data and Application Security
CSA - Cloud Security Alliance
ANSI - American National Standards Institute • ANSI X9 Tokenization Work Group
NIST - National Institute of Standards and Technology • NIST Big Data Working Group
User Groups • Security: ISSA & ISACA • Databases: IBM & Oracle
3
My work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC 2013 – 2014 Tokenization Task Force
4
5
Encryption Usage - Mature vs. Immature Companies
Source: Ponemon - Encryption Application Trends Study • June 2016
[Chart labels: Less use of encryption; Do we know our sensitive data?; Big Data; Public Cloud]
6
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
7
Not Managing Risks to Sensitive Data
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
[Diagram labels: Access Patterns; Data Discovery; Data Access]
8
9
Cloud Providers Not Becoming Security Vendors
• There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure
• Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP — driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments
Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors?, May 2016
10
2014: Data–Centric Audit and Protection (DCAP)
• Centrally managed security policy
• Across unstructured and structured silos
• Classify data, control access and monitoring
• Protection – encryption, tokenization and masking
• Segregation of duties – application users and privileged users
• Auditing and reporting
Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014
11
2016: Shift Cybersecurity Investment
• IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable.
• Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20% in 2015.
Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016
12
Security Outsourcing Fastest Growth
The information security market is estimated to have grown 13.9% in revenue in 2015
with the IT security outsourcing segment recording the fastest growth (25%).
Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update
13
14
FS-ISAC Summit about “Know Your Data”
• Encryption at rest has become the new norm
• However, that’s not sufficient
• Visibility into how and where it flows during the course of normal business is critical
Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit
15
16
Discovery Results Supporting Compliance
Old PCI DSS Requirement 3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage:
1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
2. Specific retention requirements for cardholder data
3. Processes for secure deletion of data when no longer needed
4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
17
New PCI DSS 3.2 Standard – Data Discovery
• PCI DSS v2 did not have data flow in the 12 requirements, but mentioned it in “Scope of Assessment for Compliance with PCI DSS Requirements.”
• PCI DSS v3.1 added data flow into a requirement.
• PCI DSS v3.2 added data discovery into a requirement.
Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers
18
PCI DSS 3.2 Requirement - Discovery
Example of a Discovery Process:
1. Scoping
2. Asset Classification
3. Job Scan Definition
4. Scanning
5. Analysis
6. Reporting
7. Remediation
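As an added example (not the presenter's or Compliance Engineering's own tooling), the scanning, analysis and reporting steps of the discovery process above for cardholder data in Python: candidate digit runs are Luhn-checked to drop false positives such as order numbers, and the report carries only masked PANs so the discovery output does not itself become new cardholder data storage. The sample assets are constructed; the asset names and functions are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; drops most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only first six and last four digits in the report output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    asset: str
    masked_pan: str


def scan_asset(asset: str, text: str) -> list[Finding]:
    """Scanning + analysis: extract candidates, keep only Luhn-valid ones."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding(asset, mask(digits)))
    return findings


def report(assets: dict[str, str]) -> dict[str, list[str]]:
    """Reporting: per-asset list of masked PANs found."""
    return {name: [f.masked_pan for f in scan_asset(name, text)]
            for name, text in assets.items()}


def in_scope(rep: dict[str, list[str]]) -> list[str]:
    """Scoping output: assets that actually hold cardholder data."""
    return sorted(name for name, pans in rep.items() if pans)


# Constructed sample assets (not real data): a CRM export, an app log, a DB dump.
SAMPLE_ASSETS = {
    "crm_export.csv": "id,name,card\n1,Alice,4111 1111 1111 1111\n2,Bob,none\n",
    "app.log": "2016-06-01 order=1234567890123456 status=ok\n",  # not Luhn-valid
    "orders.sql": "INSERT INTO pay VALUES ('5500-0000-0000-0004', 'paid');\n",
}
```

Running `in_scope(report(SAMPLE_ASSETS))` lists the CRM export and the DB dump; the log's order number is rejected by the Luhn check.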
19
Example - Discovery Scanning Job Status List
20
Discovery Deployment Example
Example of Customer Provisioning:
• Virtual host to load Software or Appliance
• User ID with “Read Only” Access
• Firewall Access
[Diagram labels: Appliance; Discovery; Admin; Examples]
21
Discovery Process (Step 4) – Scanning Job Lists
STEP 4: The scanning execution can be monitored by Provider and the customer via a Job Scheduler interface
22
I think it is Time to Re-think our Security Process
23
Are You Ready for PCI DSS 3.2 Requirement – Security Control Failures?
24
Security Tools and Integrated Services
• SOC Tools: 24/7 Eyes on Glass (EoG) monitoring, Security Operations Center (SOC)
• Managed Tools Security Service
• Software as a Service (SaaS) data discovery solution
[Diagram labels: Discovery; Security Tools and Integrated Services]
25
Samples of Our Services
Compliance Assessments
• PCI DSS & PA Gap
• HIPAA (2013 HITECH)
• SSAE 16-SOC 2&3*
• GLBA, SOX
• FCRA, FISMA
• SB 1385, ISO 27XXX
• Security Posture Assessments (based on industry best practices)
• BCP & DRP (SMB market)
Professional Security Services
• Security Architecture
• Engineering/Operations
• Staff Augmentation
• Penetration Testing
• Platform Baseline Hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
• IDM/IAM/PAM architecture
• SIEM design, operation and implementation
• eGRC Readiness & Deployment
E Security & Vendor Products
• Data Discovery
• Managed Tools Security Service
• Data Loss Protection
• SIEM & Logging
• Identity and Access Management
• EndPoint Protection
• Network Security Devices
• Encryption
• Unified Threat
• Multi-factor Authentication
Managed Security Services
• MSSP/SOC
• SIEM 365
• Data Center SOC
• IDM/IAM Security Administration
• Healthcare Infrastructure Solutions (2013 3rd Qtr.)
• Vulnerability Scans
• Penetration Testing
26
Ulf Mattsson, Chief Technology Officer, Compliance [email protected]
www.complianceengineers.com