A Breach Carol: 2013 Review, 2014 Predictions
How'd we do in 2013 from a data breach perspective? As we close out the year, are the cupboards / budgets bare and will it be a lean holiday season? Or should we be budgeting a holiday celebration with all of the trappings and a sumptuous New Year?

Borrowing themes from the Charles Dickens holiday classic, this webinar will review industry statistics and other indicators to evaluate how we did in 2013 from a privacy breach and security incident response perspective. Will our mythical CSO and CPO get the Scrooge-like CFO to approve their budget increases? And what will 2014 hold from a security, privacy, and regulatory perspective? Register below to find out.

Our featured speakers for this Dickensian webinar will be:

- Ebenezer Scrooge, Chief Financial Officer, Acme Inc. played by Ted Julian, Chief Marketing Officer, Co3 Systems

- Bob Cratchit, Chief Privacy Officer, Acme Inc. played by Gant Redmon, General Counsel, Co3 Systems

- Tiny Tim, Chief Security Officer, Acme Inc. played by "Tiny" Tim Armstrong, Incident Response Specialist, Co3 Systems

Published in: Technology, News & Politics



  • 1. A Breach Carol 2013 Recap, 2014 Predictions
  • 2. Agenda
    • Introductions
    • Ghosts of Security & Privacy Past
    • Ghosts of Security & Privacy Future
    • Q&A
  • 3. Introductions: Today’s Cast
    • Ted Julian, Chief Marketing Officer, Co3 Systems, as Ebenezer Scrooge, Chief Financial Officer, Acme Inc.
    • Gant Redmon, General Counsel, Co3 Systems, as Bob Cratchit, Chief Privacy Officer, Acme Inc.
    • “Tiny” Tim Armstrong, Incident Response Specialist, Co3 Systems, as Tiny Tim, Chief Security Officer, Acme Inc.
  • 4. Co3’s Incident Response Management Platform
    • Automated Escalation: accelerate response by easily creating incidents from the systems you already have
    • Instant Creation and Streamlined Collaboration: IR plans created instantly based on regulations, best practices, and standard operating procedure; collaborate on plan execution across multiple functions
    • Intelligent Correlation: determine related incidents automatically to identify broader, concerted attacks
    • Integrated Intelligence: gain valuable threat intelligence instantly from multiple intelligence feeds
    • Accelerated Mitigation: speed results by easily outputting results to your management platforms
    • Diagram labels: Industry Standard Frameworks, Organizational SOPs, Global Privacy Breach Regulations, Community Best Practices, Contractual Requirements; Web Form, Trouble Ticketing, IR Plan Entry Wizard, SIEM, Email; IT, Legal & Compliance, Marketing, HR; Trouble Ticketing, SIEM, GRC, Dashboards & Reporting; SSAE 16 Type II Certified Hosting Facility
  • 5. Prologue
    • Where: Acme Inc. HQ, Ebenezer Scrooge’s office
    • Who: Ebenezer, Bob, and Tiny Tim
    • What: 2014 Budget Review
    Bob & Tim asked for modest budget increases. Scrooge ordered them to return tomorrow (Christmas Eve) with a plan that showed a 15% reduction. Bob & Tim drowned their sorrows in egg nog at the company holiday party. Ebenezer humbugged and went home early.
  • 6. That night… Scrooge is visited by the ghost of Jacob Marley, the deceased former CFO of Acme. Marley tells Scrooge he’ll be visited by two sets of ghosts, the first of which are… The Ghosts of Security & Privacy Past
  • 7. Security Past
    • Snowden
      • More use of encryption inside companies who possess large amounts of data
      • Lack of gov’t collaboration
      • Increased amount of vigilante-style behavior (AJ)
    • Adobe
      • Security success story
      • Even big guys get breached
    • Silversky
      • Malware as a business has been heating up
      • More competition between malware “vendors”
  • 8. Security Past
    • Breach Data (VZ DBIR)
      • 92% of threat actors are external
      • Collecting and sharing IOCs and threat data leads to increased response times
      • 69% of breaches discovered by external parties
      • 66% took months to discover
  • 9. Privacy Past
    • Bloating of the privacy policy and Ts&Cs
      • PayPal’s terms longer than Hamlet
      • Privacy policies almost as long and are integrated into Ts&Cs
      • David Vladeck, former Director of the Bureau of Consumer Protection of the Federal Trade Commission, was no fan
      • Rule of thumb: the longer they are, the less privacy you have
  • 10. Privacy Past
    • Apps take on a bigger role
      • FTC Mobile Privacy Disclosures report says the FTC wants "timely, easy-to-understand disclosures about what data they collect and how the data is used."
      • FTC action against Path, Inc.
      • California Attorney General’s Privacy Enforcement and Protection Unit has prepared Privacy on the Go: Recommendations for the Mobile Ecosystem.
  • 11. Privacy Past
    • Snowden hands the EU a bat to beat the US cloud providers: Safe Harbor in dangerous waters
      • This year saw three phases of the EU leveraging the Snowden affair: a call for EU clouds, a call for the end of Safe Harbor, and finally the 13 recommendations for Safe Harbor set forth by the European Commission.
      • One of the recommendations looks like a cigarette warning label.
  • 12. Privacy Past
    • Executive Order
      • February 2013: President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, instructing NIST to lead the development of a framework to reduce cyber risks to critical infrastructure.
      • Fell short of Congressional action providing a litigation shield to companies sharing attack information with the US Government. No one seems to want to make it easier for companies to share info with the government these days.
  • 13. Privacy Past
    • HIPAA Final Rule
      • When it comes to breach response, the two big stories are business associates having direct reporting and notification responsibilities, and breaches being assumed to have caused harm.
      • As for harm, now we have to dig our way out of a breach with a risk assessment.
  • 14. Privacy Past
  • 15. POLL
  • 16. Later That Night… Scrooge receives another paranormal visit… The Ghosts of Security & Privacy Future
  • 17. Security Future
    • More breaches, more severe
      • The rise of Breach as a Service
      • CSO at a major enterprise is canned
      • Tiny Tim: cost argument to CFO re: before v after
      • The cost of a breach usually dwarfs that of training and tech
    • Breaches impact more diverse verticals
      • Moving away from mass malware to more industrial espionage
      • Healthcare increases as a target
      • Deadline for electronic patient records
      • Mobile?
      • Data leakage, apps with ad networks that leak
    • Fed mandate for minimum security requirements (ex. NIST IR for critical infrastructure)
      • Other verticals follow
      • More certifications for hosting (like FedRAMP) and personnel
  • 18. Security Future
    • IR disaster done right – Tylenol case study? Let’s say this doesn’t happen.
      • “The company pulled 31 million bottles of tablets back from retailers, making it one of the first major recalls in American history. The crisis cost the company more than $100 million, but Tylenol regained 100% of the market share it had before the crisis.” (Wikipedia)
    • Snowden fallout from a security perspective
      • Lack of trust/sharing
      • Industry hides from gov’t, over-encrypts data on internal as well as external networks
      • Rise of “NSA-proof” tech (AJ)
    • Model for best-of-breed IR begins to emerge: people, process, technology
      • Long term strategy starts to develop based on awareness of danger
      • IR professional services take off
  • 19. Privacy Future
    • Unified Breach Notice
      • US – No, maybe one more swing
      • EU – Yes
        • On October 21, 2013, the European Parliament approved its compromise text of the Draft Regulation to replace Directive 95/46/EC.
        • Next comes approval by the Council of Ministers.
        • Then the Parliament, the Council and the Commission must agree on the final text. A vote is expected before the parliamentary elections in May 2014.
      • Worked for telcos
  • 20. Privacy Future
    • Safe Harbor Alive and Well – The 13 Principles from the European Commission are not too specific or onerous.
  • 21. Privacy Future
    • Usernames and passwords
      • May the country follow California…again
      • S.B. 46, which amends Sections 1798.29 and 1798.82 of the Civil Code to require businesses and state agencies to notify consumers if their login credentials are compromised by a data breach
  • 22. Privacy Future
    • Greater personal awareness and responsibility
      • Cybermilitia: A Citizen Strategy to Fight, Win, and End War in Cyberspace, by Siobhan MacDermott and J.R. Smith
  • 23. POLL
  • 24. The Next Day: Bob & Tiny Tim head to Scrooge’s office with their slashed budget proposals. They’re shocked when a thoroughly changed Scrooge awards them a 100% increase!
  • 26. Happy Holidays!
  • 27. “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” (PC Magazine, Editors’ Choice)
    “One of the hottest products at RSA…” (Network World, February 2013)
    “Co3…defines what software packages for privacy look like.” (Gartner)
    “Platform is comprehensive, user friendly, and very well designed.” (Ponemon Institute)
    One Alewife Center, Suite 450, Cambridge, MA 02140 · Phone 617.206.3900 · WWW.CO3SYS.COM