The Failure of Information Security Classification: A New Model is Afoot!
Presented at InnoTech Austin on November 8, 2012. All rights reserved.
Transcript of "The Failure of Information Security Classification: A New Model is Afoot!"

  1. THE FAILURE OF INFORMATION SECURITY CLASSIFICATION: A new model is afoot!
     Branden R. Williams, CISSP, CISM, @BrandenWilliams, branden.williams@rsa.com
     © Copyright 2012 EMC Corporation. All rights reserved.
  2. How do we value information?
  3. Bits vs Bits
     • On one hand, we have bits of data
     • On the other, we have MANY “bits” of money
  4. What’s the Conversion Rate?
     • 10 Bits = €10?
     • 1 Gigabit = £1,000?
     • 1 Byte = 2 bits?
     • Where is this rate? How do I use it?
       – Doesn’t exist!
       – Too many factors affect it to map globally.
  5. A Scholar’s Definition
     • “Information value arises as the difference between a decision maker’s payoff in the absence of information relative to what can be obtained in its presence.”
     • This works for theft, but what about copy?
       – China/Mr. Pibb Problem
       – Once copied, is it a race to the bottom?
     Source: Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of the literature in Management Science. Management Science, 50, 281-298. INFORMS: Institute for Operations Research.
  6. How do we classify info today?
  7. Why is information classification broken?
     • Typical classification systems are problematic
       – Lack definition (what constitutes info of this kind?)
       – And automation (teach systems to handle)
       – Don’t address individual data value (is a vault required?)
  8. Four Dumb* Classification Schemes
     • Structuralist (focusing on regulatory compliance)
     • Realist (stuff we care about, stuff we don’t)
     • Broker (risk-based, three tiers, soft chewy middle)
     • Striver (everyone hates this guy, 3+ tiers, highly structured, opportunities for automation)
     * Source: Information Classification: An Essential Security Thing You're (Still) Not Doing, Trent Henry, Gartner
  9. Opportunities for Attack
     • Attackers and companies never value data the same. There are reasons for this:
       – The data itself isn’t valuable without the knowledge/hardware to monetize it
       – Secondary/unused business data is ignored
       – Differing interpretation of value lifecycle
  10. How do we identify these opportunities?
     • The value of information to us (Vc) varies widely
     • As does the payoff for an adversary (Pa)
     • Where those differ, we have opportunity (O)
       – This could also be described as inefficiency
     • This opportunity can be expressed as: O = Vc - Pa
  11. How do we identify these opportunities? (O = Vc - Pa)
     • Positive values of O suggest we know and understand the value, and attackers cannot monetize
     • Negative values of O suggest we have high-risk data that attackers want, but we devalue
     • Small values of O indicate matched intent
     • Large values of O indicate inefficiency
  12. Examples of how this works (O = Vc - Pa)
     • Credit Card Information, 30m HQ Numbers
       – Low value to company, transactions settled
       – HIGH payoff to adversary ($1/card = $30m)
       – Hugely negative Opportunity value
     • Manufacturing process for IP, control SC
       – Payoff is low to adversary due to supply chain
       – If high spend on security, could be reallocated to other areas.
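As an added worked example (not from the deck), the O = Vc - Pa arithmetic of slides 10 and 11 applied to the two cases on slide 12, with the confidence factor from slide 25 used to discount guessed inputs. Only “$1/card × 30m = $30m” comes from the slide; the Vc figures, the IT-config case, the confidence values and the “small O” band are assumptions.

```python
from dataclasses import dataclass


@dataclass
class DataStore:
    name: str
    vc: float          # value of the information to us (Vc, slide 10)
    pa: float          # payoff for an adversary (Pa, slide 10)
    confidence: float  # 0..1, how far we trust our own Vc/Pa inputs (assumed scale)


def opportunity(store: DataStore) -> float:
    """O = Vc - Pa (slide 10)."""
    return store.vc - store.pa


def describe(store: DataStore, small_band: float) -> str:
    """Slide 11 reading of O: the sign says who values the data more, the
    magnitude says whether intent is matched (small |O|) or spend is
    inefficient (large |O|). small_band is an assumed threshold in the same
    currency as Vc and Pa."""
    o = opportunity(store)
    if abs(o) <= small_band:
        return "matched intent"
    if o < 0:
        return "negative: high-risk data attackers want, but we devalue"
    return "positive: we understand the value and attackers cannot monetize; spend may be reallocated"


def rank_by_opportunity(stores, small_band):
    """Slide 25: look for large values of O. |O| is discounted by the confidence
    in the inputs so a guessed figure cannot outrank a well-understood one."""
    scored = [(abs(opportunity(s)) * s.confidence, s.name, describe(s, small_band))
              for s in stores]
    return sorted(scored, reverse=True)


# Constructed inputs. Only "$1/card x 30m = $30m" is from slide 12; every other
# figure and every confidence value is an assumption for illustration.
CARDS = DataStore("30m settled credit card numbers", vc=500_000, pa=30_000_000 * 1.0, confidence=0.9)
MFG_IP = DataStore("Manufacturing process IP, supply chain controlled", vc=20_000_000, pa=1_000_000, confidence=0.5)
CONFIGS = DataStore("IT configs", vc=250_000, pa=200_000, confidence=0.7)
SMALL_BAND = 1_000_000  # assumed: |O| at or below this counts as "small"

if __name__ == "__main__":
    for weighted, name, reading in rank_by_opportunity([CARDS, MFG_IP, CONFIGS], SMALL_BAND):
        print(f"{name}: confidence-weighted |O| = {weighted:,.0f}; {reading}")
```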
  13. The Value of Information Over Time
     [Chart: Value (y-axis) against Time (x-axis), with a marked Max Value. Annotations: “Area under this curve = money for information owner”; “Information eventually becomes a liability”.]
  14. Events Occur, changes the curve
     [Chart: Value against Time, with a marked Max Value. Annotations: “Information is now copied, breach occurs”; “The loot becomes divided among holders.”]
  15. What’s interesting about these curves?
     • This one is a sample, but somewhat representative
     • Curve notes:
       – Each ACTOR has their own curve
       – Curves can be steeper or flatter
       – Curves can converge/diverge with actor action
       – Curves only represent value for the ACTOR (i.e., unrealized value may not be represented)
       – Eventually, information becomes a liability
       – Impending threat mirrors value curve
       – Think about a zero day exploit on its own curve
  16. Beginning to translate these curves
     • Information’s value varies over time
       – We need to consider malicious actors when planning information security defenses
       – Blanket controls cause inefficiency
     • When curves converge/diverge…
       – Values can dramatically consolidate/divide
     • Curves represent potential value to the actor
       – Pent-up value may exist without realization
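An added numeric version of the curves on slides 13 to 16 (example code, not from the deck). The curve points are constructed; the deck only states that value reaches a Max Value, that the area under the curve is the owner’s money, that a breach divides the loot among holders, and that the information eventually becomes a liability (negative value).

```python
from typing import List, Tuple

Point = Tuple[float, float]  # (time, value to this actor)

# Constructed sample curve for the information owner: ramps to a Max Value of 10,
# decays, and goes negative once the data is a liability.
OWNER_CURVE: List[Point] = [(0, 0), (1, 10), (2, 8), (3, 4), (4, 0), (5, -3), (6, -3)]


def value_at(curve: List[Point], t: float) -> float:
    """Linear interpolation between the curve's points (t clamped to the curve's span)."""
    t = min(max(t, curve[0][0]), curve[-1][0])
    for (t0, v0), (t1, v1) in zip(curve, curve[1:]):
        if t0 <= t <= t1:
            return v0 + (v1 - v0) * (t - t0) / (t1 - t0)
    return curve[-1][1]


def area(curve: List[Point], t_from: float, t_to: float, steps: int = 1000) -> float:
    """Trapezoidal area under the curve: money for the actor over [t_from, t_to] (slide 13)."""
    h = (t_to - t_from) / steps
    total = 0.0
    for i in range(steps):
        a, b = t_from + i * h, t_from + (i + 1) * h
        total += (value_at(curve, a) + value_at(curve, b)) * h / 2
    return total


def breach(curve: List[Point], t_breach: float, holders: int) -> List[Point]:
    """Slide 14: from t_breach on, the loot is divided among `holders`, so the
    owner's remaining value is scaled by 1/holders. Points before the breach
    are unchanged; a hinge point at t_breach keeps the curve continuous."""
    split = [(t, v) for t, v in curve if t < t_breach]
    split.append((t_breach, value_at(curve, t_breach)))
    split += [(t, v / holders) for t, v in curve if t > t_breach]
    return split


def liability_time(curve: List[Point]) -> float:
    """First time the value crosses zero going down (slide 15: eventually a liability)."""
    for (t0, v0), (t1, v1) in zip(curve, curve[1:]):
        if v0 > 0 >= v1:
            return t0 + (t1 - t0) * v0 / (v0 - v1)
    raise ValueError("curve never becomes a liability")
```

Dividing the loot among three holders at t = 1.5 cuts the owner’s remaining area well below the undisturbed 22 units over [0, 4], while the point at which the data turns into a liability does not move.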
  17. We need a new model
     • Minimum model requirements:
       – Information grouped by value
         ▪ To ME
         ▪ To Competitor/Military
         ▪ Only if LOST
       – Address information value over time
         ▪ Information changes in value over time
         ▪ Usually depreciating, some more rapidly than others
       – Reflect # of actors and motivation
       – Reflect change in motivation based on payoff
         ▪ Market forces can dramatically alter this
         ▪ Large data stores are more attractive than small ones
  18. Moreover: The model needs to be simple
     • No industry jargon
     • No dictionary required
     • Not dozens of pages
  19. Simple, Yet Flexible
     • Must be able to adjust with value changes
     • Must rely on accurate inputs
       – Numbers of actors
       – Projected payoffs with data theft
       – Strength of perimeter defenses
       – Number of business processes using the data
       – Amount of data sprawl
       – Account for amount of data as a change in payoff
     • Must be able to affect security posture
  20. How SHOULD we view the world?
     [Diagram: data types placed in three regions, “Valuable to me”, “Valuable to Competitors or Military” and “Valuable if Lost”. Items on the diagram: Customer Analytics, IT Configs, Secret Sauce, Biz Processes, Intellectual Property, Software Vuln DB, Corp Strategy, Derivative Data, Analytics for Sale, Medical Records, Crown Jewels, Easily Transferrable IP, Actionable IP, CC Data, Encryption Keys, PII/PHI Data, Unused Biz Data, Disinformation, COMPINT, Defense Information, Old Source Code, Old IP, Old/Retired Encryption Keys.]
  21. The Model
     (Breach Prob. is read against the slide’s Number of Potential Actors scale: 1 … 50 … 2.3B*)
     | Examples | Value to You | Value to Comp. | Value if Lost | Breach Prob. | Biz Impact | ACTION |
     | Customer Analytics; IT Configs; Business Processes; Intellectual Property | Y | N | N | Low | A/I | Secured, but not vaulted |
     | Secret Sauce; Software Vuln DB; Corp Strategy | Y | Y | N | Med | A/I (Immediate); C (Delayed Risk) | Protect (Vault) |
     | Old Source Code; Old IP (where new IP is derived); Old encryption keys | N | Y | Y? | Med | C/I | C: Destroy; I: Secure Archive |
  22. The Model (part 2)
     | Examples | Value to You | Value to Comp. | Value if Lost | Breach Prob. | Biz Impact | ACTION |
     | Credit Card Numbers; PII/PHI; Unused Biz Data; Sec. Data | N | N | Y | High (# Actors) | C | Outsource; Destroy; Obfuscate |
     | Analytics IP (revenue); Medical Records; High roller customers; Proprietary Algorithms; Financial Results | Y | N | Y | Low (High Impact) | C | Protect (Vault); Secure Data |
     | Crown Jewels; Easily transferrable IP | Y | Y | Y | High | C | Protect (Vault) |
  23. The Relevance of Data Mass
     [Chart: Payoff (y-axis) against Amount of data (x-axis).]
  24. Combating Risk from Data Growth
     • Reduce data stores
       – Truncation
       – De-value options (tokens)
       – DESTROY
     • Reduce the effective size
       – 1M records / 10 keys = 100K recs!
       – Multiple algorithms
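An added example (not from the deck) of how the slide 24 controls change the adversary payoff Pa, and with it O = Vc - Pa. The “1M records / 10 keys = 100K” arithmetic and the 30m cards at $1/card are from slides 24 and 12; the Vc figure and the mix of controls applied to the card store are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Store:
    records: int
    value_per_record: float  # what an adversary can monetize per usable record (slide 12: $1/card)
    keys: int = 1            # distinct encryption keys the store is split across
    algorithms: int = 1      # distinct algorithms/schemes, splitting it further
    destroyed: float = 0.0   # fraction of records deleted outright (DESTROY)
    devalued: float = 0.0    # fraction truncated or tokenised: still stored, worthless to a thief


def effective_records(store: Store) -> int:
    """Slide 24: records exposed by one compromised key under one scheme."""
    remaining = store.records * (1.0 - store.destroyed)
    return int(remaining / (store.keys * store.algorithms))


def adversary_payoff(store: Store) -> float:
    """Pa for a single compromise: only records that were not devalued are monetisable."""
    return effective_records(store) * (1.0 - store.devalued) * store.value_per_record


def opportunity(vc: float, store: Store) -> float:
    """O = Vc - Pa (slide 10) for the store as currently held."""
    return vc - adversary_payoff(store)


# Constructed cases. SLIDE_24 reproduces "1M records / 10 keys = 100K"; the card
# cases use 30m cards at $1/card (slide 12) with an assumed Vc and control mix.
SLIDE_24 = Store(records=1_000_000, value_per_record=1.0, keys=10)
CARDS_TODAY = Store(records=30_000_000, value_per_record=1.0)
CARDS_HARDENED = Store(records=30_000_000, value_per_record=1.0, keys=10, algorithms=2,
                       destroyed=0.5, devalued=0.75)
VC_CARDS = 500_000  # assumed value of the already-settled transactions to the company

if __name__ == "__main__":
    for label, s in (("today", CARDS_TODAY), ("hardened", CARDS_HARDENED)):
        print(f"{label}: one compromise yields {effective_records(s):,} records, "
              f"Pa=${adversary_payoff(s):,.0f}, O=${opportunity(VC_CARDS, s):,.0f}")
```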
  25. How to apply the model
     • Look at the kinds of data your business controls
       – Try to define what it is, then relate it to the model
       – Be sure to find information NOT IN USE
       – Understand flow and sprawl of data
       – Look for large values of O
     • Add values where you can
       – Valuing information is personal
       – Use your own data
       – Don’t rely on external sources to define data value
     • Remember CONFIDENCE factor!
     • Take Action Per the Model!
  26. How about we stay in touch?
     • If you would like a copy of these slides:
       – Text 424-279-8398 (BRW-TEXT) code 5287 comma, your email address
       – Example: 5287,your@email.com
     • Stay up to date with things I’m working on!
     • Contact:
       – @BrandenWilliams
       – brandenwilliams.com