The Failure of Information Security Classification: A New Model is Afoot!
- 1. THE FAILURE OF INFORMATION SECURITY CLASSIFICATION
A new model is afoot!
Branden R. Williams, CISSP, CISM
@BrandenWilliams
branden.williams@rsa.com
© Copyright 2012 EMC Corporation. All rights reserved. 1
- 2. How do we value information?
- 3. Bits vs Bits
• On one hand, we have bits of data
• On the other, we have MANY “bits” of money
- 4. What’s the Conversion Rate?
• 10 Bits = €10?
• 1 Gigabit = £1,000?
• 1 Byte = 2 bits?
• Where is this rate? How do I use it?
– Doesn’t exist!
– Too many factors affect it to map globally.
- 5. A Scholar’s Definition
• “Information value arises as the difference between a decision maker’s payoff in the absence of information relative to what can be obtained in its presence.”
• This works for theft, but what about copy?
– China/Mr. Pibb Problem
– Once copied, is it a race to the bottom?
Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of the literature in Management Science. Management Science, 50, 281–298.
- 6. How do we classify info today?
- 7. Why is information classification broken?
• Typical classification systems are problematic
– They lack definition (what constitutes info of this kind?)
– They lack automation (how do we teach systems to handle it?)
– They don’t address individual data value (is a vault required?)
- 8. Four Dumb* Classification Schemes
• Structuralist (focusing on regulatory compliance)
• Realist (stuff we care about, stuff we don’t)
• Broker (risk-based, three tiers, soft chewy middle)
• Striver (everyone hates this guy, 3+ tiers, highly structured, opportunities for automation)
Information Classification: An Essential Security Thing You're (Still) Not Doing, Trent Henry, Gartner
- 9. Opportunities for Attack
• Attackers and companies never value data the same. There are reasons for this:
– The data itself isn’t valuable without the knowledge/hardware to monetize it
– Secondary/unused business data is ignored
– Differing interpretation of the value lifecycle
- 10. How do we identify these opportunities?
• The value of information to us (Vc) varies widely
• As does the payoff for an adversary (Pa)
• Where those differ, we have opportunity (O)
– This could also be described as inefficiency
• This opportunity can be expressed as:
O = Vc - Pa
- 11. How do we identify these opportunities?
O = Vc - Pa
• Positive values of O suggest we know and understand the value, and attackers cannot monetize it
• Negative values of O suggest we have high-risk data that attackers want, but we devalue it
• Small values of O indicate matched intent
• Large values of O indicate inefficiency
- 12. Examples of how this works:
O = Vc - Pa
• Credit Card Information, 30m HQ Numbers
– Low value to company, transactions settled
– HIGH payoff to adversary ($1/card = $30m)
– Hugely negative Opportunity value
• Manufacturing process for IP, control SC
– Payoff is low to adversary due to supply chain
– If high spend on security, it could be reallocated to other areas.
- 13. The Value of Information Over Time
[Chart: Value (y-axis) against Time (x-axis). The curve rises to a Max Value and then declines; the area under the curve is the money available to the information owner; eventually the information becomes a liability.]
- 14. Events Occur, changes the curve
[Chart: the same Value/Time curve; at the point where a breach occurs the information is copied and the loot becomes divided among the holders.]
- 15. What’s interesting about these curves?
• This one is a sample, but somewhat representative
• Curve notes:
– Each ACTOR has their own curve
– Curves can be steeper or flatter
– Curves can converge/diverge with actor action
– Curves only represent value for the ACTOR (i.e., unrealized value may not be represented)
– Eventually, information becomes a liability
– Impending threat mirrors the value curve
– Think about a zero-day exploit on its own curve
- 16. Beginning to translate these curves
• Information’s value varies over time
– We need to consider malicious actors when planning information security defenses
– Blanket controls cause inefficiency
• When curves converge/diverge…
– Values can dramatically consolidate/divide
• Curves represent potential value to the actor
– Pent-up value may exist without realization
- 17. We need a new model
• Minimum model requirements:
– Information grouped by value
▪ To ME
▪ To Competitor/Military
▪ Only if LOST
– Address information value over time
▪ Information changes in value over time
▪ Usually depreciating, some more rapidly than others
– Reflect # of actors and motivation
– Reflect change in motivation based on payoff
▪ Market forces can dramatically alter this
▪ Large data stores are more attractive than small ones
- 18. Moreover: The model needs to be simple
• No industry jargon
• No dictionary required
• Not dozens of pages
- 19. Simple, Yet flexible
• Must be able to adjust with value changes
• Must rely on accurate inputs
– Numbers of actors
– Projected payoffs from data theft
– Strength of perimeter defenses
– Number of business processes using the data
– Amount of data sprawl
– Account for amount of data as a change in payoff
• Must be able to affect security posture
- 20. How SHOULD we view the world?
[Venn diagram of three overlapping sets: “Valuable to me”, “Valuable to Competitors or Military” and “Valuable if Lost”. Items placed on it: Customer Analytics, IT Configs, Secret Sauce, Biz Processes, Intellectual Property, Software Vuln DB, Corp Strategy, Derivative Data, Analytics for Sale, Medical Records, Crown Jewels, Easily Transferrable IP, Actionable IP, CC Data, Encryption Keys, PII/PHI Data, Unused Biz Data, Disinformation, COMPINT, Defense Information, Old Source Code, Old IP, Old/Retired Encryption Keys. The next two slides tabulate these by the three criteria.]
- 21. The Model
Columns: Value to You | Value to Comp. | Value if Lost | Examples | Breach Prob. | Biz Impact | ACTION
(Number of potential actors per column: You = 1, Competitors = 50, If Lost = 2.3B*)

Y | N | N | Customer Analytics; IT Configs; Business Processes; Intellectual Property | Low | A/I | Secured, but not vaulted
Y | Y | N | Secret Sauce; Software Vuln DB; Corp Strategy | Med | C: delayed risk; A/I: immediate | Protect (Vault)
N | Y | Y? | Old Source Code; Old IP (where new IP is derived); Old encryption keys | Med | C/I | C: Destroy; I: Secure Archive
- 22. The Model (part 2)
Columns: Value to You | Value to Comp. | Value if Lost | Examples | Breach Prob. | Biz Impact | ACTION
(Number of potential actors per column: You = 1, Competitors = 50, If Lost = 2.3B*)

N | N | Y | Credit Card Numbers; PII/PHI; Unused Biz Data | High (# Actors) | C | Outsource; Destroy; Obfuscate
Y | N | Y | Sec. Data Analytics (revenue); Medical Records; High roller customers; Proprietary Algorithms; Financial Results | Low (High Impact) | C | Protect IP (Vault); Secure Data
Y | Y | Y | Crown Jewels; Easily transferrable IP | High | C | Protect (Vault)
- 23. The Relevance of Data Mass
[Chart: Payoff (y-axis) against Amount of data (x-axis); payoff rises with the amount of data held.]
- 24. Combating Risk from Data Growth
• Reduce data stores
– Truncation
– De-value options (tokens)
– DESTROY
• Reduce the effective size
– 1M records / 10 keys = 100K recs per key!
– Multiple algorithms
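The three levers on this slide, as an added worked example (not the author's code): truncation of a card number, tokenization through a vault, and spreading records across several data keys so that the loss of one key exposes only a fraction of the store. The card numbers, record IDs, the partition secret and the key count of 10 are constructed for the example; no cipher is applied, only the per-record key assignment that would select the data key, which is the part that determines the "effective size".

```python
"""Reducing the payoff of a large data store: truncation, tokenization,
and spreading records across several keys.

Illustration added to these notes, not the author's code. Card numbers,
record IDs, secrets and key count are constructed; no cipher is applied,
only the key assignment that would pick the data key for each record.
"""
import hashlib
import hmac
import secrets
from collections import Counter


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; the masked middle has no resale value."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Swap the PAN for a random token; only the vault can map it back."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = self._token_by_pan.get(pan)
        if token is None:
            token = secrets.token_hex(8)  # random, so it cannot be inverted like a hash
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def key_slot(record_id: str, partition_secret: bytes, n_keys: int) -> int:
    """Deterministically pick which of n_keys data keys protects this record.

    A keyed hash is used so an outsider cannot craft record IDs that all land
    on the same key.
    """
    digest = hmac.new(partition_secret, record_id.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % n_keys


def exposure_if_keys_lost(record_ids, partition_secret: bytes, n_keys: int, lost_slots) -> int:
    """Number of records readable by someone holding only the keys in lost_slots."""
    lost = set(lost_slots)
    return sum(1 for rid in record_ids if key_slot(rid, partition_secret, n_keys) in lost)


# Constructed sample: 1,000 customer records spread over 10 keys.
PARTITION_SECRET = b"constructed-partition-secret"
N_KEYS = 10
RECORD_IDS = [f"cust-{i:06d}" for i in range(1_000)]


def slot_sizes() -> Counter:
    """How the sample records distribute over the keys (each slot holds about 100)."""
    return Counter(key_slot(rid, PARTITION_SECRET, N_KEYS) for rid in RECORD_IDS)


if __name__ == "__main__":
    print(truncate_pan("4111 1111 1111 1111"))
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")
    print(tok, vault.detokenize(tok))
    one_key = exposure_if_keys_lost(RECORD_IDS, PARTITION_SECRET, N_KEYS, [0])
    print(f"one of {N_KEYS} keys lost exposes {one_key} of {len(RECORD_IDS)} records")
```

The "multiple algorithms" point on the slide sits naturally on top of this: each slot can also differ in cipher or key-wrapping scheme, so a single implementation flaw does not reach the whole store either.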
- 25. How to apply the model
• Look at the kinds of data your business controls
– Try to define what it is, then relate it to the model
– Be sure to find information NOT IN USE
– Understand flow and sprawl of data
– Look for large values of O
• Add values where you can
– Valuing information is personal
– Use your own data
– Don’t rely on external sources to define data value
• Remember the CONFIDENCE factor!
• Take Action Per the Model!
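Putting the procedure above into code, as an added example that is not part of the deck: it scores an inventory with O = Vc - Pa from slides 10 and 11, lets the adversary's payoff grow with record count as slide 23 argues, reads off the ACTION column of slides 21 and 22 from the three Y/N criteria, and reports the record count at which a store tips from positive to negative O. The two stores are slide 12's examples; their dollar figures, record counts, per-record prices and the "matched intent" tolerance are constructed inputs, not values from the deck.

```python
"""Scoring an inventory with O = Vc - Pa and the deck's action table.

Illustration added to these notes, not the author's code. Dollar figures,
record counts, per-record prices and the tolerance are constructed inputs.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    MATCHED = "small |O|: our valuation and the attacker's payoff agree"
    OVERSPEND = "large positive O: we value it far more than attackers can monetize"
    UNDERVALUED = "large negative O: attackers want it, we devalue it"


@dataclass(frozen=True)
class DataStore:
    name: str
    records: int
    value_to_us: float           # Vc: what the information is worth to the owner
    adversary_unit_price: float  # constructed estimate of resale value per record
    valuable_to_me: bool         # the three Y/N columns of the model table
    valuable_to_competitor: bool
    valuable_if_lost: bool

    def adversary_payoff(self) -> float:
        """Pa scales with data mass: price per record times record count."""
        return self.adversary_unit_price * self.records

    def opportunity(self) -> float:
        """O = Vc - Pa."""
        return self.value_to_us - self.adversary_payoff()

    def breakeven_records(self) -> float:
        """Record count at which O reaches zero; above it the store is a net liability."""
        if self.adversary_unit_price <= 0:
            return float("inf")
        return self.value_to_us / self.adversary_unit_price


def verdict(o: float, tolerance: float) -> Verdict:
    """Read O as the deck does; `tolerance` is the band treated as matched intent."""
    if abs(o) <= tolerance:
        return Verdict.MATCHED
    return Verdict.OVERSPEND if o > 0 else Verdict.UNDERVALUED


# ACTION column of the model table, keyed on (to me, to competitor, if lost).
ACTIONS = {
    (True, False, False): "Secured, but not vaulted",
    (True, True, False): "Protect (Vault)",
    (False, True, True): "C: Destroy; I: Secure Archive",
    (False, False, True): "Outsource / Destroy / Obfuscate",
    (True, False, True): "Protect IP (Vault); Secure Data",
    (True, True, True): "Protect (Vault)",
}


def recommended_action(store: DataStore) -> str:
    key = (store.valuable_to_me, store.valuable_to_competitor, store.valuable_if_lost)
    # Combinations the deck leaves blank are surfaced, not guessed.
    return ACTIONS.get(key, "not covered by the model: classify manually")


# The two examples from the deck, with constructed numbers.
SETTLED_CARDS = DataStore(
    name="Settled credit card numbers", records=30_000_000,
    value_to_us=500_000.0, adversary_unit_price=1.0,  # "$1/card = $30m"
    valuable_to_me=False, valuable_to_competitor=False, valuable_if_lost=True,
)
PROCESS_IP = DataStore(
    name="Manufacturing process (supply chain controlled)", records=1,
    value_to_us=5_000_000.0, adversary_unit_price=200_000.0,
    valuable_to_me=True, valuable_to_competitor=True, valuable_if_lost=False,
)
TOLERANCE = 1_000_000.0  # constructed: |O| below this counts as matched intent


def report(stores) -> list:
    """One row per store: name, O, verdict, action, break-even record count."""
    rows = []
    for s in stores:
        o = s.opportunity()
        rows.append((s.name, o, verdict(o, TOLERANCE), recommended_action(s), s.breakeven_records()))
    return rows


if __name__ == "__main__":
    for name, o, v, action, be in report([SETTLED_CARDS, PROCESS_IP]):
        print(f"{name}: O={o:,.0f}  {v.value}")
        print(f"  action: {action}; O turns negative beyond {be:,.0f} records")
```

Note the tension the output makes visible: the manufacturing process has a large positive O (spend could be reallocated) yet still maps to Protect (Vault) because it is valuable to both you and a competitor, while the settled card store is hugely negative and maps to Outsource / Destroy / Obfuscate. The break-even count is where the confidence factor matters most, since it depends entirely on the per-record price you chose.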
- 26. How about we stay in touch?
• If you would like a copy of these slides:
– Text 424-279-8398 (BRW-TEXT) with code 5287, a comma, then your email address
– Example: 5287,your@email.com
• Stay up to date with things I’m working on!
• Contact:
– @BrandenWilliams
– brandenwilliams.com