THE FAILURE OF INFORMATION SECURITY CLASSIFICATION
A new model is afoot!

Branden R. Williams, CISSP, CISM
@BrandenWilliams
branden.williams@rsa.com

© Copyright 2012 EMC Corporation. All rights reserved.

How do we value information?
Bits vs Bits
• On one hand, we have bits of data
• On the other, we have MANY “bits” of money

What’s the Conversion Rate?
• 10 Bits = €10?
• 1 Gigabit = £1,000?
• 1 Byte = 2 bits?
• Where is this rate? How do I use it?
  – Doesn’t exist!
  – Too many factors affect it to map globally.

A Scholar’s Definition
• “Information value arises as the difference between a decision maker’s payoff in the absence of information relative to what can be obtained in its presence.”
• This works for theft, but what about copy?
  – China/Mr. Pibb Problem
  – Once copied, is it a race to the bottom?

Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of the literature in management science (Vol. 50, pp. 281-298). INFORMS: Institute for Operations Research.

How do we classify info today?
Why is information classification broken?
• Typical classification systems are problematic
  – They lack definition (what constitutes info of this kind?)
  – They lack automation (nothing teaches systems how to handle each kind)
  – They don’t address individual data value (is a vault required?)

Four Dumb* Classification Schemes
• Structuralist (Focusing on regulatory compliance)
• Realist (Stuff we care about, stuff we don’t)
• Broker (risk-based, three tiers, soft chewy middle)
• Striver (Everyone hates this guy, 3+ tiers, highly structured, opportunities for automation)

Information Classification: An Essential Security Thing You're (Still) Not Doing, Trent Henry, Gartner

Opportunities for Attack
• Attackers and companies never value data the same. There are reasons for this:
  – The data itself isn’t valuable without the knowledge/hardware to monetize it
  – Secondary/unused business data is ignored
  – Differing interpretation of value lifecycle

How do we identify these opportunities?
• The value of information to us (Vc) varies widely
• As does the payoff for an adversary (Pa)
• Where those differ, we have opportunity (O)
  – This could also be described as inefficiency
• This opportunity can be expressed as:

    O = Vc - Pa

How do we identify these opportunities?

    O = Vc - Pa

• Positive values of O suggest we know and understand the value, and attackers cannot monetize
• Negative values of O suggest we have high risk data that attackers want, but we devalue
• Small values of O indicate matched intent
• Large values of O indicate inefficiency

Examples of how this works:

    O = Vc - Pa

• Credit Card Information, 30m HQ Numbers
  – Low value to company, transactions settled
  – HIGH payoff to adversary ($1/card = $30m)
  – Hugely negative Opportunity value
• Manufacturing process for IP, control SC
  – Payoff is low to adversary due to supply chain
  – If high spend on security, could be reallocated to other areas.

The Value of Information Over Time

[Figure: value (y-axis) against time (x-axis). Annotations: Max Value; area under this curve = money for information owner; information eventually becomes a liability.]

Events Occur, Changing the Curve

[Figure: the same value-versus-time curve after an event. Annotations: Max Value; information is now copied, breach occurs; the loot becomes divided among holders.]

What’s interesting about these curves?
• This one is a sample, but somewhat representative
• Curve notes:
  – Each ACTOR has their own curve
  – Curves can be steeper or flatter
  – Curves can converge/diverge with actor action
  – Curves only represent value for the ACTOR (i.e., unrealized value may not be represented)
  – Eventually, information becomes a liability
  – Impending threat mirrors value curve
  – Think about a zero day exploit on its own curve

Beginning to translate these curves
• Information’s value varies over time
  – We need to consider malicious actors when planning information security defenses
  – Blanket controls cause inefficiency
• When curves converge/diverge…
  – Values can dramatically consolidate/divide
• Curves represent potential value to the actor
  – Pent up value may exist without realization

We need a new model
• Minimum model requirements:
  – Information grouped by value
    ▪ To ME
    ▪ To Competitor/Military
    ▪ Only if LOST
  – Address information value over time
    ▪ Information changes in value over time
    ▪ Usually depreciating, some more rapidly than others
  – Reflect # of actors and motivation
  – Reflect change in motivation based on payoff
    ▪ Market forces can dramatically alter this
    ▪ Large data stores are more attractive than small ones

Moreover: The model needs to be simple
• No industry jargon
• No dictionary required
• Not dozens of pages

Simple, Yet Flexible
• Must be able to adjust with value changes
• Must rely on accurate inputs
  – Numbers of actors
  – Projected payoffs with data theft
  – Strength of perimeter defenses
  – Number of business processes using the data
  – Amount of data sprawl
  – Account for amount of data as a change in payoff
• Must be able to affect security posture

How SHOULD we view the world?

[Venn diagram of three overlapping sets: “Valuable to me”, “Valuable to Competitors or Military”, and “Valuable if Lost”. Items placed in the diagram: Customer Analytics, IT Configs, Biz Processes; Secret Sauce, Intellectual Property, Software Vuln DB, Corp Strategy; Crown Jewels, Easily Transferrable IP, Actionable IP, Encryption Keys; COMPINT, Defense Information; Derivative Data, Analytics for Sale, Medical Records; CC Data, PII/PHI Data, Unused Biz Data, Disinformation; Old Source Code, Old IP, Old/Retired Encryption Keys. The next two slides tabulate which sets each example falls in.]

The Model

Number of potential actors per column: Value to You = 1, Value to Competitors = 50, Value if Lost = 2.3B*

Value   Value     Value    Examples                                 Breach   Biz Impact          ACTION
to You  to Comp.  if Lost                                           Prob.
Y       N         N        Customer Analytics, IT Configs,          Low      A/I                 Secured, but not vaulted
                           Business Processes
Y       Y         N        Intellectual Property, Secret Sauce,     Med      C: delayed risk;    Protect (Vault)
                           Software Vuln DB, Corp Strategy                   A/I: immediate
N       Y         Y?       Old Source Code, Old IP (where new IP    Med      C/I                 C: Destroy;
                           is derived), Old encryption keys                                      I: Secure Archive

The Model (part 2)

Number of potential actors per column, as above: Value to You = 1, Value to Competitors = 50, Value if Lost = 2.3B*

Value   Value     Value    Examples                                  Breach         Biz Impact   ACTION
to You  to Comp.  if Lost                                            Prob.
N       N         Y        Credit Card Numbers, PII/PHI,             High           C            Outsource, Destroy,
                           Unused Biz Data                           (# actors)                  Obfuscate
Y       N         Y        Sec. Data Analytics (revenue),            Low            C            Protect IP (Vault),
                           Medical Records, High roller customers,   (high impact)               Secure Data
                           Proprietary Algorithms, Financial Results
Y       Y         Y        Crown Jewels, Easily transferrable IP     High           C            Protect (Vault)

The Relevance of Data Mass

[Figure: payoff (y-axis) against amount of data (x-axis); payoff rises with the size of the store.]

Combating Risk from Data Growth
• Reduce data stores
  – Truncation
  – De-value options (tokens)
  – DESTROY
• Reduce the effective size
  – 1M records / 10 keys = 100K recs!
  – Multiple algorithms

How to apply the model
• Look at the kinds of data your business controls
  – Try to define what it is, then relate it to the model
  – Be sure to find information NOT IN USE
  – Understand flow and sprawl of data
  – Look for large values of O
• Add values where you can
  – Valuing information is personal
  – Use your own data
  – Don’t rely on external sources to define data value
• Remember CONFIDENCE factor!
• Take Action Per the Model!

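As an added worked example (not code from the deck or its author), the pieces of the model above in Python: the opportunity formula O = Vc - Pa, the Y/N-to-ACTION table from the two "The Model" slides, and the "1M records / 10 keys" reduction of effective size. The per-record dollar values, the linear Vc/Pa scaling and the threshold for a "small" O are constructed assumptions.

```python
from dataclasses import dataclass
from math import ceil


@dataclass
class DataAsset:
    """One store of data, described with the three Y/N columns of the model."""
    name: str
    value_to_you: bool          # "Value to You"
    value_to_competitor: bool   # "Value to Comp." (competitor or military)
    value_if_lost: bool         # "Value if Lost"
    records: int                # size of the store (data mass)
    value_per_record: float     # our value per record; Vc = records * value_per_record (assumed linear)
    payoff_per_record: float    # adversary payoff per record; Pa = records * payoff_per_record
    key_shards: int = 1         # distinct encryption keys the store is split across


# Y/N triples -> ACTION column, transcribed from the two "The Model" slides.
# The deck marks the (N, Y, Y) row's "if lost" entry as "Y?"; the two triples
# the deck does not list, (N, N, N) and (N, Y, N), are deliberately absent.
ACTIONS = {
    (True, False, False): "Secured, but not vaulted",
    (True, True, False): "Protect (vault)",
    (False, True, True): "C: destroy; I: secure archive",
    (False, False, True): "Outsource / destroy / obfuscate",
    (True, False, True): "Protect IP (vault); secure data",
    (True, True, True): "Protect (vault)",
}


def effective_records(records: int, key_shards: int) -> int:
    """Records exposed by one key compromise: 1M records / 10 keys = 100K records."""
    if key_shards < 1:
        raise ValueError("key_shards must be >= 1")
    return ceil(records / key_shards)


def opportunity(asset: DataAsset) -> tuple:
    """Return (Vc, Pa, O) for the whole store, with O = Vc - Pa."""
    vc = asset.records * asset.value_per_record
    pa = asset.records * asset.payoff_per_record
    return vc, pa, vc - pa


def interpret(vc: float, pa: float, o: float, matched_fraction: float = 0.1) -> str:
    """Map O onto the deck's readings. 'Small' is assumed here (our choice, not
    the deck's) to mean |O| within matched_fraction of the larger of Vc and Pa."""
    scale = max(abs(vc), abs(pa), 1.0)
    if abs(o) <= matched_fraction * scale:
        return "matched intent"
    if o < 0:
        return "inefficiency: negative O, attackers want data we devalue"
    return "inefficiency: positive O, we value data attackers cannot monetize"


def assess(asset: DataAsset) -> dict:
    """Score one asset: O, its reading, per-key exposure, and the model's action."""
    vc, pa, o = opportunity(asset)
    per_key = effective_records(asset.records, asset.key_shards)
    key = (asset.value_to_you, asset.value_to_competitor, asset.value_if_lost)
    return {
        "name": asset.name,
        "Vc": vc,
        "Pa": pa,
        "O": o,
        "reading": interpret(vc, pa, o),
        # what a single key compromise pays the adversary once the store is split
        "Pa_per_key_compromise": per_key * asset.payoff_per_record,
        "action": ACTIONS.get(key, "not covered by the deck's table"),
    }


# Constructed sample: slide 12's 30m card numbers at $1/card, settled and so
# nearly worthless to the company (the $0.01/record company value is assumed).
CARDS = DataAsset("credit card numbers", value_to_you=False,
                  value_to_competitor=False, value_if_lost=True,
                  records=30_000_000, value_per_record=0.01, payoff_per_record=1.0)
# The same store split across 10 keys, as on the "Combating Risk" slide.
CARDS_SHARDED = DataAsset("credit card numbers (10 keys)", False, False, True,
                          30_000_000, 0.01, 1.0, key_shards=10)

if __name__ == "__main__":
    for asset in (CARDS, CARDS_SHARDED):
        r = assess(asset)
        print(f"{r['name']}: O = {r['O']:,.0f} ({r['reading']}); one key "
              f"compromise pays ${r['Pa_per_key_compromise']:,.0f}; action: {r['action']}")
```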
How about we stay in touch?
• If you would like a copy of these slides:
  – Text 424-279-8398 (BRW-TEXT) code 5287 comma, your email address
  – Example: 5287,your@email.com
• Stay up to date with things I’m working on!
• Contact:
  – @BrandenWilliams
  – brandenwilliams.com
The Failure of Information Security Classification: A New Model is Afoot!

More Related Content

What's hot

Maximizing business value from it virtual class
Maximizing business value from it   virtual classMaximizing business value from it   virtual class
Maximizing business value from it virtual class
Deusto Business School
 
Top things to consider when building your outsourcing strategy
Top things to consider when building your outsourcing strategyTop things to consider when building your outsourcing strategy
Top things to consider when building your outsourcing strategy
raulzamorano
 
Big data and the challenge of extreme information
Big data and the challenge of extreme informationBig data and the challenge of extreme information
Big data and the challenge of extreme information
John Mancini
 
Making it happy_with_mobile_content_management
Making it happy_with_mobile_content_managementMaking it happy_with_mobile_content_management
Making it happy_with_mobile_content_management
QuestexConf
 
Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012
MMMTechLaw
 

What's hot (16)

Big data in travel domain
Big data in travel domainBig data in travel domain
Big data in travel domain
 
101 cd 1315-1345
101 cd 1315-1345101 cd 1315-1345
101 cd 1315-1345
 
The long conversation february 2013
The long conversation   february 2013The long conversation   february 2013
The long conversation february 2013
 
Agathi galani digital_trends_11
Agathi galani digital_trends_11Agathi galani digital_trends_11
Agathi galani digital_trends_11
 
Maximizing business value from it virtual class
Maximizing business value from it   virtual classMaximizing business value from it   virtual class
Maximizing business value from it virtual class
 
Top things to consider when building your outsourcing strategy
Top things to consider when building your outsourcing strategyTop things to consider when building your outsourcing strategy
Top things to consider when building your outsourcing strategy
 
Big data and the challenge of extreme information
Big data and the challenge of extreme informationBig data and the challenge of extreme information
Big data and the challenge of extreme information
 
Learning & Talent In The Cloud
Learning & Talent In The CloudLearning & Talent In The Cloud
Learning & Talent In The Cloud
 
Making it happy_with_mobile_content_management
Making it happy_with_mobile_content_managementMaking it happy_with_mobile_content_management
Making it happy_with_mobile_content_management
 
Information Management in the Age of Big Data
Information Management in the Age of Big DataInformation Management in the Age of Big Data
Information Management in the Age of Big Data
 
RSC - STEM Conference Presentation - 03082012
RSC - STEM Conference Presentation - 03082012RSC - STEM Conference Presentation - 03082012
RSC - STEM Conference Presentation - 03082012
 
Step Up to the Plate: Take Your Cloud Strategy from the Minor League to the M...
Step Up to the Plate: Take Your Cloud Strategy from the Minor League to the M...Step Up to the Plate: Take Your Cloud Strategy from the Minor League to the M...
Step Up to the Plate: Take Your Cloud Strategy from the Minor League to the M...
 
Nyu Poly 2012 R Lyle V1.0
Nyu Poly 2012 R Lyle V1.0Nyu Poly 2012 R Lyle V1.0
Nyu Poly 2012 R Lyle V1.0
 
Cloud on PureSystems, Botond Kiss
Cloud on PureSystems, Botond KissCloud on PureSystems, Botond Kiss
Cloud on PureSystems, Botond Kiss
 
Partner facing vspex deck[1]
Partner facing vspex deck[1]Partner facing vspex deck[1]
Partner facing vspex deck[1]
 
Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012
 

Similar to The Failure of Information Security Classification: A New Model is Afoot!

Seguridad en información digital Carlos Galeano EMC2 Regional Storage Specialist
Seguridad en información digital Carlos Galeano EMC2 Regional Storage SpecialistSeguridad en información digital Carlos Galeano EMC2 Regional Storage Specialist
Seguridad en información digital Carlos Galeano EMC2 Regional Storage Specialist
Ministerio TIC Colombia
 

Similar to The Failure of Information Security Classification: A New Model is Afoot! (20)

Identifying the Value of Informational Assets Before You Move Them to the Cloud
Identifying the Value of Informational Assets Before You Move Them to the CloudIdentifying the Value of Informational Assets Before You Move Them to the Cloud
Identifying the Value of Informational Assets Before You Move Them to the Cloud
 
Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore! Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore!
 
KMWorld Presentation
KMWorld PresentationKMWorld Presentation
KMWorld Presentation
 
101 ab 1445-1515
101 ab 1445-1515101 ab 1445-1515
101 ab 1445-1515
 
101 ab 1445-1515
101 ab 1445-1515101 ab 1445-1515
101 ab 1445-1515
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
 
DAMA Big Data & The Cloud 2012-01-19
DAMA Big Data & The Cloud 2012-01-19DAMA Big Data & The Cloud 2012-01-19
DAMA Big Data & The Cloud 2012-01-19
 
Partnership for the Private Cloud
Partnership for the Private CloudPartnership for the Private Cloud
Partnership for the Private Cloud
 
TDWI NYC Chapter - Tony Baer Ovum on Big data, Data quality, and BI Convergence
TDWI NYC Chapter - Tony Baer Ovum on Big data, Data quality, and BI ConvergenceTDWI NYC Chapter - Tony Baer Ovum on Big data, Data quality, and BI Convergence
TDWI NYC Chapter - Tony Baer Ovum on Big data, Data quality, and BI Convergence
 
Antonio piraino v1
Antonio piraino v1Antonio piraino v1
Antonio piraino v1
 
Algorithms as a Business
Algorithms as a BusinessAlgorithms as a Business
Algorithms as a Business
 
Emc - Cloud Vision and Strategy
Emc - Cloud Vision and StrategyEmc - Cloud Vision and Strategy
Emc - Cloud Vision and Strategy
 
Webinar: eFolder Expert Series: Five Technologies from AppAssure to Boost You...
Webinar: eFolder Expert Series: Five Technologies from AppAssure to Boost You...Webinar: eFolder Expert Series: Five Technologies from AppAssure to Boost You...
Webinar: eFolder Expert Series: Five Technologies from AppAssure to Boost You...
 
Seguridad en información digital Carlos Galeano EMC2 Regional Storage Specialist
Seguridad en información digital Carlos Galeano EMC2 Regional Storage SpecialistSeguridad en información digital Carlos Galeano EMC2 Regional Storage Specialist
Seguridad en información digital Carlos Galeano EMC2 Regional Storage Specialist
 
Adding intelligence to your dcim solution rf code
Adding intelligence to your dcim solution rf codeAdding intelligence to your dcim solution rf code
Adding intelligence to your dcim solution rf code
 
On Demand Cloud Services Coury
On Demand Cloud Services   CouryOn Demand Cloud Services   Coury
On Demand Cloud Services Coury
 
Driving the Road to Platform-as-a-Service (PaaS)
Driving the Road to Platform-as-a-Service (PaaS) Driving the Road to Platform-as-a-Service (PaaS)
Driving the Road to Platform-as-a-Service (PaaS)
 
Selling Data Security Technology
Selling Data Security TechnologySelling Data Security Technology
Selling Data Security Technology
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
 
Big data: tendências e oportunidades - Palestrante: Ana Oliveira
Big data: tendências e oportunidades - Palestrante: Ana OliveiraBig data: tendências e oportunidades - Palestrante: Ana Oliveira
Big data: tendências e oportunidades - Palestrante: Ana Oliveira
 

More from InnoTech

More from InnoTech (20)

"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?""So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"
 
Artificial Intelligence is Maturing
Artificial Intelligence is MaturingArtificial Intelligence is Maturing
Artificial Intelligence is Maturing
 
What is AI without Data?
What is AI without Data?What is AI without Data?
What is AI without Data?
 
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostCourageous Leadership - When it Matters Most
Courageous Leadership - When it Matters Most
 
The Gathering Storm
The Gathering StormThe Gathering Storm
The Gathering Storm
 
Sql Server tips from the field
Sql Server tips from the fieldSql Server tips from the field
Sql Server tips from the field
 
Quantum Computing and its security implications
Quantum Computing and its security implicationsQuantum Computing and its security implications
Quantum Computing and its security implications
 
Converged Infrastructure
Converged InfrastructureConverged Infrastructure
Converged Infrastructure
 
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365
 
Blockchain use cases and case studies
Blockchain use cases and case studiesBlockchain use cases and case studies
Blockchain use cases and case studies
 
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential
 
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?
 
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
 
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeUsing Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to Life
 
User requirements is a fallacy
User requirements is a fallacyUser requirements is a fallacy
User requirements is a fallacy
 
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio
 
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumDisaster Recovery Plan - Quorum
Disaster Recovery Plan - Quorum
 
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2
 
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionSp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner session
 
Power apps presentation
Power apps presentationPower apps presentation
Power apps presentation
 

The Failure of Information Security Classification: A New Model is Afoot!

  • 1. THE FAILURE OF INFORMATION SECURITY CLASSIFICATION A new model is afoot! Branden R. Williams, CISSP, CISM @BrandenWilliams branden.williams@rsa.com © Copyright 2012 EMC Corporation. All rights reserved. 1
  • 2. How do we value information? © Copyright 2012 EMC Corporation. All rights reserved. 2
  • 3. Bits vs Bits Ÿ On one hand, we have bits of data Ÿ On the other, we have MANY “bits” of money © Copyright 2012 EMC Corporation. All rights reserved. 3
  • 4. What’s the Conversion Rate? Ÿ 10 Bits = €10? Ÿ 1 Gigabit = £1,000? Ÿ 1 Byte = 2 bits? Ÿ Where is this rate? How do I use it? –  Doesn’t exist! –  Too many factors affect it to map globally. © Copyright 2012 EMC Corporation. All rights reserved. 4
  • 5. A Scholar’s Definition Ÿ “Information value arises as the difference between a decision maker’s payoff in the absence of information relative to what can be obtained in its presence.” Ÿ This works for theft, but what about copy? –  China/Mr. Pibb Problem –  Once copied, is it a race to the bottom? Banker, R. D., & Kauffman, R. J. (2004). The evolution of research on information systems: A fiftieth-year survey of the literature in management science (Vol. 50, pp. 281-298): INFORMS: Institute for Operations Research. © Copyright 2012 EMC Corporation. All rights reserved. 5
  • 6. How do we classify info today? © Copyright 2012 EMC Corporation. All rights reserved. 6
  • 7. Why is information classification broken? Ÿ Typical classification systems are problematic –  Lack definition (what constitutes info of this kind?) –  And automation (teach systems to handle) –  Don’t address individual data value (is a vault required?) © Copyright 2012 EMC Corporation. All rights reserved. 7
  • 8. Four Dumb* Classification Schemes Ÿ Structuralist (Focusing on regulatory compliance) Ÿ Realist (Stuff we care about, stuff we don’t) Ÿ Broker (risk-based, three tiers, soft chewy middle) Ÿ Striver (Everyone hates this guy, 3+ tiers, highly structured, opportunities for automation) Information Classification: An Essential Security Thing You're (Still) Not Doing, Trent Henry, Gartner © Copyright 2012 EMC Corporation. All rights reserved. 8
  • 9. Opportunities for Attack Ÿ Attackers and companies never value data the same. There are reasons for this: –  The data itself isn’t valuable without the knowledge/hardware to monetize it –  Secondary/unused business data is ignored –  Differing interpretation of value lifecycle © Copyright 2012 EMC Corporation. All rights reserved. 9
  • 10. How do we identify these opportunities? Ÿ The value of information to us (Vc) varies widely Ÿ As does the payoff for an adversary (Pa) Ÿ Where those differ, we have opportunity (O) –  This could also be described as inefficiency Ÿ This opportunity can be expressed as: O = Vc - Pa © Copyright 2012 EMC Corporation. All rights reserved. 10
  • 11. How do we identify these opportunities? O = Vc - Pa Ÿ Positive values of O suggest we know and understand the value, and attackers cannot monetize Ÿ Negative values of O suggest we have high risk data that attackers want, but we devalue Ÿ Small values of O indicate matched intent Ÿ Large values of O indicate inefficiency © Copyright 2012 EMC Corporation. All rights reserved. 11
  • 12. Examples of how this works: O = Vc - Pa Ÿ Credit Card Information, 30m HQ Numbers –  Low value to company, transactions settled –  HIGH payoff to adversary ($1/card = $30m) –  Hugely negative Opportunity value Ÿ Manufacturing process for IP, control SC –  Payoff is low to adversary due to supply chain –  If high spend on security, could be reallocated to other areas. © Copyright 2012 EMC Corporation. All rights reserved. 12
  • 13. The Value of Information Over Time Max Value Area under this curve = money for Value information owner Time Information eventually becomes a liability © Copyright 2012 EMC Corporation. All rights reserved. 13
  • 14. Events Occur, changes the curve Max Value Information is now Value copied, breach occurs Time The loot becomes divided among holders. © Copyright 2012 EMC Corporation. All rights reserved. 14
  • 15. What’s interesting about these curves? Ÿ This one is a sample, but somewhat representative Ÿ Curve notes: –  Each ACTOR has their own curve –  Curves can be steeper or flatter –  Curves can converge/diverge with actor action –  Curves only represent value for the ACTOR (i.e., unrealized value may not be represented) –  Eventually, information becomes a liability –  Impending threat mirrors value curve –  Think about a zero day exploit on its own curve © Copyright 2012 EMC Corporation. All rights reserved. 15
  • 16. Beginning to translate these curves Ÿ Information’s value varies over time –  We need to consider malicious actors when planning information security defenses –  Blanket controls cause inefficiency Ÿ When curves converge/diverge… –  Values can dramatically consolidate/divide Ÿ Curves represent potential value to the actor –  Pent up value may exist without realization © Copyright 2012 EMC Corporation. All rights reserved. 16
17. We need a new model

- Minimum model requirements:
  - Information grouped by value
    ▪ To ME
    ▪ To Competitor/Military
    ▪ Only if LOST
  - Address information value over time
    ▪ Information changes in value over time
    ▪ Usually depreciating, some more rapidly than others
  - Reflect number of actors and motivation
  - Reflect change in motivation based on payoff
    ▪ Market forces can dramatically alter this
    ▪ Large data stores are more attractive than small ones
18. Moreover: the model needs to be simple

- No industry jargon
- No dictionary required
- Not dozens of pages
19. Simple, yet flexible

- Must be able to adjust with value changes
- Must rely on accurate inputs
  - Number of actors
  - Projected payoffs from data theft
  - Strength of perimeter defenses
  - Number of business processes using the data
  - Amount of data sprawl
  - Account for the amount of data as a change in payoff
- Must be able to affect security posture
20. How SHOULD we view the world?

[Figure: three overlapping circles, "Valuable to me", "Valuable to Competitors or Military" and "Valuable if Lost", with examples placed in each region:]

- Valuable to me only: Customer Analytics, IT Configs, Biz Processes
- Valuable to me and to Competitors/Military: Secret Sauce, Intellectual Property, Software Vuln DB, Corp Strategy
- Valuable to me and if Lost: Derivative Data, Analytics for Sale, Medical Records
- Valuable to Competitors/Military only: Disinformation, COMPINT, Defense Information
- Valuable to Competitors/Military and if Lost: Old Source Code, Old IP, Old/Retired Encryption Keys
- Valuable if Lost only: CC Data, Encryption Keys, PII/PHI Data, Unused Biz Data
- All three (centre): Crown Jewels, Easily Transferrable IP, Actionable IP
21-22. The Model

Columns: Value to You | Value to Comp. | Value if Lost | Examples | Breach Prob. (number of potential actors, on a scale running 1 ... 50 ... 2.3B*) | Biz Impact | ACTION

You | Comp. | Lost | Examples                                                                                                   | Breach Prob.                   | Biz Impact | ACTION
Y   | N     | N    | Customer Analytics; IT Configs; Business Processes                                                          |                                | Low A/I    | Secured, but not vaulted
Y   | Y     | N    | Intellectual Property; Secret Sauce; Software Vuln DB; Corp Strategy                                       | C: delayed risk / immediate    | Med A/I    | Protect (Vault)
N   | Y     | Y?   | Old Source Code; Old IP (where new IP is derived); Old encryption keys                                     |                                | Med C/I    | C: Destroy; I: Secure Archive
N   | N     | Y    | Credit Card Numbers; PII/PHI; Unused Biz Data                                                              | High (# actors)                | C          | Outsource; Destroy; Obfuscate
Y   | N     | Y    | Sec. Data Analytics; IP (revenue); Medical Records; High roller customers; Proprietary Algorithms; Financial Results | Low (High Impact)     | High C     | Protect (Vault); Secure Data
Y   | Y     | Y    | Crown Jewels; Easily transferrable IP                                                                      |                                | High C     | Protect (Vault)
23. The Relevance of Data Mass

[Figure: Payoff (Y axis) rising with Amount of data (X axis).]
24. Combating Risk from Data Growth

- Reduce data stores
  - Truncation
  - De-value options (tokens)
  - DESTROY
- Reduce the effective size
  - 1M records / 10 keys = 100K recs! (one compromised key exposes only its share)
  - Multiple algorithms
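The three reductions on this slide, as an added example that is not part of the deck: truncation destroys the middle digits, tokenization leaves a random token in the store and keeps the mapping in a vault, and splitting a store across several keys caps what one compromised key exposes (the slide's 1M / 10 keys = 100K). The stream cipher is a toy built from HMAC-SHA256 so the script runs on the standard library alone; that, the round-robin shard assignment, and the synthetic card numbers are assumptions of this example, not the author's.

```python
"""Added example (not from the deck): the data-mass reductions of slide 24 in code.

truncate_pan()  -> truncation: the middle digits are destroyed, not hidden.
TokenVault      -> de-value with tokens: the store holds a random token, the vault holds the mapping.
encrypt_store() -> reduce the effective size: spread records over several keys so that one
                   compromised key exposes only its share (1M records / 10 keys = 100K records).

The stream cipher below is a TOY built from HMAC-SHA256 so the example needs only the
standard library; it is an assumption of this example, not a recommendation.
Use AES-GCM (or a KMS) for real data.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; the rest is replaced and cannot be recovered."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Tokenization: the token is random, so the data store no longer holds anything worth stealing."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:            # same PAN -> same token, so joins still work
            return self._pan_to_token[pan]
        token = "tok_" + secrets.token_hex(8)
        while token in self._token_to_pan:       # vanishingly unlikely, but keep tokens unique
            token = "tok_" + secrets.token_hex(8)
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def _toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Toy cipher, present only so the exposure arithmetic runs end to end."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    stream = _toy_keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    stream = _toy_keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def make_keys(n_keys: int) -> List[bytes]:
    return [os.urandom(32) for _ in range(n_keys)]


def encrypt_store(records: List[str], keys: List[bytes]) -> List[Tuple[int, bytes]]:
    """Round-robin the records over the keys: record i is encrypted under key i % len(keys)."""
    n = len(keys)
    return [(i % n, toy_encrypt(keys[i % n], rec.encode())) for i, rec in enumerate(records)]


def exposed_by_key_compromise(store: List[Tuple[int, bytes]], key: bytes, key_index: int) -> List[str]:
    """What an attacker who holds the whole ciphertext store plus exactly one key can read."""
    return [toy_decrypt(key, blob).decode() for idx, blob in store if idx == key_index]


if __name__ == "__main__":
    # Constructed sample data: 1,000 synthetic 16-digit numbers, not real cards.
    records = [f"4111{i:012d}" for i in range(1000)]
    keys = make_keys(10)
    store = encrypt_store(records, keys)
    stolen = exposed_by_key_compromise(store, keys[3], 3)
    print(f"one key of {len(keys)} compromised: {len(stolen)} of {len(records)} records exposed")
    print("truncated:", truncate_pan(records[0]))
    print("tokenized:", TokenVault().tokenize(records[0]))
```

The shard count is the knob: with the attacker's payoff linear in record count (slide 23), ten keys cut the payoff of a single key compromise to a tenth, but only if the keys live in separate places and are not all unwrapped by one master key.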
25. How to apply the model

- Look at the kinds of data your business controls
  - Try to define what it is, then relate it to the model
  - Be sure to find information NOT IN USE
  - Understand the flow and sprawl of data
  - Look for large values of O
- Add values where you can
  - Valuing information is personal
  - Use your own data
  - Don't rely on external sources to define data value
- Remember the CONFIDENCE factor!
- Take action per the model!
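The procedure on this slide, run end to end as an added example that is not part of the deck: each asset gets the three value flags of slide 17, O = Vc - Pa from slide 11 (with adversary payoff scaled by record count, as slides 19 and 23 ask), the four readings of slide 11, and the action row from slides 21-22; the list is then sorted so the large values of O surface first, discounted by your confidence in the inputs. The sample inventory, the 20% band that counts as "matched intent", the confidence weighting and the linear payoff model are assumptions of this example, not the author's numbers.

```python
"""Added example (not from the deck): slide 25's procedure, built on O = Vc - Pa (slide 11)
and the action table of slides 21-22.

Every number here (the sample inventory, the 20% "matched intent" band, the assumption that
adversary payoff scales linearly with record count) is an assumption of this example; the deck
gives the formula and the table, not these values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rows of slides 21-22, keyed by (valuable to you, valuable to competitor/military, valuable if lost).
ACTION_TABLE: Dict[Tuple[bool, bool, bool], Tuple[str, str]] = {
    (True, False, False): ("Low A/I", "Secured, but not vaulted"),
    (True, True, False): ("Med A/I", "Protect (Vault)"),
    (False, True, True): ("Med C/I", "C: Destroy; I: Secure Archive"),
    (False, False, True): ("C", "Outsource / Destroy / Obfuscate"),
    (True, False, True): ("High C", "Protect (Vault); Secure Data"),
    (True, True, True): ("High C", "Protect (Vault)"),
}


@dataclass
class Asset:
    name: str
    to_you: bool
    to_competitor: bool
    if_lost: bool
    value_to_you: float        # Vc: what the information is worth to you, in your own currency
    payoff_per_record: float   # what one record nets an adversary (slide 12: $1 per card)
    records: int               # data mass; payoff assumed linear in it (slides 19 and 23)
    confidence: float = 1.0    # 0..1: how far you trust the two estimates above (slide 25)


def adversary_payoff(asset: Asset) -> float:
    return asset.payoff_per_record * asset.records


def opportunity(asset: Asset) -> float:
    """O = Vc - Pa."""
    return asset.value_to_you - adversary_payoff(asset)


def read_opportunity(o: float, vc: float, pa: float, matched_band: float = 0.2) -> str:
    """Slide 11's readings. 'Small' is taken relative to the larger of the two inputs (assumption)."""
    scale = max(abs(vc), abs(pa), 1.0)
    if abs(o) <= matched_band * scale:
        return "matched intent"
    if o > 0:
        return "inefficiency: you value this more than attackers can monetize; spend may be reallocated"
    return "underprotected: attackers value this more than you do"


def recommended_action(asset: Asset) -> Tuple[str, str]:
    key = (asset.to_you, asset.to_competitor, asset.if_lost)
    return ACTION_TABLE.get(key, ("?", "no row in the model for this combination"))


def apply_model(inventory: List[Asset]) -> List[dict]:
    """Score every asset, then surface the large values of O first, discounted by confidence."""
    findings = []
    for asset in inventory:
        pa = adversary_payoff(asset)
        o = opportunity(asset)
        impact, action = recommended_action(asset)
        findings.append({
            "asset": asset.name,
            "O": o,
            "reading": read_opportunity(o, asset.value_to_you, pa),
            "confidence": asset.confidence,
            "biz_impact": impact,
            "action": action,
        })
    findings.sort(key=lambda f: abs(f["O"]) * f["confidence"], reverse=True)
    return findings


def sample_inventory() -> List[Asset]:
    """Constructed inventory: the two assets of slide 12, a matched one, and one the table does not cover."""
    return [
        Asset("Credit card numbers (30m, settled)", False, False, True, 0.0, 1.0, 30_000_000, 0.9),
        Asset("Manufacturing process (supply chain controlled)", True, True, False, 25_000_000.0, 500_000.0, 1, 0.6),
        Asset("IT configs", True, False, False, 200_000.0, 18.0, 10_000, 0.5),
        Asset("Competitor-only intel", False, True, False, 0.0, 0.0, 0, 0.3),
    ]


if __name__ == "__main__":
    for f in apply_model(sample_inventory()):
        print(f"{f['asset']:<50} O={f['O']:>14,.0f}  {f['reading']}")
        print(f"{'':<50} impact={f['biz_impact']}; action={f['action']}")
```

Two things to notice when you run it: the card numbers top the list with O = -30m even though the company values them at nothing, which is exactly the slide 12 case, and the "competitor-only" asset falls through to a "no row" result, since slides 21-22 give no action for data valuable only to a competitor; that gap is where your own judgement (and the confidence factor) has to fill in.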
26. How about we stay in touch?

- If you would like a copy of these slides:
  - Text 424-279-8398 (BRW-TEXT) with code 5287, a comma, then your email address
  - Example: 5287,your@email.com
- Stay up to date with things I'm working on!
- Contact:
  - @BrandenWilliams
  - brandenwilliams.com