Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.
Time to Re-think our Security Process
Slide 1
Time to Re-think our Security Process
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
umattsson@complianceengineers.com
www.complianceengineers.com
Slide 2
Ulf Mattsson
Inventor of more than 25 US Patents
Industry Involvement
PCI DSS - PCI Security Standards Council
• Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
IFIP - International Federation for Information Processing
• WG 11.3 Data and Application Security
CSA - Cloud Security Alliance
ANSI - American National Standards Institute
• ANSI X9 Tokenization Work Group
NIST - National Institute of Standards and Technology
• NIST Big Data Working Group
User Groups
• Security: ISSA & ISACA
• Databases: IBM & Oracle
Slide 3
My work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC 2013 – 2014 Tokenization Task Force
Slide 5
Encryption Usage - Mature vs. Immature Companies
Source: Ponemon - Encryption Application Trends Study, June 2016
(Chart: less use of encryption for Big Data and Public Cloud. Caption: Do we know our sensitive data?)
Slide 6
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
Slide 7
Not Managing Risks to Sensitive Data
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
(Chart categories: Access Patterns, Data Discovery, Data Access)
Slide 9
Cloud Providers Not Becoming Security Vendors
• There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure
• Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP — driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments
Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors?, May 2016
Slide 10
2014: Data-Centric Audit and Protection (DCAP)
• Centrally managed security policy
• Across unstructured and structured silos
• Classify data, control access and monitoring
• Protection – encryption, tokenization and masking
• Segregation of duties – application users and privileged users
• Auditing and reporting
Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014
Slide 11
2016: Shift Cybersecurity Investment
• IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable.
• Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20% in 2015.
Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016
Slide 12
Security Outsourcing Fastest Growth
The information security market is estimated to have grown 13.9% in revenue in 2015, with the IT security outsourcing segment recording the fastest growth (25%).
Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update
Slide 14
FS-ISAC Summit about “Know Your Data”
• Encryption at rest has become the new norm
• However, that’s not sufficient
• Visibility into how and where it flows during the course of normal business is critical
Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit
Slide 16
Old PCI DSS Requirement 3.1
Discovery Results Supporting Compliance
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage:
1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
2. Specific retention requirements for cardholder data
3. Processes for secure deletion of data when no longer needed
4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
Slide 17
New PCI DSS 3.2 Standard – Data Discovery
• PCI DSS v2 did not have data flow in the 12 requirements, but mentioned it in “Scope of Assessment for Compliance with PCI DSS Requirements.”
• PCI DSS v3.1 added data flow into a requirement.
• PCI DSS v3.2 added data discovery into a requirement.
Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers
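As an added example (not from the presentation), this Python scan illustrates the discovery step behind the old Requirement 3.1 quarterly process and the 3.2 data discovery requirement: it finds Luhn-valid PAN candidates in stored records, masks them in the report so the report itself holds no full PANs, and flags any record stored longer than the defined retention period. The sample records, their dates and the one-year retention window are constructed for the example.

```python
import re
from datetime import date, timedelta

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn check, to discard random digit runs (order ids, timestamps) that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(pan: str) -> str:
    """Keep first six and last four only, so the scan report does not itself store full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_records(records, retention_days: int, today: date) -> list[dict]:
    """records: iterable of (location, stored_on, text).
    Each finding says where a PAN was found and whether it is older than the retention window."""
    cutoff = today - timedelta(days=retention_days)
    findings = []
    for location, stored_on, text in records:
        for pan in find_pans(text):
            findings.append({"location": location, "pan": mask_pan(pan),
                             "stored_on": stored_on.isoformat(),
                             "exceeds_retention": stored_on < cutoff})
    return findings

# Constructed sample data: well-known test card numbers, not real cardholder data.
SAMPLE_RECORDS = [
    ("orders/2015/export.csv", date(2015, 3, 2), "cust=42,card=4111 1111 1111 1111,amt=19.99"),
    ("support/ticket-771.txt", date(2016, 9, 1), "caller read card 5500-0000-0000-0004 by phone"),
    ("logs/app.log", date(2016, 9, 10), "request id 1234567890123 completed"),  # fails Luhn
]

def run_sample() -> list[dict]:
    """Quarterly-style run: one-year retention, assessed as of 2016-10-01 (assumed dates)."""
    return scan_records(SAMPLE_RECORDS, retention_days=365, today=date(2016, 10, 1))
```

Findings with exceeds_retention set are the candidates for the secure-deletion step of Requirement 3.1; everything else still counts toward the data inventory that 3.2 asks service providers to maintain.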
Slide 20
Discovery Deployment Example
Example of Customer Provisioning:
• Virtual host to load Software or Appliance
• User ID with “Read Only” Access
• Firewall Access
(Diagram: Discovery Appliance, Admin, Examples)
Slide 21
Discovery Process (Step 4) – Scanning Job Lists
STEP 4: The scanning execution can be monitored by Provider and the customer via a Job Scheduler interface.
Slide 22
I think it is Time to Re-think our Security Process
Slide 23
Are You Ready for PCI DSS 3.2 Requirement – Security Control Failures?
Slide 24
Security Tools and Integrated Services
• Discovery: Software as a Service (SaaS) data discovery solution
• Tools: Managed Tools Security Service
• SOC: 24/7 Eyes on Glass (EoG) monitoring, Security Operations Center (SOC)
(Diagram: Discovery, Tools and SOC shown as integrated services)
Slide 25
Samples of Our Services

Compliance Assessments
• PCI DSS & PA Gap
• HIPAA (2013 HITECH)
• SSAE 16-SOC 2&3*
• GLBA, SOX
• FCRA, FISMA
• SB 1385, ISO 27XXX
• Security Posture Assessments (based on industry best practices)
• BCP & DRP (SMB market)

Professional Security Services
• Security Architecture
• Engineering/Operations
• Staff Augmentation
• Penetration Testing
• Platform Baseline Hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
• IDM/IAM/PAM architecture
• SIEM design, operation and implementation
• eGRC Readiness & Deployment

E Security & Vendor Products
• Data Discovery
• Managed Tools Security Service
• Data Loss Protection
• SIEM & Logging
• Identity and Access Management
• EndPoint Protection
• Network Security Devices
• Encryption
• Unified Threat
• Multi-factor Authentication

Managed Security Services
• MSSP/SOC
• SIEM 365
• Data Center SOC
• IDM/IAM Security Administration
• Healthcare Infrastructure Solutions (2013 3rd Qtr.)
• Vulnerability Scans
• Penetration Testing