SANS WhatWorks - Compliance & DLP


Presentation given by Nick Selby, Trident Risk Management at SANS WhatWorks in Data Leakage Prevention, New Orleans, 2010

  • Brian Krebs on the increasing levels of data loss through paper.
  • In July 2002, Mayor Bloomberg raised the tax on cigarettes in New York City to ensure that they would have a minimum sales price of $7.50 a pack. This was done, he said, to spare the city the expense of thousands of smoking-related deaths and illnesses each year. The city backed this up with smoking cessation education, programs and support. Smoking has declined 27% in New York City since the tax was introduced. Smoking-related deaths are down from more than 200 per 100,000 in 2002 to about 160 per 100,000 in 2007. Teen smoking fell from 18% of New York City teenagers in 2001 to 8.5% in 2007.

1. Sleeping With The Enemy: Better Living Through Hacking Compliance (budgets)
   Or: Navigating the Corridors of the Compliance Industrial Complex
   January, 2010

2. In a nutshell
   Compliance != Security
   A selection of frothy rants about PCI in particular, then
   “But Nick? What can I, a mere infosec professional, do?”
   A New and Improved Way to Articulate Risk
   Scattered throughout: propaganda, crypto-advertising for TRM (when you engage TRM as a consultant, you and your boss become measurably more attractive to the opposite sex.)

3. Compliance != Security
   Compliance == Compliance
   Are you {compliant|secure} like this guy is {compliant|secure}?

4. Compliance & DLP
   What the hell does a rant about compliance have to do with DLP?
   Well, if you’re like most infosec professionals,
   You’re tasked with reducing data loss; and
   You’re tasked with increasing compliance tasks and reducing audit dings for, you know, everything.
   I aver these goals are in conflict.

5. DLP is not a Technology Issue
   Ironically, this is being presented at a conference called WhatWorks in DLP.
   Note, ladies and gentlemen, the Red Square of Death.
   Image: The 451 Group, Mind The Data Gap, June 2008

6. Why Rulesets Exist
   Ruleset writers aren’t evil, but they are reactive.
   SOX, HIPAA, PCI – all were in response to a specific problem.
   All attempt to raise the level of overall “security”.
   How they do so is the problem.
   Some rulesets are less cynical than others.

7. PCI on PCI
   “The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.”

8. “Not worthless.”
   “I do not believe the PCI Standards are worthless; in the absence of other requirements, they do serve some purpose. But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that.”
   – Rep. Yvette D. Clarke (D-N.Y.), chairwoman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, Committee on Homeland Security

9. The PCI Dilemma
   PCI says it wants to “raise the bar” by setting forth some highly specific tasks and standards.
   Unfortunately they were specific to a paradigm gone by, and those who don’t comply get fined and hassled.
   For offloading risk from card brands, PCI has raised the bar.
   For data security, not only has PCI not “raised the floor”, in fact it’s substantially lowered the ceiling.
   Because it is expensive in terms of money and resources, PCI is not the minimum standard; it’s the maximum effort that many organizations make.

10. Why Compliance is InfoSec’s Problem
   As punishment for making everything so complicated, information security professionals have been saddled with compliance management.

11. OK, here’s really why…
   Enron. Yelling.
   SOX.
   “Oh, crap – who’s going to deal with this? Hey! Information Security!”

12. The CEO should do better
   The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk.
   That is a fiduciary breach of his responsibility to shareholders. In addition to firing his ass, this should also be a floggable offense.

13. Here’s why present-day implementations of PCI are not just not good for security, but why they’re antithetical to good security.

14. Setting The Bar … at 1984
   We’re in an Orwellian IT universe, and criminals are Big Brother.
   They have better configuration management data on us than our own information security groups.
   They know exactly what we’re doing because PCI tells them what we’re doing.
   They have rapidly evolving and advanced persistent threats, new generations of attack tools and a wildly changed attack paradigm.
   We have anti-virus and IDS/IPS and firewalls.

15. When Rules & Taxes Matter
   When government wishes to discourage behavior, it has options:
   It can shunt it off to someone else (“Faith Based Community Initiatives,” etc.)
   It can tax it
   It can legislate it
   Taxes and legislation clearly discourage behaviors…

16. Smoking in New York City
   March 2003: Smoking banned at NYC restaurants, bars, nightclubs
   (chart)

17. Smoking deaths in NYC
   (chart)

18. Teen Smoking Rates in NYC
   (chart) * no data available for 2007

19. Now, let’s look at how well PCI has worked to prevent loss of PII

20. Records Lost…
   (chart of records lost per year, annotated: 2006: PCI 1.1, PCI 1.0; 2008: PCI 1.2)

21. Records Lost…
   (chart of records lost per year, annotated: Dec 2004: PCI 1.0; Sept 2006: PCI 1.1; Oct 2008: PCI 1.2)

22. Records Lost Per Breach
   (chart)

23. An opposing view
   (image)

24. A retort
   “From all accounts it appears that many of the murders and drug-smuggling operations can be attributed to the Mafia. What would the world look like if we ignored their crimes when measuring the success of policing efforts?”

25. Statistics Manipulation
   Of course, I’m being intellectually dishonest with my statistics on PCI.
   In the slides about smoking we deal with known and proved risks and threats.
   The PCI council behaves as if it is too, but security is a dynamic, transactional environment comprising constantly evolving technology. PCI makes specific statements about security which are suspect at any point in time, let alone in a continuum, and pretends it’s delivering consistent effect against a static equation.
   Logicians call this behavior “Stupid.”
   Okay, they call it “Confounded thinking.”

26. The Trouble With PCI
   SOX, HIPAA, etc. made their goals clear and the means vague. This caused confusion, but the market sorted it out.
   PCI is a compilation of hunches on how to prevent breaches: the specific means to the desired end (that is, to offload risk onto merchants).
   How about not confusing the means and the end? Just punish the failure to secure data, and let the free market figure out how best to prevent breaches.

27. PCI is a Protection Racket by a Cabal.
   Ponemon 2009 PCI DSS Compliance Study:
   71% of companies don’t treat PCI as a strategic initiative
   79% have experienced a data breach
   56% don’t believe PCI compliance improves their data security posture
   60% say they can’t achieve PCI compliance
   Recent studies say 30% of the IT security budget is spent on PCI compliance.
   Let’s call it 20%. TWENTY PERCENT. Plus, when you’re breached, you got your fines and your publicity hit. That’s a regressive, unofficial tax for which we get back nothing. And the card brands get to offload risk onto merchants.

28. If we’re gonna tax, let’s tax…
   THE D’OH! TAX
   a. $1,000 per record breached;
   b. Raises $250,000,000,000 for deficit reduction – WHAT bailout?;
   c. Replaces all PCI requirements;
   d. All other fines & reporting requirements still apply.
   D’OH! TAX Fun Fact: This tax will hit many banks!

29. While I’m in Fantasy Land…
   I also want a pony.

30. What is to be done?

31. First of all…
   Join the rebel alliance.
   Don’t let a dismal failure be held up as a success:
   Loose lips sink ships – let’s sink one: be vocal about PCI failures and how they affect your job, your happiness and your effectiveness as an info-security pro.
   Because if you don’t speak up, other rule-writers will hold up PCI as the model of how this stuff should be done.

32. Be Constructive
   Rather than berate something which isn’t going away, let’s work to change these arbitrarily objective compliance overviews like PCI into subjective risk analysis tools.
   Let’s be wiser about how we look at PCI and use it as a lever to free up budget funds for things that we, as security professionals, believe will positively impact the bottom line.

33. Then…
   Reduce the suck.
   Work the system as best you can.
   Question – loudly – things that seem like window-dressing. Ask, “What is the intent of this?”
   Use compliance requirements to justify spending on sensible things, like greatly expanding pen testing, or setting up an incident response workbench.

34. Compensating Controls
   If you are not engaged deeply with your QSA in substantive conversations regarding compensating controls, you either don’t care, or:
   You don’t understand your environment;
   You don’t understand the requirements; and
   You are wasting lots of money on PCI.
   You pay those people.
   Make them work for you.

35. Let’s Get Back To Basics

36. “If you can’t measure, you can’t improve.”
   Well, yeah, but…
   Right now, we’re counting things that help the vendors sell us stuff.
   Not only do we count these things, we let vendors tell us how important one is relative to another!
   It’s fine to count things, but if you’re counting the things that matter to the vendors, not to your business, you’re not doing yourself any favors.
   According to this, everything’s getting better! Awesome!
   (chart)

37. Every business is different
   A fashion house can’t tell a media firm what’s important; hell, one media firm can’t tell another what’s important.
   This is not just cross-industry – it’s true in the same company three months later!
   Each pen tester, each auditor will have different results even in the same company.

38. This is so not news
   Andy Jaquith, Dan Geer, Betsy Nichols, et al. have been talking about this for a wicked-long time.
   Yet in conversations around the country, the counting thing is still mainly based on:
   • Threats – viruses and navel-gazing thereof;
   • Vulns – and the relative terror thereof.

39. Metrics Must Be Business Focused
   Count business processes.
   Count internal communications traffic volume.
   Count internal-to-external traffic volume.
   Count incident response time.
   Count to learn what you care about.
   Then count what you care about.
   Don’t conflate risk and threat – don’t count threats and call the resultant pool of metrics a collection of risk.
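Slide 39 says to count business processes and incident response time rather than vendor threat categories, and to speak in dollars and time. The script below is an added example written for this page, not code from the talk or from Trident Risk Management; the incident records, the process names, and the hourly disruption costs are all constructed for illustration. It computes the same incidents two ways: the vendor-style tally by threat label, and a per-business-process view of mean time to contain and dollar exposure, which is the number a CIO can act on.

```python
"""Business-focused incident metrics versus threat-label counting.

Added example for this deck (not the author's code). All incident records,
process names and hourly cost figures below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed sample incident records: when each incident was detected, when
# it was contained, which business process it affected, and the threat label
# the vendor console assigned. Every value here is invented.
INCIDENTS = [
    # (detected, contained, business_process, threat_label)
    ("2010-01-04T09:15", "2010-01-04T11:45", "card-authorization", "malware"),
    ("2010-01-06T14:00", "2010-01-07T02:30", "card-authorization", "phishing"),
    ("2010-01-08T08:05", "2010-01-08T08:50", "payroll", "malware"),
    ("2010-01-11T16:20", "2010-01-12T09:20", "order-fulfilment", "malware"),
    ("2010-01-12T10:00", "2010-01-12T10:30", "payroll", "lost-laptop"),
]

# Constructed cost, in dollars, of one hour of disruption to each process.
# This figure comes from the business owner, not from a vendor.
HOURLY_COST = {
    "card-authorization": 12_000,
    "order-fulfilment": 4_000,
    "payroll": 500,
}


@dataclass
class ProcessMetrics:
    process: str
    incidents: int
    mean_hours_to_contain: float
    total_hours: float
    exposure_dollars: float


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-style timestamps (minute precision)."""
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 3600


def count_by_threat(incidents=INCIDENTS):
    """The vendor-style metric: how many incidents carried each threat label."""
    counts = {}
    for *_, threat in incidents:
        counts[threat] = counts.get(threat, 0) + 1
    return counts


def metrics_by_process(incidents=INCIDENTS, hourly_cost=HOURLY_COST):
    """The business metric: response time and dollar exposure per process."""
    durations = {}
    for detected, contained, process, _threat in incidents:
        durations.setdefault(process, []).append(hours_between(detected, contained))
    result = {}
    for process, hours in durations.items():
        total = sum(hours)
        result[process] = ProcessMetrics(
            process=process,
            incidents=len(hours),
            mean_hours_to_contain=mean(hours),
            total_hours=total,
            exposure_dollars=total * hourly_cost[process],
        )
    return result


def ranked_by_exposure(incidents=INCIDENTS, hourly_cost=HOURLY_COST):
    """Processes ordered by dollar exposure, highest first."""
    return sorted(metrics_by_process(incidents, hourly_cost).values(),
                  key=lambda p: p.exposure_dollars, reverse=True)


if __name__ == "__main__":
    print("Threat-label count:", count_by_threat())
    print("Per-business-process view:")
    for p in ranked_by_exposure():
        print(f"  {p.process:20s} incidents={p.incidents} "
              f"mean_hours_to_contain={p.mean_hours_to_contain:.2f} "
              f"exposure=${p.exposure_dollars:,.0f}")
```

On the constructed data the threat tally says "malware, three incidents" and nothing more, while the per-process view shows that the two card-authorization incidents account for most of the exposure and took on average 7.5 hours to contain, and that the malware hits on payroll cost almost nothing. That is the difference between counting what the vendor sells and counting what the business cares about.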
40. Articulating Risk
   How do you articulate risk?
   Doctors listen most to mom’s statements like, “Something’s just not right.”
   Say to your CIO, “This feels icky.”
   How icky? On a scale of 1 to eeew!
   (scale: A little … Eeeeeeew)

41. An Example
   PCI 12.2 talks about internal and external pen testing teams. There is great bang-for-buck in setting up an internal pen-testing team:
   To talk to pen testers
   To test patches, controls
   To enumerate hosts, processes, workflows
   To understand your environment
   To understand and positively affect config management

42. Pick Your Battles
   Find out what you care about.
   Attach your team to revenue-producing projects.
   Use PCI and compliance as a lever on the budget.
   Speak in terms of risk, not threat.
   Count metrics that speak in dollars and time.
   Yell when compliance makes you do something dumb or hate your job.

43. Questions?
   Contact us:
   Nick Selby, Managing Director
   nick.selby [ at]
   Paul Davis, Chief Security Officer
   paul.davis[at ]
   Clint Bruce, Chairman
   c.Bruce (at )