Confusion and deception new tools for data protection
•
3 likes•690 views
Cyberthreats are assymetric risks: corporate defenders must secure and detect everything, but the attacker needs to exploit only once. As petabytes of data traverse the ecosystem, legacy data protection methods leave many gaps. By looking through the adversary’s eyes, you can create subterfuges, delay attack progress or reduce the value of any data ultimately accessed—and shift the risk equation. (Source : RSA Conference USA 2017)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Confusion and deception new tools for data protection
Similar to Confusion and deception new tools for data protection (20)
More from Priyanka Aash
More from Priyanka Aash (20)
Recently uploaded
Recently uploaded (20)
Confusion and deception new tools for data protection
- 2. #RSAC Agenda 1. The demand for data protection 2. Data protection from the “inside-out” 3. Data protection from the “outside-in” 4. Examples: “inside-out” and “outside-in” techniques
- 5. #RSAC Why demand for data-centric protection continues to grow 1. Forbes, “Cybersecurity Market Reaches $75 Billion In 2015” 2. Verizon, 2016 Data Breach Investigations Report 3. Symantec, Internet Security Threat Report 2016 4. Ponemon Institute, 2015 Cost of a Data Breach Projected total cost of cyber security in 20151 ~$75 Billion Number of records breached in 20153 429 Million Estimated yearly total cost from breaches4 ~107 Billion Number of data breaches reported in 20152 2,260 Breaches
- 6. #RSAC 2 Business and technology innovation Innovations are creating additional cyber risk for organizations, such as moving mission critical applications to the cloud. The average company now uses: 738cloud services6 6,488 security vulnerabilities7 were added to the National Vulnerability Database (NVD) in 2015, an average of 17 new vulnerabilities each day: Why the breaches haven’t stopped … and won’t 1Explosive data growth… Data is doubling in size every two years and by 2020, it will reach 44 zettabytes55 20202013 4.4 ZB 44 ZB 6 Underestimating the adversaries Organizations fail to recognize/understand the external threat actors and adversaries trying to access their crown jewels 4 Compliance versus risk-focused mindset Cyber security standards, laws, and regulations cannot keep up with both business and technological change and your evolving adversaries. 2014 2015 5 Consistently failing to implement security fundamentals Many companies lack fundamental data protection capabilities. 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published8. 5. “The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things”, EMC Digital Universe with Research & Analysis by IDC 6. 12 Must-Know Statistics on Cloud Usage in the Enterprise”, Skyhigh 7. National Vulnerability Database (NVD) 8. Verizon, “2015 Data Breach Investigations Report” 3 Technology flawed by design ~1,300 breaches4 ~2,100 breaches8
- 8. #RSAC Are you asking the right questions about cyber threats? How can public information be used against me? Who is putting us at risk (insiders and outsiders)? Where are the “crown jewels” that adversaries are after? What does my organization look like to an adversary? What are my organization’s “crown jewels”? Assuming adversaries will get to my “crown jewels,” what can I do to prevent & detect compromise? Copyright © 2017 Deloitte Development LLC. All rights reserved.
- 12. #RSAC Data protection from the “inside-out” principles Fundamentally, data protection from the inside out focuses on three important principles: 1 Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is foundational, and incredibly important to data protection. Implementing and maturing data-layer protection capabilities can help to both prevent and detect data breaches at an organization’s “last line of defense.” Reducing the value of sensitive data is perhaps the most important principle, and is based on the premise that it’s not “if,” but “when” adversaries will get to your data. 2 3 Aligned data protection technologies • Data discovery and inventory • Data classification • Data loss prevention (DLP) • Data access governance (DAG) • Information rights management (IRM) • Database security • Data encryption, tokenization, and obfuscation • Data destruction Copyright © 2017 Deloitte Development LLC. All rights reserved.
- 13. #RSAC Data collection Data storage Data usage and sharing Data retention and destruction Data targets Data protection capabilities Web apps Databases and storage devices Data loss prevention Data access governance Data destruction Information rights management Database security Cloud data transfers End user reporting Application data transfers Retain data on storage devices Destroy electronic data and physical documents after use Data Scanners/ printers Physical documents Data classification Data lifecycleSiloed data protection doesn’t work Data encryption, tokenization, and obfuscation Key and certificate management Data discovery and inventory Copyright © 2017 Deloitte Development LLC. All rights reserved.
- 17. #RSAC Structure for deception Develop infrastructure profile Developing deception characteristics Develop deception plan Deception infrastructure activation GRID monitoring/ collection • Perform cyber reconnaissance on organization to determine external footprint & profile • Perform internal mapping (of business, network, systems, & activity) • Determine threat sophistication for Deception GRID (based on organizational characteristics) • Identify operational characteristics (i.e., weaknesses/vulnerabilities) • Develop size, scale, mock data, scaling characteristics, required devices, & mock systems/applications • Determine monitoring methods and notification procedures • Develop activation procedures (and required secondary activities) • Place deception GRID into (hostile or secondary) environment (remote, local, device, or cross-connected) • Place monitoring systems (external and internal) • Initiate monitoring collection for anomalies and indicators • Recover, collect, and/or kill/wipe Deception GRID (for deep analysis) Copyright © 2017 Deloitte Development LLC. All rights reserved.
- 19. #RSAC Combined approach to protection and deception 19 Recon Assembly of malware Malware delivery Exploitation Malware installation Internal network reconnaissance Obfuscation & deception Remote control (of a botnet) Multiple probes & attempts Example attack model Classification Encryption Data loss prevention Database activity monitoring Information rights management Data flooding Automated anomaly response Intentional misconfiguration HoneypotsTraffic misdirection Copyright © 2017 Deloitte Development LLC. All rights reserved.
- 20. #RSAC Example 1: Combined approach applied Traffic misdirection Honey pots Fake data Data flooding Bad actor monitoring Inside-OutOutside-In Crown Jewels protected from malware via previously implemented inside-out controls Crown Jewel data created and classified Confidential data access governance Crown Jewel data encrypted at storage; access limited by DAG Encryption & Crown jewel usage and sharing monitored and blocked by DLP and rights management services (RMS) DLP RMS Crown jewels discovered, then quarantined, encrypted, or destroyed via classification and DLP Your organizationBad actors Malware delivery Reconnaissance Malware assembly Exploitation Malware installation Internal reconnaissance Obfuscation & deception Covert channel Remote control Copyright © 2017 Deloitte Development LLC. All rights reserved.
- 21. #RSAC Example 2: Combined approach applied Your organizationCrown Jewel data created and classified Confidential Crown Jewel usage and sharing monitored and blocked by DLP + RMS DLP RMS Crown Jewels discovered, then quarantined, encrypted, or destroyed via classification + DLP Traffic misdirection Honey pots Fake data Data flooding Bad actor monitoring Inside-outOutside-in Bad actors Malware delivery Reconnaissance Malware assembly Exploitation Malware installation Internal reconnaissance Obfuscation & deception Covert channel Remote control rights management Crown Jewel data encrypted at storage; access limited by DAG Encryption and Deception techniques devalue data while inside-out methods keep true data secure Copyright © 2017 Deloitte Development LLC. All rights reserved.
- 22. #RSAC Applying data protection and deception Now Next Future “Inside-out” “Outside-in” • Inventory and classify your “crown jewels” and establish processes to maintain the inventory and classify “by design” • Get to know your adversaries • Perform internal and external reconnaissance to understand your network footprint • Implement additional inside-out data protection solutions based on your risk profile and tolerance • Identify deception practices to counter your adversaries: develop size, scale, and mock data corresponding to required devices in the deception schema • Integrate inside-out data protection solutions for more “holistic” data protection at your last line of defense • Monitor threat information from internal and external sensors • Apply what you learn from cyber incidents against your adversary Copyright © 2017 Deloitte Development LLC. All rights reserved.
- 23. #RSAC Questions 23 111 S Wacker Dr. Chicago, IL 60606-4301 Dan Frank Principal | Deloitte Advisory Cyber Risk Services Deloitte & Touche LLP Tel: +1 312 401 0125 danfrank@deloitte.com 1919 N Lynn St. Arlington, VA 22209 Craig Astrich Managing Director | Deloitte Advisory Cyber Risk Services Deloitte & Touche LLP Tel: +1 202 256 7405 castrich@deloitte.com This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.