The document discusses the evolving landscape of data security, emphasizing the lessons learned from the Target data breach and the increasing sophistication of cyber attacks. It highlights the limitations of compliance measures and advocates for proactive security strategies, including the adoption of tokenization and other advanced data protection methods. The document also underscores the urgent need for organizations to rethink their security approaches to better protect sensitive data from emerging threats.

1. WHO IS THE NEXT TARGET?WHO IS THE NEXT TARGET?
Proactive Approaches to Data Security
Ulf Mattsson
CTO, Protegrity
Ulf.Mattsson@protegrity.com

2. Working with the Payment Card Industry Security Standards
Council (PCI SSC):
• PCI SSC Tokenization Task Force
• PCI SSC Encryption Task Force
• PCI SSC Point to Point Encryption Task Force
• PCI SSC Risk Assessment SIG
Ulf Mattsson & PCI Data Security Standards
• PCI SSC eCommerce SIG
• PCI SSC Cloud SIG
• PCI SSC Virtualization SIG
• PCI SSC Pre-Authorization SIG
• PCI SSC Scoping SIG
• PCI SSC 2013 – 2014 Tokenization Task Force
2

3. New threats and methods of attack
New technologies offer new vulnerabilities
Lessons learned from the Target breach
Topics
Lessons learned from the Target breach
The importance of proactive thinking
New technologies to properly secure data
3

4. THE CHANGING
THREAT LANDSCAPETHREAT LANDSCAPE
4
How have the methods of attack shifted?

5. Data Loss Worries IT Pros Most
5
Source: 2014 Trustwave Security Pressures Report

6. Data Loss Worries IT Pros Most
6
Source: 2014 Trustwave Security Pressures Report

7. “It’s clear the bad guys
are winning at a faster
rate than the good guys
Security - We Are Losing Ground
7
Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
rate than the good guys
are winning, and we’ve
got to solve that.”
- 2014 Verizon Data Breach Investigations Report

8. Security - We Are Losing Ground
“…Even though security
is improving, things are
getting worse faster, so
8
getting worse faster, so
we're losing ground
even as we improve.”
- Security expert Bruce Schneier
Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11

9. Security - We Are Losing Ground
“Cyber attack fallout
could cost the global
economy $3 trillion by
9
Source: McKinsey report on enterprise IT security implications released in January 2014.
economy $3 trillion by
2020.”

10. PRIME TARGETS FOR
DATA BREACHDATA BREACH
10

11. CIA and NSA Tell Utilities How To Up Cybersecurity
11
Source: Smart Grid News
The Bipartisan Policy Center (BPC) has published a new report titled
"Cybersecurity and the North American Electric Grid: New Policy Approaches to
Address an Evolving Threat."

12. The U.S. government's Industrial Control Systems Cyber
Emergency Response Team
Responded to more than 200 incidents
53% aimed at the energy sector.
So far, there have not been any successful catastrophic
attacks on the US energy grid
Energy Sector a Prime Target for Cyber Attacks
attacks on the US energy grid
Ongoing debate about the risk of a "cyber Pearl Harbor"
attack.
Source: www.csoonline.com/article/748580/energy-sector-a-prime-target-for-cyber-attacks
(Oct. 2012 - May 2013)
12

13. The global energy sector has become vulnerable to
cyber-attack
Increasingly adopting internet-based industrial
control systems in an effort to cut costs
The industry has yet to experience business
Energy Sector Faces Cyber-attack Threat: Marsh
interruption or physical damage as a result of a
cyber-attack
Being "disproportionately" targeted by increasingly
sophisticated hacker networks the broker
Source: 2014 Report, Insurance broker Marsh
13

14. BEWARE MALWAREBEWARE MALWARE
14

15. 15

16. New Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
16

17. Total Malicious Signed Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
17

18. Targeted Malware Topped the Threats
18
62% said that the pressure to protect from data breaches also increased over the past year.
Source: 2014 Trustwave Security Pressures Report

19. US - Targeted Malware Top Threat
19
Source: 2014 Trustwave Security Pressures Report

20. FBI uncovered 20 cyber attacks against retailers in the
past year that utilized methods similar to Target incident
Believe POS malware crime will continue to grow over the
near term
Despite law enforcement and security firms' actions to
mitigate it
FBI Memory-Scraping Malware Warning
mitigate it
Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”
Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-
malware-in-wake-of-Target-breach
20

21. THE CHANGING
TECHNOLOGYTECHNOLOGY
LANDSCAPE
What effect, if any, does the rise of “Big Data” have on breaches?
21

22. Has Your Organization Already Invested in Big Data?
22
Source: Gartner

23. Holes in Big Data…
23
Source: Gartner

24. Many Ways to Hack Big Data
24
Hackers
& APT
Rogue
Privileged
Users
Unvetted
Applications
Or
Ad Hoc
Processes

25. Many Ways to Hack Big Data
MapReduce
(Job Scheduling/Execution System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
Avro(Serialization)
Zookeeper(Coordination)
Hackers
Unvetted
Applications
Or
Ad Hoc
Processes
Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
25
HDFS
(Hadoop Distributed File System)
Hbase (Column DB)
Avro(Serialization)
Zookeeper(Coordination)
Privileged
Users

26. Big Data (Hadoop) was designed for data access,
not security
Security in a read-only environment introduces new
challenges
Massive scalability and performance requirements
Big Data Vulnerabilities and Concerns
Sensitive data regulations create a barrier to
usability, as data cannot be stored or transferred in
the clear
Transparency and data insight are required for ROI
on Big Data
26

27. TARGET DATA
BREACHBREACH
27
What can we learn from the Target breach?

28. Target Breach Optioned as Sony Feature Film
28
Source: Welivesecurity.com

29. Target Corp. said in its annual report that a massive
security breach has hurt its image and business,
while spawning dozens of legal actions, and it
noted it can't estimate how big the financial tab will
end up being
Security software picked up on suspicious activity
Target Says It Ignored Early Signs of Data Breach
Security software picked up on suspicious activity
after a cyberattack was launched, but it decided not
to take immediate action
Received security alerts on Nov. 30 that indicated
malicious software had appeared in its network
Source: SEC (Securities and Exchange Commission )
29

30. Target Data Breach, U.S. Secret Service & iSIGHT
Target CIO Beth Jacob
resigned
30

31. Memory Scraping Malware – Target Breach
Payment Card
Terminal
Point Of Sale Application
Memory Scraping Malware
Authorization,
Settlement
…
Web Server
Memory Scraping Malware
Russia
31

32. Credentials were stolen from Fazio Mechanical in a malware-
injecting phishing attack sent to employees of the firm by
email
• Resulted in the theft of at least 40 million customer records containing
financial data such as debit and credit card information.
• In addition, roughly 70 million accounts were compromised that
included addresses and mobile numbers.
The data theft was caused by the installation of malware on
How The Breach at Target Went Down
the firm's point of sale machines
The subsequent file dump containing customer data is
reportedly flooding the black market
• Starting point for the manufacture of fake bank cards, or provide data
required for identity theft.
Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-
card-records-from-target-7000026299/
32

33. The FTC is probing the massive hack of credit card
information
Target could face federal charges for failing to
protect its customers' data from hackers
When you see a data breach of this size with clear
harm to consumers, it's clearly something that the
Target May Face Federal Suit Over Privacy Fumble
harm to consumers, it's clearly something that the
FTC would be interested in looking at," said Jon
Leibowitz, a former FTC chairman
Sen. Richard Blumenthal, a Connecticut Democrat,
urged the FTC to investigate the Target hack soon
after it became public in December
Source: Bloomberg Businessweek
33

34. Who Is The Next Target?
34

35. It’s not like other businesses are using some
special network security practices that Target
doesn’t know about.
They just haven’t been hit yet.
No number of traps, bars, or alarms will keep out
the determined thief
Source: www.govtech.com/security
35

36. THINKING LIKE A
HACKERHACKER
How can we shift from reactive to proactive thinking?
36

37. The Modern Day Bank Robber
37

38. Current Breach Discovery Methods
38
Verizon 2013 Data-breach-investigations-report & 451 Research

39. You must assume the systems will be breached.
Once breached, how do you know you've been compromised?
You have to baseline and understand what 'goodness' looks like
and look for deviations from goodness
McAfee and Symantec can't tell you what normal looks like in your
own systems.
Only monitoring anomalies can do that
CISOs say SIEM Not Good for Security Analytics
Only monitoring anomalies can do that
Monitoring could be focused on a variety of network and end-user
activities, including network flow data, file activity and even going
all the way down to the packets
Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner
39

40. TURNING THE TIDE
40
What new technologies and techniques can be used to
prevent future attacks?

41. What if a
Social Security number or
Credit Card NumberCredit Card Number
in the Hands of a Criminal
was Useless?
41

42. COMPLIANCE
VS.
SECURITYSECURITY
42

43. Target was certified as meeting the standard for the
payment card industry in September 2013
Compliance can protect us from liability, but
whether it actually protects us from loss of business
and loss of data is not so clear
Compliance is a minimal deterrent that everyone
Target Breach Lesson: PCI Compliance Isn't Enough
Compliance is a minimal deterrent that everyone
has to have in place
If you're driving a car, you're expected to have a
driver's license. That doesn't make you a safe driver
Source: TechNewsWorld
43

44. Protection of cardholder data in memory
Clarification of key management dual control and split
knowledge
Recommendations on making PCI DSS business-as-
usual and best practices
Security policy and operational procedures added
PCI DSS 3.0
Security policy and operational procedures added
Increased password strength
New requirements for point-of-sale terminal security
More robust requirements for penetration testing
44

45. Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security
Evolution of Data Security Methods
Time
Fine Grained Security
• Access Controls
• Field Encryption (AES & )
• Masking
• Tokenization
• Vaultless Tokenization
45

46. Old and flawed:
Minimal access
levels so people
can only carry
Access Control
Risk
High –
can only carry
out their jobs
46
Access
Privilege
Level
I
High
I
Low
Low –

47. Applying the
Protection Profile to the
Structure of each
Sensitive Data Fields allows forSensitive Data Fields allows for
a Wider Range
of Granular Authority Options
47

48. Examples: De-Identified Sensitive Data
Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare /
Financial
Services
Dr. visits, prescriptions, hospital stays
and discharges, clinical, billing, etc.
Financial Services Consumer Products
and activities
Protection methods can be equally
applied to the actual data, but not
needed with de-identification
48

49. Risk
High –
Old:
Minimal access
levels – Least
New :
Much greater
The New Data Protection - Tokenization
Access
Privilege
Level
I
High
I
Low
Low –
levels – Least
Privilege to avoid
high risks
Much greater
flexibility and
lower risk in data
accessibility
49

50. Tokenization Research
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise
use of tokenization for protecting sensitive data over
encryption
Nearly half of the respondents (47%) are currently
using tokenization for something other than cardholder
data
Tokenization users had 50% fewer security-related
incidents than tokenization non-users
50
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/

51. Security of Different Protection Methods
High
Security Level
I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Basic
Data
Tokenization
51
Low

52. Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Cryptographic algorithms
Cryptographic keys
TokenizationEncryption
52
Cryptographic keys
Code books
Index tokens
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY

53. 10 000 000 -
1 000 000 -
100 000 -
10 000 -
Transactions per second*
Speed of Different Protection Methods
10 000 -
1 000 -
100 -
I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Vault-based
Data
Tokenization
*: Speed will depend on the configuration
53

54. Different Tokenization Approaches
Property Dynamic Pre-generated Vaultless
Vault-based
54

55. Use
Case
How Should I Secure Different Data?
Simple – PCI
PII
Encryption
of Files
Card
Holder
Data
Tokenization
of Fields
Personally Identifiable Information
Type of
Data
I
Structured
I
Un-structured
Complex – PHI
Protected
Health
Information
55
Personally Identifiable Information

56. Use Big Data to Analyze Abnormal Usage Pattern
Payment Card
Terminal
Point Of Sale Application
Memory Scraping Malware
Authorization,
Settlement
…
Web Server
Memory Scraping Malware
Moscow, Russia
FireEye
Malware?

57. Trend - Open Security Analytics Frameworks
57 Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture
Enterprise Big Data Lake

58. Conclusions
Changing threat landscape & challenges to secure data:
• Attackers are looking for not just payment data – a more serious problem.
• IDS systems are lacking context needed to catch data theft
• SIEM detection is too slow in handling large amounts of events.
What happened at Target?
• Modern customized malware can be very hard to detect
58
• They were compliant, but not secure
How can we prevent what happened to Target and the next attack
against our sensitive data?
• Assume that we are under attack - proactive protection of the data itself
• We need to analyze event information and context to catch modern attackers
• The Oracle Big Data Appliance can provide the foundation for solving this problem

59. Thank you!Thank you!
Questions?
Please contact us for more information
http://www.protegrity.com/news-resources/collateral/
Ulf.Mattsson@protegrity.com