Time to re think our security process

Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.

Published in: Technology

  1. Time to Re-think our Security Process
     Ulf Mattsson, Chief Technology Officer, Compliance Engineering
     umattsson@complianceengineers.com
     www.complianceengineers.com
  2. Ulf Mattsson
     Inventor of more than 25 US Patents
     Industry Involvement:
     • PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
     • IFIP - International Federation for Information Processing: WG 11.3 Data and Application Security
     • CSA - Cloud Security Alliance
     • ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
     • NIST - National Institute of Standards and Technology: NIST Big Data Working Group
     • User Groups: Security: ISSA & ISACA; Databases: IBM & Oracle
  3. My work with PCI DSS Standards
     Payment Card Industry Security Standards Council (PCI SSC):
     1. PCI SSC Tokenization Task Force
     2. PCI SSC Encryption Task Force
     3. PCI SSC Point to Point Encryption Task Force
     4. PCI SSC Risk Assessment SIG
     5. PCI SSC eCommerce SIG
     6. PCI SSC Cloud SIG
     7. PCI SSC Virtualization SIG
     8. PCI SSC Pre-Authorization SIG
     9. PCI SSC Scoping SIG Working Group
     10. PCI SSC 2013 – 2014 Tokenization Task Force
  4. (slide contains no text)
  5. Encryption Usage - Mature vs. Immature Companies
     Source: Ponemon - Encryption Application Trends Study, June 2016
     Chart labels: Less use of encryption; Do we know our sensitive data?; Big Data; Public Cloud
  6. Not Knowing Where Sensitive Data Is
     Source: The State of Data Security Intelligence, Ponemon Institute, 2015
  7. Not Managing Risks to Sensitive Data
     Source: The State of Data Security Intelligence, Ponemon Institute, 2015
     Chart labels: Access Patterns; Data Discovery; Data Access
  8. (slide contains no text)
  9. Cloud Providers Not Becoming Security Vendors
     • There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure
     • Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP — driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments
     Source: Gartner, Market Trends: Are Cloud Providers Becoming Security Vendors?, May 2016
  10. 2014: Data-Centric Audit and Protection (DCAP)
     • Centrally managed security policy
     • Across unstructured and structured silos
     • Classify data, control access and monitoring
     • Protection – encryption, tokenization and masking
     • Segregation of duties – application users and privileged users
     • Auditing and reporting
     Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014
  11. 2016: Shift Cybersecurity Investment
     • IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable.
     • Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.
     • By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20% in 2015.
     Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016
  12. Security Outsourcing Fastest Growth
     The information security market is estimated to have grown 13.9% in revenue in 2015, with the IT security outsourcing segment recording the fastest growth (25%).
     Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update
  13. (slide contains no text)
  14. FS-ISAC Summit about “Know Your Data”
     • Encryption at rest has become the new norm
     • However, that’s not sufficient
     • Visibility into how and where it flows during the course of normal business is critical
     Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit
  15. (slide contains no text)
  16. Discovery Results Supporting Compliance
     Old PCI DSS Requirement 3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage:
     1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
     2. Specific retention requirements for cardholder data
     3. Processes for secure deletion of data when no longer needed
     4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
  17. New PCI DSS 3.2 Standard – Data Discovery
     • PCI DSS v2 did not have data flow in the 12 requirements, but mentioned it in “Scope of Assessment for Compliance with PCI DSS Requirements.”
     • PCI DSS v3.1 added data flow into a requirement.
     • PCI DSS v3.2 added data discovery into a requirement.
     Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers
  18. PCI DSS 3.2 Requirement - Discovery: Example of a Discovery Process
     Scoping, Asset Classification, Job Scan Definition, Scanning, Analysis, Reporting, Remediation
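As an added illustration of slides 16 and 18 (this code is not from the deck, Compliance Engineering, or any product it names), a minimal discovery job in Python: it scans constructed sample files for candidate PANs, drops digit runs that fail the Luhn check to cut false positives, masks each hit, and flags files older than an assumed 90-day retention period, which is the input the quarterly identify-and-delete process in old Requirement 3.1 needs.

```python
import re
from datetime import date

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check; filters most random digit runs (timestamps, ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid candidate PANs in text, masked to first 6 / last 4."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scan(files, today, retention_days):
    """Discovery job over (path, content, last_modified) tuples: each finding
    records the masked PANs and whether the file is past the retention limit."""
    findings = []
    for path, content, last_modified in files:
        pans = find_pans(content)
        if pans:
            age = (today - last_modified).days
            findings.append({"path": path, "pans": pans, "age_days": age,
                             "exceeds_retention": age > retention_days})
    return findings


# Constructed sample files (not real data); 4111... and 5500... are the
# common Visa/Mastercard test numbers, 4111...2 fails Luhn, ts= is a timestamp.
SAMPLE_FILES = [
    ("exports/orders_2015.csv", "id,pan\n1,4111 1111 1111 1111\n2,5500000000000004\n", date(2015, 3, 1)),
    ("logs/app.log", "order id 4111111111111112 processed; ts=1462000000000000\n", date(2016, 5, 1)),
    ("docs/readme.txt", "no card data here\n", date(2016, 5, 1)),
]


def run_sample():
    """Run the job on the constructed files with an assumed 90-day retention."""
    return scan(SAMPLE_FILES, date(2016, 6, 1), retention_days=90)
```

Only the CSV export is reported; the log file's digit runs fail Luhn, and the export is 458 days old, well past the assumed retention window.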
  19. Example - Discovery Scanning Job Status List
  20. Discovery Deployment Example
     Example of Customer Provisioning:
     • Virtual host to load Software or Appliance
     • User ID with “Read Only” Access
     • Firewall Access
     Diagram labels: Appliance; Discovery Admin; Examples
  21. Discovery Process (Step 4) – Scanning Job Lists
     STEP 4: The scanning execution can be monitored by Provider and the customer via a Job Scheduler interface
  22. I think it is Time to Re-think our Security Process
  23. Are You Ready for PCI DSS 3.2 Requirement – Security Control Failures?
  24. Security Tools and Integrated Services – Discovery
     Diagram labels:
     • SOC: 24/7 Eyes on Glass (EoG) monitoring, Security Operations Center (SOC)
     • Tools: Managed Tools Security Service
     • Software as a Service (SaaS) data discovery solution
  25. Samples of Our Services
     Compliance Assessments:
     • PCI DSS & PA Gap
     • HIPAA (2013 HITECH)
     • SSAE 16-SOC 2&3*
     • GLBA, SOX
     • FCRA, FISMA
     • SB 1385, ISO 27XXX
     • Security Posture Assessments (based on industry best practices)
     • BCP & DRP (SMB market)
     Professional Security Services:
     • Security Architecture
     • Engineering/Operations
     • Staff Augmentation
     • Penetration Testing
     • Platform Baseline Hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
     • IDM/IAM/PAM architecture
     • SIEM design, operation and implementation
     • eGRC Readiness & Deployment
     E Security & Vendor Products:
     • Data Discovery
     • Managed Tools Security Service
     • Data Loss Protection
     • SIEM & Logging
     • Identity and Access Management
     • EndPoint Protection
     • Network Security Devices
     • Encryption
     • Unified Threat
     • Multi-factor Authentication
     Managed Security Services:
     • MSSP/SOC
     • SIEM 365
     • Data Center SOC
     • IDM/IAM Security Administration
     • Healthcare Infrastructure Solutions (2013 3rd Qtr.)
     • Vulnerability Scans
     • Penetration Testing
  26. Ulf Mattsson, Chief Technology Officer, Compliance Engineering
     umattsson@complianceengineers.com
     www.complianceengineers.com