Who is the next target and how is big data related ulf mattsson

1,823 views

  • Nice presentation ... I agree with about 98 % - the 2 % I don't agree with are on slide #30:

    I am a big fan of SIEM, including automated analysis of the central log for suspicious patterns. But calling this 'Big Data Analysis' is stretching it IMHO... (why not call it how it was called before?).

    Also, the main problem with SIEM I see is that in many shops it isn't set up properly yet - so the problem is 'not enough input' rather than 'lack of analysis'.

  1. 1. Who is the Next Target and How is Big Data Related? Ulf Mattsson CTO, Protegrity ulf . mattsson [at] protegrity . com
  2. 2. The Changing Threat Landscape
  3. 3. Data loss worries IT pros most. Source: 2014 Trustwave Security Pressures Report
  4. 4. Targeted Malware Topped the Threats. 62% said that the pressure to protect from data breaches also increased over the past year. Source: 2014 Trustwave Security Pressures Report
  5. 5. US and Canada - Targeted Malware Top Threat. In the United States and Canada, targeted malware was the top threat IT pros felt pressured to secure against, and in the U.K. and Germany, the top threat was phishing/social engineering. Respondents in each country surveyed said viruses and worms caused the lowest pressure. Source: 2014 Trustwave Security Pressures Report
  6. 6. http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf
  7. 7. The Cost of Cyber Crime. Source: Symantec 2013
  8. 8. Risk of Cyberattacks is a Real and Growing Threat. Organizations worldwide are not "sufficiently protected" against cyberattacks. Fallout from cyberattacks could cost the global economy $3 trillion by 2020. The report states that if "attackers continue to get better more quickly than defenders," as is presently the case, "this could result in a world where a 'cyberbacklash' decelerates digitization." Source: McKinsey report on enterprise IT security implications released in January 2014.
  9. 9. Energy Sector a Prime Target for Cyber Attacks. 74 targeted cyberattacks per day between July 2012 and June 2013, with the energy sector accounting for 16.3% of them, which put it in second place behind government/public sector at 25.4%. The U.S. government's Department of Homeland Security (DHS) reported last year that its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to more than 200 incidents between Oct. 2012 and May 2013 — with 53% aimed at the energy sector. There have, so far, not been any successful catastrophic attacks on the grid, and there is ongoing debate about how high the risk is for what both former Defense secretary Leon Panetta and former Homeland Security secretary Janet Napolitano called a "cyber Pearl Harbor" attack. Source: www.csoonline.com/article/748580/energy-sector-a-primetarget-for-cyber-attacks
  10. 10. Breach Discovery Methods. Source: Verizon 2013 Data Breach Investigations Report
  11. 11. Security Improving but We Are Losing Ground
  12. 12. Identity Theft. Source: www.pcworld.com/article/2088920/target-credit-card-data-was-sent-toserver-in-russia.html
  13. 13. Half of Americans Worry about Identity Theft. The Wall Street Journal reported that financial institutions have spent big bucks—more than $200 million alone in the case of the Target episode—to ease our concerns. • The vast majority of that total ($172 million) covers the costs of replacing cards that have been compromised. Half of American adults said they are "extremely concerned" about their personal data when paying for goods at stores with plastic, according to a recent Associated Press-GfK poll. Source: www.cuinsight.com/target-shoppers-shrug-off-massive-creditcard-data-breach.html
  14. 14. Identity Theft Exploding with Massive Data Breaches. "Last year, some 13.1 million consumers suffered identity fraud," Those numbers don’t include the more than 110 million victims of the holiday breach, which, as it ripples through the population, will send the figures up like a rocket. A stranger takes over someone’s life about once every two seconds. And 1 in 3 of us now already has undesired personal experience with that upsetting fact, according to • Even worse, that number is certain to grow dramatically this year. "Four years ago, the number of identity-fraud victims was 1 in 9, and last year it was 1 in 3. We think the way it is going, and given the … breach, that number will likely increase." Source: Javelin Strategy & Research’s 2014 Identity Fraud Report and nypost.com/2014/02/22/identity-crisis-exploding-with-massive-data-breaches/
  15. 15. IRS Warns about Identity Theft. In many cases, an identity thief uses a legitimate taxpayer’s identity to fraudulently file a tax return and claim a refund. The agency’s work on identity theft and refund fraud continues to grow. For the 2014 filing season, the IRS has expanded its efforts to better protect taxpayers and help victims. Taxpayers can call the IRS’ Identity Protection Specialized Unit at 800-908-4490. Source: www.burlingtoncountytimes.com/business/irs-warns-aboutscams/article_8d01916b-1af0-5960-8790-7991ef0bc20a.html
  16. 16. Target Data Breach
  17. 17. iSIGHT partnered with the U.S. Secret Service. iSIGHT Partners has a deeply comprehensive understanding of the entire code family as well as that from several other victims. The USSS has permitted us to share limited details surrounding these types of attacks.
  18. 18. How The Breach at Target Went Down. Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email. • Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information. • In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers. The data theft was caused by the installation of malware on the firm's point of sale machines. • Free version of Malwarebytes Anti-Malware was used by Target. The subsequent file dump containing customer data is reportedly flooding the black market. • It could be used to pilfer cash from accounts, be the starting point for the manufacture of fake bank cards, or provide data required for identity theft. Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-creditcard-records-from-target-7000026299/
  19. 19. Memory Scraping
  20. 20. FBI warns of Memory-scraping Malware in wake of Target breach. In its warning titled, "Recent Cyber Intrusion Events Directed Toward Retail Firms", the FBI said in the past year it has uncovered around 20 cases of cyberattacks against retailers that utilized similar methods to those uncovered in the Target incident. "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the FBI in the report, seen by Reuters. Source: searchsecurity.techtarget.com/news/2240213143/FBIwarns-of-memory-scraping-malware-in-wake-of-Target-breach
  21. 21. Researchers: Another ring of Attackers on Retailers. Researchers at RSA's First Watch cybersecurity team: • Similar to the gang that tapped into the point-of-sales systems at Target, Neiman-Marcus and Michaels. • That gang used a memory parsing program called POSRAM. • This most recently discovered ring of thieves makes use of a similar piece of malware dubbed ChewBacca. Source: www.usatoday.com/story/cybertruth/2014/02/03/hackingof-point-of-sales-systems-escalates/5060523/
  22. 22. Malware Collected 11GB of Data from Target. The stolen credit card numbers of millions of Target shoppers took an international trip—to Russia. "The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity," according to a Jan. 14 report from iSight Partners, a Dallas-based information security company. Security company Seculert found that data stolen in the Target breach was received by a compromised U.S. server, then sent to a Russian server.
  23. 23. Memory Scraping Malware – Target Breach Payment Card Terminal Point Of Sale Application Authorization, Settlement … Memory Scraping Malware Web Server Russia
  24. 24. Attacks using memory scrapers. Attacks using memory scrapers can target any application that processes credit card numbers. In the past, memory scraping often required the attacker to have a small amount of target environment knowledge to configure the capture tool. • The trend is toward generic discovery tools that could identify the desired information in a list of preconfigured processes or all running processes. Source: http://www2.trustwave.com/rs/trustwave/images/2013-Global-SecurityReport.pdf
  25. 25. Malware. 2014 Trustwave Security Pressures Report • The rate and sophistication of malware and data breaches continue to accelerate, a trend that is proving seemingly impossible for businesses to counter. Memory scraping • Used at Target: 110 million … • It’s next to impossible to stop data leakage. • You can’t beat it completely. • Detecting or intercepting related malware-dropping attacks aimed at those POS devices may be quite difficult. • That's because attackers can use antivirus evasion techniques or packing tools to give the malware executable a never-before-seen checksum.
  26. 26. Old Security Approaches. Old security is like "boiling the ocean" • Since you are trying to "patch" all possible data paths and sensitive data stores, and may not even find a trace of the attack. • Malware • Data leaks
  27. 27. Proactive Data Security
  28. 28. The Changing Technology Landscape
  29. 29. Is it Impossible to Prevent Data Breaches? Chip-and-PIN, or EMV, is more secure than the current magnetic stripe technology. Cyber criminals can "easily create cloned cards" from magnetic stripe data. Major credit card companies have placed a deadline on U.S. merchants to adopt EMV technology by October of 2015, or face increased liability of fraud. Source: news.medill.northwestern.edu/chicago/news.aspx?id=228123
  30. 30. Use Big Data to Analyze Abnormal Traffic Pattern Payment Card Terminal Point Of Sale Application Authorization, Settlement … Memory Scraping Malware Web Server SIEM Analytics Big Data Russia
  31. 31. Reactionary vs Proactive Data Security • Don’t just fix yesterday’s problems • Compliance vs Security • Think like a hacker • Malware & Memory Scraping • Protect the Data Flow with Tokenization • Use Big Data to Analyze Data Traffic
  32. 32. Big Data
  33. 33. What is Big Data? Hadoop • Designed to handle the emerging "4 V’s" • Massively Parallel Processing (MPP) • Elastic scale • Usually Read-Only • Allows for data insights on massive, heterogeneous data sets • Includes an ecosystem of components: Hive, Pig, Other (Application Layers); MapReduce; HDFS (Storage Layers); Physical Storage
  34. 34. Has Your Organization Already Invested in Big Data? Source: Gartner
  35. 35. Vulnerabilities in Big Data
  36. 36. Holes in Big Data… Source: Gartner
  37. 37. Many Ways to Hack Big Data. Diagram labels: BI Reporting, RDBMS, Hackers, Pig (Data Flow), Hive (SQL), Sqoop, Unvetted Applications Or Ad Hoc Processes, MapReduce (Job Scheduling/Execution System), Hbase (Column DB), HDFS (Hadoop Distributed File System), Avro (Serialization), Zookeeper (Coordination), ETL Tools, Privileged Users. Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
  38. 38. The Insider Threat
  39. 39. Sensitive Data Insight & Usability. Big Data and Cloud environments are designed for access and deep insight into vast data pools. Data can be monetized not only by marketing analytics, but through sale or use by a third party. The more accessible and usable the data is, the greater this ROI benefit can be. Security concerns and regulations are often viewed as opponents to data insight.
  40. 40. Big Data Vulnerabilities and Concerns. Big Data (Hadoop) was designed for data access, not security. Security in a read-only environment introduces new challenges. Massive scalability and performance requirements. Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear. Transparency and data insight are required for ROI on Big Data.
  41. 41. Threats to Big Data
  42. 42. Attacks on Big Data – Honey Pot. The honey pot idea is a 10+ years old trick based on fake data (in a pot) and redirection of requests: • Great for monitoring what attackers are doing. • A modern approach should be based on tokenization with fake data "everywhere" instead of in "a pot".
  43. 43. Attacks on Big Data – Perimeter & Encryption. The old perimeter security and encryption: • The discussion should be how to "balance between security and insight".
  44. 44. Attacks on Big Data – Access Control. The challenge of maintaining a "classic" access control model: • The "new approach" should be based on building the protection into the data (tokenization) • It should not be based only on preventing access to data
  45. 45. Attacks on Big Data – Data Inference. The "data inference" (re-identification) problem: • New problem • Not a Big Data problem. A "balance between security and insight" is the right approach. The de-tokenization policy should evaluate the combination of data fields that are accessed over time.
  46. 46. Attacks on Big Data – Analytical Tools. The "lack of analytical tools" • Can it prevent an attacker from finding sensitive data? Attackers are simply looking for sensitive records • Not interested in advanced analytical results. The attacker will find points in the data flow where sensitive data is easier to find.
  47. 47. Evolution of Data Security
  48. 48. Evolution of Data Security Methods (over time). Coarse Grained Security • Access Controls • Volume Encryption • File Encryption. Fine Grained Security • Access Controls • Field Encryption (AES & ) • Masking • Tokenization • Vaultless Tokenization
  49. 49. Use of Enabling Technologies. Access controls 1% Database activity monitoring 18% Database encryption 30% Backup / Archive encryption 21% Data masking 28% 28% Application-level encryption 7% 29% Tokenization 22% 91% 47% 35% 39% 23% Evaluating
  50. 50. Access Control. Chart: Risk (Low to High) against Access Privilege Level (Low to High). Old and flawed: Minimal access levels so people can only carry out their jobs.
  51. 51. Applying the protection profile to the content of data fields allows for a wider range of authority options
  52. 52. How the New Approach is Different. Chart: Risk (Low to High) against Access Privilege Level (Low to High). Old: Minimal access levels – Least Privilege to avoid high risks. New: Much greater flexibility and lower risk in data accessibility.
  53. 53. Reduction of Pain with New Protection Techniques. Chart: Pain & TCO (High to Low) over time (1970, 2000, 2005, 2010). Input Value: 3872 3789 1620 3675. Strong Encryption (AES, 3DES), output: !@#$%a^.,mhu7///&*B()_+!@. Format Preserving Encryption (DTP, FPE): 8278 2789 2990 2789, format preserving. Vault-based Tokenization: 8278 2789 2990 2789, greatly reduced key management. Vaultless Tokenization: 8278 2789 2990 2789, no vault.
  54. 54. Fine Grained Data Security Methods: Vault-based vs. Vaultless Tokenization
      • Footprint. Vault-based: Large, Expanding. Vaultless: Small, Static.
      • High Availability, Disaster Recovery. Vault-based: Complex, expensive replication required. Vaultless: No replication required.
      • Distribution. Vault-based: Practically impossible to distribute geographically. Vaultless: Easy to deploy at different geographically distributed locations.
      • Reliability. Vault-based: Prone to collisions. Vaultless: No collisions.
      • Performance, Latency, and Scalability. Vault-based: Will adversely impact performance & scalability. Vaultless: Little or no latency. Fastest industry tokenization.
  55. 55. Fine Grained Data Security Methods: Tokenization and Encryption are Different
      • Encryption. Used approach: Cipher System, with cryptographic algorithms and cryptographic keys.
      • Tokenization. Used approach: Code System, with code books and index tokens.
      Source: McGraw-Hill Encyclopedia of Science & Technology
  56. 56. The Future of Tokenization. PCI DSS 3.0 • Split knowledge and dual control. PCI SSC Tokenization Task Force • Tokenization and use of HSM. Card Brands – Visa, MC, AMEX … • Tokens with control vectors. ANSI X9 • Tokenization and use of HSM.
  57. 57. Security of Different Protection Methods. Chart: Security Level (Low to High) for Basic Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard, Vaultless Data Tokenization.
  58. 58. Speed of Different Protection Methods. Chart: Transactions per second* (axis from 100 to 10 000 000) for Vault-based Data Tokenization, Format Preserving Encryption, AES CBC Encryption Standard, Vaultless Data Tokenization. *: Speed will depend on the configuration
  59. 59. How Should I Secure Different Data? Chart: Use Case (Simple to Complex) against Type of Data (Un-structured to Structured). Encryption of Files; Tokenization of Fields. Data classes shown: Card Holder Data (PCI), Personally Identifiable Information (PII), Protected Health Information (PHI).
  60. 60. Protegrity Summary. Proven enterprise data security software and innovation leader • Sole focus on the protection of data • Patented Technology, Continuing to Drive Innovation. Cross-industry applicability • Retail, Hospitality, Travel and Transportation • Financial Services, Insurance, Banking • Healthcare • Telecommunications, Media and Entertainment • Manufacturing and Government
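
One way to implement the policy from slide 45, where the de-tokenization decision looks at the combination of fields a user has accessed over time rather than at each request alone. This is an added example, not code from the presentation or from Protegrity; the field names, the risky combinations and the 24-hour window are assumptions.

```python
from collections import defaultdict

# Assumed policy: field sets that re-identify a person once seen together.
RISKY_COMBINATIONS = [
    frozenset({"zip", "birth_date", "gender"}),
    frozenset({"name", "card_number"}),
]
WINDOW_SECONDS = 24 * 3600  # assumed look-back window


class DetokenizationPolicy:
    """Decides clear-text release from what a user already saw, not per call."""

    def __init__(self, risky=RISKY_COMBINATIONS, window=WINDOW_SECONDS):
        self.risky = list(risky)
        self.window = window
        # (user, record_id) -> {field: time it was last released in clear}
        self.history = defaultdict(dict)

    def _recent_fields(self, user, record_id, now):
        seen = self.history[(user, record_id)]
        for field in [f for f, t in seen.items() if now - t >= self.window]:
            del seen[field]  # releases older than the window no longer count
        return set(seen)

    def request(self, user, record_id, fields, now):
        """Return (allowed, reason) for de-tokenizing `fields` of one record."""
        fields = set(fields)
        combined = self._recent_fields(user, record_id, now) | fields
        for combo in self.risky:
            if combo <= combined:
                # Denied requests are not recorded: nothing was released.
                return False, "would complete " + "+".join(sorted(combo))
        for field in fields:
            self.history[(user, record_id)][field] = now
        return True, "ok"


# Constructed request log: (epoch seconds, user, record id, fields wanted).
SAMPLE_REQUESTS = [
    (0,     "analyst1", "r42", ["zip"]),
    (600,   "analyst1", "r42", ["birth_date"]),
    (1200,  "analyst1", "r42", ["gender"]),             # third piece: deny
    (1300,  "analyst1", "r43", ["gender"]),             # other record: allow
    (1400,  "analyst2", "r42", ["gender"]),             # other user: allow
    (90000, "analyst1", "r42", ["gender"]),             # earlier releases expired
    (90100, "analyst1", "r42", ["zip", "birth_date"]),  # completes the set: deny
]


def replay(requests, policy=None):
    """Run a request log through the policy; return the allow/deny decisions."""
    if policy is None:
        policy = DetokenizationPolicy()
    return [policy.request(user, rec, fields, now)[0]
            for now, user, rec, fields in requests]


if __name__ == "__main__":
    for req, ok in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print(req, "->", "release" if ok else "keep tokenized")
```

History is kept per user, so two accounts that pool their results are not caught; covering that case means tracking releases per record across users as well.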
