Of Crown Jewels and Data Assets
April 2017
© 2017 Deloitte Risk Advisory Pty Ltd
The threat landscape
It’s all in the news
You cannot hide
The changing threat landscape
According to the Information Security Forum (ISF) Threat Horizon 2018 report, information security threats are set to worsen. Organisations risk becoming disoriented and losing their way in a maze of uncertainty as they grapple with complex technology, the proliferation of data, increased regulation and a debilitating skills shortage.
So what do we know?
Industry 4.0
The outcome of being “smart”: the rise of the extended kinetic enterprise

Figure: degree of complexity over time, from Industry 1.0 to Industry 4.0.
• 1st industrial revolution (Industry 1.0, end of 18th century; first mechanical weaving loom, 1784): through introduction of mechanical production facilities with the help of water and steam power.
• 2nd industrial revolution (Industry 2.0, beginning of 20th century; first assembly line, 1870): through introduction of mass production with the help of electrical energy.
• 3rd industrial revolution (Industry 3.0, beginning of the 1970s; first programmable logic control system, 1969): through application of electronics and IT to further automate production.
• 4th industrial revolution (Industry 4.0, today): on the basis of cyber-physical production systems (CPPS), merging of real and virtual worlds.

Industry 4.0 ecosystem (figure labels): Internet of things, Internet of services, Internet of data, Internet of people; Smart Buildings, Smart Mobility, Smart Homes, Smart Grid, Smart Logistics, Social Web, Business Web; CPPS, Smart Factory.
What it means for you…
Given the breadth of the cyber ecosystem, and the attack surface or opportunity for malicious attack that comes with it, organisations need to acknowledge that they must move their focus to a data-first approach.

Figure (axes: Magnitude, Risk, Time; rows: Stages, Technologies, Value drivers). The stages:
• Use of sensors to generate data about a physical event or state
• Transmission of information from generation to processing location
• Gathering information created at different times or from different sources
• Discernment of patterns among data that leads to action, descriptions or predictions
• Initiating, changing or maintaining an event or state
What it means for you…
Understand the lifecycle of your data and know the worth of risk in today’s connected enterprise… focus on data.
Cyber Risk ≠ Cyber Security
Cyber risk and cyber security are often used interchangeably; however, they are two different concepts. Often, inadvertently, the focus is on cyber security, neglecting broader cyber risk management.

Cyber security is a category of solutions that partially address cyber risk. Cyber security is based on the principles of confidentiality, integrity and availability.

Cyber risk is a category of business risks that have strategic, operational and regulatory implications. Cyber risk management assesses threats, vulnerabilities and their potential impact on the broader organisation.

Figure: Cyber Risk / Cyber Security.
Cyber Risk ≠ Cyber Security
The end game will be a bigger digital objective, of which Cyber is just one of the many key ingredients.

Figure labels: Cyber Risk, Cyber Security, Cyber. Digital Enablement:
• Internet of Things
• Big Data
• Cloud
• Social / Mobility
• Blockchain
• Augmented Reality
• Digital Platforms
• CX / UX
• Open Data Networks
• Process Automation
• Right Speed IT
• Information Management
• Core Systems Reinvention
So how do we protect our data assets?
Data Protection
Fundamental changes to how organizations approach data protection need to occur in order for the risk landscape to improve. Organizations are not investing in the right areas to address the risks and threats which are most impactful and likely.

Recent attacks demonstrate that we need to change the game:
1. Risk mitigation versus compliance requirements
2. Building and maintaining a comprehensive inventory of sensitive assets and data
3. Implementing solutions to protect data and monitor for data loss at the “data layer”
4. Consistently executing the security fundamentals
Data Protection
Why is protecting data so difficult?

Explosive data growth… Data is doubling in size every two years and by 2020 it will reach 44 zettabytes [5] (4.4 ZB in 2013, 44 ZB in 2020). This could fill up the Library of Congress more than 10 million times.

…and data proliferation. The average organisation shares documents with 826 external domains / organisations [6]. The average company uses 738 cloud services [7]; this is more than 10x what IT expects.

Technology flawed by design. 6,488 new security vulnerabilities [8] were added to the National Vulnerability Database (NVD) in 2015. This means an average of 17 new vulnerabilities each day.

Compliance focused mindset. Cyber Risk standards, laws, and regulations have not and cannot keep up with both business and technological change and evolving adversaries. Although PCI compliance among organizations has increased from 20% to 29% from 2014 to 2015 [2], the number of data breaches has also increased during that time period, from 1,300 breaches in 2014 to 2,100 breaches in 2015.

Consistently failing to implement security fundamentals. Many companies lack the standard data protection capabilities (e.g., malware protection, data lifecycle management). 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published [2].

Business and technology innovation. Innovations are creating additional cyber risk for organisations. Many organisations have started moving mission critical applications to the cloud. By 2020, there will be 5 billion Internet of Things (IoT) devices [2].

Top Trends: Autonomic Platforms; Internet of Things; Cloud Enablement; Digital Enablement; Extended Enterprise & Third Party Risk.
Data breach root causes
Let’s keep it simple: it’s not due to lack of funding. It’s because most organisations do not use a data-centric approach to protection.
1. Organizations do not have enough experienced Cyber Security resources to appropriately protect all IT infrastructure and sensitive data.
2. The end user continues to be targeted and exploited via spear-phishing, drive-by exploits and social engineering attacks.
3. Many companies often release insecure software before sufficient testing can be performed, due to the need for quick release into the market.
4. Attackers are profiting and succeeding, so they are not going away and not giving up.
5. The level of sophistication in hacker goals and hacker tools continues to rise.
What is Data-centric protection?
Data protection is one of the key focus areas for leading regulations and standards. Rules around data security are becoming more prevalent, stringent and mandatory, increasingly with the assumption that adversaries are already in. This assumption means organisations need to focus on what is important to them, their most valuable information, rather than just on keeping the attackers out.

Principle: Description

Data Security
• Know what Data is important and where it is: Inventorying and classifying sensitive Data and assets, as well as maintaining the inventory, is foundational, and incredibly important to Data protection.
• Apply Data-level protection capabilities: Implementing Data-layer protection capabilities can help to both prevent and detect Data breaches at an organisation’s “last line of defence”.

Core Principles

Data Governance
• Data agenda: Set a data agenda to manage the explosive growth in data.
• Define the data: Ensure that requirements and definitions are driven by the business and not IT.
• Data-centric processes: Establish data-centric processes with data at the heart of the conversation to drive the standardisation of shared concepts.

Privacy
• Understand obligations: Understand your privacy requirements, risks and the personal information assets you hold.
• Monitor and manage: Continuously monitor, measure and improve privacy risk management processes.
• Ready to respond: Be resilient to respond to privacy risk.
How to change the game
Data protection capabilities should occur from the “inside out”, in addition to the “outside in”. Assume your adversaries are “in”, and limit what they can do and the impact they can cause.

Data protection from the inside out
Focus on scope: invest in areas that maximise return on investment. Focusing at the data layer makes it harder for attackers to get hold of sensitive information.

Top Goals
• Discourage Attackers: make attacks harder, more time consuming and costly
• Engineer for Control Failure: protect data assuming other traditional controls will fail
• Minimise Breach Impact: any data loss should result in the least possible impact
• Play the Percentages: invest in areas that maximise return on investment

Business Centric Capabilities
– Third-party access
– Business impact to data
– Operational risk profiling of data
– Data ownership
– Data lifecycle ownership
– Data lifecycle management

Data Centric Capabilities (focus on the sensitive data itself)
– Identify and maintain an inventory of the most critical assets through enterprise data discovery, classification and management programs
– Render compromised data useless through tokenisation, encryption and obfuscation
– Zero in on the most likely targets for attacks
– Monitor for data access or exfiltration at the database layer and endpoints

Illustrative Supplemental Capabilities (close access paths through fundamental security controls)
– Strong Authentication
– Malware Detection
– Privileged User Management
– Vulnerability and Patch Management
– Configuration Management

Figure layers: Data, Application, Platform, Network.
Data protection framework

Business objectives / Business Value: Growth / Innovation, Privacy, Risk management, Regulatory compliance.

Governance (Strategy and operating model; Policies, standards, and architecture; Risk reporting and culture)
• Policies and standards covering each of the Data Protection capabilities
• Operational procedures and supporting guides
• Data protection reference architecture
• Risk Reporting framework and dashboards
• KRIs and KPIs
• Embedding data protection culture across the business (IT, HR, etc.)
• Data protection training and awareness
• Data risk management lifecycle including identification, testing, response, and treatment
• Threat modeling and data risk identification
• Data Protection strategy and roadmap
• Data Protection organization structure and accountability
• Regulatory compliance and exam management

Data Protection Technology Capabilities: Data Security Governance (Operational Capabilities)
• Data discovery and inventory
• Data classification
• Data encryption, tokenization, and obfuscation
• Key and certificate management
• Information rights management
• Payments security
• Data retention and destruction
• Data loss prevention
• Data access governance
• Database security

Assessment against a controls set (e.g. ISF, NIST, Privacy regulation, NAB SKCA)
• Business Impact & Readiness
• IT Operations & Readiness
• Stakeholder Management & Communication
• Collaboration & Information Life Cycle Tools
• Master Data Management and Sharing
• Data Security & Architecture
• Data Workflow
• Metadata Repository
• Progress Tracking
• Issue monitoring
• Continuous improvement
• Score carding
• Data analytics
It’s not all about frameworks and policies

INTEGRATED FRAMEWORK FOR DATA PROTECTION (figure)
Data lifecycle stages: Data Collection / Creation; Data Storage; Data Usage and Sharing; Data Retention and Destruction.
Data Protection Capabilities across the lifecycle:
• Data Classification
• Data Security Architecture
• Security Metrics and Reporting, Board Reporting
• Awareness and Culture, Secure Data Lifecycle, Data Management, Third Party Security
• Encryption and Tokenisation, Privacy Assessment Platform, Third Party Security Platform
• Discovery and Classification
• Data Loss Prevention
• User Behavior Analytics
• CASB
• Analytics and Reporting
Protection across the data lifecycle

Data Collection: Sensitive data is collected by an organization as part of its day-to-day operations via point of sale devices, application forms, data from credit bureaus, etc.
Data Storage: Collected data is stored across multiple solutions such as databases, backup locations, third party storage, etc., for further use by applications and users.
Data Usage and Sharing: Data is transmitted from storage solutions for processing on internal and external servers, applications, end-user devices, and other devices within and outside the network.
Data Retention and Destruction: Data is retained or destroyed by the organization per regulatory, internal compliance or business requirements, using electronic or physical media for retention.

Data Targets (across the stages): Web applications; Databases and storage devices; Cloud data transfers; Application data transfers; Scanning and printing devices; Physical documents; Retain data on storage devices; Destroy electronic data and physical documents after use.

Threats (across the stages): MITM attack; Malicious insider; POS Malware; Stolen Device; Eavesdropping; Data Exfiltration; Remnant data; Backup Failure; Corrupt backup.

Data Protection Capabilities: Data encryption, tokenization, and obfuscation / Key and certificate management / Payment security; Data loss prevention; Data discovery, inventory, and classification; Data access governance; Data retention and destruction; Information rights management; Database security; End user reporting.
How would it work – it’s all about options
There are many ways to get started, depending on the needs, priorities and maturity of an individual organization’s data protection program.

Data Discovery Exercise: Perform a data discovery exercise to understand where structured and unstructured sensitive data exists across the organization. Provide recommendations on how to protect and manage the sensitive data identified.

Data Exfiltration Risk Assessment: Conduct a risk assessment to identify the areas in the organization that are most at risk of data being exfiltrated. Provide recommendations on remediation activities to strengthen those areas.

Data Protection Technology and Capability Implementation: Assist with the implementation and deployment of data protection technology solutions and capabilities. We can provide full scale technology implementation support.

Data Protection Program Foundation Development: Develop supporting capabilities (e.g. governance, operating model, key risk indicators, key performance indicators, etc.) to enhance and strengthen the data protection program.

Data Protection Assessment and Strategy: Conduct a data protection assessment to understand the key risks the organization is facing, as well as capability maturity and any gaps that exist. Develop a data protection strategy and roadmap to define the components and capabilities needed to build a Data Protection program.

Managed Services: Provide service level agreement (SLA) based operation of Data Loss Prevention (DLP) tools, including event analysis, system maintenance, reporting and other operational tasks.
Manage it as a program

Strategy: Planning and Design
• Identify Senior Management and Stakeholders
• Identify Applicable Data Protection Laws and Regulations
• Develop Assessment Project Plan & Team
• Develop Program Vision and Objectives
• Define Requirements and Controls Management Processes
• Data Protection Governance Strategy
• Develop Strategy and Roadmap
• Training & Awareness Plan and Materials

Operations: Discover and Classify
• Procure and Deploy Data Discovery, Classification and Inventory Tools
• Data Types Most Valuable to the Business
• Data Flow Mapping of Valuable Data
• Assessment of Risk & Controls
• Remediation and Action Plan
• Prioritise Data Protection Implementation based upon Data Classification Scheme

Operations: Deploy Protection Mechanisms
• Design and Implement Data Protection Solution across the Data Lifecycle Stages
• Integrate Applications, Business Processes, Platform and Systems with the Data Protection Solutions
• Deploy Fundamental Security Controls to Enhance Broader Data Protection Posture
• Deploy Data Monitoring Tools and Processes

Operations: Monitor and Respond
• Define and Implement Incident Response Processes
• Implement Metrics, Monitoring and Reporting (including Board)
• Report on Outcomes
Of Crown Jewels and Data Assets
This document and the information contained in it is confidential and should not be used or disclosed in any way without our
prior consent.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its
network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for
a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
The entity named herein is a legally separate and independent entity. In providing this document, the author only acts in the
named capacity and does not act in any other capacity. Nothing in this document, nor any related attachments or
communications or services, have any capacity to bind any other entity under the ‘Deloitte’ network of member firms (including
those operating in Australia).
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries.
With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and
high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has
in the region of 225,000 professionals, all committed to becoming the standard of excellence.
About Deloitte Australia
In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading
professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory
services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an
employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For
more information, please visit our web site at www.deloitte.com.au.
Liability limited by a scheme approved under Professional Standards Legislation.
Member of Deloitte Touche Tohmatsu Limited
© 2017 Deloitte Risk Advisory Pty Ltd
Puneet Kukreja
National Lead Partner – Data Protection Group
National Cyber Leader – Banking and Financial Services
Cyber Risk Advisory
T: +61403037010
E: pkukreja@deloitte.com.au
Thank you.

FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets

  • 1. Of Crown Jewels and Data Assets© 2017 Deloitte Risk Advisory Pty Ltd 1 Of Crown Jewels and Data Assets April 2017
  • 2. Of Crown Jewels and Data Assets© 2017 Deloitte Risk Advisory Pty Ltd 2 The threat landscape
  • 3. Of Crown Jewels and Data Assets© 2017 Deloitte Risk Advisory Pty Ltd 3 It’s all in the news You cannot hide
  • 4. Of Crown Jewels and Data Assets© 2017 Deloitte Risk Advisory Pty Ltd 4 The changing threat landscape According to Information Security Forum (ISF), Threat Horizon 2018 report information security threats are set to worsen. Organisations risk becoming disoriented and losing their way in a maze of uncertainty, as they grapple with complex technology, proliferation of data, increased regulation, and a debilitating skills shortage.
  • 5. Of Crown Jewels and Data Assets© 2017 Deloitte Risk Advisory Pty Ltd 5 So what do we know
  • 6. Of Crown Jewels and Data Assets© 2017 Deloitte Risk Advisory Pty Ltd 6 Industry 4.0 The outcome of being “smart” The rise of the extended kinetic enterprise 1st industrial revolution Through introduction of mechanical production facilities with the help of water and steam power 2nd industrial revolution Through introduction of mass production with the help of electrical energy 3rd industrial revolution Through application of electronics and IT to further automate production 4th industrial revolution On the basis of cyber-physical production systems (CPPS), merging of real and virtual worlds Industry 4.0 Industry 3.0 Industry 2.0 Industry 1.0 First mechanical weaving loom 1784 End of 18th century Beginning of 20th century Beginning of 1970s of 20th century Today Degreeofcomplexity First assembly line 1870 First programmable logic control system 1969 Internet of things Internet of services Internet of data Internet of people Industry 4.0 Smart Buildings Smart Mobility Smart Homes Smart Grid Smart Logistics Social Web Business Web CPPS Smart Factory
  • 7. Of Crown Jewels and Data Assets© 2017 Deloitte Risk Advisory Pty Ltd 7 What it means for you… Given the breadth of the cyber ecosystem the attack surface or opportunity for malicious attack, it is imperative that there is acknowledgement that organisations need to move their focus to a data first approach. MAGNITUDE RISK TIME STAGES TECHNOLOGIES VALUE DRIVERS Discernment of patterns among data that leads to action, descriptions or predictions Gathering information created at different times or from different sources Initiating, changing or maintaining an event or state Use of sensors to generate data about a physical event or state Transmission of information from generation to processing location
  • 8. What it means for you… focus on data
    Understand the lifecycle of your data, and know the worth of risk in today's connected enterprise.
  • 9. Cyber Risk ≠ Cyber Security
    Cyber risk and cyber security are often used interchangeably; however, they are two different concepts. Often, inadvertently, the focus is on cyber security, neglecting broader cyber risk management.
    - Cyber Security: a category of solutions that partially address cyber risk. Cyber security is based on the principles of confidentiality, integrity and availability.
    - Cyber Risk: a category of business risks that have strategic, operational and regulatory implications. Cyber risk management assesses threats, vulnerabilities and their potential impact on the broader organisation.
  • 10. Cyber Risk ≠ Cyber Security
    The end game will be a bigger digital objective of which Cyber is just one of the many key ingredients.
    [Diagram: Cyber Risk and Cyber Security sit within Cyber, which is one part of Digital Enablement. Digital Enablement comprises:]
    - Internet of Things
    - Big Data
    - Cloud
    - Social / Mobility
    - Blockchain
    - Augmented Reality
    - Digital Platforms
    - CX / UX
    - Open Data Networks
    - Process Automation
    - Right Speed IT
    - Information Management
    - Core Systems Reinvention
  • 11. So how do we protect our data assets
  • 12. Data Protection
    Fundamental changes to how organizations approach data protection need to occur in order for the risk landscape to improve. Organizations are not investing in the right areas to address the risks and threats which are most impactful and likely. Recent attacks demonstrate that we need to change the game:
    1. Risk mitigation versus compliance requirements
    2. Building and maintaining a comprehensive inventory of sensitive assets and data
    3. Implementing solutions to protect data and monitor for data loss at the "data layer"
    4. Consistently executing the security fundamentals
  • 13. Data Protection: why is protecting data so difficult?
    - Explosive data growth: data is doubling in size every two years and by 2020 it will reach 44 zettabytes [5] (4.4 ZB in 2013, 44 ZB in 2020; this could fill up the Library of Congress more than 10 million times).
    - Data proliferation: the average organisation shares documents with 826 external domains / organisations [6]. The average company uses 738 cloud services [7], more than 10x what IT expects.
    - Technology flawed by design: 6,488 new security vulnerabilities [8] were added to the National Vulnerability Database (NVD) in 2015. This means an average of 17 new vulnerabilities each day.
    - Compliance focused mindset: cyber risk standards, laws, and regulations have not and cannot keep up with both business and technological change and evolving adversaries. Although PCI compliance among organizations increased from 20% to 29% from 2014 to 2015 [2], the number of data breaches also increased during that period, from 1,300 (2014) to 2,100 (2015).
    - Consistently failing to implement security fundamentals: many companies lack the standard data protection capabilities (i.e., malware protection, data lifecycle management). 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published [2].
    - Business and technology innovation: innovations are creating additional cyber risk for organisations. Many organisations have started moving mission critical applications to the cloud. By 2020, there will be 5 billion Internet of Things (IoT) devices [2].
    Top trends: Autonomic Platforms; Internet of Things; Cloud Enablement; Digital Enablement; Extended Enterprise & Third Party Risk.
  • 14. Data breach root causes
    Let's keep it simple: it's not due to lack of funding; it's because most organisations do not use a data-centric approach to protection.
    1. Organizations do not have enough experienced cyber security resources to appropriately protect all IT infrastructure and sensitive data
    2. The end user continues to be targeted and exploited via spear-phishing, drive-by exploits, and social engineering attacks
    3. Many companies often release insecure software before sufficient testing can be performed, due to the need for quick release into the market
    4. Attackers are profiting and succeeding, so they are not going away and not giving up
    5. The level of sophistication in hacker goals and hacker tools continues to rise
  • 15. What is Data-centric protection?
    Data protection is one of the key focus areas for leading regulations and standards. Rules around data security are becoming more prevalent, stringent and mandatory, increasingly with the assumption that adversaries are already in. That assumption means organisations need to focus on what is important to them, their most valuable information, rather than on just keeping the attackers out.
    Principles and descriptions:
    Data Security
    - Know what data is important and where it is: inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is foundational and incredibly important to data protection.
    - Apply data-level protection capabilities: implementing data-layer protection capabilities can help to both prevent and detect data breaches at an organisation's "last line of defence".
    Core Principles (Data Governance)
    - Data agenda: set a data agenda to manage the explosive growth in data.
    - Define the data: ensure that requirements and definitions are driven by the business and not IT.
    - Data-centric processes: establish data-centric processes with data at the heart of the conversation to drive the standardisation of shared concepts.
    Privacy
    - Understand obligations: understand your privacy requirements, risks and the personal information assets you hold.
    - Monitor and manage: continuously monitor, measure and improve privacy risk management processes.
    - Ready to respond: be resilient and ready to respond to privacy risk.
  • 16. How to change the game
    Data protection capabilities should occur from the "inside out", in addition to the "outside in". Assume your adversaries are "in", and limit what they can do and the impact they can cause.
    Data protection from the inside out: focus on scope; invest in areas that maximise return on investment; focusing at the data layer makes it harder for attackers to get hold of sensitive information.
    Top Goals:
    - Discourage Attackers: make attacks harder, more time consuming and costly
    - Engineer for Control Failure: protect data assuming other traditional controls will fail
    - Minimise Breach Impact: any data loss should result in the least possible impact
    - Play the Percentages: invest in areas that maximise return on investment
    Business Centric Capabilities:
    - Third-party access
    - Business impact to data
    - Operational risk profiling of data
    - Data ownership
    - Data lifecycle ownership
    - Data lifecycle management
    Data Centric Capabilities (focus on the sensitive data itself):
    - Identify and maintain an inventory of the most critical assets through enterprise data discovery, classification and management programs
    - Render compromised data useless through tokenisation, encryption and obfuscation
    - Zero in on the most likely targets for attacks
    - Monitor for data access or exfiltration at the database layer and endpoints
    Illustrative Supplemental Capabilities (close access paths through fundamental security controls):
    - Strong Authentication
    - Malware Detection
    - Privileged User Management
    - Vulnerability and Patch Management
    - Configuration Management
    [Diagram: the layers Data, Application, Platform and Network, with data at the centre.]
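The two data-centric capabilities above that lend themselves to code, inventorying sensitive data through discovery and classification (also the "know what data is important and where it is" principle on slide 15) and rendering compromised data useless through tokenisation, can be shown end to end on a handful of records. The following Python is an added example, not Deloitte's code or tooling: the sample stores and records, the regular expressions, the Luhn filter, the "Public / Confidential / Restricted" labels, the HMAC-based token format and the demo key are all assumptions constructed for the demonstration.

```python
"""Added example: data discovery, classification and tokenisation over
constructed sample records (not Deloitte's code; every name here is assumed)."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample data stores: path -> list of text records.
SAMPLE_STORES = {
    "crm/exports/customers.csv": [
        "alice,alice@example.com,4111111111111111",
        "bob,bob@example.com,n/a",
    ],
    "wiki/onboarding.txt": [
        "Welcome to the team! Lunch is at 12:30.",
    ],
    "finance/refunds.log": [
        "2017-04-01 refund 5500000000000004 approved",
        "2017-04-01 refund 1234567812345678 rejected",  # fails Luhn: not a PAN
    ],
}
DEMO_KEY = b"demo-only-key"  # assumption: a real deployment keeps the key in a KMS/HSM

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs are not inventoried as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    store: str
    record: int
    kind: str   # "pan" or "email"
    value: str


def discover(stores: dict) -> list:
    """Discovery: scan every record of every store for sensitive values."""
    findings = []
    for store, records in stores.items():
        for idx, text in enumerate(records):
            findings += [Finding(store, idx, "pan", m.group())
                         for m in PAN_RE.finditer(text) if luhn_ok(m.group())]
            findings += [Finding(store, idx, "email", m.group())
                         for m in EMAIL_RE.finditer(text)]
    return findings


def classify(stores: dict, findings: list) -> dict:
    """Classification: label each store by the most sensitive data found in it."""
    labels = {store: "Public" for store in stores}
    for f in findings:
        if f.kind == "pan":
            labels[f.store] = "Restricted"
        elif labels[f.store] == "Public":
            labels[f.store] = "Confidential"
    return labels


def tokenise_pan(pan: str, key: bytes) -> str:
    """Replace a PAN with a keyed token that keeps only the last four digits.
    Without the key (or the vault that maps tokens back) the token is useless."""
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return f"tok_{digest[:12]}_{pan[-4:]}"


def protect(stores: dict, findings: list, key: bytes) -> dict:
    """Return a copy of the stores with every discovered PAN tokenised in place."""
    protected = {store: list(records) for store, records in stores.items()}
    for f in findings:
        if f.kind == "pan":
            rec = protected[f.store][f.record]
            protected[f.store][f.record] = rec.replace(f.value, tokenise_pan(f.value, key))
    return protected


def build_inventory(stores: dict = SAMPLE_STORES) -> dict:
    """Run the whole pass and return the inventory a data protection team would keep."""
    findings = discover(stores)
    return {
        "labels": classify(stores, findings),
        "findings": [(f.store, f.record, f.kind) for f in findings],
        "protected": protect(stores, findings, DEMO_KEY),
    }


if __name__ == "__main__":
    inv = build_inventory()
    for store, label in inv["labels"].items():
        print(f"{label:12} {store}")
    for store, records in inv["protected"].items():
        for rec in records:
            print("  ", store, "->", rec)
```

The Luhn filter is what keeps the inventory honest: the rejected refund line contains a sixteen-digit run that is not a card number, and an inventory that listed it would overstate the Restricted footprint. The token keeps the last four digits so that downstream reports still work, while the HMAC means a copy of the tokenised store, on its own, gives an attacker nothing.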
  • 17. Data protection framework
    Business objectives: Growth / Innovation; Privacy; Risk management; Regulatory compliance; Business Value.
    Governance:
    - Strategy and operating model: Data Protection strategy and roadmap; Data Protection organization structure and accountability; regulatory compliance and exam management.
    - Policies, standards, and architecture: policies and standards covering each of the Data Protection capabilities; operational procedures and supporting guides; data protection reference architecture.
    - Risk reporting and culture: risk reporting framework and dashboards; KRIs and KPIs; embedding data protection culture across the business (IT, HR, etc.); data protection training and awareness; data risk management lifecycle including identification, testing, response, and treatment; threat modeling and data risk identification.
    Data Protection Technology Capabilities: Data discovery and inventory; Data classification; Data encryption, tokenization, and obfuscation; Key and certificate management; Information rights management; Payments security; Data retention and destruction; Data loss prevention; Data access governance; Database security.
    Data Security Governance (Operational Capabilities): Business Impact & Readiness; IT Operations & Readiness; Stakeholder Management & Communication; Collaboration & Information Life Cycle Tools; Master Data Management and Sharing; Data Security & Architecture; Data Workflow; Metadata Repository; Progress Tracking; Issue monitoring; Continuous improvement; Score carding; Data analytics.
    Assessment: controls set (e.g. ISF, NIST, Privacy regulation, NAB SKCA).
  • 18. It's not all about frameworks and policies
    INTEGRATED FRAMEWORK FOR DATA PROTECTION
    Data lifecycle stages: Data Collection / Creation; Data Storage; Data Usage and Sharing; Data Retention and Destruction.
    Data protection capabilities: Data Classification; Data Security Architecture; Security Metrics and Reporting, Board Reporting; Awareness and Culture; Secure Data Lifecycle; Data Management; Third Party Security.
    Platforms and tools: Encryption and Tokenisation; Privacy Assessment Platform; Third Party Security Platform; Discovery and Classification; Data Loss Prevention; User Behavior Analytics; CASB; Analytics and Reporting.
  • 19. Protection across the data lifecycle
    - Data Collection: sensitive data is collected by an organization as part of its day-to-day operations via point of sale devices, application forms, data from credit bureaus, etc.
    - Data Storage: collected data is stored across multiple solutions such as databases, backup locations, third party storage, etc., for further use by applications and users.
    - Data Usage and Sharing: data is transmitted from storage solutions for processing on internal and external servers, applications, end-user devices, and other devices within and outside the network.
    - Data Retention and Destruction: data is retained or destroyed by the organization per regulatory, internal compliance or business requirements, using electronic or physical media for retention.
    Data targets across the lifecycle: web applications; scanning and printing devices; physical documents; databases and storage devices; cloud data transfers; application data transfers; end user reporting; data retained on storage devices; electronic data and physical documents destroyed after use.
    Threats across the lifecycle: MITM attack; malicious insider; POS malware; stolen device; eavesdropping; data exfiltration; remnant data; backup failure; corrupt backup.
    Data protection capabilities: data encryption, tokenization, and obfuscation / key and certificate management / payment security; data loss prevention; data discovery, inventory, and classification; data access governance; data retention and destruction; information rights management; database security.
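The "data exfiltration" threat listed above, together with the database security capability and the "monitor for data access or exfiltration at the database layer" capability on slide 16, can be made concrete as detection logic run over database audit records. The following Python is an added example, not Deloitte's code: the audit-log line format, the sample lines (including the deliberately malformed one), the restricted-table set, the row thresholds, the UTC business-hours window and the allowlisted backup account are all constructed assumptions.

```python
"""Added example: detection logic for exfiltration at the database layer, run over
constructed audit-log lines (not Deloitte's code; format and thresholds are assumed)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a database audit log (the line format is an assumption).
SAMPLE_AUDIT_LOG = """\
2017-04-03T09:12:05Z user=app_svc db=crm table=customers op=SELECT rows=12
2017-04-03T09:14:40Z user=app_svc db=crm table=customers op=SELECT rows=8
2017-04-03T10:02:31Z user=j.doe db=crm table=orders op=UPDATE rows=1
2017-04-03T11:30:00Z user=backup db=crm table=customers op=SELECT rows=48000
2017-04-03T13:05:00Z user=r.roe db=crm table=customers op=SELECT rows=300
2017-04-03T13:06:00Z user=r.roe db=crm table=customers op=SELECT rows=300
2017-04-03T13:07:00Z user=r.roe db=crm table=customers op=SELECT rows=300
2017-04-03T13:08:00Z user=r.roe db=crm table=customers op=SELECT rows=300
this line is malformed and must be skipped rather than crash the detector
2017-04-03T23:41:10Z user=j.doe db=crm table=customers op=SELECT rows=48000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) table=(?P<table>\S+) "
    r"op=(?P<op>\S+) rows=(?P<rows>\d+)$")

# Assumed policy: which tables hold classified data, who may read them in bulk,
# what counts as bulk, and when normal business use happens (UTC hours).
RESTRICTED_TABLES = {"customers"}
BULK_ALLOWLIST = {"backup"}
BULK_ROW_THRESHOLD = 1000
BUSINESS_HOURS = range(8, 18)


def parse_line(line: str):
    """Parse one audit line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec["rows"])
    return rec


def detect(log_text: str) -> list:
    """Return (rule, user, timestamp) alerts for reads of restricted tables.

    bulk_read:      one query returned more rows than the threshold
    off_hours:      a restricted table was read outside business hours
    aggregate_read: many small reads added up past the threshold (low and slow)
    """
    alerts = []
    totals = defaultdict(int)
    last_seen = {}
    bulk_flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["table"] not in RESTRICTED_TABLES or rec["op"] != "SELECT":
            continue
        if rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", rec["user"], rec["ts"]))
        if rec["user"] in BULK_ALLOWLIST:
            continue  # approved bulk reader (e.g. the backup job): exempt from volume rules only
        totals[rec["user"]] += rec["rows"]
        last_seen[rec["user"]] = rec["ts"]
        if rec["rows"] > BULK_ROW_THRESHOLD:
            alerts.append(("bulk_read", rec["user"], rec["ts"]))
            bulk_flagged.add(rec["user"])
    for user, total in totals.items():
        if total > BULK_ROW_THRESHOLD and user not in bulk_flagged:
            alerts.append(("aggregate_read", user, last_seen[user]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_AUDIT_LOG):
        print(f"{ts.isoformat()} {rule:15} {user}")
```

On the constructed sample this raises three alerts: a single 48,000-row read and an off-hours read for the same interactive account, and an aggregate alert for the account that stays under the per-query threshold on every query but reads 1,200 rows in total. The backup job reads the same table in bulk and is not flagged, which is the point of keeping the allowlist explicit and reviewed: the approved bulk readers are exactly the accounts whose compromise would be invisible to the volume rules, so they still fall under the off-hours check.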
  • 20. How would it work: it's all about options
    There are many ways to get started, depending on the needs, priorities and maturity of an individual organization's data protection program.
    - Data Discovery Exercise: perform a data discovery exercise to understand where structured and unstructured sensitive data exists across the organization. Provide recommendations on how to protect and manage the sensitive data identified.
    - Data Exfiltration Risk Assessment: conduct a risk assessment to identify the areas in the organization that are most at risk of data being exfiltrated. Provide recommendations on remediation activities to strengthen those areas.
    - Data Protection Technology and Capability Implementation: assist with the implementation and deployment of data protection technology solutions and capabilities. We can provide full scale technology implementation support.
    - Data Protection Program Foundation Development: develop supporting capabilities (e.g. governance, operating model, key risk indicators, key performance indicators, etc.) to enhance and strengthen the data protection program.
    - Data Protection Assessment and Strategy: conduct a data protection assessment to understand the key risks the organization is facing, as well as capability maturity and any gaps that exist. Develop a data protection strategy and roadmap to define the components and capabilities needed to build a Data Protection program.
    - Managed Services: provide service level agreement (SLA) based operation of Data Loss Prevention (DLP) tools, including event analysis, system maintenance, reporting and other operational tasks.
  • 21. Manage it as a program
    Phases: Identify PU Stakeholders; Strategy; Operations Planning and Design; Discover and Classify; Deploy Protection Mechanisms; Monitor and Respond.
    Activities, in program order:
    - Identify Senior Management and Stakeholders
    - Identify Applicable Data Protection Laws and Regulations
    - Develop Assessment Project Plan & Team
    - Develop Program Vision and Objectives
    - Define Requirements and Controls Management Processes
    - Data Protection Governance Strategy
    - Develop Strategy and Roadmap
    - Training & Awareness Plan and Materials
    - Procure and Deploy Data Discovery, Classification and Inventory Tools
    - Data Types Most Valuable to the Business
    - Data Flow Mapping of Valuable Data
    - Assessment of Risk & Controls
    - Remediation and Action Plan
    - Prioritise Data Protection Implementation based upon Data Classification Scheme
    - Design and Implement Data Protection Solution across the Data Lifecycle Stages
    - Integrate Applications, Business Processes, Platform and Systems with the Data Protection Solutions
    - Deploy Fundamental Security Controls to Enhance Broader Data Protection Posture
    - Deploy Data Monitoring Tools and Processes
    - Define and Implement Incident Response Processes
    - Implement Metrics, Monitoring and Reporting (including Board)
    - Report on Outcomes
  • 22. Of Crown Jewels and Data Assets (closing slide)
  • 23. This document and the information contained in it is confidential and should not be used or disclosed in any way without our prior consent.
    About Deloitte
    Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. The entity named herein is a legally separate and independent entity. In providing this document, the author only acts in the named capacity and does not act in any other capacity. Nothing in this document, nor any related attachments or communications or services, has any capacity to bind any other entity under the 'Deloitte' network of member firms (including those operating in Australia).
    Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.
    About Deloitte Australia
    In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia's leading professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel.
    For more information, please visit our web site at www.deloitte.com.au. Liability limited by a scheme approved under Professional Standards Legislation. Member of Deloitte Touche Tohmatsu Limited. © 2017 Deloitte Risk Advisory Pty Ltd
    Puneet Kukreja, National Lead Partner – Data Protection Group, National Cyber Leader – Banking and Financial Services, Cyber Risk Advisory. T: +61403037010 E: [email protected]
    Thank you.

Editor's Notes

  • #13:
    1. Risk mitigation versus compliance requirements: many organisations are heavily focused on addressing audit and regulatory findings, but often the solutions implemented do not help reduce risk or address threats that the company faces.
    2. Building and maintaining a comprehensive inventory of sensitive assets and data: many organizations don't know where their data is. It's very difficult to appropriately protect data if you don't know where it is collected, stored, used, and transferred both inside and outside the organisation.
    3. Implementing solutions to protect data and monitor for data loss at the "data layer": many organizations are not effectively implementing critical capabilities such as encryption and database activity monitoring, among others.
    4. Consistently executing the security fundamentals: many organisations are still not consistently executing fundamental data protection capabilities (e.g. patching, privileged access, asset management), which leaves sensitive data even more vulnerable.