Confusion and Deception: New Tools for Data Protection

#RSAC, session ID PDAC-T11. Craig Astrich, Managing Director, Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP; Daniel Frank, Principal, Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP.

Upload: priyanka-aash. Posted 13-Apr-2017.

Page 1: Confusion and deception new tools for data protection

Title slide (#RSAC). Session ID: PDAC-T11. Confusion and Deception: New Tools for Data Protection. Craig Astrich, Managing Director, Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP. Daniel Frank, Principal, Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP.

Page 2: Confusion and deception new tools for data protection

Agenda

1. The demand for data protection
2. Data protection from the “inside-out”
3. Data protection from the “outside-in”
4. Examples: “inside-out” and “outside-in” techniques

Page 3: Confusion and deception new tools for data protection

The demand for data protection

Page 4: Confusion and deception new tools for data protection

Growth: demand for data-centric protection is growing

Chart (figure): share of respondents who are implementing/implemented, expanding/upgrading implementation, or planning to implement within 12 months, for data-centric protection technologies; the bar values shown range from 36% to 40%. Base: 741 North American and European client security decision-makers (20+ employees). Source: “Understand the State Of Data Security and Privacy: 2016 to 2017”, Forrester Research Inc., December 7, 2016.

Page 5: Confusion and deception new tools for data protection

Why demand for data-centric protection continues to grow

• Projected total cost of cybersecurity in 2015 [1]: ~$75 Billion
• Number of data breaches reported in 2015 [2]: 2,260 breaches
• Number of records breached in 2015 [3]: 429 Million
• Estimated yearly total cost from breaches [4]: ~107 Billion

Sources: 1. Forbes, “Cybersecurity Market Reaches $75 Billion In 2015”; 2. Verizon, 2016 Data Breach Investigations Report; 3. Symantec, Internet Security Threat Report 2016; 4. Ponemon Institute, 2015 Cost of a Data Breach

Page 6: Confusion and deception new tools for data protection

Why the breaches haven’t stopped… and won’t

1. Explosive data growth: data is doubling in size every two years and by 2020 it will reach 44 zettabytes [5] (chart: 4.4 ZB in 2013, 44 ZB in 2020).
2. Business and technology innovation: innovations are creating additional cyber risk for organizations, such as moving mission critical applications to the cloud. The average company now uses 738 cloud services [6].
3. Technology flawed by design: 6,488 security vulnerabilities [7] were added to the National Vulnerability Database (NVD) in 2015, an average of 17 new vulnerabilities each day.
4. Compliance versus risk-focused mindset: cybersecurity standards, laws, and regulations cannot keep up with both business and technological change and your evolving adversaries.
5. Consistently failing to implement security fundamentals: many companies lack fundamental data protection capabilities. 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published [8].
6. Underestimating the adversaries: organizations fail to recognize/understand the external threat actors and adversaries trying to access their crown jewels.

Chart (breaches by year): ~1,300 breaches in 2014 [4]; ~2,100 breaches in 2015 [8].

Sources: 5. “The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things”, EMC Digital Universe with Research & Analysis by IDC; 6. “12 Must-Know Statistics on Cloud Usage in the Enterprise”, Skyhigh; 7. National Vulnerability Database (NVD); 8. Verizon, “2015 Data Breach Investigations Report”

Page 7: Confusion and deception new tools for data protection

Cyber attacks perform in concert

Attack patterns constantly change and adapt. It is important to understand how to counter these threats and use adversaries’ methods against them to protect our “crown jewels.”

Attack stages shown: malware delivery; internal reconnaissance; obfuscation & deception; remote control.

Page 8: Confusion and deception new tools for data protection

Are you asking the right questions about cyber threats?

• How can public information be used against me?
• Who is putting us at risk (insiders and outsiders)?
• Where are the “crown jewels” that adversaries are after?
• What does my organization look like to an adversary?
• What are my organization’s “crown jewels”?
• Assuming adversaries will get to my “crown jewels,” what can I do to prevent & detect compromise?

Copyright © 2017 Deloitte Development LLC. All rights reserved.

Page 9: Confusion and deception new tools for data protection

Time to change the game: protection to deception

Organizations should consider an approach that protects “crown jewels” from the inside, while simultaneously employing deception methods from the outside.

Protection from the inside out: inventory & classification; data loss prevention; encryption & tokenization; rights management.

Deception from the outside in.

Diagram labels spanning both halves: devaluation, confusion, obfuscation, diffusion, destruction, detonation.

Page 10: Confusion and deception new tools for data protection

Data protection from the “inside-out”

Page 11: Confusion and deception new tools for data protection

Data protection from the “inside-out”

Your home: valuables; video cameras; secure door; security alarms; fence.

Your organization: sensitive data; infrastructure & application controls (patch management, identity & access management, S-SDLC*); network controls (firewalls, intrusion prevention).

*Secure software development lifecycle

Page 12: Confusion and deception new tools for data protection

Data protection from the “inside-out” principles

Fundamentally, data protection from the inside out focuses on three important principles:

1. Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is foundational, and incredibly important to data protection.
2. Implementing and maturing data-layer protection capabilities can help to both prevent and detect data breaches at an organization’s “last line of defense.”
3. Reducing the value of sensitive data is perhaps the most important principle, and is based on the premise that it’s not “if,” but “when” adversaries will get to your data.

Aligned data protection technologies

• Data discovery and inventory
• Data classification
• Data loss prevention (DLP)
• Data access governance (DAG)
• Information rights management (IRM)
• Database security
• Data encryption, tokenization, and obfuscation
• Data destruction

Page 13: Confusion and deception new tools for data protection

Siloed data protection doesn’t work

Data lifecycle: data collection; data storage; data usage and sharing; data retention and destruction.

Data targets: web apps; scanners/printers; physical documents; databases and storage devices; cloud data transfers; end user reporting; application data transfers; retain data on storage devices; destroy electronic data and physical documents after use.

Data protection capabilities: data discovery and inventory; data classification; data loss prevention; data access governance; information rights management; database security; data encryption, tokenization, and obfuscation; key and certificate management; data destruction.

Page 14: Confusion and deception new tools for data protection

Data protection from the “outside-in”

Page 15: Confusion and deception new tools for data protection

Value for combining protection and deception

Steps: 1. Confuse the adversary; 2. Execute and monitor; 3. Control your enterprise.

Value / impact: identify anomalous activity within the “noise” of the enterprise; decrease the impact of an incident; maintain positive control of your organization’s data.

Page 16: Confusion and deception new tools for data protection

Deception methods from the “outside-in”

• Data flooding
• Honeypots / honeysticks / IoT pot
• Simulated servers
• Intentional misconfiguration
• Automated anomaly characterization
• Fake data insertion
• Automated anomaly response
• Traffic misdirection

Page 17: Confusion and deception new tools for data protection

Structure for deception

1. Develop infrastructure profile
• Perform cyber reconnaissance on organization to determine external footprint & profile
• Perform internal mapping (of business, network, systems, & activity)

2. Developing deception characteristics
• Determine threat sophistication for Deception GRID (based on organizational characteristics)
• Identify operational characteristics (i.e., weaknesses/vulnerabilities)

3. Develop deception plan
• Develop size, scale, mock data, scaling characteristics, required devices, & mock systems/applications
• Determine monitoring methods and notification procedures

4. Deception infrastructure activation
• Develop activation procedures (and required secondary activities)
• Place deception GRID into (hostile or secondary) environment (remote, local, device, or cross-connected)

5. GRID monitoring/collection
• Place monitoring systems (external and internal)
• Initiate monitoring collection for anomalies and indicators
• Recover, collect, and/or kill/wipe Deception GRID (for deep analysis)

Page 18: Confusion and deception new tools for data protection

Examples and application: integration of “inside-out” and “outside-in” techniques

Page 19: Confusion and deception new tools for data protection

Combined approach to protection and deception

Example attack model: recon; assembly of malware; malware delivery; exploitation; malware installation; internal network reconnaissance; obfuscation & deception; remote control (of a botnet); multiple probes & attempts.

Inside-out controls: classification; encryption; data loss prevention; database activity monitoring; information rights management.

Outside-in deception: data flooding; automated anomaly response; intentional misconfiguration; honeypots; traffic misdirection.

Page 20: Confusion and deception new tools for data protection

Example 1: Combined approach applied

Bad actors (attack chain): reconnaissance; malware assembly; malware delivery; exploitation; malware installation; internal reconnaissance; obfuscation & deception; covert channel; remote control.

Outside-in (deception): traffic misdirection; honeypots; fake data; data flooding; bad actor monitoring.

Inside-out (your organization):
• Crown Jewel data created and classified (Confidential).
• Crown Jewel data encrypted at storage; access limited by data access governance (DAG).
• Crown Jewel usage and sharing monitored and blocked by DLP and rights management services (RMS).
• Crown Jewels discovered, then quarantined, encrypted, or destroyed via classification and DLP.
• Crown Jewels protected from malware via previously implemented inside-out controls.

Controls labelled on the diagram: Confidential (classification), data access governance, encryption & rights management, DLP, RMS.

Page 21: Confusion and deception new tools for data protection

Example 2: Combined approach applied

Bad actors (attack chain): reconnaissance; malware assembly; malware delivery; exploitation; malware installation; internal reconnaissance; obfuscation & deception; covert channel; remote control.

Outside-in (deception): traffic misdirection; honeypots; fake data; data flooding; bad actor monitoring.

Inside-out (your organization):
• Crown Jewel data created and classified (Confidential).
• Crown Jewel data encrypted at storage; access limited by DAG (encryption and rights management).
• Crown Jewel usage and sharing monitored and blocked by DLP + RMS.
• Crown Jewels discovered, then quarantined, encrypted, or destroyed via classification + DLP.

Deception techniques devalue data while inside-out methods keep true data secure.
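Added example (not from the Deloitte deck): a small Python model of Examples 1 and 2 together, with the inside-out side classifying and tokenizing crown-jewel values so a stolen table holds no true data, and the outside-in side seeding fake records and flagging any read of them in an access log. The record format, field names, decoy id scheme and log lines are constructed for this example.

```python
import re
import secrets

# Constructed sample "crown jewel" table (made-up values for this example).
RECORDS = [
    {"id": "c100", "name": "A. Example", "tax_id": "123-45-6789"},
    {"id": "c101", "name": "B. Example", "tax_id": "987-65-4321"},
    {"id": "c102", "name": "C. Example", "tax_id": "n/a"},
]
# Assumed crown-jewel pattern: a US-style tax id, nnn-nn-nnnn.
TAX_ID_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def classify(record):
    """Inside-out principle 1: tag a record Confidential when it holds a crown-jewel field."""
    return "Confidential" if TAX_ID_RE.match(record.get("tax_id", "")) else "Internal"


def devalue(records, vault):
    """Inside-out principle 3: swap each Confidential value for an opaque random token.
    Only the vault maps token -> value, so a stolen copy of the table is worthless."""
    protected = []
    for rec in records:
        rec = dict(rec)  # leave the caller's records untouched
        if classify(rec) == "Confidential":
            token = "tok_" + secrets.token_hex(8)
            vault[token] = rec["tax_id"]
            rec["tax_id"] = token
        protected.append(rec)
    return protected


def seed_canaries(table, count):
    """Outside-in fake data: append decoy records that no legitimate process should read.
    Returns the decoy ids the monitor should watch."""
    canaries = set()
    for i in range(count):
        cid = f"c9{i:02d}"  # constructed decoy id scheme
        table.append({"id": cid, "name": f"Decoy {i}", "tax_id": "tok_" + secrets.token_hex(8)})
        canaries.add(cid)
    return canaries


def detect(access_log, canaries):
    """Bad-actor monitoring: any read of a decoy id is an alert, whoever performed it.
    Constructed log line format: '<user> <action> <record id>'."""
    alerts = []
    for line in access_log:
        user, action, rid = line.split()
        if rid in canaries:
            alerts.append((user, action, rid))
    return alerts
```

Real users only ever touch real ids, so a hit on a decoy id is high-signal even inside the normal "noise" of the enterprise, while the tokenized table limits what a successful read of a real record yields.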

Page 22: Confusion and deception new tools for data protection

Applying data protection and deception

Now
• “Inside-out”: inventory and classify your “crown jewels” and establish processes to maintain the inventory and classify “by design”
• “Outside-in”: get to know your adversaries; perform internal and external reconnaissance to understand your network footprint

Next
• “Inside-out”: implement additional inside-out data protection solutions based on your risk profile and tolerance
• “Outside-in”: identify deception practices to counter your adversaries: develop size, scale, and mock data corresponding to required devices in the deception schema

Future
• “Inside-out”: integrate inside-out data protection solutions for more “holistic” data protection at your last line of defense
• “Outside-in”: monitor threat information from internal and external sensors; apply what you learn from cyber incidents against your adversary

Page 23: Confusion and deception new tools for data protection

Questions

Dan Frank, Principal | Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP. 111 S Wacker Dr., Chicago, IL 60606-4301. Tel: +1 312 401 0125. [email protected]

Craig Astrich, Managing Director | Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP. 1919 N Lynn St., Arlington, VA 22209. Tel: +1 202 256 7405. [email protected]

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.