Confusion and Deception: New Tools for Data Protection
TRANSCRIPT
#RSAC
Session PDAC-T11

Craig Astrich, Managing Director | Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP
Daniel Frank, Principal | Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP

Agenda
1. The demand for data protection
2. Data protection from the “inside-out”
3. Data protection from the “outside-in”
4. Examples: “inside-out” and “outside-in” techniques

The demand for data protection

Growth: demand for data-centric protection is growing
[Chart: survey responses in three categories (Implementing/Implemented; Expanding/upgrading implementation; Planning to implement within 12 months), with values between 36% and 40%.]
Base: 741 North American and European client security decision-makers (20+ employees)
Source: “Understand the State Of Data Security and Privacy: 2016 to 2017”, Forrester Research Inc., December 7, 2016

Why demand for data-centric protection continues to grow
• Projected total cost of cybersecurity in 2015¹: ~$75 billion
• Number of data breaches reported in 2015²: 2,260 breaches
• Number of records breached in 2015³: 429 million
• Estimated yearly total cost from breaches⁴: ~107 billion

1. Forbes, “Cybersecurity Market Reaches $75 Billion In 2015”
2. Verizon, 2016 Data Breach Investigations Report
3. Symantec, Internet Security Threat Report 2016
4. Ponemon Institute, 2015 Cost of a Data Breach

Why the breaches haven’t stopped… and won’t
1. Explosive data growth: data is doubling in size every two years and by 2020 it will reach 44 zettabytes⁵ (2013: 4.4 ZB; 2020: 44 ZB).
2. Business and technology innovation: innovations are creating additional cyber risk for organizations, such as moving mission critical applications to the cloud. The average company now uses 738 cloud services⁶.
3. Technology flawed by design: 6,488 security vulnerabilities⁷ were added to the National Vulnerability Database (NVD) in 2015, an average of 17 new vulnerabilities each day.
4. Compliance versus risk-focused mindset: cybersecurity standards, laws, and regulations cannot keep up with both business and technological change and your evolving adversaries.
5. Consistently failing to implement security fundamentals: many companies lack fundamental data protection capabilities. 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published⁸.
6. Underestimating the adversaries: organizations fail to recognize/understand the external threat actors and adversaries trying to access their crown jewels.
[Chart: ~1,300 breaches in 2014⁴; ~2,100 breaches in 2015⁸]

5. “The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things”, EMC Digital Universe with Research & Analysis by IDC
6. “12 Must-Know Statistics on Cloud Usage in the Enterprise”, Skyhigh
7. National Vulnerability Database (NVD)
8. Verizon, “2015 Data Breach Investigations Report”

Cyber attacks perform in concert
Attack patterns constantly change and adapt. It is important to understand how to counter these threats and use adversaries’ methods against them to protect our “crown jewels.”
[Figure stages: malware delivery; internal reconnaissance; obfuscation & deception; remote control.]

Are you asking the right questions about cyber threats?
• How can public information be used against me?
• Who is putting us at risk (insiders and outsiders)?
• Where are the “crown jewels” that adversaries are after?
• What does my organization look like to an adversary?
• What are my organization’s “crown jewels”?
• Assuming adversaries will get to my “crown jewels,” what can I do to prevent & detect compromise?
Copyright © 2017 Deloitte Development LLC. All rights reserved.

Time to change the game: protection to deception
Organizations should consider an approach that protects “crown jewels” from the inside, while simultaneously employing deception methods from the outside.
[Layered figure. Protection from the inside out: inventory & classification; data loss prevention; encryption & tokenization; rights management. Deception from the outside in. Further ring labels: devaluation; confusion; obfuscation; diffusion; destruction; detonation.]

Data protection from the “inside-out”
[Figure: home-security analogy. Your home: fence; secure door; video cameras; security alarms; valuables. Your organization: network controls (firewalls, intrusion prevention); infrastructure & application controls (patch management, identity & access management, S-SDLC*); sensitive data.]
*Secure software development lifecycle

Data protection from the “inside-out” principles
Fundamentally, data protection from the inside out focuses on three important principles:
1. Inventorying and classifying sensitive data and assets, as well as maintaining the inventory, is foundational, and incredibly important to data protection.
2. Implementing and maturing data-layer protection capabilities can help to both prevent and detect data breaches at an organization’s “last line of defense.”
3. Reducing the value of sensitive data is perhaps the most important principle, and is based on the premise that it’s not “if,” but “when” adversaries will get to your data.

Aligned data protection technologies
• Data discovery and inventory
• Data classification
• Data loss prevention (DLP)
• Data access governance (DAG)
• Information rights management (IRM)
• Database security
• Data encryption, tokenization, and obfuscation
• Data destruction
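The three principles above (inventory and classify, apply data-layer controls, reduce the value of the data) can be seen end to end in a small script. This is an added example written for this page, not code from the presentation or from Deloitte. The sample record strings, the Luhn-validated card detection, the label scheme (Confidential / Internal / Public) and the HMAC-based vault tokenization design are all constructed assumptions for illustration, not a specific product’s scheme.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample records (not real customer data): the first carries a
# card number that passes the Luhn check, the second a 16-digit reference
# that does not, the third only an e-mail address.
SAMPLE_RECORDS = [
    "order 1001 paid with card 4111111111111111 by alice@example.com",
    "order 1002 reference 1234567890123456 shipped",
    "order 1003 paid by invoice, contact bob@example.com",
]

# 13-19 digits with optional single space/dash separators between digits.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, so that an arbitrary run of digits (order ids,
    reference numbers) is not inventoried as a payment card: a classic
    source of DLP false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: str) -> dict:
    """Inventory and classification step: find sensitive data types in one
    record and derive its label (Confidential > Internal > Public)."""
    cards = [m.group(0) for m in CARD_RE.finditer(record)
             if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    emails = EMAIL_RE.findall(record)
    if cards:
        label = "Confidential"
    elif emails:
        label = "Internal"
    else:
        label = "Public"
    return {"label": label, "cards": cards, "emails": emails}


@dataclass
class TokenVault:
    """Vault-style tokenization (an assumed design for this example): the
    token is an HMAC of the value under a key held only by the vault, so a
    token copied out of a breached application database has no value on its
    own, and the original is recoverable only through the vault."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _store: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:16]
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def protect(record: str, vault: TokenVault) -> tuple:
    """Devaluation step: swap each classified card number for a vault token.
    Returns (label, protected_record)."""
    info = classify(record)
    protected = record
    for card in info["cards"]:
        protected = protected.replace(card, vault.tokenize(card))
    return info["label"], protected


def inventory(records, vault: TokenVault) -> list:
    """Run classification and tokenization over a batch, returning one
    inventory entry per record (label plus what is actually stored)."""
    return [{"label": lbl, "stored": rec}
            for lbl, rec in (protect(r, vault) for r in records)]


if __name__ == "__main__":
    v = TokenVault()
    for entry in inventory(SAMPLE_RECORDS, v):
        print(entry)
```

The point of the vault is principle 3: after `protect` runs, the application store holds only tokens, and an adversary who reaches it gets nothing usable without also compromising the vault key, which is the asset the inside-out controls then concentrate on.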

Siloed data protection doesn’t work
[Figure: data protection capabilities mapped across the data lifecycle.]
Data lifecycle: data collection; data storage; data usage and sharing; data retention and destruction.
Data targets: web apps; scanners/printers; physical documents; databases and storage devices; cloud data transfers; end user reporting; application data transfers; retain data on storage devices; destroy electronic data and physical documents after use.
Data protection capabilities: data discovery and inventory; data classification; data loss prevention; data access governance; database security; data encryption, tokenization, and obfuscation; key and certificate management; information rights management; data destruction.

Data protection from the “outside-in”

Value for combining protection and deception
Value: 1. Identify anomalous activity within the “noise” of the enterprise; 2. Confuse the adversary; 3. Execute and monitor.
Impact: control your enterprise; decrease the impact of an incident; maintain positive control of your organization’s data.

Deception methods from the “outside-in”
• Data flooding
• Honeypots / honeysticks / IoT pot
• Simulated servers
• Intentional misconfiguration
• Automated anomaly characterization
• Fake data insertion
• Automated anomaly response
• Traffic misdirection

Structure for deception
1. Develop infrastructure profile
   • Perform cyber reconnaissance on organization to determine external footprint & profile
   • Perform internal mapping (of business, network, systems, & activity)
2. Developing deception characteristics
   • Determine threat sophistication for Deception GRID (based on organizational characteristics)
   • Identify operational characteristics (i.e., weaknesses/vulnerabilities)
3. Develop deception plan
   • Develop size, scale, mock data, scaling characteristics, required devices, & mock systems/applications
   • Determine monitoring methods and notification procedures
4. Deception infrastructure activation
   • Develop activation procedures (and required secondary activities)
   • Place deception GRID into (hostile or secondary) environment (remote, local, device, or cross-connected)
5. GRID monitoring/collection
   • Place monitoring systems (external and internal)
   • Initiate monitoring collection for anomalies and indicators
   • Recover, collect, and/or kill/wipe Deception GRID (for deep analysis)
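As an added example that serves both the deception methods listed earlier (fake data insertion, automated anomaly characterization, automated anomaly response) and the GRID monitoring/collection phase above, here is a decoy-record monitor written for this page; it is not Deloitte’s tooling and not from the presentation. The decoy record format, the JSON audit-log lines, the user names, addresses and timestamps, and the bulk-read threshold are all constructed assumptions.

```python
import json
import random


def make_fake_records(n: int, seed=None, prefix: str = "ACCT") -> list:
    """Fake data insertion: generate decoy rows shaped like real account rows.
    The rows carry no marker; what distinguishes them is the private canary
    list kept by the monitor, since no legitimate code path references them.
    A seed makes the example reproducible; with seed=None the ids come from
    the OS entropy source as a deployment would want."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return [
        {"id": f"{prefix}-{rng.randrange(10**8):08d}",
         "balance": round(rng.uniform(10, 5000), 2)}
        for _ in range(n)
    ]


def build_sample_log(canaries: set) -> list:
    """Constructed audit log (JSON lines, one event per row touched), as a
    database activity monitor might emit: routine reads by the application
    account, then an ad-hoc account sweeping rows, one of them a decoy.
    Timestamps, users and addresses are made up for the example."""
    decoy = sorted(canaries)[0]
    events = [
        {"ts": "2017-02-14T09:00:01Z", "user": "app_svc", "src": "10.0.1.20",
         "op": "SELECT", "row": "ACCT-00001234"},
        {"ts": "2017-02-14T09:00:02Z", "user": "app_svc", "src": "10.0.1.20",
         "op": "UPDATE", "row": "ACCT-00001234"},
        {"ts": "2017-02-14T09:00:05Z", "user": "app_svc", "src": "10.0.1.21",
         "op": "SELECT", "row": "ACCT-00005678"},
        {"ts": "2017-02-14T02:13:40Z", "user": "dba_tmp", "src": "10.0.9.77",
         "op": "SELECT", "row": "ACCT-00001234"},
        {"ts": "2017-02-14T02:13:40Z", "user": "dba_tmp", "src": "10.0.9.77",
         "op": "SELECT", "row": decoy},
        {"ts": "2017-02-14T02:13:41Z", "user": "dba_tmp", "src": "10.0.9.77",
         "op": "SELECT", "row": "ACCT-00005678"},
    ]
    return [json.dumps(e) for e in events]


def detect_canary_access(log_lines, canaries: set, bulk_threshold: int = 3) -> list:
    """Monitoring/collection: any touch of a canary row is an indicator.
    Each alert is characterized with how many distinct rows the same actor
    (user, source address) touched in this log, and carries a response
    recommendation: isolate the source when it looks like a bulk read,
    otherwise alert only. The threshold is an assumed tuning value."""
    events = [json.loads(line) for line in log_lines]
    distinct_rows = {}
    for e in events:
        distinct_rows.setdefault((e["user"], e["src"]), set()).add(e["row"])
    alerts = []
    for e in events:
        if e["row"] not in canaries:
            continue
        touched = len(distinct_rows[(e["user"], e["src"])])
        alerts.append({
            "canary": e["row"], "user": e["user"], "src": e["src"],
            "op": e["op"], "ts": e["ts"],
            "rows_touched_by_actor": touched,
            "response": ("isolate_source_and_revoke_session"
                         if touched >= bulk_threshold else "alert_only"),
        })
    return alerts


if __name__ == "__main__":
    decoys = make_fake_records(5, seed=7)
    canary_ids = {d["id"] for d in decoys}
    for alert in detect_canary_access(build_sample_log(canary_ids), canary_ids):
        print(json.dumps(alert))
```

The routine application traffic produces no alerts because it never references a decoy, which is what lets the canary hit stand out from the “noise” of the enterprise; the characterization (distinct rows per actor) is what turns a single indicator into a graded response.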

Examples and application: Integration of “inside-out” and “outside-in” techniques

Combined approach to protection and deception
Example attack model: recon; assembly of malware; malware delivery; exploitation; malware installation; internal network reconnaissance; obfuscation & deception; remote control (of a botnet); multiple probes & attempts.
Inside-out controls: classification; encryption; data loss prevention; database activity monitoring; information rights management.
Outside-in techniques: data flooding; automated anomaly response; intentional misconfiguration; honeypots; traffic misdirection.

Example 1: Combined approach applied
Inside-out (your organization):
• Crown jewel data created and classified (Confidential)
• Crown jewel data encrypted at storage; access limited by DAG (encryption & data access governance)
• Crown jewel usage and sharing monitored and blocked by DLP and rights management services (RMS)
• Crown jewels discovered, then quarantined, encrypted, or destroyed via classification and DLP
• Crown jewels protected from malware via previously implemented inside-out controls
Outside-in (bad actors): traffic misdirection; honeypots; fake data; data flooding; bad actor monitoring.
Attack chain shown: reconnaissance; malware assembly; malware delivery; exploitation; malware installation; internal reconnaissance; obfuscation & deception; covert channel; remote control.

Example 2: Combined approach applied
Inside-out (your organization):
• Crown jewel data created and classified (Confidential)
• Crown jewel data encrypted at storage; access limited by DAG (encryption and rights management)
• Crown jewel usage and sharing monitored and blocked by DLP + RMS
• Crown jewels discovered, then quarantined, encrypted, or destroyed via classification + DLP
Outside-in (bad actors): traffic misdirection; honeypots; fake data; data flooding; bad actor monitoring.
Attack chain shown: reconnaissance; malware assembly; malware delivery; exploitation; malware installation; internal reconnaissance; obfuscation & deception; covert channel; remote control.
Deception techniques devalue data while inside-out methods keep true data secure.

Applying data protection and deception
Now
• Inside-out: inventory and classify your “crown jewels” and establish processes to maintain the inventory and classify “by design”
• Outside-in: get to know your adversaries; perform internal and external reconnaissance to understand your network footprint
Next
• Inside-out: implement additional inside-out data protection solutions based on your risk profile and tolerance
• Outside-in: identify deception practices to counter your adversaries: develop size, scale, and mock data corresponding to required devices in the deception schema
Future
• Inside-out: integrate inside-out data protection solutions for more “holistic” data protection at your last line of defense
• Outside-in: monitor threat information from internal and external sensors; apply what you learn from cyber incidents against your adversary

Questions
Dan Frank, Principal | Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP
111 S Wacker Dr., Chicago, IL 60606-4301 | Tel: +1 312 401 0125
Craig Astrich, Managing Director | Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP
1919 N Lynn St., Arlington, VA 22209 | Tel: +1 202 256 7405

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.