2016 data protection benchmark study: are you at risk?

Rob Gresham, Foundstone Threat Hunting Practice Lead, Intel Security

10 Nov 2016

© 2016 ISACA. All Rights Reserved


WELCOME

• Have a question for the speaker? Text it in using the Ask A Question button!

• Audio is streamed over your computer

• Technical issues? Click the ? button

• Use the Feedback button to share your feedback about today’s event

• Questions or suggestions? Visit https://support.isaca.org

Use the Attachments Button to find the following:

• PDF Copy of today’s presentation

• Link to the Event Home Page where ISACA members can find the CPE Quiz

• Upcoming ISACA Events

• More assets from today’s webcast


TODAY’S SPEAKER


Rob Gresham

Practice Lead, Threat Hunting

Foundstone Services


AGENDA

Latest Research Results

Most Risky Industries

Best Practices and Recommendations


KEY FINDINGS AT A GLANCE


DEMOGRAPHICS AT A GLANCE

1000 companies surveyed

By country:

• US: 40%

• India: 20%

• UK: 20%

• Australia: 7%

• Singapore: 6%

• Canada: 5%

• New Zealand: 2%

By industry:

• Retail: 23%

• Financial services: 22%

• Government: 20%

• Manufacturing: 18%

• Healthcare: 17%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

REASONS FOR HAVING DLP

Percent of respondents:

• Protect data: 77%

• Industry regulatory compliance: 56%

• Legal legislation: 52%

• As a direct result of a data loss incident: 39%

• Understand and manage the data we have: 30%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

POINTS OF DLP VISIBILITY

Percent of respondents, in chart order:

• Network (data in motion, egress points): 51%

• Endpoint (data in use, e.g. end-user activity such as USB, print and email): 37%

• Cloud: 12%

• Discovery (data at rest): 7%

Chart legend: Network & Discover, Endpoint

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

TYPES OF ACTIVITIES BEING MONITORED

Percent of respondents:

• Inappropriate use of company financial data (e.g. sending financial report via email): 57%

• Sharing of or access to PCI data (personal credit information): 48%

• Sharing of or access to employee and customer PII/PHI data: 38%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

AVERAGE NUMBER OF DAILY INCIDENTS GENERATED

Number of daily incidents, by activity type:

• Suspicious uses of email (e.g. use of email to communicate with primary competitors): 21

• Sharing of or access to employee PII/PHI data (personally identifiable information/personal health information): 17

• Inappropriate use of company financial data (e.g. sending financial report via email): 16

• Sharing of or access to customer PII/PHI data (personally identifiable information/personal health information): 14

• Sharing of or access to PCI data (personal credit information): 15

• Sharing of or access to confidential company Intellectual Property (IP) data (e.g. strategic plans, designs, CAD…): 12

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

KEY CAUSES FOR INCREASED INCIDENTS

Percent of respondents:

• New project deployment (e.g. marketing campaigns, promotional pricing): 40%

• Internal reorganization: 38%

• New product launches (e.g. hardware or software): 35%

• Corporate strategic planning activities (e.g. corporate announcements): 33%

• Peak seasons of demand: 29%

• Merger/acquisition or divestiture: 25%

• Financial disclosures (e.g. annual/quarterly earnings report): 25%

• Employees' use of social media: 24%

• Nothing in particular increases this: 15%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

MOST RISKY INDUSTRIES


REASONS FOR HAVING DLP BY VERTICAL INDUSTRY

Chart (percent of respondents, 0-100%) by industry: Manufacturing, Retail, Government, Healthcare, Financial services. Reasons charted: Protect data; Industry regulatory compliance; Legal legislation; As a direct result of a data loss incident; Understand and manage the data we have.

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

AVERAGE NUMBER OF DAILY INCIDENTS

Average number of incidents per day, by industry:

• Manufacturing: 17

• Healthcare: 19

• Retail: 20

• Government: 22

• Financial services: 22

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

AVERAGE COST OF DATA BREACH PER RECORD

Values shown on the chart: $355, $221, $172, $156, $80

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

NUMBER OF INCIDENTS GENERATED PER DAY

Chart: percent of respondents (0-40%) by daily incident band: 1-5, 6-10, 11-20, 21-30, 31-50, 51-75, More than 75 (grouped as Low, Medium, High), with series for Total, Financial services, Healthcare, Government, Retail and Manufacturing, and the average marked.

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

KEY CAUSES FOR INCREASED INCIDENTS

Chart (percent of respondents, 0-60%) by industry: Financial services, Healthcare, Government, Retail, Manufacturing. Causes charted: New project deployment (e.g. marketing campaigns, promotional pricing); Internal reorganization; New product launches; Corporate strategic planning activities (e.g. corporate announcements); Peak seasons of demand; Merger/acquisition or divestiture; Financial disclosures (e.g. annual/quarterly earnings report).

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

WHO IS SHARING?

Outputs from our DLP are kept within the security team / shared across functions with business leaders:

• Financial services: 63% / 37%

• Government: 65% / 35%

• Healthcare: 65% / 35%

• Manufacturing: 70% / 30%

• Retail: 73% / 27%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

RENEWING YOUR DLP PROGRAM


WHERE IS EVERYONE TODAY

Percent of respondents:

• 5 – we have a fully deployed solution that meets all of our requirements: 34%

• 4 – we have a fully deployed solution that meets most of our requirements: 49%

• 3 – we have a partially deployed solution that meets some of our requirements: 14%

• 2 – we only have a limited solution that needs development: 2%

• 1 – we are still in the early stages of adopting a solution: 2%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

DLP CONFIGURATIONS USED BY YOUR PEERS

Percent of respondents, values shown on the chart: 5%, 19%, 10%, 12%, 14%, 14%, 9%, 18%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

WHO IS BLOCKING IN ADDITION TO MONITORING?

• Turned on blocking at initial deployment: 55%

• Turned on blocking since initial deployment: 35%

• Not yet turned on blocking, but plan to: 9%

• No plans to turn on blocking: 1%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

WHERE ARE YOU TODAY?

Maturity stages: Initial, Developing, Optimizing

Capabilities rated against those stages:

• Blocking

• Device Control & Encryption

• Monitoring Network & Endpoint Traffic

• Discovery & Classification

• Policy Creation

• End-user Awareness & Enforcement

• Visibility & Control

What most companies are doing?

WHERE ARE YOU TODAY?

The same maturity matrix (Initial, Developing, Optimizing across Blocking; Device Control & Encryption; Monitoring Network & Endpoint Traffic; Discovery & Classification; Policy Creation; End-user Awareness & Enforcement; Visibility & Control).

What you should be doing!

MANY ORGANIZATIONS TRAIN THEIR EMPLOYEES

Q: Are you training your employees on safe handling of sensitive data?

• Yes: 86%

• No: 12%

• I don’t know: 2%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

FEW ARE SHARING DLP RESULTS WITH BUSINESS UNITS

• Outputs from our DLP are kept within the security team: 67%

• Outputs from our DLP are shared across functions with business leaders: 33%

Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security

TREAT IT AS A BUSINESS PROCESS

The Data Protection plan is a whole organization effort for successful prevention.

• Identify the Corporate Champion

• Convey the principle and the risk

• Provide the overarching guidance

• Educate your end-users

Process elements around DLP: Compliance, Governance, Classification, Remediation, Awareness, Discovery, Policies, Risk Assessment

UNDERSTAND YOUR STAKEHOLDERS

Team Data Governance: it takes a village

• Set up a Data Governance team early

• Include data owners and creators

• Utilize Responsible, Accountable, Consulted, Informed (RACI)

ACCOUNTABLE: CEO, Business Units, Data Owners/Creators

RESPONSIBLE: CIO, CISO, Privacy Officer, Risk Officer

CONSULT: Legal, Privacy, Human Resources

INFORM: Managers, Human Resources, End-users

LAYERING YOUR SUCCESS


MANAGING RISK THRESHOLD

Lowering the sensitivity increases false negatives; raising it increases false positives.

Chart: false negatives and false positives plotted against sensitivity, with the risk threshold marked.

SENSITIVITY AND SPECIFICITY

Triage your rules

• Analyze and understand your data flows

• Add specificity to sensitivity

• Reduce the noise of false positives

• Develop context over content

CREATING CONTEXT

• Finding content is relatively easy

• Finding contextually relevant data is harder

• Context is the information that makes the content understandable

• Contextual content is indisputable

Examples, from full context down to bare content:

SSN 153-34-2359 Gresham Robert DOB 01/09/05

153-34-2359 Gresham Robert 01/09/05

153-34-2359 G R 01/09/05

EXPRESSIVE CONCEPTS

Content Classification FTW - Enter Content Classification

• AND | OR | NOT ( + - ! )

• Use compounding logical statements

• Keywords AND SSN AND (First Name AND Last Name)

• Keywords AND SSN > 10 AND NOT SSN > 100 AND (First Name AND Last Name > 10)

• Keywords AND SSN > 10 AND NOT SSN > 100 AND (First Name AND Last Name > 10) AND (EPHI OR DOB)
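The context examples on the CREATING CONTEXT slide and the compound rule statements above, worked through as an added Python example (not code from the webinar or from Intel Security). It scores how much context surrounds an SSN on a line, counts the content elements a rule tests, and evaluates the three rule expressions exactly as written on the slide. The keyword and EPHI term lists, the name pattern, the roster records and their identifiers are all constructed for this example.

```python
"""Content versus context in DLP rule logic (added example, not from the webinar)."""
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b\d{2}/\d{2}/\d{2,4}\b")
# A full name is two capitalised words; bare initials such as "G R" do not match.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")
KEYWORDS = ("ssn", "social security", "confidential")   # assumed keyword list
EPHI_TERMS = ("patient", "diagnosis", "mrn")             # assumed EPHI indicators


def context_score(line: str) -> int:
    """Count the contextual markers around an SSN on one line (0..4).

    Markers: an 'SSN' label, a full first+last name, a 'DOB' label and a date.
    4 is the fully labelled record from the slide; 1 is a nine-digit number next
    to a date, which on its own is easy to dispute.
    """
    if not SSN_RE.search(line):
        return 0
    lower = line.lower()
    markers = (
        "ssn" in lower,
        NAME_RE.search(line) is not None,
        "dob" in lower,
        DATE_RE.search(line) is not None,
    )
    return sum(markers)


@dataclass
class Counts:
    keywords: int
    ssn: int
    names: int   # first+last pairs found
    dob: int
    ephi: int


def detect(text: str) -> Counts:
    """Count the content elements that the rule expressions test."""
    lower = text.lower()
    return Counts(
        keywords=sum(lower.count(k) for k in KEYWORDS),
        ssn=len(SSN_RE.findall(text)),
        names=len(NAME_RE.findall(text)),
        dob=len(DATE_RE.findall(text)),
        ephi=sum(lower.count(t) for t in EPHI_TERMS),
    )


def rule_basic(c: Counts) -> bool:
    """Keywords AND SSN AND (First Name AND Last Name)"""
    return c.keywords > 0 and c.ssn > 0 and c.names > 0


def rule_bounded(c: Counts) -> bool:
    """Keywords AND SSN > 10 AND NOT SSN > 100 AND (First Name AND Last Name > 10).

    NOT SSN > 100 keeps this rule off bulk dumps, which a separate,
    higher-severity rule should own.
    """
    return c.keywords > 0 and 10 < c.ssn <= 100 and c.names > 10


def rule_health(c: Counts) -> bool:
    """... AND (EPHI OR DOB): the bounded rule narrowed to health records."""
    return rule_bounded(c) and (c.ephi > 0 or c.dob > 0)


def evaluate(text: str) -> dict:
    """Run every rule over a document and report which ones fired."""
    c = detect(text)
    return {"basic": rule_basic(c), "bounded": rule_bounded(c), "health": rule_health(c)}


LAST = ("Gresham", "Doe", "Smith", "Lee")
FIRST = ("Robert", "Jane", "Ana", "Omar")


def build_roster(n: int) -> str:
    """Constructed patient roster with n labelled records (synthetic identifiers)."""
    rows = [
        f"SSN {100 + i % 800:03d}-45-6789 {LAST[i % 4]} {FIRST[i % 4]} DOB 01/09/05"
        for i in range(n)
    ]
    return "Patient roster - CONFIDENTIAL\n" + "\n".join(rows)


if __name__ == "__main__":
    for line in ("SSN 123-45-6789 Gresham Robert DOB 01/09/05",
                 "123-45-6789 Gresham Robert 01/09/05",
                 "123-45-6789 G R 01/09/05"):
        print(context_score(line), line)
    for n in (5, 20, 150):
        print(n, evaluate(build_roster(n)))
```

Running it shows the three slide lines scoring 4, 2 and 1, a 5-record roster firing only the basic rule, a 20-record roster firing all three, and a 150-record roster dropping out of the bounded rules because of the NOT SSN > 100 clause.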

INCIDENT RISK THRESHOLD

Revised rules situation

Info

• Used for testing purposes

• <10 numbers

Warning (>10)

• [Secure]

• CCN

• SSN

• Acct #

Minor (>100)

• Keywords &

• CCN

• SSN

• Acct #

Major (>100)

• Keywords & Names

• CCN

• SSN

• Acct #

Critical (>1000)

• Keywords & Names

• SSN

• CCN

• Acct #'s

• >1000 SSN, CCN, Acct's

INCIDENT RISK THRESHOLD

Block the worst first

The same five tiers as the previous slide (Info, Warning, Minor, Major, Critical), now annotated with a threshold line: tiers above it are blocked incidents, tiers below it are monitored events.

INCIDENT RISK THRESHOLD

Block the worst first

The same five tiers again, with the threshold and the blocked incidents highlighted.
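The three INCIDENT RISK THRESHOLD slides and the "block the worst first" idea, as an added Python example (not code from the webinar or from Intel Security). It maps a match to the slide's tiers, blocks at or above a chosen tier while monitoring the rest, and uses analyst false-positive verdicts to pick the lowest tier that can be blocked within a target false-positive share. The reading that Minor and Major share the >100 count and differ in whether names accompany the keywords, the handling of exactly 10 or 100 matches, and the sample events are assumptions of this example.

```python
"""Incident risk tiers and 'block the worst first' (added example, not from the webinar)."""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    INFO = 0
    WARNING = 1
    MINOR = 2
    MAJOR = 3
    CRITICAL = 4


@dataclass
class Match:
    identifiers: int   # SSNs, card numbers and account numbers found, summed
    keywords: bool     # rule keywords present
    names: bool        # first+last names present alongside the identifiers


def classify(m: Match) -> Severity:
    """Map a match to the slide's tiers, most severe first.

    Assumed reading of the slide: Major and Critical need keywords AND names
    (contextual content), Minor needs keywords only, Warning is count only.
    """
    contextual = m.keywords and m.names
    if m.identifiers > 1000 and contextual:
        return Severity.CRITICAL
    if m.identifiers > 100 and contextual:
        return Severity.MAJOR
    if m.identifiers > 100 and m.keywords:
        return Severity.MINOR
    if m.identifiers > 10:
        return Severity.WARNING
    return Severity.INFO   # <10 numbers: testing only


def decide(sev: Severity, block_at: Severity) -> str:
    """Block at or above the threshold tier; monitor everything else."""
    return "block" if sev >= block_at else "monitor"


def false_positive_ratio(events, block_at: Severity) -> float:
    """Share of blocked events that analysts marked as false positives."""
    blocked = [fp for m, fp in events if decide(classify(m), block_at) == "block"]
    return sum(blocked) / len(blocked) if blocked else 0.0


def tune_threshold(events, max_fp: float) -> Severity:
    """Lowest blocking tier whose false-positive share stays within max_fp.

    Info is never blocked. If no tier qualifies, block only the worst (Critical)
    and keep refining the rules until the lower tiers can follow.
    """
    for tier in (Severity.WARNING, Severity.MINOR, Severity.MAJOR):
        if false_positive_ratio(events, tier) <= max_fp:
            return tier
    return Severity.CRITICAL


def triage(events, block_at: Severity) -> dict:
    """Count how many events would be blocked versus monitored at a tier."""
    actions = [decide(classify(m), block_at) for m, _ in events]
    return {"block": actions.count("block"), "monitor": actions.count("monitor")}


# Constructed sample: (match, analyst verdict; True means false positive).
SAMPLE_EVENTS = [
    (Match(1500, True, True), False),
    (Match(1200, True, True), False),
    (Match(300, True, True), False),
    (Match(250, True, True), True),
    (Match(150, True, True), False),
    (Match(120, True, False), True),
    (Match(110, True, False), False),
    (Match(40, False, False), True),
    (Match(20, False, False), True),
    (Match(5, False, False), False),
]

if __name__ == "__main__":
    for tier in (Severity.WARNING, Severity.MINOR, Severity.MAJOR, Severity.CRITICAL):
        print(tier.name, triage(SAMPLE_EVENTS, tier),
              round(false_positive_ratio(SAMPLE_EVENTS, tier), 2))
    print("start blocking at:", tune_threshold(SAMPLE_EVENTS, max_fp=0.10).name)
```

With the sample verdicts the Major tier carries a 20% false-positive share, so a 10% target starts blocking at Critical only; loosening the target to 25% moves the block line down to Major. The slide's target band of 5-10% is what the analysis of false positives on the next slide is meant to reach.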

YOUR CALL TO ACTION

Get to blocking ASAP!

• Monitor all others

• Classify contextual rules by severity

• Analyze false positives to improve blocking efficiency

• Communicate to the business customer and value the feedback

• Maximize resources by blocking

• Don’t give out the particulars, convey the principles

• Initial blocking ratio is 5-10% false positives

Questions?

Intel and the Intel and McAfee logos are trademarks of Intel Corporation in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2016 Intel Corporation.

For more information, visit www.foundstone.com

THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.

YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.

Copyright © 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).

THANK YOU FOR ATTENDING THIS WEBINAR