2016 data protection benchmark study: are you at risk?
TRANSCRIPT
© 2016 ISACA. All Rights Reserved
ARE YOU AT RISK? 2016 DATA PROTECTION BENCHMARK STUDY
Rob Gresham, Foundstone Threat Hunting Practice Lead, Intel Security
10 Nov 2016
WELCOME
• Have a question for the speaker? Text it in using the Ask A Question button!
• Audio is streamed over your computer
• Technical issues? Click the ? button
• Use the Feedback button to share your feedback about today’s event
• Questions or suggestions? Visit https://support.isaca.org
Use the Attachments Button to find the following:
• PDF Copy of today’s presentation
• Link to the Event Home Page where ISACA members can find the CPE Quiz
• Upcoming ISACA Events
• More assets from today’s webcast
TODAY’S SPEAKER
Rob Gresham
Practice Lead, Threat Hunting
Foundstone Services
AGENDA
Latest Research Results
Most Risky Industries
Best Practices and Recommendations
DEMOGRAPHICS AT A GLANCE
1000 companies surveyed
By country: Australia 7%, New Zealand 2%, Singapore 6%, India 20%, Canada 5%, US 40%, UK 20%
By industry: Financial services 22%, Government 20%, Healthcare 17%, Manufacturing 18%, Retail 23%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
REASONS FOR HAVING DLP
• Protect data: 77%
• Industry regulatory compliance: 56%
• Legal legislation: 52%
• As a direct result of a data loss incident: 39%
• Understand and manage the data we have: 30%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
POINTS OF DLP VISIBILITY
Chart values in the order shown: 51%, 37%, 12%, 7%, across the categories
• Network (data in motion, egress points)
• Endpoint (data in use, e.g. end-user activity such as USB, print and email)
• Cloud
• Discovery (data at rest)
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
TYPES OF ACTIVITIES BEING MONITORED
Percent of respondents:
• Inappropriate use of company financial data (e.g. sending a financial report via email): 57%
• Sharing of or access to PCI data (personal credit information): 48%
• Sharing of or access to employee and customer PII/PHI data: 38%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
AVERAGE NUMBER OF DAILY INCIDENTS GENERATED
Number of daily incidents, by type:
• Suspicious uses of email (e.g. use of email to communicate with primary competitors): 21
• Sharing of or access to employee PII/PHI data (personally identifiable information / personal health information): 17
• Inappropriate use of company financial data (e.g. sending a financial report via email): 16
• Sharing of or access to customer PII/PHI data (personally identifiable information / personal health information): 14
• Sharing of or access to PCI data (personal credit information): 15
• Sharing of or access to confidential company Intellectual Property (IP) data (e.g. strategic plans, designs, CAD…): 12
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
KEY CAUSES FOR INCREASED INCIDENTS
• New project deployment (e.g. marketing campaigns, promotional pricing): 40%
• Internal reorganization: 38%
• New product launches (e.g. hardware or software): 35%
• Corporate strategic planning activities (e.g. corporate announcements): 33%
• Peak seasons of demand: 29%
• Merger/acquisition or divestiture: 25%
• Financial disclosures (e.g. annual/quarterly earnings report): 25%
• Employees' use of social media: 24%
• Nothing in particular increases this: 15%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
REASONS FOR HAVING DLP BY VERTICAL INDUSTRY
Chart: the five reasons above (Protect data; Industry regulatory compliance; Legal legislation; As a direct result of a data loss incident; Understand and manage the data we have) broken down for Manufacturing, Retail, Government, Healthcare and Financial services. Per-vertical percentages did not survive extraction.
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
AVERAGE NUMBER OF DAILY INCIDENTS
Average number of incidents per day, by vertical:
• Manufacturing: 17
• Healthcare: 19
• Retail: 20
• Government: 22
• Financial services: 22
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
AVERAGE COST OF DATA BREACH PER RECORD
Values shown: $355, $221, $172, $156, $80. The chart's per-vertical labels did not survive extraction.
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
NUMBER OF INCIDENTS GENERATED PER DAY
Chart: percent of respondents by daily-incident bucket (1-5, 6-10, 11-20, 21-30, 31-50, 51-75, more than 75), grouped into Low / Medium / High bands, for Total, Financial services, Healthcare, Government, Retail and Manufacturing, with the average marked. Percentages did not survive extraction.
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
KEY CAUSES FOR INCREASED INCIDENTS (BY VERTICAL)
Chart: New project deployment (e.g. marketing campaigns, promotional pricing); Internal reorganization; New product launches; Corporate strategic planning activities (e.g. corporate announcements); Peak seasons of demand; Merger/acquisition or divestiture; Financial disclosures (e.g. annual/quarterly earnings report), each broken down for Financial services, Healthcare, Government, Retail and Manufacturing. Percentages did not survive extraction.
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
WHO IS SHARING?
Outputs from our DLP are kept within the security team / shared across functions with business leaders:
• Financial services: 63% / 37%
• Government: 65% / 35%
• Healthcare: 65% / 35%
• Manufacturing: 70% / 30%
• Retail: 73% / 27%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
WHERE IS EVERYONE TODAY
Percent of respondents:
• 5 – we have a fully deployed solution that meets all of our requirements: 34%
• 4 – we have a fully deployed solution that meets most of our requirements: 49%
• 3 – we have a partially deployed solution that meets some of our requirements: 14%
• 2 – we only have a limited solution that needs development: 2%
• 1 – we are still in the early stages of adopting a solution: 2%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
DLP CONFIGURATIONS USED BY YOUR PEERS
Chart: percent of respondents per configuration, eight values shown (5%, 19%, 10%, 12%, 14%, 14%, 9%, 18%). The configuration labels did not survive extraction.
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
WHO IS BLOCKING IN ADDITION TO MONITORING?
• Turned on blocking at initial deployment: 55%
• Turned on blocking since initial deployment: 35%
• Not yet turned on blocking, but plan to: 9%
• No plans to turn on blocking: 1%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
WHERE ARE YOU TODAY?
What most companies are doing. Each capability is rated Initial / Developing / Optimizing:
• Blocking
• Device Control & Encryption
• Monitoring Network & Endpoint Traffic
• Discovery & Classification
• Policy Creation
• End-user Awareness & Enforcement
• Visibility & Control
WHERE ARE YOU TODAY?
What you should be doing! The same capabilities, rated Initial / Developing / Optimizing:
• Blocking
• Device Control & Encryption
• Monitoring Network & Endpoint Traffic
• Discovery & Classification
• Policy Creation
• End-user Awareness & Enforcement
• Visibility & Control
MANY ORGANIZATIONS TRAIN THEIR EMPLOYEES
Q: Are you training your employees on safe handling of sensitive data?
• Yes: 86%
• No: 12%
• I don't know: 2%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
FEW ARE SHARING DLP RESULTS WITH BUSINESS UNITS
• Outputs from our DLP are kept within the security team: 67%
• Outputs from our DLP are shared across functions with business leaders: 33%
Source: 2016 Data Protection Benchmark Study, September, 2016, Intel Security
TREAT IT AS A BUSINESS PROCESS
The Data Protection plan is a whole-organization effort for successful prevention.
• Identify the Corporate Champion
• Convey the principle and the risk
• Provide the overarching guidance
• Educate your end-users
DLP program components: Compliance, Governance, Classification, Remediation, Awareness, Discovery, Policies, Risk Assessment
UNDERSTAND YOUR STAKEHOLDERS
Team Data Governance: it takes a village
• Set up a Data Governance team early
• Include data owners and creators
• Use Responsible, Accountable, Consulted, Informed (RACI)
RACI for data governance:
• ACCOUNTABLE: CEO, Business Units, Data Owners/Creators
• RESPONSIBLE: CIO, CISO, Privacy Officer, Risk Officer
• CONSULTED: Legal, Privacy, Human Resources
• INFORMED: Managers, Human Resources, End-users
MANAGING RISK THRESHOLD
Lowering the sensitivity of a rule increases false negatives; raising it increases false positives. The risk threshold is where you choose to sit on that trade-off.
Chart: false negatives and false positives plotted against sensitivity (scale 10 to 100), with the risk threshold marked.
SENSITIVITY AND SPECIFICITY
Triage your rules
• Analyze and understand your data flows
• Add specificity to sensitivity
• Reduce the noise of false positives
• Develop context over content
CREATING CONTEXT
• Finding content is relatively easy
• Finding contextually relevant data is harder
• Context is the information that makes the content understandable
• Contextual content is indisputable
The same number with decreasing context:
SSN 153-34-2359 Gresham Robert DOB 01/09/05
153-34-2359 Gresham Robert 01/09/05
153-34-2359 G R 01/09/05
EXPRESSIVE CONCEPTS
Content Classification FTW: enter content classification
• AND | OR | NOT ( + - ! )
• Use compounding logical statements, adding a condition at each step:
• Keywords AND SSN AND (First Name AND Last Name)
• Keywords AND SSN > 10 AND NOT SSN > 100 AND (First Name AND Last Name > 10)
• Keywords AND SSN > 10 AND NOT SSN > 100 AND (First Name AND Last Name > 10) AND (EPHI OR DOB)
INCIDENT RISK THRESHOLD
Revised rules situation. Severity tiers, with the match-count threshold as printed on the slide:
• Info: used for testing purposes; <10 numbers
• Warning (>10): [Secure]; CCN; SSN; Acct #
• Minor (>100): Keywords &; CCN; SSN; Acct #
• Major (>100): Keywords & Names; CCN; SSN; Acct #
• Critical (>1000): Keywords & Names; SSN; CCN; Acct #s; >1000 SSN, CCN, Acct #s
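An added example (not from the deck, and not Intel Security or Foundstone code) that puts the Creating Context, Expressive Concepts and Incident Risk Threshold slides into runnable form: content detection for SSNs, card numbers, dates of birth and names; the deck's contextual rule "Keywords AND SSN AND (First Name AND Last Name)"; and a severity ladder driven by match count plus context that decides monitor versus block. The keyword list, the name and date patterns, the reading of Minor as "keywords without names" (the slide prints >100 for both Minor and Major), and the choice to block at Major and above are all assumptions made for the example. The sample documents are constructed; the first three are the deck's own illustration lines, the bulk ones use generated, fictitious SSNs.

```python
"""Context-aware DLP rule: content match versus contextual match, compound
rules with count thresholds, and severity tiers that decide monitor vs block.
Added example, not from the 2016 Data Protection Benchmark Study deck."""
import re
from dataclasses import dataclass

# Detectors. The SSN pattern rejects area/group/serial values that are never
# issued (000, 666 and 9xx areas, 00 group, 0000 serial). The card pattern only
# accepts the common 16-digit, four-group layout and is confirmed with a Luhn
# check, which is the "specificity" the deck asks for on top of sensitivity.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CCN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/\d{2,4}\b")
NAME_RE = re.compile(r"\b[A-Z][a-z]{2,} [A-Z][a-z]{2,}\b")  # "Gresham Robert", not "G R"
KEYWORDS = ("ssn", "social security", "dob", "[secure]", "patient")  # assumed list


def luhn_ok(number: str) -> bool:
    """Luhn checksum: drops about 90% of digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Features:
    ssn: int
    ccn: int
    dob: int
    names: int
    keywords: int


def extract(text: str) -> Features:
    """Content detection: count each identifier type present in the text."""
    low = text.lower()
    return Features(
        ssn=len(SSN_RE.findall(text)),
        ccn=sum(1 for m in CCN_RE.findall(text) if luhn_ok(m)),
        dob=len(DOB_RE.findall(text)),
        names=len(NAME_RE.findall(text)),
        keywords=sum(low.count(k) for k in KEYWORDS),
    )


def contextual_match(f: Features) -> bool:
    """The deck's rule 'Keywords AND SSN AND (First Name AND Last Name)'."""
    return f.keywords > 0 and f.ssn > 0 and f.names > 0


def severity(f: Features) -> str:
    """Tier by identifier count plus context, after the deck's Info / Warning /
    Minor / Major / Critical ladder. Reading Minor as 'keywords but no names'
    is an assumption for this example."""
    n = f.ssn + f.ccn
    with_names = f.keywords > 0 and f.names > 0
    if n > 1000 and with_names:
        return "Critical"
    if n > 100 and with_names:
        return "Major"
    if n > 100 and f.keywords > 0:
        return "Minor"
    if n > 10 and f.keywords > 0:
        return "Warning"
    return "Info"


BLOCK_TIERS = {"Major", "Critical"}  # "block the worst first"; the cut-off is an assumption


def triage(text: str) -> dict:
    f = extract(text)
    sev = severity(f)
    return {"features": f, "context": contextual_match(f), "severity": sev,
            "action": "block" if sev in BLOCK_TIERS else "monitor"}


def fake_ssns(n: int) -> str:
    """Constructed, well-formed but fictitious SSNs for the bulk samples."""
    return " ".join(f"{100 + i // 90:03d}-{10 + i % 90:02d}-{1000 + i:04d}" for i in range(n))


# Constructed samples; the first three are the deck's own illustration lines.
SAMPLES = {
    "labelled": "SSN 153-34-2359 Gresham Robert DOB 01/09/05",
    "unlabelled": "153-34-2359 Gresham Robert 01/09/05",
    "initials": "153-34-2359 G R 01/09/05",
    "secure_export": "[Secure] payroll export " + fake_ssns(20)
                     + " card 4111-1111-1111-1111 and 1234-5678-9012-3456",
    "bulk_no_names": "SSN list: " + fake_ssns(150),
    "bulk_with_names": "SSN export for Gresham Robert " + fake_ssns(150),
    "roster": "SSN roster, owner Gresham Robert: " + fake_ssns(1200),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = triage(text)
        print(f"{name:16s} context={r['context']!s:5s} {r['severity']:8s} {r['action']}")
```

Running it shows the deck's two points side by side: only the fully labelled line is a contextual match (the unlabelled and initials-only lines carry the same SSN but no context), and the malformed card number in the `[Secure]` export is discarded by the Luhn check, so that document lands in Warning on twenty-one identifiers rather than being inflated by a false positive. The two 150-identifier documents differ only in whether a name is present, which is what moves one of them from Minor (monitor) to Major (block).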
INCIDENT RISK THRESHOLD
Block the worst first. The same Info / Warning / Minor / Major / Critical tiers, annotated on the slide with the threshold at which events become incidents and the threshold at which incidents are blocked.
YOUR CALL TO ACTION
Get to blocking ASAP!
• Monitor all others
• Classify contextual rules by severity
• Analyze false positives to improve blocking efficiency
• Communicate to the business customer and value the feedback
• Maximize resources by blocking
• Don't give out the particulars, convey the principles
• Initial blocking ratio is 5-10% false positives
Questions?
Intel and the Intel and McAfee logos are trademarks of Intel Corporation in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2016 Intel Corporation.
For more information, visit www.foundstone.com
THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL
FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING
THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-
INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.
YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS
DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND
THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE
PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR
CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF
THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING
PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE
APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.
Copyright © 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This
webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).