Driving Digital Transformation While Mitigating Risks And Ensuring Compliance
Terry Ray, SVP and Imperva Fellow

Transcript of the slide deck (22 slides). Proprietary and confidential. Do not distribute.

Page 1

Driving Digital Transformation While Mitigating Risks And Ensuring Compliance

Terry Ray, SVP and Imperva Fellow

Page 2

Agenda

● Challenges with Digital Transformation

● Traditional Security Approach

● Risk Assessment Approach

● How Imperva can Help

● Q&A

Page 3

Challenges with Digital Transformation

Page 4

Transformation is Happening

Drive revenue vs. Reduce cost

Methods: Waterfall → Agile → DevOps
Architecture: Monolithic → Tiers → Micro-Services
Servers: Physical → Virtual → Containers
Infrastructure: Datacenter → Hosted → Cloud

Risks

• Unnoticed attacks

• Too much data, EVERYWHERE

• Lack of visibility into who accesses what data, how

• No assurance in existing controls

• Security isn’t part of DevOps

Page 5

Pressures in Financial Services Industry

Risk Mitigation, Transformation, Compliance

• Innovative Fintech models
• Big Tech
• Open Banking
• Complex legacy system
• Digital application
• Cloud adoption
• More data, EVERYWHERE
• Increased competition
• Stricter regulations

Page 6

Compliance

Data Breach Risks

Page 7

Why is Detection so Difficult

Incident overload and alert fatigue: 54% of companies admitted that they tend to ignore security alerts [2]

Lack of skilled security professionals: 70% of CISOs consider it their top concern [3]

Insider threats: Fraud is the most frequent insider threat incident type for financial services [4]

More legitimate data access: 34% of workers said they share passwords or accounts with their coworkers [1]

Sources:
1 https://www.techradar.com/uk/news/the-dangers-of-password-sharing-at-work
2 Security Operations Challenges, Priorities, and Strategies, ESG, 2017
3 What CISOs worry about in 2018, Ponemon Institute, 2018
4 CERT National Insider Threat Center, 2019

Page 8

Traditional Security Approach

Page 9

Security Spending

Spending in Perimeter-based & Identity-based security continues to grow

Page 10

Challenges of Traditional Security Approach

Perimeter-based Security
• Ex: Endpoint, network security
• False assumption: “Trusted” internal network where data is safe
• Can’t protect against insider threats
• Fail to empower a digital workforce to better serve customers while protecting data

Identity & Access Management
• Ex: User authentication
• Identity-aware is a must but not sufficient
• Not designed to detect breaches but to make decisions whether to enable access
• Can’t protect against insider threats

Page 11

Data Breaches Still Happen

Page 12

Risk Assessment Approach

Page 13

Taking a Risk Assessment Approach

• Most organizations are evaluating the value of their security investments based on ability to lower risk (chart categories: Compliance related, Security related)

Source: Dark Reading Report, 2018

Page 14

Example: Gartner Risk Assessment Framework

Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018

• Get alignment with key stakeholders
• Priority = Identify assets + Assess liabilities
• Security = Mitigate prioritized risks

Page 15

Example: Gartner Risk Assessment Framework

Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018

• Start with balancing between business needs and risks
• Don’t jump to security products/solutions
• Enforce consistent policies across hybrid environment

Page 16

To Keep or not to Keep

Maintaining and securing data here is a no-brainer

The Problem is:
• Is there any data that you truly don’t care about?
• If so, can you delete it?

Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018

Page 17

Enabling Digital Transformation while Mitigating Risks

Page 18

Data Security is a Must

“As the business becomes digital, security must become Data-Centric” – Forrester Research, 2018

Page 19

Imperva Security Defense In Depth Architecture

[Architecture diagram; labels recovered from the slide:]
Environments: On-Prem, Hybrid, Cloud. Assets: DATA, APIs, APPs.
Outside the Organization: External Partners, Customers, Contractors, Bad bots, Hackers.
Inside the Organization: Trusted, Internal Partners, Malicious, Careless, Compromised.
App & Data Security: WAF (Cloud and On-Prem), RASP, CDN & LB, DDoS, Bot Protection, API Security, WAF Gateway.
Data Security: Data Insights, Data Audit & Compliance, Data Classification & masking.
Machine Learning & Analytics; SIEM.

*Internal API Security is planned for 2020

Page 20

Example: Buy Down Risks with Data Security

Financial Services: exposure of 100 million unique customer records (e.g. PII)

If a breach happens…
• All users in the system have to be notified; a physical mail costs $0.5 = $50 M
• Fines (e.g. GDPR non-compliant), lawsuit, loss of clients/vital data/productivity, damage to reputation, damage to business relationships = >$50M

Data security controls and what they buy down:
• Data access control − single query should not exceed 10,000 PII records: limits application compromise down to 10,000 PII records = $20,000
• Identify suspicious data access: improve breach prevention
  ‒ Service account abuse
  ‒ Massive data records access
  ‒ Sensitive data access
• Masking sensitive data: prevent data breach risks in non-prod. environments
  ‒ Reduce attack surface in non-production environment

Result: Buying down ~$50M
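The buy-down arithmetic on this slide, carried through as an added example that is not from the deck or from Imperva's products: it computes the notification cost alone (the slide's $0.5 per letter), what the 10,000-record query cap removes from that figure, and flags the three suspicious-access patterns the slide lists over a constructed audit trail. The table names, the `svc_` account naming convention and the audit-record fields are assumptions.

```python
"""Added example (not from the deck): breach-exposure arithmetic and audit checks
for the slide's data security controls. Figures, names and records are constructed."""
from dataclasses import dataclass

RECORDS_EXPOSED = 100_000_000     # slide: 100 million unique customer records
MAIL_COST_PER_RECORD = 0.5        # slide: a physical mail costs $0.5
QUERY_ROW_CAP = 10_000            # slide: single query should not exceed 10,000 PII records
PII_TABLES = {"customers", "accounts"}   # assumed names of tables classified as PII


@dataclass
class AuditRecord:                # assumed field set of one database audit event
    user: str
    table: str
    rows_returned: int
    interactive: bool   # True for an ad-hoc client session rather than the application tier


def notification_cost(records: int, cost_per_record: float = MAIL_COST_PER_RECORD) -> float:
    """Notification cost alone: records exposed times the cost of one letter."""
    return records * cost_per_record


def risk_bought_down(records: int, cap: int = QUERY_ROW_CAP) -> float:
    """Notification cost removed by capping a single query's PII result at `cap` rows."""
    return notification_cost(records) - notification_cost(min(records, cap))


def find_violations(events: list[AuditRecord]) -> list[tuple[str, str]]:
    """Flag the suspicious access patterns the slide lists; returns (user, reason) pairs."""
    findings = []
    for e in events:
        if e.table in PII_TABLES and e.rows_returned > QUERY_ROW_CAP:
            findings.append((e.user, "massive data records access"))
        if e.user.startswith("svc_") and e.interactive:
            findings.append((e.user, "service account abuse"))
        if e.table in PII_TABLES and e.interactive:
            findings.append((e.user, "sensitive data access"))
    return findings


SAMPLE_AUDIT = [   # constructed audit trail
    AuditRecord("app_web", "customers", 250, False),        # normal application query
    AuditRecord("app_web", "customers", 2_500_000, False),  # bulk PII pull through the app
    AuditRecord("svc_batch", "orders", 40, True),           # service credentials used interactively
    AuditRecord("jsmith", "accounts", 5, True),             # analyst reading PII ad hoc
]

if __name__ == "__main__":
    print(f"Full exposure (notification only): ${notification_cost(RECORDS_EXPOSED):,.0f}")
    print(f"Bought down by the query cap: ${risk_bought_down(RECORDS_EXPOSED):,.0f}")
    for user, reason in find_violations(SAMPLE_AUDIT):
        print(f"{user}: {reason}")
```

The slide's $20,000 residual figure covers more than the letters; the functions here only carry the notification line item the slide makes explicit.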

Page 21

Key Takeaways - Start with What Matters Most

APPS
• Do you detect and mitigate application vulnerabilities?
• Are vulnerable apps taken offline or is the risk accepted?
• Can your organization tolerate a DDoS longer than hours?
• Is your app security strategy updated periodically to detect changing attack methods (e.g. Crypto-Jacking, ransomware)?

DATA
• Do you know where your sensitive data is?
• Can you tell who accesses what data, and how that data is used?
• Can you determine which data access is appropriate?
• Can you detect suspicious data access with high confidence?
• Do you have the necessary records for incident response?

Compliance & 3rd Party Framework
• GDPR: Art 5, Art 25, Art 32, Art 33, Art 34, Art 35, Art 44
• PCI DSS: Req. 2, Req. 3, Req. 6.1, Req. 6.6, Req. 7, Req. 8.5, Req. 10, Req. 12
• MAS TRM: 2.0.1, 2.0.5, 5.1.2, 5.1.7, 12.1.6
• SOX: 302, 404, 409
• NIST, SANS, NYDFS, HIPAA, FISMA, GLBA, HITECH, CCPA, ISO etc.

Page 22

Q&A Thank You

Terry Ray

[email protected]