Time to re think our security process

Ulf Mattsson, Chief Technology Officer, Compliance Engineering
[email protected]
www.complianceengineers.com

Transcript of Time to re think our security process

Page 1: Time to re think our security process

Time to Re-think our Security Process
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
[email protected]

Page 2: Time to re think our security process

Ulf Mattsson
Inventor of more than 25 US Patents

Industry Involvement
PCI DSS - PCI Security Standards Council
• Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
IFIP - International Federation for Information Processing
• WG 11.3 Data and Application Security
CSA - Cloud Security Alliance
ANSI - American National Standards Institute
• ANSI X9 Tokenization Work Group
NIST - National Institute of Standards and Technology
• NIST Big Data Working Group
User Groups
• Security: ISSA & ISACA
• Databases: IBM & Oracle

Page 3: Time to re think our security process

My work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC 2013 – 2014 Tokenization Task Force

Page 4: Time to re think our security process


Page 5: Time to re think our security process

Encryption Usage - Mature vs. Immature Companies

Source: Ponemon - Encryption Application Trends Study • June 2016

[Chart; call-outs: "Less use of encryption", "Do we know our sensitive data?", "Big Data", "Public Cloud"]

Page 6: Time to re think our security process


Not Knowing Where Sensitive Data Is

Source: The State of Data Security Intelligence, Ponemon Institute, 2015

Page 7: Time to re think our security process

Not Managing Risks to Sensitive Data

Source: The State of Data Security Intelligence, Ponemon Institute, 2015

[Chart; call-outs: Access Patterns, Data Discovery, Data Access]

Page 8: Time to re think our security process


Page 9: Time to re think our security process

Cloud Providers Not Becoming Security Vendors
• There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure
• Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP, driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments

Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors?, May 2016

Page 10: Time to re think our security process

2014: Data-Centric Audit and Protection (DCAP)
• Centrally managed security policy
• Across unstructured and structured silos
• Classify data, control access and monitoring
• Protection – encryption, tokenization and masking
• Segregation of duties – application users and privileged users
• Auditing and reporting

Source: Gartner – Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014

Page 11: Time to re think our security process

2016: Shift Cybersecurity Investment
• IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable.
• Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20% in 2015.

Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016

Page 12: Time to re think our security process

Security Outsourcing Fastest Growth

The information security market is estimated to have grown 13.9% in revenue in 2015, with the IT security outsourcing segment recording the fastest growth (25%).

Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update

Page 13: Time to re think our security process


Page 14: Time to re think our security process

FS-ISAC Summit about "Know Your Data"
• Encryption at rest has become the new norm
• However, that's not sufficient
• Visibility into how and where it flows during the course of normal business is critical

Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit

Page 15: Time to re think our security process


Page 16: Time to re think our security process

Old PCI DSS Requirement 3.1
Discovery Results Supporting Compliance

Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage:
1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
2. Specific retention requirements for cardholder data
3. Processes for secure deletion of data when no longer needed
4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

Page 17: Time to re think our security process

New PCI DSS 3.2 Standard – Data Discovery
• PCI DSS v2 did not have data flow in the 12 requirements, but mentioned it in "Scope of Assessment for Compliance with PCI DSS Requirements."
• PCI DSS v3.0 (retained in v3.1) added data flow into a requirement: 1.1.3 calls for a current diagram of all cardholder data flows.
• PCI DSS v3.2 added data discovery into a requirement.

Source: PCI DSS 3.2, Appendix A3 (Designated Entities Supplemental Validation): data discovery requirements A3.2.5, A3.2.5.1 and A3.2.6, which apply to entities designated by a payment brand or acquirer, such as service providers

Page 18: Time to re think our security process

PCI DSS 3.2 Requirement - Discovery

Example of a Discovery Process:
1. Scoping
2. Asset Classification
3. Job Scan Definition
4. Scanning
5. Analysis
6. Reporting
7. Remediation
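The scanning, analysis and reporting steps of the discovery process above, together with the quarterly identification of stored cardholder data that exceeds retention from the old Requirement 3.1 slide, reduced to working code. This is an added example, not a tool from the deck or from Compliance Engineering: it finds Luhn-valid PAN candidates in text, reports them masked to first six/last four, and flags records older than the retention period. The file paths, dates and record contents are constructed sample data; the card numbers are the published Visa, Mastercard and Amex test numbers.

```python
"""Cleartext-PAN discovery scan: candidate match, Luhn check, masked report,
retention-age flag. Added example; the sample records below are constructed."""
from __future__ import annotations

import re
from datetime import date

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI DSS 3.3 allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PAN candidates in text, separators removed."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan(records: list, today: date, retention_days: int) -> list:
    """One finding per record that holds cleartext PAN, with the masked
    values and whether the record is older than the retention period."""
    findings = []
    for rec in records:
        pans = find_pans(rec["content"])
        if not pans:
            continue
        age_days = (today - rec["modified"]).days
        findings.append({
            "path": rec["path"],
            "masked": [mask_pan(p) for p in pans],
            "age_days": age_days,
            "exceeds_retention": age_days > retention_days,
        })
    return findings


# Constructed sample records standing in for files a scanner would read.
# The card numbers are the well-known Visa, Mastercard and Amex test numbers;
# 1234567890123456 is a 16-digit value that fails Luhn and must not be reported.
SAMPLE_RECORDS = [
    {"path": "/exports/orders_2015q1.csv", "modified": date(2015, 3, 31),
     "content": "1001,Jane Doe,4111 1111 1111 1111,2015-03-14\n"},
    {"path": "/var/log/app/payments.log", "modified": date(2016, 6, 2),
     "content": "2016-06-02 INFO auth ok pan=5555555555554444 amount=19.99\n"},
    {"path": "/home/dev/notes.txt", "modified": date(2016, 5, 20),
     "content": "order id 1234567890123456 (not a card); amex test 378282246310005\n"},
    {"path": "/etc/hosts", "modified": date(2014, 1, 1),
     "content": "127.0.0.1 localhost\n"},
]


def run_sample_scan() -> list:
    """Scan the sample records against a one-year retention period."""
    return scan(SAMPLE_RECORDS, today=date(2016, 6, 30), retention_days=365)


if __name__ == "__main__":
    for f in run_sample_scan():
        flag = "EXCEEDS RETENTION" if f["exceeds_retention"] else "within retention"
        print(f"{f['path']}: {', '.join(f['masked'])} ({f['age_days']} days, {flag})")
```

The Luhn check alone is a weak filter: roughly one in ten random 13 to 19 digit numbers passes it, so a production discovery tool adds issuer-range (BIN/IIN) checks and surrounding context before it counts a hit, and it walks file shares, databases and logs rather than an in-memory list. The report keeps only masked values, so the scanner does not itself become a new store of cleartext PAN.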

Page 19: Time to re think our security process


Example - Discovery Scanning Job Status List

Page 20: Time to re think our security process

Discovery Deployment Example

Example of Customer Provisioning:
• Virtual host to load Software or Appliance
• User ID with "Read Only" Access
• Firewall Access

[Diagram: Appliance, Discovery Admin, Examples]

Page 21: Time to re think our security process

Discovery Process (Step 4) – Scanning Job Lists

STEP 4: The scanning execution can be monitored by Provider and the customer via a Job Scheduler interface

Page 22: Time to re think our security process

I think it is Time to Re-think our Security Process

Page 23: Time to re think our security process

Are You Ready for the PCI DSS 3.2 Requirement on Security Control Failures?

Page 24: Time to re think our security process

Security Tools and Integrated Services

[Diagram: Discovery – Software as a Service (SaaS) data discovery solution; Managed Tools Security Service; SOC Tools – 24/7 Eyes on Glass (EoG) monitoring, Security Operations Center (SOC)]

Page 25: Time to re think our security process

Samples of Our Services

Compliance Assessments
• PCI DSS & PA Gap
• HIPAA (2013 HITECH)
• SSAE 16-SOC 2&3*
• GLBA, SOX
• FCRA, FISMA
• SB 1385, ISO 27XXX
• Security Posture Assessments (based on industry best practices)
• BCP & DRP (SMB market)

Professional Security Services
• Security Architecture
• Engineering/Operations
• Staff Augmentation
• Penetration Testing
• Platform Baseline Hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
• IDM/IAM/PAM architecture
• SIEM design, operation and implementation
• eGRC Readiness & Deployment

E Security & Vendor Products
• Data Discovery
• Managed Tools Security Service
• Data Loss Protection
• SIEM & Logging
• Identity and Access Management
• EndPoint Protection
• Network Security Devices
• Encryption
• Unified Threat
• Multi-factor Authentication

Managed Security Services
• MSSP/SOC
• SIEM 365
• Data Center SOC
• IDM/IAM Security Administration
• Healthcare Infrastructure Solutions (2013 3rd Qtr.)
• Vulnerability Scans
• Penetration Testing

Page 26: Time to re think our security process


Ulf Mattsson, Chief Technology Officer, Compliance [email protected]

www.complianceengineers.com