Transcript

Page 1:

Driving Digital Transformation While Mitigating Risks And Ensuring Compliance

Terry Ray

SVP and Imperva Fellow

Page 2:

Proprietary and confidential. Do not distribute.

Agenda


● Challenges with Digital Transformation

● Traditional Security Approach

● Risk Assessment Approach

● How Imperva can Help

● Q&A

Page 3:

Challenges with Digital Transformation

Page 4:

Transformation is Happening

Drive revenue vs. Reduce cost

Methods:        Waterfall   ->  Agile     ->  DevOps
Architecture:   Monolithic  ->  Tiers     ->  Micro-Services
Servers:        Physical    ->  Virtual   ->  Containers
Infrastructure: Datacenter  ->  Hosted    ->  Cloud

Risks
• Unnoticed attacks
• Too much data, EVERYWHERE
• Lack of visibility into who accesses what data, how
• No assurance in existing controls
• Security isn’t part of DevOps

Page 5:

Pressures in Financial Services Industry

Risk Mitigation, Transformation, Compliance

• Innovative Fintech models
• Big Tech
• Open Banking
• Complex legacy systems
• Digital applications
• Cloud adoption
• More data, EVERYWHERE
• Increased competition
• Stricter regulations

Page 6:

Compliance

Data Breach Risks

Page 7:

Why is Detection so Difficult?

Incident overload and alert fatigue: 54% of companies admitted that they tend to ignore security alerts [2]

Lack of skilled security professionals: 70% of CISOs consider it their top concern [3]

Insider threats: fraud is the most frequent insider threat incident type for financial services [4]

More legitimate data access: 34% of workers said they share passwords or accounts with their coworkers [1]

Sources:
1 https://www.techradar.com/uk/news/the-dangers-of-password-sharing-at-work
2 Security Operations Challenges, Priorities, and Strategies, ESG, 2017
3 What CISOs worry about in 2018, Ponemon Institute, 2018
4 CERT National Insider Threat Center, 2019

Page 8:

Traditional Security Approach

Page 9:

Security Spending

Spending in Perimeter-based & Identity-based security continues to grow

Page 10:

Challenges of Traditional Security Approach

Perimeter-based Security
• Ex: Endpoint, network security
• False assumption: a “trusted” internal network where data is safe
• Can’t protect against insider threats
• Fails to empower a digital workforce to better serve customers while protecting data

Identity & Access Management
• Ex: User authentication
• Being identity-aware is a must but not sufficient
• Not designed to detect breaches but to make decisions on whether to enable access
• Can’t protect against insider threats

Page 11:

Data Breaches Still Happen

Page 12:

Risk Assessment Approach

Page 13:

Taking a Risk Assessment Approach

• Most organizations are evaluating the value of their security investments based on their ability to lower risk

Chart categories: Compliance related, Security related

Source: Dark Reading Report, 2018

Page 14:

Example: Gartner Risk Assessment Framework

Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018

• Get alignment with key stakeholders
• Priority = Identify assets + Assess liabilities
• Security = Mitigate prioritized risks

Page 15:

Example: Gartner Risk Assessment Framework (continued)

Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018

• Start with balancing between business needs and risks
• Don’t jump to security products/solutions
• Enforce consistent policies across the hybrid environment

Page 16:

To Keep or not to Keep

Maintaining and securing data here is a no-brainer

The problem is:
• Is there any data that you truly don’t care about?
• If so, can you delete it?

Source: Develop a Financial Risk Assessment for Data Using Infonomics, Gartner 2018

Page 17:

Enabling Digital Transformation while Mitigating Risks

Page 18:

Data Security is a Must

“As the business becomes digital, security must become data-centric” – Forrester Research, 2018

Page 19:

Imperva Security Defense In Depth Architecture

Diagram: On-Prem, Hybrid and Cloud environments, each holding DATA, APIs and APPs

Outside the Organization: External Partners, Customers, Contractors, Bad bots, Hackers

Inside the Organization: Trusted, Internal Partners, Malicious, Careless, Compromised

App & Data Security: WAF (Cloud and On-Prem), RASP, CDN & LB, DDoS, Bot Protection, API Security

App & Data Security: WAF Gateway, RASP

Data Security: Data Insights, Data Audit & Compliance, Data Classification & masking

Machine Learning & Analytics

SIEM

*Internal API Security is planned for 2020

Page 20:

Example: Buy Down Risks with Data Security

Financial Services

If a breach happens, exposure of 100 million unique customer records (e.g. PII):
• All users in the system have to be notified; a physical mail costs $0.5 = $50M
• Fines (e.g. GDPR non-compliance), lawsuits, loss of clients/vital data/productivity, damage to reputation, damage to business relationships = >$50M

Controls:
• Data access control ‒ a single query should not exceed 10,000 PII records. Limits application compromise down to 10,000 PII records = $20,000
• Identify suspicious data access ‒ service account abuse, massive data records access, sensitive data access. Improves breach prevention
• Masking sensitive data ‒ reduce the attack surface in non-production environments. Prevents data breach risks in non-prod environments

Result: Buying down ~$50M
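The three controls on this slide can be written as rules over a database audit feed. The block below is an added example for this page, not Imperva product logic and not code from the deck; the key=value event format, the PII column inventory, the service-account allow-list and the four sample audit lines are all constructed assumptions.

```python
"""Rule checks over database audit events for the three controls on the slide.

Added example, not Imperva code and not from the deck. The audit-event
format, the field names, the PII inventory, the service-account allow-list
and the sample log lines are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Slide figure: a single query should not exceed 10,000 PII records.
MAX_PII_ROWS_PER_QUERY = 10_000

# Assumed output of data classification: table -> columns holding PII.
PII_COLUMNS: Dict[str, Set[str]] = {
    "customers": {"ssn", "dob", "email"},
    "accounts": {"card_number"},
}

# Assumed allow-list: the hosts and client programs each service account may use.
SERVICE_ACCOUNTS: Dict[str, Dict[str, Set[str]]] = {
    "svc_billing": {"hosts": {"app-billing-01"}, "programs": {"billing-api"}},
}

# Constructed sample audit feed (one event per line, key=value fields).
SAMPLE_AUDIT_LOG = """\
user=svc_billing host=app-billing-01 program=billing-api env=prod table=accounts columns=account_id,balance rows=1
user=svc_billing host=laptop-jdoe program=sqlplus env=prod table=accounts columns=card_number,account_id rows=25000
user=analyst_kim host=bi-01 program=tableau env=prod table=customers columns=email,dob rows=12500
user=dev_lee host=dev-02 program=psql env=nonprod table=customers columns=ssn rows=200
"""


@dataclass
class AuditEvent:
    user: str
    host: str
    program: str
    env: str          # "prod" or "nonprod"
    table: str
    columns: Set[str]
    rows: int         # rows returned to the client


def parse_event(line: str) -> AuditEvent:
    """Parse one key=value audit line into an AuditEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return AuditEvent(
        user=fields["user"],
        host=fields["host"],
        program=fields["program"],
        env=fields["env"],
        table=fields["table"],
        columns=set(fields["columns"].split(",")),
        rows=int(fields["rows"]),
    )


def evaluate(ev: AuditEvent) -> List[str]:
    """Return the finding codes raised by one event (empty list if clean)."""
    findings: List[str] = []
    touched_pii = ev.columns & PII_COLUMNS.get(ev.table, set())

    # Control 1 (data access control): cap the PII rows a single query may return.
    # Enforced at a database gateway, this bounds a compromised app to 10,000 records.
    if touched_pii and ev.rows > MAX_PII_ROWS_PER_QUERY:
        findings.append("massive_pii_access")

    # Control 2 (suspicious access): a service account used from an unexpected
    # host or through an interactive client instead of its own application.
    allowed = SERVICE_ACCOUNTS.get(ev.user)
    if allowed and (ev.host not in allowed["hosts"] or ev.program not in allowed["programs"]):
        findings.append("service_account_abuse")

    # Control 3 (masking): real PII should not be readable outside production;
    # seeing it there means the non-prod copy was not masked.
    if ev.env == "nonprod" and touched_pii:
        findings.append("unmasked_pii_in_nonprod")

    return findings


def run(audit_log: str) -> List[Tuple[str, List[str]]]:
    """Evaluate every non-empty line and pair each user with its findings."""
    results: List[Tuple[str, List[str]]] = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        results.append((ev.user, evaluate(ev)))
    return results


if __name__ == "__main__":
    for user, codes in run(SAMPLE_AUDIT_LOG):
        print(f"{user:14s} {', '.join(codes) or 'ok'}")
```

The row cap is the rule that turns the slide's arithmetic around: with the cap enforced (blocked, not merely alerted) at the gateway, a compromised application can pull at most 10,000 records per query, so the notification cost per incident is bounded by that figure rather than by the size of the table. The other two rules only raise findings and need the classification inventory and allow-list to be kept current to stay accurate.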

Page 21:

Key Takeaways - Start with What Matters Most

APPS
• Do you detect and mitigate application vulnerabilities?
• Are vulnerable apps taken offline or is the risk accepted?
• Can your organization tolerate a DDoS longer than hours?
• Is your app security strategy updated periodically to detect changing attack methods (e.g. Crypto-Jacking, ransomware)?

DATA
• Do you know where your sensitive data is?
• Can you tell who accesses what data, and how that data is used?
• Can you determine which data access is appropriate?
• Can you detect suspicious data access with high confidence?
• Do you have the necessary records for incident response?

Compliance & 3rd Party Frameworks
• GDPR: Art 5, Art 25, Art 32, Art 33, Art 34, Art 35, Art 44
• PCI DSS: Req. 2, Req. 3, Req. 6.1, Req. 6.6, Req. 7, Req. 8.5, Req. 10, Req. 12
• MAS TRM: 2.0.1, 2.0.5, 5.1.2, 5.1.7, 12.1.6
• SOX: 302, 404, 409
• NIST, SANS, NYDFS, HIPAA, FISMA, GLBA, HITECH, CCPA, ISO etc.

Page 22:

Q&A

Thank You

Terry Ray

[email protected]