This session will discuss what attendees learned at The ISSA International Summit 2019, held on October 1-2 in Irving/Dallas, TX.
Learn from one of the presenters at this conference what cybersecurity professionals got to share and learn from the leaders in the industry.
Over the last 30 years ISSA International has grown into the global community of choice for international cybersecurity professionals. With over 100 domestic and international chapters, members have worldwide support with daily cyber threats that are becoming increasingly intricate and difficult to prevent, detect, and remediate.
1. What I Learned at ISSA
International Summit 2019
Ulf Mattsson, TokenEx
2. ISSA International
• Over the last 30 years ISSA international has grown into the
global community of choice for international cybersecurity
professionals.
• With over 100 domestic and international chapters, members
have worldwide support with daily cyber threats that are
becoming increasingly intricate and difficult to prevent, detect,
and remediate.
• No cyber security professional can become an expert on all
these challenges without continuously educating themselves
on the industry’s latest trends, technologies, and solutions.
3. Ulf Mattsson
Head of Innovation at TokenEx
Chief Technology Officer at Protegrity
Chief Technology Officer at Atlantic BT Security Solutions
Chief Technology Officer at Compliance Engineering
Developer at IBM Research and Development
Inventor of 70+ issued US patents
Provided products and services for
Data Encryption and Tokenization,
Data Discovery,
Robotics, ERP, CRM in Manufacturing,
Cloud Application Security Broker,
Web Application Firewall,
Managed Security Services,
Security Operation Center,
Benchmarking/Gap-analysis
ISSA International 3
5. Cybersecurity in the 21st Century
Dr. Ron Ross of NIST leads the Federal Information Security
Modernization Act (FISMA) Implementation Project,
which includes the development of security standards
and guidelines for the federal government, contractors,
and the United States critical infrastructure.
His publications include Federal Information Processing
Standards (FIPS) 199 (security categorization), FIPS 200
(security requirements), and NIST Special Publication
(SP) 800-39 (enterprise risk management), SP 800-53
(security and privacy controls), SP 800-53A (security
assessment), SP 800-37 (Risk Management Framework),
SP 800-30 (risk assessment), SP 800-160 Volumes 1 and 2
(systems security engineering and cyber resiliency), SP
800-171 (security requirements for nonfederal systems
and organizations), and SP 800-171A (security
assessments for nonfederal organizations).
7. Moving a Bank to Cloud
The gotchas, surprises, lessons learned, and
resulting strategic changes are presented to
raise awareness and prevent future mistakes
by attendees.
11. Applications and Cloud
This session will explore how companies can achieve
continuous security and compliance for their applications
in the public cloud. We will cover how application security
is as easy as learning your ABCs. You will learn how to stay
ahead of the latest application architectures such as
serverless and containerization. By bringing application
security earlier into the DevOps SDLC we will explore how
companies can decrease their risk. And lastly, making
application security and security in general a part of the
company culture will allow companies to trust that their
employees are doing their best every day to make the
security of the company's applications and its data a top
priority. We will explore the tools and processes necessary
to implement this ABC approach to application security in
the cloud.
12. Macro trends in Cloud security
Source: ISSA
13. Micro trends in Cloud security
Source: ISSA
14. A Framework for Hybrid Cloud
Source: Tagore (TokenEx partner)
Figure: a layered framework spanning Public Cloud, Private Cloud and On-premises.
19. Machine Learning
Machine learning is the latest buzzword for stopping zero-day attacks, but what is it and how does it work in preventing threats? This session will look at what machine learning is, and is not, and how it is used to identify and stop threats. It will provide examples of how machine learning is used in threat protection tools today and how it is expected to evolve in the future. This session will also take a look at the limitations of machine learning and how hackers are using it to fine-tune their attacks.
26. Zero Trust
The Zero Trust approach 'never trust, always verify' can be a game changer that significantly streamlines and strengthens IT security across the modern hybrid enterprise, but only if it's done right. There are dozens of Zero Trust data, microsegmentation and identity solutions being pushed to fight the bad guys once they get past your firewall, but what about keeping the bad guys out in the first place? That's where Zero Trust access comes in. This session focuses on how organizations can use Zero Trust access to more effectively protect their attack surface:
• How to evaluate what is wrong with their current security environment
• Cutting through vendor hype to find a Zero Trust approach that works
• Why identity alone is not enough to manage access, contrary to some industry claims
• How Zero Trust access takes the burden off the shoulders of end users, providing a more secure way to access the resources they need to do their jobs from wherever they are working
• The role least-privileged access plays in more securely managing mobility by understanding a user's method and context of access
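The point that identity alone is not enough, and that the method and context of access decide what least privilege means for a given request, is easier to see as a policy decision. The following is an added illustration (not code from the session, a vendor, or the slide deck); the resource tiers, roles, posture signals and decision rules are hypothetical choices made here to show the shape of such a decision.

```python
"""Context-aware Zero Trust access decision.

Added illustration: the resource tiers, roles and rules below are
hypothetical, not any vendor's product or the ISSA session's material.
"""
from dataclasses import dataclass
from typing import Tuple

# Hypothetical resource sensitivity tiers and the roles entitled to each.
SENSITIVITY = {"wiki": 1, "crm": 2, "payroll": 3}
ROLE_GRANTS = {
    "engineer": {"wiki", "crm"},
    "hr": {"wiki", "payroll"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str            # "read" or "write"
    mfa_verified: bool
    device_managed: bool   # enrolled device presenting a valid device certificate
    device_patched: bool
    country: str


def decide(req: AccessRequest, home_country: str = "US") -> Tuple[str, str]:
    """Return (decision, reason).

    Decisions: allow, allow-read-only, step-up, deny. Identity is necessary
    but never sufficient: entitlement, device posture and the context of the
    access are re-evaluated on every request, whatever network it comes from.
    """
    # 1. Entitlement first (least privilege): the role must grant the resource.
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return "deny", "role not entitled to resource"
    tier = SENSITIVITY[req.resource]
    # 2. Device posture: unmanaged devices never touch tier 2+ data, even from
    #    a "corporate" network; the network is not treated as a trust signal.
    if tier >= 2 and not req.device_managed:
        return "deny", "unmanaged device"
    # 3. Authentication strength scales with sensitivity.
    if tier >= 2 and not req.mfa_verified:
        return "step-up", "MFA required for this resource"
    # 4. Context degrades the grant rather than denying it outright, so the
    #    user keeps working while the risky part of the action is withheld.
    if req.country != home_country and req.action == "write":
        return "allow-read-only", "write from unexpected country downgraded"
    if tier == 3 and not req.device_patched:
        return "allow-read-only", "unpatched device limited to read"
    return "allow", "identity, device and context all verified"


if __name__ == "__main__":
    req = AccessRequest("bob", "hr", "payroll", "write", True, True, True, "DE")
    print(decide(req))   # ('allow-read-only', 'write from unexpected country downgraded')
```

The ordering matters: entitlement is checked before posture so that a stolen but valid credential on a compliant device still cannot reach resources the role was never granted, and the context rules downgrade rather than block so users are not pushed toward workarounds.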
27. The Supply Chain
Vendors may support integral day-to-day operations of a
company or have access to critical and sensitive data.
However, the same vendors relied on by companies can
quickly become their greatest cyber threat. This
presentation will help participants understand the
importance of comprehensive vendor management
programs and how to successfully implement one. The
topics covered will include assessing contractual provisions
in vendor agreements, performing due diligence on
vendors, managing issues around data sharing and
confidentiality, risk identification and assessment,
information security standards, data breach response and
more.
28. Crypto Hygiene 101
What does ‘secure' even mean??? In cryptology, security is
a function of time relative to your acceptable threshold for
data loss or theft prevention. And cryptography itself is the
absolute foundation to WHAT you're protecting and HOW
it's being protected. The past, present and future of data
protection is dependent upon a proper understanding of
crypto-hygiene and practice. Join us in this entertaining
but educational session on Crypto-Hygiene 101 to learn
what buying a new toothbrush and picking the right
conditioner have to do with protecting your organizations'
most sensitive data. Through real-world examples from
historical incidents we will demonstrate some of the
common challenges associated with encryption-based
solutions. Our presentation will be rounded-out by
practical recommendations that can be put to use TODAY
to enact proper crypto hygiene and ultimately deliver
more confidentiality, availability and integrity for an
organization's most critical systems and information.
29. Insider Threats
Because we know that at least two-thirds – and perhaps as much as 80 percent – of all data security incidents are the result of privileged user negligence or deliberate bad action, information security professionals must focus more than ever before on monitoring and limiting the access of insiders to the enterprise's data. Both human factors and automated processes must be used in concert to lower this increasing risk. This seminar will discuss both types of controls that, when used together, provide a more effective solution to insider threat. This allows detection of malicious outsiders, insiders who have gone rogue, and benevolent users whose credentials may have been stolen. Role-based access, combined with the increased use of human intelligence and technology capable of creating a digital behavioral fingerprint for every authorized user, can more easily identify anomalies in user activity and alert leadership when there are deviations from normal behavior.
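A "digital behavioral fingerprint" in practice is a per-user baseline and a scoring rule over new events. The following is an added illustration, not material from the session: the log format, the three signals (hour of day, transfer volume, directory) and the sigma threshold are assumptions, and the log lines are constructed.

```python
"""Per-user behavioral fingerprint and anomaly scoring over access logs.

Added illustration, not the session's material: the log format and the
thresholds are assumptions, and the log lines below are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<res>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed history for one user: business hours, 100-140 KB pulls from /finance.
HISTORY = [
    "2019-09-02T09:12:03Z user=alice action=download resource=/finance/q2.xlsx bytes=100000",
    "2019-09-03T10:41:20Z user=alice action=download resource=/finance/q2-notes.docx bytes=120000",
    "2019-09-04T14:05:11Z user=alice action=download resource=/finance/ar.csv bytes=110000",
    "2019-09-05T11:30:45Z user=alice action=download resource=/finance/ap.csv bytes=130000",
    "2019-09-06T16:22:09Z user=alice action=download resource=/finance/q3.xlsx bytes=140000",
]


def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"],
            "resource": m["res"], "bytes": int(m["bytes"])}


def build_baseline(history):
    """Fingerprint per user: hours seen, usual volume, usual directories."""
    by_user = defaultdict(list)
    for ev in map(parse, history):
        by_user[ev["user"]].append(ev)
    baseline = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {
            "hours": {e["ts"].hour for e in evs},
            "mean": statistics.fmean(sizes),
            "stdev": statistics.pstdev(sizes) or 1.0,  # flat history: avoid divide-by-zero
            "dirs": {e["resource"].rsplit("/", 1)[0] for e in evs},
        }
    return baseline


def score(line: str, baseline: dict, z_threshold: float = 3.0) -> list:
    """Return anomaly reasons; an empty list means the event fits the fingerprint."""
    ev = parse(line)
    fp = baseline.get(ev["user"])
    if fp is None:
        return ["no baseline for user"]   # new or dormant account: treat as high risk
    reasons = []
    if ev["ts"].hour not in fp["hours"]:
        reasons.append(f"off-hours access at {ev['ts'].hour:02d}:00 UTC")
    z = (ev["bytes"] - fp["mean"]) / fp["stdev"]
    if z > z_threshold:
        reasons.append(f"volume {ev['bytes']} bytes is {z:.1f} sigma above baseline")
    directory = ev["resource"].rsplit("/", 1)[0]
    if directory not in fp["dirs"]:
        reasons.append(f"first access to {directory}")
    return reasons


if __name__ == "__main__":
    fp = build_baseline(HISTORY)
    for line in [
        "2019-10-01T10:15:00Z user=alice action=download resource=/finance/q3-final.xlsx bytes=125000",
        "2019-10-02T02:40:00Z user=alice action=download resource=/hr/salaries.csv bytes=5000000",
    ]:
        print(line.split()[1], score(line, fp) or "normal")
```

The three signals are deliberately independent, so a stolen credential used at the right hour still trips the volume or directory check; the "no baseline" branch is the case the abstract calls out, an account nobody has a fingerprint for yet.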
30. Metrics that Matter
Historically, security metrics have not given executives what they need to understand the security return on investment and the effectiveness in reducing risk. We will cover previous challenges of metrics as well as identify methods to improve overall communication on the status of your program.
Examples of metrics include:
• Capability Metrics: defining security capabilities, tracking performance bands, reporting on exceptions
• Operational Metrics: Time to Detect, Time to Investigate, Time to Respond, and Time to Mitigate
• User Metrics: touch points from security to employees, phishing results; learn how to improve metrics through playbook automation and machine learning
• Technology Value Metrics: how to determine whether a tool is operating up to expectation
31. Black Box Blues
Increasingly, technology is becoming a black box to even
the most technically savvy among us. Machine learning
and big data analytics are beyond our comprehension by
design, while others like some blockchain implementations
elude the grasp of all but a select few. And still other
applications are protected as trade secrets and we are not
even given a chance to examine their inner workings. This
session will explore how to navigate the challenges of
evaluating and auditing such complex technologies for
important attributes such as effectiveness and bias both
for your own benefit and the benefit of less technical
business and management stakeholders.
32. Emerging Application and Data
Protection for Multi-Cloud
Personal data privacy will be the most prominent issue affecting how
businesses gather, store, process, and disclose data in public cloud.
Businesses have been inundated with information on what recent
privacy laws like GDPR and CCPA require, but many are still trying to
figure out how to comply with them on a practical level.
Many companies are focusing on data privacy from the legal and
security side, which are foundational, but are missing the focus on
data.
The good news is that these data privacy regulations compel
businesses to get a handle on personal data - how they get it, where
they get it from, which systems process it, where it goes internally and
externally, etc.
In other words, the new norms of data privacy require proactive data
management, which enables organizations to extract real business
value from their data, improve the customer experience, streamline
internal processes, and better understand their customers.
The new Verizon Data Breach Investigations Report (DBIR) provides perspectives on how criminals simply shift their focus and adapt their tactics to locate and steal the data they find to be of most value.
This session will discuss Emerging Application and Data Protection for
Multi-cloud and review Differential privacy, Tokenization,
Homomorphic encryption, and Privacy-preserving computation (Multi
Party Computation).
33. Enterprises Losing Ground Against Cyber-attacks
Verizon Data Breach Investigations Report
• Enterprises are losing ground in the fight against persistent cyber-attacks: we simply cannot catch the bad guys until it is too late, and this picture is not improving.
• Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools.
JP Morgan Chase data breach
• Hackers were in the bank's network for months undetected.
• Network configuration errors are inevitable, even at the largest banks.
Capital One data breach
• A hacker gained access to 100 million credit card applications and accounts held at Amazon Web Services, the cloud hosting company that Capital One was using.
Facebook privacy breaches
• According to the press, the FTC has approved a settlement providing a fine of roughly $5 billion for the privacy breaches committed by Facebook. The US Justice Department still needs to approve the settlement, but it rarely rejects settlements reached by the agency.
Imperva breach
• A security breach that led to the compromise of customer data at Imperva was caused by a stolen Amazon Web Services (AWS) API key.
34. The Day When 3rd Party Security Providers Disappear into Cloud
Figure: security functions that today come from third-party providers on-premises and are moving into the public cloud / multi-cloud platform itself:
• WAF
• SIEM
• Firewall
• Encryption
• Tokenization
• Key Management
• AV – Anti Virus
• Network Sec
Example pricing: 10 % of on-premises alternatives
35. Data Protection for Multi-cloud
Figure: the same list of security functions, now provided by the public cloud / multi-cloud platform. Remaining user responsibilities:
1. User Identity Management
2. Application Security
3. Data Security
36. Data Protection for Multi-cloud
Figure: as slide 35, with emerging industry standards covering the remaining user responsibilities (user identity management, application security, data security).
37. Data Protection for Multi-cloud
Figure: as slide 35; application security here means security inside the application, container security, etc.
38. Data Protection for Multi-cloud
Figure: as slide 35; data security is addressed by data tokenization / encryption and by a "Secure Cloud" security separation (Armor.com).
45. New Privacy Regulations Emerge Globally
• 1970, the German state of Hesse passed the first data protection law in the world
• Sweden's Data Act, the first national data protection law, went into effect in 1974 and required licenses from the Swedish Data Protection Authority for information systems handling personal data
• The New York Privacy Act was introduced in 2019
• India is in the process of passing a comprehensive data protection bill that would include GDPR-like requirements
• Japan is ready to implement changes to domestic legislation to strengthen privacy protection in the country
• Brazil is passing a comprehensive data protection regulation similar to GDPR
• Finland's revamped Data Protection Act
46. What is Personal Data according to GDPR?
EU General Data Protection Regulation (GDPR), Article 4 – Definitions
• (1) 'personal data' means any information relating to an identified or identifiable natural person
• (5) 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately
47. Privacy Fines
• In 2019 the UK ICO announced its intention to fine British Airways £183 million for a 2018 data breach, followed by a proposed £99 million fine against the Marriott International hotel chain.
• French data protection regulator CNIL fined Google €50 million in 2019.
• Some companies narrowly avoided a GDPR-scale fine, as their data incident occurred prior to GDPR's implementation date.
• Both Equifax and Facebook received the maximum fine possible - £500,000 - as per the previous Data Protection Act 1998.
• In 2019, Facebook settled with the Federal Trade Commission in the United States over privacy violations, a settlement that required the social network to pay $5 billion.
48. CCPA Redefines Personal Data
• According to "PI Vs PII: How CCPA Redefines What Is Personal Data" at [2], the CCPA definition "creates the potential for extremely broad legal interpretation around what constitutes personal information, holding that personal information is any data that could be linked with a California individual or household."
• CCPA states that "'Personal information' means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
• This goes well beyond data that is obviously associated with an identity, such as name, birth date, or social security number, which is traditionally regarded as PII.
• It's ultimately this "indirect" information, such as product preference or geolocation data, that is material, since it is much more difficult to identify it and connect it with a person than well-structured personally identifiable information.
49. EU General Data Protection Regulation (GDPR)
Source: IBM
Figure: GDPR building blocks, with Encryption and Tokenization alongside Security by Design.
52. A Cross Border Data-centric Security project
Figure: data sources from the bank's European entities feed a data warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities.
53. How Should I Secure Different Types of Data?
Figure: a matrix of Type of Data (Structured / Un-structured) against Use Case (Simple – Complex).
• Un-structured data, simple use case: Encryption of Files
• Structured data, complex use case: Tokenization of Fields
• Data classes placed on the matrix: PCI (Card Holder Data), PHI (Protected Health Information), PII (Personally Identifiable Information)
55. Business Value from Data
User Productivity, Creativity and Data Access
Figure: Access to Data (low to high) plotted against User Productivity (low to high); working on clear data sits at the "High Risk Exposure (Clear Data)" end.
56. Business Value from Data
User Productivity, Creativity and Data Access
Figure: the same plot with a second level added, "Low Exposure (Tokens)", showing that tokens keep data access and user productivity while removing the exposure of clear data.
57. Total Cost and Risk of Tokenization
On Premise tokenization
• Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-Based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
Example: 50% Lower Total Cost
58. Privacy enhancing data de-identification terminology and classification of techniques
Mapping of data security and privacy techniques to on-premises, public, and private clouds. The slide's columns are Data Warehouse (Centralized, Distributed), On-premises, Public Cloud and Private Cloud; vault-based tokenization and homomorphic encryption are marked as applicable in only two of the columns, format preserving encryption in all but one, and every other technique in all of them.
De-identification techniques
• Tokenization: Vault-based tokenization; Vault-less tokenization
• Cryptographic tools: Format preserving encryption; Homomorphic encryption
• Suppression techniques: Masking; Hashing
Formal privacy measurement models
• Differential Privacy: Server model; Local model
• K-anonymity model: L-diversity; T-closeness
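The techniques in slides 53, 57 and 58 (and the GDPR notion of pseudonymisation on slide 46) differ mainly in what has to be protected afterwards: a vault, a key, or nothing. The following added illustration, which is not code from the deck, ISO/IEC 20889, TokenEx or any other product, puts the four side by side. The Feistel construction standing in for vault-less tokenization is a toy to show the shape of format preserving encryption; it is not NIST FF1/FF3 and must not be used as such, and the key and card number are constructed test values.

```python
"""Vault-based tokenization, vault-less (FPE-style) tokenization, masking and keyed hashing.

Added illustration, not a product's code: the Feistel FPE is a toy to show the
shape of the technique (not NIST FF1/FF3, do not use as such), and the key and
card number used in the usage section are constructed test values.
"""
import hashlib
import hmac
import secrets


class VaultTokenizer:
    """Vault-based: random token, clear value kept only in a protected store."""

    def __init__(self):
        self._vault = {}    # token -> clear value: this store is what you must protect
        self._reverse = {}  # clear value -> token, so repeats get the same token

    def tokenize(self, pan: str) -> str:
        if pan in self._reverse:
            return self._reverse[pan]
        while True:
            # Random digits, same length, last four preserved for operational use.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        self._reverse[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def _round_fn(key: bytes, i: int, half: str, width: int) -> int:
    """Keyed PRF for one Feistel round, reduced to a `width`-digit number."""
    digest = hmac.new(key, bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % (10 ** width)


def _check(digits: str) -> int:
    if not digits.isdigit() or len(digits) % 2:
        raise ValueError("toy FPE needs an even-length decimal string")
    return len(digits) // 2


def fpe_encrypt(key: bytes, digits: str, rounds: int = 8) -> str:
    """Vault-less: the token is computed from the key, nothing is stored."""
    w = _check(digits)
    l, r = digits[:w], digits[w:]
    for i in range(rounds):
        l, r = r, f"{(int(l) + _round_fn(key, i, r, w)) % 10 ** w:0{w}d}"
    return l + r


def fpe_decrypt(key: bytes, digits: str, rounds: int = 8) -> str:
    """Inverse of fpe_encrypt: undo the rounds in reverse order."""
    w = _check(digits)
    l, r = digits[:w], digits[w:]
    for i in reversed(range(rounds)):
        l, r = f"{(int(r) - _round_fn(key, i, l, w)) % 10 ** w:0{w}d}", l
    return l + r


def mask(pan: str, keep_last: int = 4) -> str:
    """Suppression technique: irreversible, only the last digits survive."""
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


def keyed_hash(key: bytes, pan: str) -> str:
    """Deterministic pseudonym for joins. A plain SHA-256 of a 16-digit PAN is
    not a protection: the input space is small enough to enumerate, so key it
    and protect the key like a vault."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    pan, key = "4111111111111111", b"constructed-demo-key"   # constructed test values
    vault = VaultTokenizer()
    print("vault   ", vault.tokenize(pan))
    print("fpe     ", fpe_encrypt(key, pan))
    print("mask    ", mask(pan))
    print("hmac    ", keyed_hash(key, pan)[:16], "...")
```

The PCI scope argument on slide 57 follows from the storage difference: with the vault model the clear PANs still exist somewhere you operate, with the vault-less model only the key does. Note also that a deterministic token (FPE or keyed hash) leaks equality between records by design, which is what makes it usable for joins and what makes it weaker than a random vault token against frequency analysis.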
59. Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Format Preserving Encryption (FPE), Homomorphic Encryption (HE) and Multi Party Computation (MPC)
Figure, FPE: a clear value such as 123 goes through FPE Enc under protected keys and comes out as a value of the same format, e.g. 897; FPE Dec under the same keys returns 123.
Figure, HE: D1 and D2 are each encrypted with HE Enc under a protected key; an "Untrusted Party" (*) computes Oper(Enc_D1, Enc_D2) on the ciphertexts alone, and HE Dec of the result yields the clear result (12 in the figure). *: Multi Party Computation (MPC).
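The HE flow in the figure, Enc(D1) and Enc(D2) combined by a party that holds neither the data nor the key, is what the Paillier cryptosystem gives for addition. The following is an added illustration, not the standard's text or any vendor's code; Paillier is chosen here because its Oper is literally ciphertext multiplication, and the two primes are fixed, far-too-small demo values so that the block runs instantly.

```python
"""Additively homomorphic encryption (Paillier): an untrusted party adds
encrypted values without the key.

Added illustration, not the standard's or any vendor's code. Paillier is one
concrete HE scheme chosen here because the figure's Oper(Enc_D1, Enc_D2) is
exactly its ciphertext multiplication; the primes are fixed demo values.
"""
import math
import secrets

# Constructed demo primes (Mersenne primes 2^31-1 and 2^61-1): far too small
# for real use, where each prime is on the order of 1024 bits.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1


def keygen(p: int = P, q: int = Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                 # modular inverse (Python 3.8+)
    return (n, n + 1), (lam, mu)                          # public (n, g), private (lambda, mu)


def encrypt(public, m: int) -> int:
    n, g = public
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)          # fresh randomness: equal plaintexts differ
        if r and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(public, private, c: int) -> int:
    n, _ = public
    lam, mu = private
    n2 = n * n
    l = (pow(c, lam, n2) - 1) // n        # L(u) = (u - 1) / n
    return (l * mu) % n


def add_encrypted(public, c1: int, c2: int) -> int:
    """The untrusted party's Oper: Enc(D1) * Enc(D2) = Enc(D1 + D2)."""
    n, _ = public
    return (c1 * c2) % (n * n)


def scale_encrypted(public, c: int, k: int) -> int:
    """Also available without the key: Enc(D)^k = Enc(k * D)."""
    n, _ = public
    return pow(c, k, n * n)


if __name__ == "__main__":
    pub, priv = keygen()
    enc_d1, enc_d2 = encrypt(pub, 1234), encrypt(pub, 5678)
    print(decrypt(pub, priv, add_encrypted(pub, enc_d1, enc_d2)))   # 6912
```

Two properties worth noticing: encryption is randomized, so the untrusted party cannot tell whether two ciphertexts carry the same value, and the arithmetic is modulo n, so sums that overflow n wrap silently; an application has to size n for the largest total it will ever compute.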
60. Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Differential Privacy (Google, Apple) and k-Anonymity Model
Figure, Differential Privacy (DP): clear data passes through cleanser/filter stages around a Curator* before the protected output is released (*: example Apple and Google).
Figure, k-Anonymity Model: a clear DB passes through a cleanser/filter to produce a protected DB.
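The two models in the figure, and the server/local split and l-diversity rows of the slide 58 taxonomy, can be shown on a handful of records. The following is an added illustration, not the standard's text or any vendor's implementation: the records are constructed, the generalization rules and epsilon values are arbitrary choices, and randomized response stands in for the per-device mechanisms the figure attributes to Apple and Google.

```python
"""k-anonymity / l-diversity over quasi-identifiers, and differential privacy in
the curator model (Laplace mechanism) and the local model (randomized response).

Added illustration, not the standard's text or any vendor's code; the records
are constructed and the epsilon values are arbitrary.
"""
import math
import random
from collections import Counter, defaultdict

# Constructed records: quasi-identifiers (zip, age) plus a sensitive attribute.
RECORDS = [
    {"zip": "10001", "age": 34, "diagnosis": "flu"},
    {"zip": "10002", "age": 37, "diagnosis": "cold"},
    {"zip": "10003", "age": 31, "diagnosis": "flu"},
    {"zip": "20001", "age": 52, "diagnosis": "asthma"},
    {"zip": "20002", "age": 58, "diagnosis": "flu"},
    {"zip": "20003", "age": 55, "diagnosis": "cold"},
]
QUASI = ("zip", "age")


def generalize(rec: dict) -> dict:
    """Generalization: zip to a 3-digit prefix, age to its decade."""
    decade = rec["age"] // 10 * 10
    return {**rec, "zip": rec["zip"][:3] + "**", "age": f"{decade}-{decade + 9}"}


def k_anonymity(records, quasi=QUASI) -> int:
    """Smallest equivalence class over the quasi-identifiers (k=1: someone is unique)."""
    return min(Counter(tuple(r[q] for q in quasi) for r in records).values())


def l_diversity(records, quasi=QUASI, sensitive="diagnosis") -> int:
    """Distinct sensitive values in the least diverse class (guards homogeneity attacks)."""
    groups = defaultdict(set)
    for r in records:
        groups[tuple(r[q] for q in quasi)].add(r[sensitive])
    return min(len(v) for v in groups.values())


def laplace_count(records, predicate, epsilon: float, rng: random.Random) -> float:
    """Curator model: the trusted curator sees clear data, releases count + Laplace(1/eps)."""
    true_count = sum(1 for r in records if predicate(r))
    b = 1.0 / epsilon                               # counting query: sensitivity 1
    u = rng.random() - 0.5                          # inverse-CDF Laplace sample
    noise = -b * math.copysign(1.0, u) * math.log(max(1e-12, 1 - 2 * abs(u)))
    return true_count + noise


def randomized_response(truth: bool, epsilon: float, rng: random.Random) -> bool:
    """Local model: each client randomizes its own answer before it leaves the device."""
    p_truth = math.exp(epsilon) / (math.exp(epsilon) + 1)
    return truth if rng.random() < p_truth else not truth


def estimate_from_responses(responses, epsilon: float) -> float:
    """Curator-side debiasing: E[yes] = n_true * p + (n - n_true) * (1 - p)."""
    p = math.exp(epsilon) / (math.exp(epsilon) + 1)
    n, yes = len(responses), sum(responses)
    return (yes - n * (1 - p)) / (2 * p - 1)


def local_model_survey(truths, epsilon: float, rng: random.Random) -> float:
    """End to end: clients randomize, the curator only ever sees the randomized bits."""
    responses = [randomized_response(t, epsilon, rng) for t in truths]
    return estimate_from_responses(responses, epsilon)


if __name__ == "__main__":
    generalized = [generalize(r) for r in RECORDS]
    print("k before/after:", k_anonymity(RECORDS), k_anonymity(generalized))
    print("l-diversity:", l_diversity(generalized))
    rng = random.Random(2019)
    print("noisy flu count:", round(laplace_count(RECORDS, lambda r: r["diagnosis"] == "flu", 1.0, rng), 2))
    print("local-model estimate:", round(local_model_survey([True] * 300 + [False] * 700, math.log(3), rng), 1))
```

The contrast the figure draws is where the clear data lives: in the curator model the cleanser sits on a server that holds everything and must itself be trusted and protected; in the local model no clear answer ever leaves the device, at the price of much noisier estimates for the same epsilon (with epsilon = ln 3 each answer is flipped a quarter of the time).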
The 2014 Verizon Data Breach Investigations Report concluded that enterprises are losing ground in the fight against persistent cyber-attacks. We simply cannot catch the bad guys until it is too late, and this picture is not improving.
Verizon concluded that less than 14% of breaches are detected by internal security tools. Detection by third-party entities increased from approximately 10% to 25% during the last three years.
Specifically, in 99% of payment card theft cases someone else told the victim they had suffered a breach.
One reason is that our current approach with monitoring and intrusion detection products can't tell you what normal looks like in your own systems, and SIEM technology is simply too slow to be useful for security analytics.
Big Data security analytics may help over time, but we don't have time to wait.
The biggest hacks and security breaches of 2014 include eBay, Target, Sony and Microsoft, Celebrity iCloud, NSA, Heartbleed, Sony.
The successful attack on JP Morgan Chase surprised me most, as the largest US bank lost personal information of 76 million households and it took several months to detect.
Protect PII Data Cross Border.
Achieve compliance while moving or outsourcing data, even between countries. Data residency issue solved.
Example: A major bank performed a consolidation of all European operational data sources. This meant protecting Personally Identifiable Information (PII) in compliance with the EU Cross Border Data Protection Laws. In addition, they required access to Austrian and German customer data to be restricted to only people in each respective country.
CHALLENGES
The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.
RESULT
Complete policy-enforced de-identification of sensitive data across all bank entities
End-to-end data protection from geographically distributed bank entities to HQ
All existing data secured at a granular level
Achieved targeted compliance with EU Cross Border Data Security laws, Datenschutzgesetz 2000 - DSG 2000 in Austria, and Bundesdatenschutzgesetz in Germany
Implemented country-specific data access restrictions
Extremely high throughput of data
Simply minimizing the data you collect doesn't do anything to protect the information that's left. This is something you should be doing no matter what, however...
...or the issue with "rolling your own" solution: you have just moved the sensitive data from one area of your network to another.