What I Learned at ISSA
International Summit 2019
Ulf Mattsson, TokenEx
ISSA International
• Over the last 30 years ISSA International has grown into the
global community of choice for international cybersecurity
professionals.
• With over 100 domestic and international chapters, members
have worldwide support against daily cyber threats that are
becoming increasingly intricate and difficult to prevent, detect,
and remediate.
• No cyber security professional can become an expert on all
these challenges without continuously educating themselves
on the industry’s latest trends, technologies, and solutions.
Ulf Mattsson
• Head of Innovation at TokenEx
• Chief Technology Officer at Protegrity
• Chief Technology Officer at Atlantic BT Security Solutions
• Chief Technology Officer at Compliance Engineering
• Developer at IBM Research and Development
• Inventor of 70+ issued US patents
• Provided products and services for
  • Data Encryption and Tokenization
  • Data Discovery
  • Robotics, ERP, CRM in Manufacturing
  • Cloud Application Security Broker
  • Web Application Firewall
  • Managed Security Services
  • Security Operation Center
  • Benchmarking/Gap-analysis
Global Risk Perception
Source: ISSA
Cybersecurity in the 21st Century
Dr. Ross leads the Federal Information Security
Modernization Act (FISMA) Implementation Project,
which includes the development of security standards
and guidelines for the federal government, contractors,
and the United States critical infrastructure.
His publications include Federal Information Processing
Standards (FIPS) 199 (security categorization), FIPS 200
(security requirements), and NIST Special Publication
(SP) 800-39 (enterprise risk management), SP 800-53
(security and privacy controls), SP 800-53A (security
assessment), SP 800-37 (Risk Management Framework),
SP 800-30 (risk assessment), SP 800-160 Volumes 1 and 2
(systems security engineering and cyber resiliency), SP
800-171 (security requirements for nonfederal systems
and organizations), and SP 800-171A (security
assessments for nonfederal organizations).
Moving a Bank to Cloud
The gotchas, surprises, lessons learned, and
resulting strategic changes are presented to
raise awareness and prevent future mistakes
by attendees.
Cloud transformations are accelerating
Securing Cloud Workloads – Greatest Increase in Spending
Shared responsibilities across cloud service models
Source: Microsoft
Data Protection for Multi-cloud
Applications and Cloud
This session will explore how companies can achieve
continuous security and compliance for their applications
in the public cloud. We will cover how application security
is as easy as learning your ABCs. You will learn how to stay
ahead of the latest application architectures such as
serverless and containerization. By bringing application
security earlier into the DevOps SDLC we will explore how
companies can decrease their risk. And lastly, making
application security and security in general a part of the
company culture will allow companies to trust that their
employees are doing their best every day to make the
security of the company's applications and its data a top
priority. We will explore the tools and processes necessary
to implement this ABC approach to application security in
the cloud.
Macro trends in Cloud security
Source: ISSA
Micro trends in Cloud security
Source: ISSA
Source: Tagore (TokenEx partner)
A Framework for Hybrid Cloud
Diagram: public cloud, private cloud and on-premises tiers.
Source: 451 Research
Portable Applications for Hybrid Cloud
Source: 451 Research
Security for Microservices
Source: Gartner
Products Delivering API Security
Source: Gartner
Machine Learning
Machine learning is the latest buzzword for stopping zero-day
attacks, but what is it and how does it work in preventing
threats? This session will look at what machine learning is,
and is not, and how it is used to identify and stop
threats. It will provide examples of how machine learning
is used in threat protection tools today and how it is
expected to evolve in the future. This session will also take
a look at the limitations of machine learning and how
hackers are using it to fine-tune their attacks.
Machine Learning (figures; Source: 451 Research)
Machine Learning – Swarm AI
ML – Swarm AI – Avatar
Zero Trust
The Zero Trust approach ‘never trust, always verify’ can be a
game changer that significantly streamlines and strengthens IT
security across the modern hybrid enterprise, but only if it's done
right. There are dozens of Zero Trust data, microsegmentation and
identity solutions being pushed to fight the bad guys once they get
past your firewall, but what about keeping the bad guys out in the
first place? That's where Zero Trust access comes in. This session
focuses on how organizations can use Zero Trust access to more
effectively protect their attack surface:
• How to evaluate what is wrong with their current security environment
• Cutting through vendor hype to find a Zero Trust approach that works
• Why identity alone is not enough to manage access, contrary to some industry claims
• How Zero Trust access takes the burden off the shoulders of end users, providing a more secure way to access the resources they need to do their jobs from wherever they are working
• The role least-privileged access plays in more securely managing mobility by understanding a user's method and context of access
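Added worked example (not code from the ISSA session or from any vendor): a small Python access-decision function that applies the two points above, least privilege by role and "identity alone is not enough". The users, roles, resources, device attributes and the step-up rule are constructed assumptions; the point it demonstrates is that a fully verified identity on an unmanaged or unpatched device does not earn the same access as the same identity on a healthy managed device.

```python
"""Zero Trust access decision: identity is necessary but not sufficient.

Added illustration for the session abstract above; not code from the
session or from any vendor. Every attribute, role, resource and threshold
below is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    authenticated: bool     # identity verified, e.g. a valid SSO assertion
    mfa: bool               # a strong second factor was presented
    device_managed: bool    # device is enrolled and its posture is known
    device_patched: bool    # posture check passed (OS and agent current)
    network: str            # "corp", "vpn" or "internet"
    resource: str
    action: str             # "read" or "write"


# Constructed least-privilege policy: role -> resource -> permitted actions.
ROLE_PERMISSIONS = {
    "analyst": {"ledger": {"read"}},
    "admin": {"ledger": {"read", "write"}, "hr": {"read", "write"}},
}
USER_ROLES = {"alice": "analyst", "bob": "admin"}
SENSITIVE = {"hr", "ledger"}


def decide(req: AccessRequest) -> tuple:
    """Return (decision, reasons) with decision in {"allow", "step-up", "deny"}.

    Identity is checked first, then least privilege, then the context a
    perimeter firewall never sees once the user is "inside": device state
    and network. A valid login on an unmanaged box does not get through.
    """
    if not req.authenticated:
        return "deny", ["identity not verified"]

    role = USER_ROLES.get(req.user)
    permitted = ROLE_PERMISSIONS.get(role, {}).get(req.resource, set())
    if req.action not in permitted:
        return "deny", [f"role {role!r} may not {req.action} {req.resource}"]

    context_problems = []
    if not req.device_managed:
        context_problems.append("unmanaged device")
    if not req.device_patched:
        context_problems.append("device failed posture check")
    if req.network == "internet" and not req.mfa:
        context_problems.append("off-network access without MFA")

    if not context_problems:
        return "allow", ["identity, role and context verified"]
    # Degraded context: writes to sensitive data are refused outright;
    # reads may proceed after step-up (MFA re-prompt or device enrolment).
    if req.resource in SENSITIVE and req.action == "write":
        return "deny", context_problems
    return "step-up", context_problems


if __name__ == "__main__":
    for r in (
        AccessRequest("bob", True, True, True, True, "corp", "ledger", "write"),
        AccessRequest("bob", True, False, False, True, "internet", "ledger", "write"),
        AccessRequest("alice", True, True, False, True, "vpn", "ledger", "read"),
        AccessRequest("alice", True, True, True, True, "corp", "ledger", "write"),
    ):
        print(r.user, r.action, r.resource, "->", decide(r))
```

The ordering of checks is the design point: a request from an admin whose identity and MFA are fine still ends in "deny" for a sensitive write when the device is unmanaged, which is exactly the case a firewall-centric design would have let through once the user was on the network.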
The Supply Chain
Vendors may support integral day-to-day operations of a
company or have access to critical and sensitive data.
However, the same vendors relied on by companies can
quickly become their greatest cyber threat. This
presentation will help participants understand the
importance of comprehensive vendor management
programs and how to successfully implement one. The
topics covered will include assessing contractual provisions
in vendor agreements, performing due diligence on
vendors, managing issues around data sharing and
confidentiality, risk identification and assessment,
information security standards, data breach response and
more.
Crypto Hygiene 101
What does ‘secure' even mean??? In cryptology, security is
a function of time relative to your acceptable threshold for
data loss or theft prevention. And cryptography itself is the
absolute foundation to WHAT you're protecting and HOW
it's being protected. The past, present and future of data
protection is dependent upon a proper understanding of
crypto-hygiene and practice. Join us in this entertaining
but educational session on Crypto-Hygiene 101 to learn
what buying a new toothbrush and picking the right
conditioner have to do with protecting your organizations'
most sensitive data. Through real-world examples from
historical incidents we will demonstrate some of the
common challenges associated with encryption-based
solutions. Our presentation will be rounded-out by
practical recommendations that can be put to use TODAY
to enact proper crypto hygiene and ultimately deliver
more confidentiality, availability and integrity for an
organization's most critical systems and information.
Insider Threats
Because we know that at least two-thirds – and perhaps as much as 80 percent – of all
data security incidents are the result of privileged user negligence or deliberate bad action,
information security professionals must focus more than ever before on monitoring and
limiting the access of insiders to the enterprise's data. Both human factors and automated
processes must be used in concert to lower this increasing risk. This seminar will discuss both
types of controls that, when used together, provide a more effective solution to insider
threat: detection of malicious outsiders, insiders who have gone rogue, and otherwise
benevolent users whose credentials may have been stolen. Role-based access,
combined with the increased use of human intelligence and technology capable of
creating a digital behavioral fingerprint for every authorized user, can more easily identify
anomalies in user activity and alert leadership when there are deviations from normal
behavior.
Metrics that Matter
Historically security metrics have not provided the value to
executives to understand the security return on
investment and the effectiveness in reducing risk. We will
cover previous challenges of metrics as well as identifying
methods to improve overall communication on the status
of your program.
Examples of metrics include:
• Capability Metrics: defining security capabilities, tracking performance bands, reporting on exceptions
• Operational Metrics: Time to Detect, Time to Investigate, Time to Respond, and Time to Mitigate
• User Metrics: touch points from security to employees, phishing results; learn how to improve metrics through playbook automation and machine learning
• Technology Value Metrics: how to determine whether a tool is operating up to expectation
Black Box Blues
Increasingly, technology is becoming a black box to even
the most technically savvy among us. Machine learning
and big data analytics are beyond our comprehension by
design, while others like some blockchain implementations
elude the grasp of all but a select few. And still other
applications are protected as trade secrets and we are not
even given a chance to examine their inner workings. This
session will explore how to navigate the challenges of
evaluating and auditing such complex technologies for
important attributes such as effectiveness and bias both
for your own benefit and the benefit of less technical
business and management stakeholders.
Emerging Application and Data
Protection for Multi-Cloud
Personal data privacy will be the most prominent issue affecting how
businesses gather, store, process, and disclose data in public cloud.
Businesses have been inundated with information on what recent
privacy laws like GDPR and CCPA require, but many are still trying to
figure out how to comply with them on a practical level.
Many companies are focusing on data privacy from the legal and
security side, which are foundational, but are missing the focus on
data.
The good news is that these data privacy regulations compel
businesses to get a handle on personal data - how they get it, where
they get it from, which systems process it, where it goes internally and
externally, etc.
In other words, the new norms of data privacy require proactive data
management, which enables organizations to extract real business
value from their data, improve the customer experience, streamline
internal processes, and better understand their customers.
The new Verizon Data Breach Investigations Report (DBIR) provides
perspectives on how criminals simply shift their focus and adapt their
tactics to locate and steal the data they find to be of most value.
This session will discuss Emerging Application and Data Protection for
Multi-cloud and review Differential privacy, Tokenization,
Homomorphic encryption, and Privacy-preserving computation (Multi
Party Computation).
Enterprises Losing Ground Against Cyber-attacks
• Verizon Data Breach Investigations Report
  • Enterprises are losing ground in the fight against persistent cyber-attacks
  • We simply cannot catch the bad guys until it is too late. This picture is not improving
  • Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools
• JP Morgan Chase data breach
  • Hackers were in the bank’s network for months undetected
  • Network configuration errors are inevitable, even at the largest banks
• Capital One data breach
  • A hacker gained access to 100 million credit card applications and accounts
  • The data was hosted on Amazon Web Services, the cloud provider Capital One was using
• Facebook privacy breaches
  • According to the press, the FTC approved a settlement imposing a fine of roughly $5 billion for the privacy breaches committed by Facebook
  • The US Justice Department still needs to approve the settlement, but it rarely rejects settlements reached by the agency
• Imperva breach
  • A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts
The Day When 3rd Party Security Providers Disappear into Cloud
Diagram: the security functions that enterprises buy from third-party providers and run on-premises today
• WAF
• SIEM
• Firewall
• Encryption
• Tokenization
• Key Management
• AV – Anti Virus
• Network Sec
are shown moving from on-premises into the public cloud / multi-cloud platform.
Example pricing: 10% of on-premises alternatives
Data Protection for Multi-cloud
Diagram series (slides 35 to 40): the same third-party controls (WAF, SIEM, Firewall, Encryption, Tokenization, Key Management, AV – Anti Virus, Network Sec) are crossed out as they become part of the public cloud / multi-cloud platform. What remains the user's responsibility:
1. User Identity Management
2. Application Security
3. Data Security
Later slides in the series add:
• Emerging industry standards at the cloud platform layer
• Security inside the application, container security, …
• Data tokenization / encryption with security separation between the secure cloud and the application cloud (vendor label shown: Armor.com)
• Personally identifiable information (PII) from administrators, remote users and internal users passing through a Cloud Encryption Gateway (CASB) before it reaches the cloud
• A payment flow in which the payment application, payment systems and remote/internal users handle data tokens, while the real card data goes only to the payment network
Risk Adjusted Computation
Chart: deployment options placed on two axes, risk elasticity (in-house to out-sourced) against compute cost (high to low): on-premises system, on-premises private cloud, hosted private cloud, public cloud.
Threat actors in breaches over time
Source: Verizon 2019 DBIR (data-breach-investigations-report)
Term clusters in criminal forum and marketplace posts
Source: Verizon 2019 DBIR (data-breach-investigations-report)
Privacy Rights and Regulations (Forrester Research)
Source: Forrester
New Privacy Regulations Emerge Globally
• 1970: the German state of Hesse passed the first data protection law in the world
• Sweden: the Data Act (Datalagen), the first national data protection law, went into effect in 1974 and required licences from the Swedish Data Protection Authority (Datainspektionen) for information systems handling personal data
• The New York Privacy Act was introduced in 2019
• India is in the process of passing a comprehensive data protection bill that would include GDPR-like requirements
• Japan is ready to implement changes to domestic legislation to strengthen privacy protection in the country
• Brazil has passed a comprehensive data protection regulation (LGPD) similar to GDPR
• Finland's revamped Data Protection Act
EU General Data Protection Regulation (GDPR)
• What is Personal Data according to GDPR?
Article 4 – Definitions
• (1) ‘personal data’ means any information relating to an identified or identifiable natural person
• (5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures
Privacy Fines
• In 2019 the UK ICO announced its intention to fine British Airways £183 million for its 2018 data breach, followed by a £99 million notice of intent against the Marriott International hotel chain.
• French data protection regulator CNIL fined Google €50 million in 2019.
• Some companies narrowly avoided a GDPR-scale fine because their data incident occurred prior to GDPR's implementation date.
• Both Equifax and Facebook received the maximum fine possible, £500,000, under the previous Data Protection Act 1998.
• In 2019, Facebook settled with the Federal Trade Commission in the United States over privacy violations, a settlement that required the social network to pay $5 billion.
CCPA Redefines Personal Data
• According to “PI Vs PII: How CCPA Redefines What Is Personal Data” at
[2] the CCPA definition “creates the potential for extremely broad legal
interpretation around what constitutes personal information, holding
that personal information is any data that could be linked with a
California individual or household.”
• CCPA states that “‘Personal information’ means information that
identifies, relates to, describes, is capable of being associated with, or
could reasonably be linked, directly or indirectly, with a particular
consumer or household.”
• This goes well beyond data that is obviously associated with an
identity, such as name, birth date, or social security number, which is
traditionally regarded as PII.
• It’s ultimately this “indirect” information–such as product preference or
geolocation data that is material since it is much more difficult to
identify it and connect it with a person than well-structured personally
identifiable information
EU General Data Protection Regulation (GDPR)
Source: IBM
Diagram: Encryption and Tokenization as Security by Design controls
GDPR and California Consumer Privacy Act (CCPA)
A Cross Border Data-centric Security project
Diagram: data sources feeding a data warehouse in Italy, with complete policy-enforced de-identification of sensitive data across all bank entities.
How Should I Secure Different Types of Data?
Matrix: type of data (structured / un-structured) against use case (simple to complex).
• Data classes shown: PCI (card holder data), PHI (protected health information), PII (personally identifiable information)
• Techniques shown: tokenization of fields, encryption of files
Business utility versus security level of different data protection techniques
Chart: data utility (min to max) against data security (min to max) for minimization, devaluation/pseudonymisation/tokenization, data hashing/masking and encryption.
Business Value from Data
• User Productivity, Creativity and Data Access
Chart: access to data (low to high) against user productivity (low to high). Clear data sits in the high risk exposure region; tokens sit in the low exposure region at the same level of access.
Total Cost and Risk of Tokenization
Example: 50% lower total cost
On-premises tokenization
• Limited PCI DSS scope reduction – must still maintain a CDE with PCI data
• Higher risk – sensitive data still resident in environment
• Associated personnel and hardware costs
Cloud-based tokenization
• Significant reduction in PCI DSS scope
• Reduced risk – sensitive data removed from the environment
• Platform-focused security
• Lower associated costs – cyber insurance, PCI audit, maintenance
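Added worked example in Python (not TokenEx's or any vendor's code): a vault-based tokenizer for card numbers, the mechanism behind the PCI DSS scope reduction described above and the GDPR Article 4(5) notion of pseudonymisation, where the token-to-PAN map is the "additional information kept separately". The vault is an in-memory dict, the index key is a constructed stand-in for an HSM- or KMS-held key, and the PAN is a standard test number. Two design choices are added deliberately: the token keeps the PAN's length and last four digits so "ending in 1111" displays still work without cardholder data, and the token is never Luhn-valid, so it cannot be mistaken for or collide with a real card number.

```python
"""Vault-based tokenization of a primary account number (PAN).

Added example, not TokenEx's or any vendor's code. The vault is an
in-memory dict and the PAN is a standard test number. The token keeps
the PAN's length and last four digits, is never Luhn-valid, and the
PAN->token index is a keyed hash so the vault never stores the clear PAN
as a lookup key. The reverse map is the secret that makes this reversible.
"""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Tokenizing service. Only this component ever sees clear PANs."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._index_to_token = {}   # HMAC(PAN) -> token
        self._token_to_pan = {}     # token -> PAN (the secret mapping)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        idx = self._index(pan)
        if idx in self._index_to_token:        # same PAN -> same token
            return self._index_to_token[idx]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that could pass as a card number or that is
            # already issued; about 1 in 10 random candidates is Luhn-valid,
            # so this loop is short.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._index_to_token[idx] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Reversal is the privileged operation; callers must be authorised."""
        return self._token_to_pan[token]


def demo():
    vault = TokenVault(index_key=b"constructed-demo-key")   # would be an HSM/KMS key
    pan = "4111111111111111"                                # well-known test PAN
    token = vault.tokenize(pan)
    return pan, token, vault.detokenize(token)
```

Everything outside the `TokenVault` (the application, logs, analytics, the cloud tenant) handles only tokens; that is the "sensitive data removed from the environment" bullet above. A vault-less scheme would replace the dict with a keyed, format-preserving transform so no mapping table has to be replicated, at the cost of the key becoming the single thing to protect.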
Privacy enhancing data de-identification terminology and classification of techniques
• De-identification techniques
  • Tokenization: vault-based tokenization, vault-less tokenization
  • Cryptographic tools: format preserving encryption, homomorphic encryption
  • Suppression techniques: masking, hashing
• Formal privacy measurement models
  • Differential privacy: server model, local model
  • K-anonymity model: L-diversity, T-closeness
Mapping of data security and privacy techniques to on-premises, public, and private clouds
Table columns include: data warehouse (centralized, distributed), on-premises, public cloud, private cloud. Vault-less tokenization, masking, hashing, both differential privacy models and both k-anonymity refinements are marked applicable in every column; format preserving encryption in all but one; vault-based tokenization and homomorphic encryption in only two.
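Added worked example in Python (not from the ISSA deck or from ISO/IEC 20889) for the K-anonymity branch of the classification above: it generalizes quasi-identifiers (a suppression technique), then measures k-anonymity, l-diversity and t-closeness on the result. The six patient records are constructed. The point it shows is the gap between the three measures: the generalized table is 2-anonymous, yet one equivalence class has l = 1, so every member of that class is known to share the same diagnosis.

```python
"""k-anonymity, l-diversity and t-closeness measured on a small table.

Added example for the classification above; not from the ISSA deck or
ISO/IEC 20889. The six patient records are constructed. Quasi-identifiers
(age, zip) are generalized into bands and zip prefixes; the sensitive
attribute (diagnosis) is left as is, which is exactly where l-diversity
and t-closeness catch what k-anonymity alone misses.
"""
from collections import Counter, defaultdict

# Constructed sample: every row is unique on (age, zip), so k = 1 as released.
RECORDS = [
    {"age": 34, "zip": "10021", "diagnosis": "flu"},
    {"age": 37, "zip": "10025", "diagnosis": "bronchitis"},
    {"age": 41, "zip": "10034", "diagnosis": "flu"},
    {"age": 48, "zip": "10039", "diagnosis": "diabetes"},
    {"age": 52, "zip": "02115", "diagnosis": "hepatitis"},
    {"age": 55, "zip": "02118", "diagnosis": "hepatitis"},
]
QUASI_IDENTIFIERS = ("age", "zip")


def generalize(rec: dict, age_width: int = 10, zip_digits: int = 3) -> dict:
    """Suppression technique: coarsen age to a band and zip to a prefix."""
    lo = rec["age"] // age_width * age_width
    zipcode = rec["zip"]
    return {
        **rec,
        "age": f"{lo}-{lo + age_width - 1}",
        "zip": zipcode[:zip_digits] + "*" * (len(zipcode) - zip_digits),
    }


def equivalence_classes(records, qi):
    """Group records sharing the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[a] for a in qi)].append(r)
    return groups


def k_anonymity(records, qi) -> int:
    """k = size of the smallest equivalence class."""
    return min(len(g) for g in equivalence_classes(records, qi).values())


def l_diversity(records, qi, sensitive) -> int:
    """l = fewest distinct sensitive values in any class (1 = homogeneity attack)."""
    return min(len({r[sensitive] for r in g})
               for g in equivalence_classes(records, qi).values())


def t_closeness(records, qi, sensitive) -> float:
    """t = largest total-variation distance between a class's sensitive-value
    distribution and the whole table's; small t means a class reveals little."""
    overall = Counter(r[sensitive] for r in records)
    n = len(records)
    worst = 0.0
    for g in equivalence_classes(records, qi).values():
        local = Counter(r[sensitive] for r in g)
        dist = 0.5 * sum(abs(local[v] / len(g) - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return worst


def suppress_small_classes(records, qi, k: int):
    """Drop records whose class is smaller than k so the release is k-anonymous."""
    return [r for g in equivalence_classes(records, qi).values() if len(g) >= k for r in g]


def report(records=RECORDS, qi=QUASI_IDENTIFIERS, sensitive="diagnosis"):
    generalized = [generalize(r) for r in records]
    return {
        "k_raw": k_anonymity(records, qi),
        "k_generalized": k_anonymity(generalized, qi),
        "l_generalized": l_diversity(generalized, qi, sensitive),
        "t_generalized": t_closeness(generalized, qi, sensitive),
    }
```

On the sample, `report()` gives k = 1 for the raw table and k = 2 after generalization, but l = 1 and t = 2/3 because the 50-59 / 021** class is all hepatitis. Fixing that means coarser generalization, suppression of the class, or refusing to release the sensitive column for it; k alone would have declared the table fine.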
Encryption and Privacy Models
Source: INTERNATIONAL STANDARD
ISO/IEC 20889
Format Preserving Encryption (FPE), Homomorphic Encryption (HE) and Multi Party Computation (MPC)
Homomorphic Encryption (HE) diagram: clear values D1 and D2 are each encrypted (HE Enc) under a protected key; an "untrusted party" (the MPC setting) computes Oper(Enc_D1, Enc_D2) directly on the two ciphertexts; decrypting the result (HE Dec) yields the clear result of the operation (shown as 12) without the untrusted party ever seeing D1 or D2.
Format Preserving Encryption (FPE) diagram: the clear value 123 encrypts (FPE Enc) under protected keys to 897, a ciphertext with the same length and character set, and FPE Dec returns 123.
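Added worked example in Python of the HE diagram above, using the Paillier cryptosystem, which is additively homomorphic: multiplying two ciphertexts gives a ciphertext of the sum, so the untrusted party's Oper(Enc_D1, Enc_D2) needs no key. This is not code from ISO/IEC 20889 or any vendor. The two primes are hard-coded toy values so the demo is reproducible; they give no real security, and a real deployment would use 2048-bit or larger moduli.

```python
"""Additively homomorphic encryption (Paillier), as an added worked example.

Implements the HE diagram above: D1 and D2 are encrypted, an untrusted
party multiplies the ciphertexts without any key, and decryption returns
D1 + D2. Toy 20-bit primes are hard-coded so the demo is reproducible;
they give no real security. Not code from ISO/IEC 20889 or any vendor.
"""
import math
import secrets

P, Q = 1000003, 1000033   # small primes, chosen for the demo only


def keygen(p: int = P, q: int = Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    g = n + 1                                           # standard choice of generator
    # mu = L(g^lambda mod n^2)^-1 mod n with L(x) = (x - 1) // n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with fresh random r; same m gives different c."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    n2 = n * n
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """The untrusted party's Oper(Enc_D1, Enc_D2): Enc(D1) * Enc(D2) = Enc(D1 + D2)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """Enc(D)^k = Enc(k * D): multiplication by a public constant, no key needed."""
    n, _ = pub
    return pow(c, k, n * n)


def demo(d1: int = 5, d2: int = 7):
    pub, priv = keygen()
    c1, c2 = encrypt(pub, d1), encrypt(pub, d2)
    total = decrypt(pub, priv, add_encrypted(pub, c1, c2))
    tripled = decrypt(pub, priv, scale_encrypted(pub, c1, 3))
    return total, tripled
```

`demo()` returns (12, 15): the key holder learns 5 + 7 and 3 * 5 while the party that did the arithmetic saw only ciphertexts. Two limits worth noting: Paillier supports addition and multiplication by a constant only (products of two encrypted values need a different scheme), and arithmetic wraps modulo n, so the plaintext range has to be budgeted up front.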
Encryption and Privacy Models
Source: INTERNATIONAL STANDARD ISO/IEC 20889
Differential Privacy (Google, Apple) and k-Anonymity Model
Differential Privacy (DP) diagram: a curator (examples: Apple and Google) sits between the clear database and the consumer; a filter adds noise so that only protected answers leave.
k-Anonymity model diagram: a cleanser filter transforms the clear records so that the protected database contains no record distinguishable from fewer than k others.
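Added worked example in Python of both differential privacy models named in the classification above: the local model (randomized response, the mechanism family behind the Apple- and Google-style telemetry the slide cites) and the server model (a curator releasing a Laplace-noised count). It is not Apple's or Google's code and not text from ISO/IEC 20889; the survey population, epsilon values and seeds are constructed.

```python
"""Differential privacy: local model (randomized response) and server
model (Laplace-noised count), as an added example for the diagram above.

Not Apple's or Google's code and not text from ISO/IEC 20889; it shows the
mechanism type those deployments are built on. The survey population and
epsilon values are constructed.
"""
import math
import random


def truth_probability(epsilon: float) -> float:
    """p = e^eps / (e^eps + 1): the chance a client reports its true bit.
    For either report value, P(report | bit=1) / P(report | bit=0) = p/(1-p)
    = e^eps, which is the eps-DP guarantee, enforced before data leaves the device."""
    return math.exp(epsilon) / (math.exp(epsilon) + 1)


def randomize(bit: int, epsilon: float, rng: random.Random) -> int:
    """Local model, client side: report the truth with probability p, else flip."""
    return bit if rng.random() < truth_probability(epsilon) else 1 - bit


def estimate_fraction(reports, epsilon: float) -> float:
    """Curator side: invert the expected bias. E[observed] = f*p + (1-f)*(1-p),
    so f = (observed - (1-p)) / (2p - 1). Unbiased, but noisier as eps shrinks."""
    p = truth_probability(epsilon)
    observed = sum(reports) / len(reports)
    return (observed - (1 - p)) / (2 * p - 1)


def laplace_count(true_count: int, epsilon: float, rng: random.Random) -> float:
    """Server model: a trusted curator holds the clear data and releases a
    count plus Laplace(0, 1/eps) noise; a count has sensitivity 1, so this
    is eps-DP. Laplace noise is sampled as the difference of two exponentials."""
    noise = rng.expovariate(epsilon) - rng.expovariate(epsilon)
    return true_count + noise


def simulate_local(n_clients: int = 50000, true_fraction: float = 0.3,
                   epsilon: float = 1.0, seed: int = 0) -> float:
    """Constructed survey: the first true_fraction of clients hold a 1."""
    rng = random.Random(seed)
    n_ones = round(n_clients * true_fraction)
    truth = [1 if i < n_ones else 0 for i in range(n_clients)]
    reports = [randomize(b, epsilon, rng) for b in truth]
    return estimate_fraction(reports, epsilon)


def simulate_server(true_count: int = 1000, epsilon: float = 1.0, seed: int = 2) -> float:
    """Constructed release of one count by a trusted curator."""
    return laplace_count(true_count, epsilon, random.Random(seed))
```

The two models differ in who is trusted: in the local model the curator never holds a truthful bit, so a breach of the collection server leaks nothing beyond the noisy reports, while the server model assumes the curator is trusted with the clear database and only the published outputs are protected. Lowering epsilon strengthens both guarantees at the cost of variance, which is why the local-model estimate needs tens of thousands of reports to be useful.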
Best Data Security Software (G2 Crowd Grid)
Thank you!
ulf@ulfmattsson.com
www.tokenex.com

More Related Content

What i learned at issa international summit 2019

  • 1. What I Learned at ISSA International Summit 2019 Ulf Mattsson, TokenEx
  • 2. 2ISSA International • Over the last 30 years ISSA international has grown into the global community of choice for international cybersecurity professionals. • With over 100 domestic and international chapters, members have worldwide support with daily cyber threats that are becoming increasingly intricate and difficult to prevent, detect, and remediate. • No cyber security professional can become an expert on all these challenges without continuously educating themselves on the industry’s latest trends, technologies, and solutions.
  • 3. Ulf Mattsson  Head of Innovation at TokenEx  Chief Technology Officer at Protegrity  Chief Technology Officer at Atlantic BT Security Solutions  Chief Technology Officer at Compliance Engineering  Developer at IBM Research and Development  Inventor of 70+ issued US patents  Provided products and services for  Data Encryption and Tokenization,  Data Discovery,  Robotics, ERP, CRM in Manufacturing,  Cloud Application Security Broker,  Web Application Firewall,  Managed Security Services,  Security Operation Center,  Benchmarking/Gap-analysis ISSA International 3
  • 5. Cybersecurity in the 21st Century ISSA International 5 Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. His publications include Federal Information Processing Standards (FIPS) 199 (security categorization), FIPS 200 (security requirements), and NIST Special Publication (SP) 800-39 (enterprise risk management), SP 800-53 (security and privacy controls), SP 800-53A (security assessment), SP 800-37 (Risk Management Framework), SP 800-30 (risk assessment), SP 800-160 Volumes 1 and 2 (systems security engineering and cyber resiliency), SP 800-171 (security requirements for nonfederal systems and organizations), and SP 800-171A (security assessments for nonfederal organizations).
  • 6. Cybersecurity in the 21st Century ISSA International 6
  • 7. Moving a Bank to Cloud ISSA International 7 The gotchas, surprises, lessons learned, and resulting strategic changes are presented to raise awareness and prevent future mistakes by attendees.
  • 9. Securing Cloud Workloads – Greatest Increase in Spending
  • 10. Shared responsibili ties across cloud service models Source: Microsoft Data Protection for Multi-cloud ISSA International 10
  • 11. Applications and Cloud ISSA International 11 This session will explore how companies can achieve continuous security and compliance for their applications in the public cloud. We will cover how application security is as easy as learning your ABCs. You will learn how to stay ahead of the latest application architectures such as serverless and containerization. By bringing application security earlier into the DevOps SDLC we will explore how companies can decrease their risk. And lastly, making application security and security in general a part of the company culture will allow companies to trust that their employees are doing their best every day to make the security of the company's applications and its data a top priority. We will explore the tools and processes necessary to implement this ABC approach to application security in the cloud.
  • 12. Macro trends in Cloud security Source: ISSA ISSA International 12
  • 13. Micro trends in Cloud security Source: ISSA ISSA International 13
  • 14. Source: Tagore (TokenEx partner) ISSA International 14 A Framework for Hybrid Cloud PublicCloud PrivateCloud On-premices
  • 15. Source: 451 Research ISSA International 15 Portable Applications for Hybrid Cloud
  • 16. Source: 451 Research ISSA International 16 Portable Applications for Hybrid Cloud
  • 18. Products Delivering API Security Source: GartnerISSA International 18
  • 19. Machine Learning ISSA International 19 Machine learning is the latest buzzword for stopping zero- day attacks but what is it and how do it work in preventing threats? This session will look at what machine learning is, and is not, and how it is used to identifying and stop threats. It will provide examples of how machine learning is used in threat protection tools today and how it is expected to evolve in the future. This session will also take a look at the limitations of machine learning and how hackers are using it to fine tune their attacks.
  • 24. Machine Learning – Swarm AI ISSA International 24
  • 25. ML – Swarm AI - Avatar ISSA International 25
  • 26. Zero Trust ISSA International 26 The Zero Trust approach ‘never trust, always verify' can be a gamechanger that significantly streamlines and strengthens IT security across the modern hybrid enterprise, but only if it's done right. There are dozens of Zero Trust data, microsegmentation and identity solutions being pushed to fight the bad guys once they get past your firewall, but what about keeping the bad guys out in the first place? That's where Zero Trust access comes in. This session focuses on how organizations can use Zero Trust access to more effectively protect their attack surface: How to evaluate what is wrong with their current security environment Cutting through vendor hype to find a Zero Trust approach that works Why identity alone is not enough to manage access, contrary to some industry claims How Zero Trust access takes the burden off the shoulders of end users, providing a more secure way to access resources they need to do their jobs from wherever they are working The role least-privileged access plays in more securely managing mobility by understanding a user's method and context of access
  • 27. The Supply Chain ISSA International 27 Vendors may support integral day-to-day operations of a company or have access to critical and sensitive data. However, the same vendors relied on by companies can quickly become their greatest cyber threat. This presentation will help participants understand the importance of comprehensive vendor management programs and how to successfully implement one. The topics covered will include assessing contractual provisions in vendor agreements, performing due diligence on vendors, managing issues around data sharing and confidentiality, risk identification and assessment, information security standards, data breach response and more.
  • 28. Crypto Hygiene 101 ISSA International 28 What does ‘secure' even mean??? In cryptology, security is a function of time relative to your acceptable threshold for data loss or theft prevention. And cryptography itself is the absolute foundation to WHAT you're protecting and HOW it's being protected. The past, present and future of data protection is dependent upon a proper understanding of crypto-hygiene and practice. Join us in this entertaining but educational session on Crypto-Hygiene 101 to learn what buying a new toothbrush and picking the right conditioner have to do with protecting your organizations' most sensitive data. Through real-world examples from historical incidents we will demonstrate some of the common challenges associated with encryption-based solutions. Our presentation will be rounded-out by practical recommendations that can be put to use TODAY to enact proper crypto hygiene and ultimately deliver more confidentiality, availability and integrity for an organization's most critical systems and information.
  • 29. Insider Threats ISSA International 29 Because we know that at least two-thirds – and perhaps as much as 80 percent – of all data security incidents are the result of privileged user negligence or deliberate bad action, information security professionals must focus more than ever before on monitoring and limiting the access of insiders to the enterprise's data. Both human factors and automated process must be used in concert to lower this increasing risk. This seminar will discuss both types of controls that, when used together, provide a more effective solution to insider threat. This allows detection of malicious outsiders and insiders who have gone rogue or possibly benevolent users whose credentials may have been stolen. Role-based access, combined with the increased use of human intelligence and technology capable of creating a digital behavioral fingerprint for every authorized user, can more easily identify anomalies in user activity and alert leadership when there are deviations from normal behavior.
  • 30. Metrics that Matter ISSA International 30 Historically security metrics have not provided the value to executives to understand the security return on investment and the effectiveness in reducing risk. We will cover previous challenges of metrics as well as identifying methods to improve overall communication on the status of your program. Examples of metrics include: Capability Metrics – Defining security capabilities, tracking performance bands, reporting on exceptions Operational Metrics: Time to Detect, Time to investigate, Time to Respond, and Time to Mitigate User Metrics: Touch points from security to employees, phishing results, learn how to improve metrics through playbook automation and machine learning. Technology Value Metrics: How to determine if this tool is operating up to expectation?
  • 31. Black Box Blues ISSA International 31 Increasingly, technology is becoming a black box to even the most technically savvy among us. Machine learning and big data analytics are beyond our comprehension by design, while others like some blockchain implementations elude the grasp of all but a select few. And still other applications are protected as trade secrets and we are not even given a chance to examine their inner workings. This session will explore how to navigate the challenges of evaluating and auditing such complex technologies for important attributes such as effectiveness and bias both for your own benefit and the benefit of less technical business and management stakeholders.
  • 32. Emerging Application and Data Protection for Multi-Cloud Personal data privacy will be the most prominent issue affecting how businesses gather, store, process, and disclose data in public cloud. Businesses have been inundated with information on what recent privacy laws like GDPR and CCPA require, but many are still trying to figure out how to comply with them on a practical level. Many companies are focusing on data privacy from the legal and security side, which are foundational, but are missing the focus on data. The good news is that these data privacy regulations compel businesses to get a handle on personal data - how they get it, where they get it from, which systems process it, where it goes internally and externally, etc. In other words, the new norms of data privacy require proactive data management, which enables organizations to extract real business value from their data, improve the customer experience, streamline internal processes, and better understand their customers. The new Verizon Data Breach Investigations Report (DBIR) provides perspectives on how Criminals simply shift their focus and adapt their tactics to locate and steal the data they find to be of most value. This session will discuss Emerging Application and Data Protection for Multi-cloud and review Differential privacy, Tokenization, Homomorphic encryption, and Privacy-preserving computation (Multi Party Computation). ISSA International 32
  • 33. Enterprises Losing Ground Against Cyber-attacks
    - Verizon Data Breach Investigations Report
      - Enterprises are losing ground in the fight against persistent cyber-attacks
      - We simply cannot catch the bad guys until it is too late. This picture is not improving
      - Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools
    - JP Morgan Chase data breach
      - Hackers were in the bank’s network for months undetected
      - Network configuration errors are inevitable, even at the largest banks
    - Capital One data breach
      - A hacker gained access to 100 million credit card applications and accounts
      - Amazon Web Services, the cloud hosting company that Capital One was using
    - Facebook privacy breaches
      - And – according to the press – they now approved a settlement providing a fine of roughly $5 billion for the privacy breaches committed by Facebook.
      - The US Justice Department still needs to approve the settlement, but it rarely rejects settlements reached by the agency.
    - Imperva breach
      - A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS)
  • 34. The Day When 3rd Party Security Providers Disappear into Cloud (diagram: the on-premises security stack of WAF, SIEM, Firewall, Encryption, Tokenization, Key Management, AV – Anti Virus and Network Sec moving into Public Cloud / Multi-cloud; example pricing: 10% of on-premises alternatives)
  • 35. Data Protection for Multi-cloud ISSA International 35 (diagram: the same stack of WAF, SIEM, Firewall, Encryption, Tokenization, Key Management, AV – Anti Virus and Network Sec now provided in Public Cloud / Multi-cloud; remaining user responsibilities: 1. User Identity Management, 2. Application Security, 3. Data Security)
  • 36. Data Protection for Multi-cloud ISSA International 36 (diagram as on slide 35, with Emerging Industry Standards marked against the remaining user responsibilities: User Identity Management, Application Security, Data Security)
  • 37. Data Protection for Multi-cloud ISSA International 37 (diagram as on slide 35, highlighting Application Security: security inside the application, container security, …)
  • 38. Data Protection for Multi-cloud ISSA International 38 (diagram as on slide 35, highlighting Data Security: data tokenization / encryption, secure cloud, security separation; labelled Armor.com)
  • 39. Data Protection for Multi-cloud ISSA International 39 (diagram: personally identifiable information (PII) from Administrator, Remote User and Internal User passing through a Cloud Encryption Gateway (CASB) before reaching the cloud; data tokenization / encryption, secure cloud, security separation; labelled Armor.com)
  • 40. Data Protection for Multi-cloud ISSA International 40 (diagram: Remote User and Internal User reaching a Payment Application; data tokens flow between the Payment Application, Payment Systems and the Payment Network; data tokenization / encryption, secure cloud; labelled Armor.com)
  • 41. Risk Adjusted Computation (chart: Risk Elasticity; deployment options from In-house to Out-sourced: On-premises system, On-premises Private Cloud, Hosted Private Cloud, Public Cloud; axes labelled Low / High and Compute Cost High / Low)
  • 42. Threat actors in breaches over time Source: Verizon 2019 DBIR, data-breach-investigations-report
  • 43. Source: Verizon 2019 DBIR, data-breach-investigations-report Term clusters in criminal forum and marketplace posts
  • 44. Privacy Rights and Regulations (Forrester Research) Source: Forrester
  • 45. New Privacy Regulations Emerge Globally ISSA International 45
    - 1970: Germany passed the first national data protection law, the first data protection law in the world
    - Sweden: The Data Act, a national data protection law, went into effect in 1974 and required licenses from the Swedish Data Protection Authority for information systems handling personal data
    - The New York Privacy Act was introduced in 2019
    - India is in the process of passing a comprehensive data protection bill that would include GDPR-like requirements
    - Japan is ready to implement changes to domestic legislation to strengthen privacy protection in the country
    - Brazil is passing a comprehensive data protection regulation similar to GDPR
    - Finland's revamped Data Protection Act
  • 46. EU General Data Protection Regulation (GDPR): What is Personal Data according to GDPR? ISSA International 46
    - Article 4 – Definitions
      - (1) ‘personal data’ means any information relating to an identified or identifiable natural person
      - (5) ‘pseudonymisation’ means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject
  • 47. Privacy Fines ISSA International 47
    - British Airways was fined £183 million by the UK ICO for a series of data breaches in 2018, followed by a £99 million fine against the Marriott International hotel chain.
    - French data protection regulator CNIL fined Google €50 million in 2019.
    - Some companies narrowly avoided a GDPR-scale fine, as their data incident occurred prior to GDPR's implementation date.
    - Both Equifax and Facebook received the maximum fine possible (£500,000) under the previous Data Protection Act 1998.
    - In 2019, Facebook settled with the Federal Trade Commission in the United States over privacy violations, a settlement that required the social network to pay $5 billion
  • 48. CCPA Redefines Personal Data ISSA International 48
    - According to “PI Vs PII: How CCPA Redefines What Is Personal Data” at [2], the CCPA definition “creates the potential for extremely broad legal interpretation around what constitutes personal information, holding that personal information is any data that could be linked with a California individual or household.”
    - CCPA states that “‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
    - This goes well beyond data that is obviously associated with an identity, such as name, birth date, or social security number, which is traditionally regarded as PII.
    - It’s ultimately this “indirect” information, such as product preference or geolocation data, that is material, since it is much more difficult to identify it and connect it with a person than well-structured personally identifiable information
  • 49. EU General Data Protection Regulation (GDPR) Source: IBM Encryption and Tokenization Security by Design
  • 50. GDPR and California Consumer Privacy Act (CCPA) ISSA International 50
  • 51. GDPR and California Consumer Privacy Act (CCPA) ISSA International 51
  • 52. A Cross Border Data-centric Security project (diagram: data sources feeding a Data Warehouse in Italy; complete policy-enforced de-identification of sensitive data across all bank entities)
  • 53. How Should I Secure Different Types of Data? (chart: type of data axis Structured / Un-structured, use case axis Simple / Complex; data classes PCI Card Holder Data, PHI Protected Health Information, PII Personally Identifiable Information; techniques: Tokenization of Fields, Encryption of Files)
  • 54. Business utility versus security level of different data protection techniques (chart: Minimization, Devaluation/Pseudonymisation/Tokenization, Data Hashing/Masking and Encryption plotted against Data Utility (Max Utility to Min Utility) and Data Security (Min Security to Max Security))
  • 55. Business Value from Data: User Productivity, Creativity and Data Access ISSA International 55 (chart: Access to Data (Low to High) against User Productivity (Low to High); High Risk Exposure (Clear Data))
  • 56. Business Value from Data: User Productivity, Creativity and Data Access ISSA International 56 (chart as on slide 55, contrasting High Risk Exposure (Clear Data) with Low Exposure (Tokens))
  • 57. Total Cost and Risk of Tokenization
    - On Premise tokenization
      - Limited PCI DSS scope reduction - must still maintain a CDE with PCI data
      - Higher risk – sensitive data still resident in environment
      - Associated personnel and hardware costs
    - Cloud-Based tokenization
      - Significant reduction in PCI DSS scope
      - Reduced risk – sensitive data removed from the environment
      - Platform-focused security
      - Lower associated costs – cyber insurance, PCI audit, maintenance
    - Example: 50% Lower Total Cost
  • 58. Mapping of data security and privacy techniques to on-premises, public, and private clouds (table; the cell-by-cell mapping did not survive extraction). Columns: Data Warehouse (Centralized, Distributed), On-premises, Public Cloud, Private Cloud. Rows, grouped by the privacy-enhancing data de-identification terminology and classification of techniques: De-identification techniques: Tokenization (Vault-based tokenization, Vault-less tokenization); Cryptographic tools (Format preserving encryption, Homomorphic encryption); Suppression techniques (Masking, Hashing); Formal privacy measurement models: Differential Privacy (Server model, Local model), K-anonymity model (L-diversity, T-closeness).
  • 59. Encryption and Privacy Models ISSA International 59 (Source: INTERNATIONAL STANDARD ISO/IEC 20889; diagrams of Format Preserving Encryption (FPE), Homomorphic Encryption (HE) and Multi Party Computation (MPC): FPE Enc turns clear 123 into protected 897 and FPE Dec restores 123 under the keys; with HE, D1 and D2 are each encrypted, an “Untrusted Party” computes Oper(Enc_D1, Enc_D2) on the ciphertexts, and HE Dec recovers the clear result under the key)
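Slides 57 to 59 contrast vault-based and vault-less tokenization and name format-preserving encryption as the cryptographic tool behind the latter. The block below is an added example, not code from the presentation or from TokenEx: it tokenizes a constructed 16-digit card number both ways so the trade-off is visible. The vault-based tokenizer issues a random token and must keep a mapping table (the vault), which is exactly the sensitive asset that stays in your environment on slide 57; the vault-less tokenizer derives a reversible token from a key alone. The Feistel cipher used for the vault-less path is a toy construction for illustration only, not FF1/FF3 or any standard FPE mode; `SAMPLE_PAN` and the key bytes are constructed test values.

```python
"""Vault-based versus vault-less tokenization of a 16-digit card number.
Added example, not code from the presentation or from TokenEx. The Feistel
cipher below is a toy construction that only shows how a vault-less token
can be reversible without a stored mapping; it is not FF1/FF3 or any
standard format-preserving mode and must not be used for real data."""
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"   # constructed test number, not a real card


class VaultTokenizer:
    """Vault-based: the token is random; the only link back to the PAN is
    the vault table, which is therefore the asset to protect and audit."""

    def __init__(self):
        self._vault = {}     # token -> PAN
        self._reverse = {}   # PAN -> token, so a repeated PAN reuses its token

    def tokenize(self, pan: str) -> str:
        if pan in self._reverse:
            return self._reverse[pan]
        while True:
            # keep BIN (first 6) and last 4 for routing/display utility,
            # replace the middle six digits with random ones
            middle = "".join(str(secrets.randbelow(10)) for _ in range(6))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        self._reverse[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def _round_fn(key: bytes, half: int, rnd: int, modulus: int) -> int:
    """Keyed pseudo-random function for one Feistel round (HMAC-SHA256)."""
    mac = hmac.new(key, f"{rnd}:{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % modulus


def fpe_encrypt(key: bytes, digits: str, rounds: int = 8) -> str:
    """Toy balanced Feistel cipher over an even-length digit string: the
    output has the same length and character set as the input."""
    if len(digits) % 2 or not digits.isdigit():
        raise ValueError("even-length digit string required")
    h = len(digits) // 2
    mod = 10 ** h
    left, right = int(digits[:h]), int(digits[h:])
    for rnd in range(rounds):
        left, right = right, (left + _round_fn(key, right, rnd, mod)) % mod
    return f"{left:0{h}d}{right:0{h}d}"


def fpe_decrypt(key: bytes, digits: str, rounds: int = 8) -> str:
    """Inverse of fpe_encrypt: undo the rounds in reverse order."""
    h = len(digits) // 2
    mod = 10 ** h
    left, right = int(digits[:h]), int(digits[h:])
    for rnd in reversed(range(rounds)):
        left, right = (right - _round_fn(key, left, rnd, mod)) % mod, left
    return f"{left:0{h}d}{right:0{h}d}"


def vaultless_tokenize(key: bytes, pan: str) -> str:
    """Vault-less: deterministic token derived from the key alone, so no
    mapping table has to be stored or replicated across clouds."""
    return pan[:6] + fpe_encrypt(key, pan[6:12]) + pan[12:]


def vaultless_detokenize(key: bytes, token: str) -> str:
    return token[:6] + fpe_decrypt(key, token[6:12]) + token[12:]


def fpe_roundtrip_ok(key: bytes, digits: str) -> bool:
    """Check that decrypt(encrypt(x)) == x and that the format is preserved."""
    enc = fpe_encrypt(key, digits)
    return len(enc) == len(digits) and enc.isdigit() and fpe_decrypt(key, enc) == digits


if __name__ == "__main__":
    vault = VaultTokenizer()
    t = vault.tokenize(SAMPLE_PAN)
    print("vault token     :", t, "->", vault.detokenize(t))
    key = b"constructed-demo-key"   # in practice from an HSM/KMS, never in source
    v = vaultless_tokenize(key, SAMPLE_PAN)
    print("vault-less token:", v, "->", vaultless_detokenize(key, v))
```

Both tokens keep the BIN and last four digits, so downstream systems that only route or display can work on tokens and stay out of PCI scope. The difference is where the secret lives: with the vault it is a growing table that has to be backed up, replicated and access-controlled in every environment; with the vault-less design it is one key, which is why the approach fits the multi-cloud deployments on slides 35 to 40.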
  • 60. Encryption and Privacy Models ISSA International 60 (Source: INTERNATIONAL STANDARD ISO/IEC 20889; diagrams of Differential Privacy (DP) and the k-Anonymity Model: clear data passes through a Curator and Filter (DP, as used for example by Apple and Google) or through a Cleanser Filter (k-anonymity) before the protected DB is released)
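Slides 58 and 60 list the k-anonymity model and its l-diversity refinement as formal privacy measurement models. The following added example, not code from the presentation, measures both on a constructed record set and applies the two operations a cleanser uses to reach a target: generalization (coarsening the quasi-identifiers) and suppression (dropping records whose class is still too small). The records, column names and the generalization rule are constructed for the illustration.

```python
"""Measuring k-anonymity and l-diversity of a small record set and applying
one generalization plus suppression step. Added example illustrating the
de-identification models named on the slides (ISO/IEC 20889 terminology);
not code from the presentation, and the records are constructed."""
from collections import defaultdict

# Constructed sample records: (age, zip, diagnosis).
# age and zip are quasi-identifiers (linkable to a person through other
# data sets); diagnosis is the sensitive attribute.
RECORDS = [
    (30, "02138", "flu"),
    (31, "02139", "flu"),
    (34, "02141", "cancer"),
    (37, "02142", "flu"),
    (52, "13053", "diabetes"),
    (55, "13068", "cancer"),
    (58, "13053", "flu"),
    (59, "13068", "diabetes"),
]


def generalize(record):
    """One generalization step: age to a 10-year band, ZIP to a 3-digit prefix."""
    age, zip_code, diagnosis = record
    lo = age // 10 * 10
    return (f"{lo}-{lo + 9}", zip_code[:3] + "**", diagnosis)


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for record in records:
        groups[record[:2]].append(record)
    return groups


def k_anonymity(records):
    """k = size of the smallest equivalence class (0 for an empty set)."""
    groups = equivalence_classes(records)
    return min((len(g) for g in groups.values()), default=0)


def l_diversity(records):
    """l = fewest distinct sensitive values found in any equivalence class."""
    groups = equivalence_classes(records)
    return min((len({r[2] for r in g}) for g in groups.values()), default=0)


def anonymize(records, k_target):
    """Generalize, then suppress (drop) every class still smaller than k_target."""
    generalized = [generalize(r) for r in records]
    groups = equivalence_classes(generalized)
    return [r for g in groups.values() if len(g) >= k_target for r in g]


if __name__ == "__main__":
    print("raw:      k =", k_anonymity(RECORDS), "l =", l_diversity(RECORDS))
    released = anonymize(RECORDS, k_target=4)
    print("released: k =", k_anonymity(released), "l =", l_diversity(released))
    for row in released:
        print("  ", row)
```

On the constructed data every raw record is unique on (age, zip), so k = 1: each row can be re-identified by anyone who knows a person's age and ZIP. After generalization the set is 4-anonymous, but l is only 2 because one class carries just two diagnoses; that is the gap l-diversity measures, since k alone says nothing about how much an attacker learns about the sensitive column once a person is placed in a class. Raising the target to 5 suppresses everything, which is the utility-versus-security trade-off of slide 54 in miniature.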
  • 61. Best Data Security Software (G2 Crowd Grid) ISSA International 61

Editor's Notes

  1. The 2014 Verizon Data Breach Investigations Report concluded that enterprises are losing ground in the fight against persistent cyber-attacks. We simply cannot catch the bad guys until it is too late. This picture is not improving. Verizon concluded that less than 14% of breaches are detected by internal security tools. Detection by third party entities increased from approximately 10% to 25% during the last three years. Specifically, for theft of payment card information, in 99% of the cases someone else told the victim they had suffered a breach. One reason is that our current approach with monitoring and intrusion detection products can't tell you what normal looks like in your own systems, and SIEM technology is simply too slow to be useful for security analytics. Big Data security analytics may help over time, but we don't have time to wait. The biggest hacks and security breaches of 2014 include eBay, Target, Sony and Microsoft, Celebrity iCloud, NSA, Heartbleed and Sony. The successful attack on JP Morgan Chase surprised me most, as the largest US bank lost personal information of 76 million households and it took several months to detect.
  2. Protect PII Data Cross Border. Achieve compliance while moving or outsourcing data, even between countries. Data residency issue solved. Example: A major bank performed a consolidation of all European operational data sources. This meant protecting Personally Identifiable Information (PII) in compliance with the EU Cross Border Data Protection Laws. In addition, they required access to Austrian and German customer data to be restricted to only people in each respective country. CHALLENGES: The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ. RESULT: Complete policy-enforced de-identification of sensitive data across all bank entities; end-to-end data protection from geographically distributed bank entities to HQ; all existing data secured at a granular level; achieved targeted compliance with EU Cross Border Data Security laws, Datenschutzgesetz 2000 - DSG 2000 in Austria, and Bundesdatenschutzgesetz in Germany; implemented country-specific data access restrictions; extremely high throughput of data. Source
  4. Simply minimizing the data you collect doesn’t do anything to protect the information that’s left. This is something you should be doing no matter what, however…
  5. …or the issue with a “rolling your own” solution: it just moves the sensitive data from one area of your network to another.