Ulf Mattsson presented on cyber risk management challenges and recommendations in 2017. He discussed trends like the increasing involvement of boards in cybersecurity oversight. Mattsson also covered topics such as talking to boards about cyber risk, data security blind spots within organizations, and how the Payment Card Industry Data Security Standard is evolving to incorporate concepts like data discovery and integrating security into the development process. He emphasized the importance of generating security metrics and adopting a DevSecOps approach to strengthen an organization's security posture and compliance.

1. Cyber Risk Management
In 2017: Challenges &
Recommendations
Ulf Mattsson, CTO Security Solutions
Atlantic Business Technologies

2. Ulf Mattsson
Inventor of more than 40 US Patents
Industry Involvement:
• PCI DDS - PCI Security Standards Council
Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute
ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology
NIST Big Data Working Group
• User Groups
Security: ISACA & ISSA
Databases: IBM & Oracle
2

3. My Work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Guidelines Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC Tokenization Products Task Force
3

4. 4

5. 5

6. Agenda
1. Talking to the board about cyber risk
2. Trends in cybersecurity
3. Data security blind spots
4. Data security metrics
5. PCI DSS is changing
6. How to integrate development and security
6

7. Talking to the Board About Cyber Risk

8. How Would You Characterize the Board’s Perception of
Cybersecurity Risks?
Source: PWC – The Global State of Information Security Survey 2016
8
High
Increased
Increased

9. Trends in Board Involvement in Cyber Security
Source: PWC – The Global State of Information Security Survey 2016
9

10. Questions the Board Will Ask
Source: PWC – The Global State of Information Security Survey 2016
• Do you believe that your information security gap (the difference
between what you are doing and what you should do) is getting larger
or smaller?
• How is the organisation doing relative to its peers?
• Have management decisions associated with gaps in the security
program been aligned to the company’s tolerance for risk?
• How do you know that your (limited) resources are focused on areas and
initiatives critical to information security success?
• Are you more confident or less confident than you were a year ago? How
about compared to two or three years ago?
10

11. CEOs, CFOs, business risk owners & CISOs questions
1. "How much cyber risk do we have in dollars and cents?"
2. "How much cyber insurance do we need?"
3. "Why am I investing in this cyber security tool?"
4. "How well are our crown jewel assets protected?"
5. "How do I know that we’ve actually lowered our risk exposure?"
6. "As my business changes through M&A, adding new business
applications and new cyber risks , how can I get the quickest view of the
impact on my overall business risk?"
11

12. Need for Security + Business Skills
The global shortage of technical skills in information security is by now well
documented, but an equally concerning shortage of soft skills
“I need people who understand that they are here to help the business make
money and enable business to succeed -- that’s the bottom line. But it’s very
hard to find information security professionals who have that mindset,” a
CISO at a leading technology company told us.
Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-
about/a/d-id/1315690
12

13. Problematic and Increasing Shortage of
Cybersecurity Skills
• 46 percent of organizations say they
have a “problematic shortage” of
cybersecurity skills in 2016
• 28 percent of organizations claimed to
have a “problematic shortage” of
cybersecurity skills in 2015
• 18 percent year-over-year increase
13

14. Cyber Risk Management

15. Risk Management
Are your security
controls covering
all sensitive data?
Are your deployed
security controls
failing?
Are you prioritizing
business asset risk?
15

16. Cyber Budgeting
Source: storm.innosec.com
Asset Regulatory Risk Residual Risk FTE Cost Tool Cost Total Cost
CRM High Medium $ 20,000 0 $ 20,000
HR High Medium $ 100,000 20,000 $ 120,000
Feed High Low $ 1,000 0 $ 1,000
Crossbow Medium Medium $ 5,000 50,00 $ 10,000
eTrader Low Low $ 1,000 0 $ 1,000
IT Alert Low Low $ 1,000 0 $ 1,000
SAP Low Low $ 1,000 0 $ 1,000
Total $ 129,000 $ 25,000 $ 154,000
16

17. Asset Sensitivity, Risk, and Quarterly
Findings
17

18. Audience Focused Dashboards
CISO CEO and Board of
Directors
Senior
Management
How compliant are we? How much risk do we
have?
What work do we need to
prioritize?
18

19. The External View
-
Third Party Vulnerabilities

20. Data Security Context
Operating System
Security Controls
OS File System
Database
Application Framework
Application Source Code
Security Context
High
Low
Application
Data
Network
External Network
Internal Network
Application Server
20

21. Visibility into Third-Party Risk
Discover and thwart third party vulnerabilities and
security gaps in real-time to better control the
impact of breaches.
Source: SecurityScoreCard
21

22. Verizon Data Breach Investigations and
PCI DSS Evolution
22

23. Law Enforcement will Discover Your Breach—Not You.
Source: Verizon
2016 Data
Breach
Investigations
Report
23

24. Incident Classification Patterns Across Confirmed
Data Breaches
Source: Verizon 2016 Data Breach Investigations Report
Web
Application
Attacks
24

25. Focus on Applications and Data

26. Verizon: Worry Only About the Major Breach Patterns
Source: Verizon 2016 Data Breach Investigations Report
26

27. The User, The Application, and The Data
Data
Application
User
Network
27

28. Where Can I View Data Access Context?
Full Data Context
Some Data Context
Minimum Data Context
No Data Context
28

29. Data Security Context
Operating System
Security Controls
OS File System
Database
Application Framework
Application Source Code
Security
Context
High
Low
Application
Data
Network
External Network
Internal Network
Application Server
29

30. Increasing Number of Breaches
Source: Verizon
2016 Data
Breach
Investigations
Report
30

31. Protect Against Ransomware
1. Implement an enterprise endpoint backup product to protect user data
2. Build a list of storage locations that users can connect to that are
inherently vulnerable, such as shares
3. Evaluate the potential business impact of data being encrypted due to a
ransomware attack, and adjust recovery point objectives (RPOs) to more
frequently back up these computer systems
Source: Gartner - Use These Five Backup and Recovery Best Practices to Protect
Against Ransomware, June 2016
31

32. Free Ransomware Decryption Tools have Rescued Data
Source: http://www.zdnet.com/article/these-free-ransomware-decryption-tools-have-rescued-data-from-2500-
locked-devices/
The tools -- part of the No More Ransom project -- were launched three
months ago by the Dutch National Police, Europol, Intel Security, and
Kaspersky Lab.
32

33. 33

34. Data Security Blind Spots

35. 90% of the data in the world has been
created in the past two years
Source: https://www.ibm.com/software/data/bigdata/what-is-big-data.html
IBM

36. Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
36

37. How Can I
Find My
Blind Spots?
37

38. PCI DSS 3.2

39. PCI DSS 3.2
Detect and report on failures of critical
security control systems, #10.8
Implement a data-discovery methodology to confirm PCI
DSS scope and to locate clear-text PAN at least quarterly,
#A3.2x
Security must be built into the
development process, #3, #4, and #6
Protect stored cardholder
data, #3 “Evolving”
Quarterly internal and external
network vulnerability scans, #11
39

40. New PCI DSS 3.2 Standard - Data
Discovery
PCI DSS v2
Mentioned data flow in “Scope of Assessment for Compliance with PCI
DSS Requirements.”
PCI DSS v3.1
Added data flow into a requirement.
PCI DSS v3.2
Added data discovery into a requirements.
40

41. New PCI DSS 3.2 Standard - Security
Control Failures
PCI DSS 3.2 include 10.8 and 10.8.1 that outline that service providers need to detect and
report on failures of critical security control systems.
PCI Security Standards Council CTO Troy Leach explained
1. “without formal processes to detect and alert to critical security control failures as
soon as possible, the window of time grows that allows attackers to identify a way to
compromise the systems and steal sensitive data from the x data environment.”
2. “While this is a new requirement only for service providers, we encourage all
organizations to evaluate the merit of this control for their unique environment and
adopt as good security hygiene.”
41

42. Data Centric Security and PCI DSS
SecDevOps
PCI DSS 3.2
New
Emerging
• No context to
• application data usage
• Detection after a breach
• Complex before and after
Data Centric Audit
and Protection -
Centrally managed
security
Protect stored
Cardholder data
Old
Cardholder
Information Security
Program (CISP) by Visa
USA
Year
2000 2004 2016 ??2014 42

43. Data Security for
Cloud and Big Data

44. Protect Sensitive Cloud Data - Example
Internal Network
Administrator
Attacker
Remote
User
Internal
User
Public Cloud
Each
sensitive
field is
protected
Each
authorized
field is in
clear
Each
sensitive
field is
protected
Cloud Gateway
44

45. Securing Big Data - Examples of Security
Agents
Import de-
identified data
Export
identifiable
data
Export audit
for reporting
Data protection
at database,
application, file
Or in a staging
area
HDFS (Hadoop Distributed File System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
MapReduce
(Job Scheduling/Execution System)
OS File System
Big Data
Data Security Agents, including encryption, tokenization or masking of fields
or files (at transit and rest)
45

46. Data Security Built into the
Development Process

47. Data Centric Security Lifecycle & PCI DSS
DCAP
Data Centric Audit and
Protection -
Centrally managed
security
UEBA
User behavior
analytics helps
businesses detect
targeted attacks
PCI DSS
Protect stored
cardholder data
Year
2004 2014 2015
PCI DSS
3.2PCI DSS
Security in the
development
process
SecDevOps
2016
47

48. DevSecOps & SecDevOps
The terms are quite similar, they are fundamentally different but equally
important topics
Source: Capgemini
48

49. SecDevOps vs DevSecOps
SecDevOps (Securing DevOps)
1. Embed security into the DevOps style of operation
2. Ensuring "secure by design" discipline in the software delivery methodology using
techniques such as automated security review of code, automated application security
testing
DevSecOps (Applying DevOps to Security Operations)
1. Developing and deploying a series of minimum viable products on security programs
2. In implementing security log monitoring, rather than have very large high value
program with a waterfall delivery plan to design, implement, test
3. Operating a SIEM that monitors a large number of log sources
4. Onboard small sets of sources onto a cloud based platform and slowly evolve the
monitoring capability
Source: Capgemini
49

50. Automation and
Security Metrics

51. Security Tools for DevOps
Static
Application
Security
Testing
(SAST)
Dynamic Application Security Testing (DAST)
Fuzz testing is
essentially
throwing lots
of random
garbage
Vulnerability
Analysis
Runtime
Application Self
Protection (RASP)
Interactive
Application
Self-Testing
(IAST)
51

52. Security Metrics from DevOps
52
# Vulnerabilities
Time

53. Generating Key Security Metrics
53
# Vulnerabilities
Time

54. Cybercriminal
Sweet Spot
Source: calnet
Cybercrime Trends and Targets – The New Target
54

55. Examples of Services That Can Fill The Gap
Application Services
• Application Hosting & Cloud
Migration
• IT Consulting & Information Architecture
• Software Development & User Experience
Design
Security Services
• Audit & Assessment Services
• Application Security Consulting
• Managed Vulnerability Scanning
• Security Tools Implementation
• Virtual CISO
SecDevOps
55

56. Our Services
Application Services
• Cloud
Migration
• IT Consulting
• Information Architecture
• Software Development
• User Experience Design
• Application Hosting
• Digital Marketing
• Ecommerce
Security Services
• Audit & Assessment Services
• Managed Vulnerability Scanning
• Security Tools Implementation
• Application Security Consulting
• Virtual CISO
56

57. Thank you. Questions?
57
Ulf Mattsson, CTO Security Solutions
Atlantic Business Technologies
ulf.mattsson@atlanticbt.com