SIRAcon2018 - Jacobs - Data Is Everywhere
Jay Jacobs
jay@cyentia.com
Whatcha Been Doing?
• (Mostly) Full-time with Cyentia Institute
• Conducting sponsored research
• Building Cyentia Library
Cyber Balance Sheet 2017
Important to the CISO
System vulnerabilities What the Board gets
Important to the Board
Risk posture
Response metrics
Peer benchmarks
Incidents / Events
Governance info
Compliance / Maturity
RSAC: Topics and Trends
[Figure: grid of small trend charts, one panel per topic tag (for example Security incident, Endpoint, Threat actor, Malware, Cloud), each panel labelled with a percentage; x-axis: 2009 to 2017.]
Source: Cyentia Institute with data from RSA Conference
RSAC: Landscape of Topics
[Figure: map of topic tags; visible labels include Forced browsing, Path traversal, Cross-site scripting, CSRF, SQL injection, Input handling, Injection attack, Buffer overflow, Financial gain, Password dumper, Identity theft, Extortion, Ransomware, Copyrighted data.]
[Figure: chart with labels "Traditional Industry Labels" and "Cybersecurity"; axis ticks 5%, 10%, 15%, 20%.]
JUNE 2014 VOL. 39, NO. 3 47
Cochrane Library
http://www.cochranelibrary.com/
Systematic Reviews
“How Secure is this web app?”
“What is the probability this web app will have a vulnerability exploited in the next 12 months?”
…Assuming the studies are drawing from the same “urn” or are representative of the same urn
Can visualize and talk about confidence in proportions with the beta distribution
Beta Distribution
• “[The beta distribution] represents all the possible values of a probability when
we don't know what that probability is.” - David Robinson, stats.stackexchange.com
beta(𝜶=50, β=200)
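Added example (not from the original slides): a standard-library sketch of what the slides describe, computing the 95% interval of the slide's beta(α=50, β=200) and pooling several survey proportions under the "same urn" assumption. The function names, the uniform Beta(1, 1) prior, and the study names and counts are all assumptions constructed for illustration; they are not data from any cited report.

```python
import math


def beta_logpdf(x, a, b):
    """Log density of Beta(a, b) at a point 0 < x < 1."""
    log_norm = math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
    return log_norm + (a - 1) * math.log(x) + (b - 1) * math.log1p(-x)


def beta_interval(a, b, level=0.95, grid=20000):
    """Equal-tailed interval of Beta(a, b) by midpoint-rule integration.

    Midpoints never touch x=0 or x=1, so the density stays finite for
    a, b >= 1 (always true for counts added to a Beta(1, 1) prior).
    """
    if a < 1 or b < 1:
        raise ValueError("this sketch only handles a >= 1 and b >= 1")
    step = 1.0 / grid
    xs = [(i + 0.5) * step for i in range(grid)]
    mass = [math.exp(beta_logpdf(x, a, b)) * step for x in xs]
    total = sum(mass)
    lo_target = (1 - level) / 2 * total
    hi_target = (1 + level) / 2 * total
    cum, lo, hi = 0.0, None, None
    for x, m in zip(xs, mass):
        cum += m
        if lo is None and cum >= lo_target:
            lo = x
        if cum >= hi_target:
            hi = x
            break
    return lo, hi


def summarize(yes, n, prior=(1.0, 1.0)):
    """Posterior mean and 95% interval for a proportion: yes out of n."""
    if not 0 <= yes <= n:
        raise ValueError("need 0 <= yes <= n")
    a = prior[0] + yes
    b = prior[1] + (n - yes)
    lo, hi = beta_interval(a, b)
    return a / (a + b), lo, hi


def pool(studies, prior=(1.0, 1.0)):
    """Treat every study as draws from the same urn: add the counts."""
    yes = sum(s[1] for s in studies)
    n = sum(s[2] for s in studies)
    return summarize(yes, n, prior)


def inconsistent_with_pool(studies):
    """Names of studies whose own interval misses the pooled interval.

    A non-empty result is a warning that the same-urn assumption
    (same population, same question) may not hold for that study.
    """
    _, pooled_lo, pooled_hi = pool(studies)
    flagged = []
    for name, yes, n in studies:
        _, lo, hi = summarize(yes, n)
        if hi < pooled_lo or lo > pooled_hi:
            flagged.append(name)
    return flagged


# Constructed sample data: (study name, respondents answering yes, sample size).
CONSTRUCTED_STUDIES = [
    ("study_a", 40, 200),
    ("study_b", 30, 100),
    ("study_c", 130, 540),
]

if __name__ == "__main__":
    lo, hi = beta_interval(50, 200)  # the beta(50, 200) shown on the slide
    print(f"beta(50, 200): 95% interval {lo:.3f} to {hi:.3f}")
    for name, yes, n in CONSTRUCTED_STUDIES:
        mean, lo, hi = summarize(yes, n)
        print(f"{name}: mean {mean:.3f}, 95% interval {lo:.3f} to {hi:.3f}")
    mean, lo, hi = pool(CONSTRUCTED_STUDIES)
    print(f"pooled: mean {mean:.3f}, 95% interval {lo:.3f} to {hi:.3f}")
    print("inconsistent:", inconsistent_with_pool(CONSTRUCTED_STUDIES))
```

Pooling narrows the interval only because the counts are added together; a study flagged by `inconsistent_with_pool` should be examined before it is included.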
Visualizing the Beta
[Figure: grid of beta density curves; columns labelled Beta = 0.5, 1, 4, 8, 16; rows labelled Alpha = 0.5, 4, 16.]
Applying the beta
• Osterman does a ransomware study and surveys 540 people
• How many orgs are paying the ransom amount (payment rate)?
• How much does ransomware cost
Ponemon Institute / Carbonite, The Rise of Ransomware (2017)
Symantec report (2012)
Dell Secureworks blog post (2013)
University of Kent study (2015)
BitDefender report (2016)
[Figure: prevalence estimates by source (Overall, Fortinet, Kaspersky, BSI, Ponemon/Carbonite, IBM, Osterman/Malwarebytes); x-axis: Prevalence, 15% to 55%.]
Source: Cyentia Institute
How many orgs are paying?
Methodology
• Across 24 countries (individual surveys conducted)
• This survey was conducted by Ipsos on behalf of the Centre for International Governance Innovation (“CIGI”) between December 23, 2016, and March 21, 2017.
• The survey was conducted in 24 economies—Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong (China), India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States—and involved 24,225 Internet users.
• Twenty of the countries utilized the Ipsos Internet panel system while Tunisia was conducted via CATI,
[Figure: y-axis: Proportion of Respondents (0% to 35%); x-axis: Ransom Amounts in USD (0-500, 501-1k, 1k-5k, 5k-10k, 10k-50k, 50k-150k, 150+); legend: Best overall estimate, 95% confidence, Germany, Canada, U.K., U.S.]
Source: Cyentia Institute, data from MalwareBytes/Osterman Research, "Understanding the Depth of the Global Ransomware Proble"
Exceeding Ransom Amount
Probability of Ransom Exceeding a Specific Amount
[Figure: y-axis: Exceedance Probability (10% to 100%); series: Malwarebytes, Datto.]
• While Library helped, identifying and narrowing down sources was a challenge **
[Figure: diagram of topic tags grouped under category labels. Category labels visible in the image: Infrastructure, External services, Information Assets, Desktop software, Data, Vulnerability, Security attributes, Impact, Impact and Loss, Loss forms, CIS "Top20" Controls, Controls, Intelligence, Miscellaneous, Market trends, Governance, GRC Management, Risk, Compliance, Actors and motives, Threats, Events and TTPs.]
Cyentia Library Tagging
Report: Hacker One
[Figure: topic tags (y-axis) by PDF Page (x-axis, 1 to 25).]
Report: Cisco Mid-year Report 2017
[Figure: topic tags (y-axis) by PDF Page (x-axis, 1 to 80).]
Text visible from the report: "Cisco 2017 Midyear Cybersecurity Report", "1 Executive Summary".
Aite: Cyber Insurance
[Figure: topic tags (y-axis) by PDF Page (x-axis, 1 to 70).]
Text visible from the report: "Cyber Insurance and Cybersecurity: The Convergence", June 2016, Gwenn Bézard, © 2016 Aite Group LLC.
Verizon DBIR 2017
[Figure: topic tags (y-axis) by PDF Page (x-axis, 1 to 70).]
Text visible from the report: "2017 Data Breach Investigations Report, 10th Edition".
Topic/Tagging
Cisco Midyear 2017 Aite: Cyber Insurance
Threats > Events and TTPs GRC Management > Risk
Threats > Actors and motives Threats > Events and TTPs
Information Assets > Infrastructure Information Assets > Infrastructure
Controls > CIS "Top20" Controls Threats > Actors and motives
Information Assets > Vulnerability GRC Management > Governance
GRC Management > Governance Miscellaneous > NA
Information Assets > External services
Controls > CIS "Top20" Controls
Information Assets > Desktop software
Impact and Loss > Loss forms
Market trends > Emerging tech
Information Assets > Data Information Assets > Data
GRC Management > Compliance Information Assets > External services
Parsing PDFs: early attempt
TOP 3 LOCATIONS WHERE locational issues when foreign intervention and legal
DATA IS AT RISK IN VOLUME: sovereignty come into play, make the case for improving
cloud-services data protection. Also, as more data needs
• Databases (49%) to transition between on-premise systems and cloud and
• File Servers (39%) big data environments, organizations need to make use
of more inclusive data protection facilities to control and
• Cloud (36%)
protect their data as it moves between corporate systems.
Another discussion that should take place revolves
around the perception of risk that mobile devices and
user mobility bring to the table. By comparison only 20%
of sensitive company data is held on mobile devices
and, of that 20%, a large proportion is being held on
company-owned laptops and other company-protected
Corporate servers and databases pose the mobile devices. In our opinion the discussion isn’t really
highest risk, yet spending remains stubbornly about the data volumes involved, and if it were, 20% is still
focused on endpoint and mobile significant enough to cause anxiety. But the real concern
The top three locations by volume where company- for the 70% of IT Decision Makers who were worried about
sensitive data is stored and must be protected are: mobile device protection is firmly about the lack of control
databases (49%), file servers (39%), and the rapid over the mobile devices that are in use. It is also about not
growth area for cloud service environments (36%). having enough information to know what data has been
The position is fairly consistent across most major copied to those devices and not having the controls in
geographies and mainstream verticals including place to stop copies of company-sensitive
financial services, healthcare, and the retail sector. data being made.
Along with the ubiquitous use of databases and Good quality monitoring and access control technology
servers, cloud and more recently big data take-up provide part of the answer. Irrespective of where the data
levels now force a stronger protection case to be is being held, it is important to know and be able to control
made. Growing data volumes, when put alongside who gets access and what they can do with that access.
worries about a lack of control over third-party This provides the ability to highlight and report on misuse
access; the use of third-party admins; and data that could otherwise put company-sensitive data at risk.
[Charts: axis labels "Data Percentages" and "% Spend Figures".]
Figure 3: Data risks based on actual volumes of sensitive data stored in each location compared to the perception of risk
Figure 4: Global spending on security solutions during the next 12 months
Parsing PDFs Spatially
TOP 3 LOCATIONS WHERE locational issues when foreign intervention and legal
DATA IS AT RISK IN VOLUME: sovereignty come into play, make the case for improving
cloud-services data protection. Also, as more data needs
• Databases (49%) to transition between on-premise systems and cloud and
• File Servers (39%) big data environments, organizations need to make use
of more inclusive data protection facilities to control and
• Cloud (36%)
protect their data as it moves between corporate systems.
Along with the ubiquitous use of databases and Good quality monitoring and access control technology
servers, cloud and more recently big data take-up provide part of the answer. Irrespective of where the data
levels now force a stronger protection case to be is being held, it is important to know and be able to control
made. Growing data volumes, when put alongside who gets access and what they can do with that access.
worries about a lack of control over third-party This provides the ability to highlight and report on misuse
access; the use of third-party admins; and data that could otherwise put company-sensitive data at risk.
[Charts: axis labels "Data Percentages" and "% Spend Figures".]
Figure 3: Data risks based on actual volumes of sensitive data stored in each location compared to the perception of risk
Figure 4: Global spending on security solutions during the next 12 months
Parsing PDFs
TOP 3 LOCATIONS WHERE locational issues when foreign intervention and legal
DATA IS AT RISK IN VOLUME: sovereignty come into play, make the case for improving
cloud-services data protection. Also, as more data needs
Ǒ Databases (49%) to transition between on-premise systems and cloud and
Ǒ File Servers (39%) big data environments, organizations need to make use
of more inclusive data protection facilities to control and
Ǒ Cloud (36%)
protect their data as it moves between corporate systems.
Along with the ubiquitous use of databases and Good quality monitoring and access control technology
servers, cloud and more recently big data take-up provide part of the answer. Irrespective of where the data
levels now force a stronger protection case to be is being held, it is important to know and be able to control
made. Growing data volumes, when put alongside who gets access and what they can do with that access.
worries about a lack of control over third-party This provides the ability to highlight and report on misuse
access; the use of third-party admins; and data that could otherwise put company-sensitive data at risk.
Parsing PDFs
The most effective data protection technologies and the
ones most frequently deployed by enterprise organizations
were database and file encryption products, data
access monitoring solutions, and data loss prevention
technologies. As shown below, these topped a long list of
protection solutions and were considered by enterprise
respondents to offer the most effective protection
against insider threats. Surprisingly tokenization, which
has compliance-related uses, came bottom of the list. This
may be due to restricted knowledge about the specific
benefits the technology has. For example, if organizations
need to protect data for specific purposes such as fulfilling
payment card industry data security standard (PCI DSS)
compliance, tokenization has scoping advantages over
other forms of encryption that ensure the scope of audit
requirements is reduced, as well as enabling the data to be
used by other systems without compromising security.
[Chart not reproduced; surviving label: Database/File Encryption]
Parsing PDFs
ANALYST PROFILE‘ANDREW
KELLETT, PRINCIPAL
ANALYST SOFTWARE‘IT SOLUTIONS, OVUM
Andrew enjoys the challenge of working with state−of−the−art technology.
As lead analyst in the Ovum IT security team, he has the opportunity to
evaluate, provide opinion, and drive the Ovum security agenda, including its
focus on the latest security trends. He is responsible for research on the key
technologies used to protect public and private sector organizations, their
operational systems, and their users. The role provides a balanced opportunity
to promote the need for good business protection and, at the same time, to
research the latest threat approaches.
Andrew Kellett
Principal Analyst Software
IT Solutions,Ovum
HARRIS POLL‘SOURCE/METHODOLOGY
Vormetric†s2015 Insider Threat Report was conducted online by Harris
Poll on behalf of Vormetric from September 22−October 16, 2014, among
818 adults ages 18 and older, who work full−time as an IT professional in
a company and have at least a major influence in decision making for IT. In
the U.S., 408 ITDMs were surveyed among companies with at least $200
million in revenue with 102 from the health care industries, 102 from financial
industries, 102 from retail industries and 102 from other industries. Roughly
100 ITDMs were interviewed in the UK (103), Germany (102), Japan (102),
and ASEAN (103) from companies that have at least $100 million in revenue.
ASEAN countries were defined as Singapore, Malaysia, Indonesia, Thailand,
and the Philippines. This online survey is not based on a probability sample
and therefore no estimate of theoretical sampling error can be calculated.

ANALYST PROFILE—ANDREW KELLETT, PRINCIPAL
ANALYST SOFTWARE—IT SOLUTIONS, OVUM
Andrew enjoys the challenge of working with state-of-the-art technology.
As lead analyst in the Ovum IT security team, he has the opportunity to
evaluate, provide opinion, and drive the Ovum security agenda, including its
focus on the latest security trends. He is responsible for research on the key
technologies used to protect public and private sector organizations, their
operational systems, and their users. The role provides a balanced opportunity
to promote the need for good business protection and, at the same time, to
research the latest threat approaches.
Andrew Kellett
Principal Analyst Software
IT Solutions, Ovum
HARRIS POLL—SOURCE/METHODOLOGY
Vormetric’s 2015 Insider Threat Report was conducted online by Harris
Poll on behalf of Vormetric from September 22-October 16, 2014, among
818 adults ages 18 and older, who work full-time as an IT professional in
a company and have at least a major influence in decision making for IT. In
the U.S., 408 ITDMs were surveyed among companies with at least $200
million in revenue with 102 from the health care industries, 102 from financial
industries, 102 from retail industries and 102 from other industries. Roughly
100 ITDMs were interviewed in the UK (103), Germany (102), Japan (102),
and ASEAN (103) from companies that have at least $100 million in revenue.
ASEAN countries were defined as Singapore, Malaysia, Indonesia, Thailand,
and the Philippines. This online survey is not based on a probability sample
and therefore no estimate of theoretical sampling error can be calculated.
ABOUT VORMETRIC
Data is Everywhere
• Security Industry has hundreds if not thousands of research reports released each year.