SIRAcon2018 - Jacobs - Data Is Everywhere


Data is Everywhere

Jay Jacobs
jay@cyentia.com
Whatcha Been Doing?
• (Mostly) Full-time with Cyentia Institute
• Conducting sponsored research
• Building Cyentia Library
Cyber Balance Sheet 2017
(chart comparing what is important to the CISO, what is important to the Board and what the Board actually gets, across the topics: System vulnerabilities, Risk posture, Response metrics, Peer benchmarks, Incidents / Events, Governance info, Compliance / Maturity)
RSAC: Topics and Trends
(small-multiples chart: share of RSA Conference abstracts mentioning each topic, 2009 to 2017, one panel per topic, 160 topics in ten rows of sixteen)

Row 1: Security incident, Endpoint, Threat actor, Malware, Cloud, Integrity, Confidentiality, Vulnerability, Mobile device, Senior management, Privacy, Operating system, Boundary defense, Data breach, Social media, Availability
Row 2: Emerging tech, Security standard, Virtualization, Planning, CISO, APT, Risk management, Data protection, Social engineering, Credentials, Malware defenses, InfoSec market, Application security, Disruption, Criminal group, Mobile app
Row 3: Personal data, Network intrusion, Fraud, Metrics, Internet of Things, 3rd party services, Risk analysis, Database, Insider, Web application, Threat intel, Governance, Control systems, Phishing, Big data, Security training
Row 4: Vuln management, Botnet, Staffing, Pen testing, DoS attack, Intellectual property, Supply chain, Extortion, BYOD, Web browser, Audit, Security policy, PCI-DSS, Intel sharing, Injection attack, Controlled access
Row 5: Spam, Incident response, Financial gain, Targeted attack, DNS, Spending, ROI, Business application, HIPAA, Zero-day, Board of Directors, C2, Man-in-the-middle, Espionage, Data recovery, Cyberwar
Row 6: Accountability, Biometrics, File sharing, Fines & judgements, Spoofing, Cross-site scripting, Privilege abuse, Identity theft, Reconnaissance, Benchmark, GRC, Ransomware, Network configuration, Cyber-physical, Payment data, Prioritization
Row 7: Competitor, State actor, Human error, Cybercrime market, Removable media, Outage, Hacktivism, Software inventory, SOX, Reverse engineering, Cyber insurance, Startup, CVE, ISO/IEC, Hw&Sw configuration, Worm
Row 8: Medical data, Productivity software, Small business, Larceny and loss, Directory server, SQL injection, Smart card, Spyware, FISMA, Backdoor, GDPR, Impact, Brute force, Networked storage, Trojan, Terrorist
Row 9: Stolen creds, Misconfiguration, Embedded system, Kill Chain, Reporting, Venture capital, Audit logs, Wireless access, CSRF, Peripherals, Event frequency, Terrorism, Productivity loss, Loss magnitude, NIST, Mobile payment
Row 10: Machine learning, ATM, Attack campaign, Point-of-sale, Email and web, Deep/Dark web, Fuzz testing, Mainframe, Admin privileges, Buffer overflow, Policy violation, Payment service, 3rd party, Hardware inventory, Disciplinary action, Weak authentication

Source: Cyentia Institute with data from RSA Conference
RSAC: Landscape of Topics
(topic map of the RSA Conference abstract tags, laid out by category: Application security, Vulnerability, Controls, Infrastructure, Governance, Risk, Compliance, Intelligence, Events and TTPs, Actors and motives, Data protection, Impact and Loss, Data, Other)
Source: Cyentia Institute with data from RSA Conference


RSA Conference: To Cyber or Not to Cyber?
(chart: percent of submitted abstracts, 2010 to 2018, y-axis 5% to 20%, two series: “Traditional Industry Labels” and “Cybersecurity”)
Source: Cyentia Institute with data from RSA Conference
Where we are headed
“What we (the security metrics people) must now do is learn how to do meta-analysis in our domain…”
- Geer, Jacobs, 2014
(slide shows the first page of Dan Geer and Jay Jacobs, “Exploring with a Purpose”, USENIX Columns, June 2014, Vol. 39, No. 3, p. 47, www.usenix.org)

1. Meta-Analysis and standing on the shoulders of giants: Cochrane Library
2. Case study: Ransomware
3. The Cyentia Library: present and future
Cochrane Library

http://www.cochranelibrary.com/
Systematic Reviews

Given a Research Question:

• Identify sources of evidence and information

• Appraise the quality of the evidence

• Synthesize and aggregate the evidence together (meta-analysis)

Research Question → Identify Sources → Appraise Quality → Synthesize Evidence


Developing Research Questions
A great research question:
• …is interesting
• …can be supported by observation/evidence
• …frames the object of measurement

Poor research question: “How secure is this web app?”
Better research question: “What is the probability this web app will have a vulnerability exploited in the next 12 months?”

Poor research question: “What risks do we face?”
Better research question: “What is the probability of these events occurring this year?”

Break down broad topics into a series of research questions


Identify Sources
https://www.cyentia.com/library/
Appraise the Quality

“Quality” is study-specific (survey vs collected data), but always contains:

1. Source of data, collection process (selection bias)

2. Sample size, sub-sample slices (sampling error)

3. Data Interpretation (e.g. statistics)

Appraising quality is subtle, complex and often subjective



Synthesize Evidence

A meta-analysis uses a statistical approach to combine the results from multiple studies in an effort to increase power (over individual studies), improve estimates of the size of the effect and/or to resolve uncertainty when reports disagree.
https://en.wikipedia.org/wiki/Meta-analysis

• Offset convenience samples

• Research in security is relatively simple: counts, proportions, means, etc.



Meta-Analysis: Combining Proportions
Think about picking marbles from an urn:

• First person picked 19 out of 50 red

• Second person picked 32 out of 75 red

• total: 51 out of 125 were red

…Assuming the studies are drawing from the same “urn” or are representative of
the same urn

Can visualize and talk about confidence in proportions with the beta distribution
Beta Distribution
• “[The beta distribution] represents all the possible values of a probability when
we don't know what that probability is.” - David Robinson, stats.stackexchange.com

• Basis for betaPERT, conjugate prior for bayesian inference

• Has two parameters: alpha (𝜶) and beta (β)

• 𝜶 are counts of class 1 (success/heads/red/breached/infected)

• β are counts of class 2

• 50 out of 250 machines infected with malware:

beta(𝜶=50, β=200)
Visualizing the Beta
(grid of beta density plots: beta parameter 0.5, 1, 4, 8, 16 across the columns, alpha parameter 0.5 to 16 down the rows)
Applying the beta
• Osterman does a ransomware study and surveys 540 people

• Claims the “average ransomware penetration rate” is 39 percent

• How confident should we be about that 39%?

540 * 0.39 = 211 (but could be 208 to 213)

beta(211,329)
(plot: beta(211, 329) density, x-axis 20% to 60%)

Measuring Ransomware
Measuring Ransomware: The Setup

Three broad research questions
• How many orgs are affected by ransomware (prevalence)?
• How many orgs are paying the ransom amount (payment rate)?
• How much does ransomware cost (ransom amount)?

Sources:
BSI, Ergebnisse der Umfrage zur Betroffenheit durch Ransomware (2016)
Fortinet, Q4 2016 Threat Landscape Report (2017)
IBM, Ransomware: How Consumers and Businesses Value Their Data (2016)
Kaspersky, Cost of Cryptomalware: SMBs at the Gunpoint (2016)
Osterman Research / Malwarebytes, Understanding the Depth of the Global Ransomware Problem (2016)
Ponemon Institute / Carbonite, The Rise of Ransomware (2017)
Symantec report (2012)
Dell Secureworks blog post (2013)
University of Kent study (2015)
BitDefender report (2016)
Datto report (2016)
Kaspersky - Consumer Security Risks (2016)
TrustLook blog post (2017)
Cisco Annual Security Report (2016)
Cyber Extortion Risk Report, NYA International (2015)
Ransomware Prevalence

who                    pct   x      n
IBM                    46%   276    600
Osterman/Malwarebytes  39%   211    540
Ponemon/Carbonite      36%   222    618
BSI                    32%   189    592
Fortinet-Q4-2016       32%   1,280  4,000
Kaspersky              20%   600    3,000

Overall Estimate: 30.6% +/- 0.7%

(forest plot: prevalence with interval for each source (Fortinet, Kaspersky, BSI, Ponemon/Carbonite, IBM, Osterman/Malwarebytes) and the overall estimate, x-axis 15% to 55%)
Source: Cyentia Institute
How many orgs are paying?

Ransomware Payment Rate
Surveys separated from empirical data

Surveys (paid / victims):
BitDefender 53/115
Datto 420/1000
TrustLook 8/21
MalwareBytes 72/195
Kaspersky 46/127
Univ of Kent 49/145
Survey estimate: 40.4% (38% - 42.8%)

Empirical data (paid / victims):
Symantec 44/1500
Dell Secureworks 8/2100
Empirical estimate: <2.3%

(chart: percentage of victims paying ransom per source with intervals, x-axis 0% to 60%)
Source: Cyentia Institute
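The marble-urn pooling, the beta(alpha = class 1 counts, beta = class 2 counts) parameterisation and the confidence interval from the beta slides, applied to the payment-rate counts above, as an added example. This is not the deck's or Cyentia's own code: the counts are copied from the slide, studies are pooled by summing their counts (the slide's same-urn assumption), and the 95% interval is the 2.5% and 97.5% quantiles of the pooled beta, computed with a regularized incomplete beta written here (continued-fraction method) so the script runs offline without scipy. The Osterman beta(211, 329) case from the "Applying the beta" slide is included as a single-study check.

```python
"""Pooling proportions with the beta distribution (added example, not the deck's code).

Each study reports x "successes" out of n (here: victims who paid out of
victims surveyed).  Treating every study as a draw from the same urn, the
pooled estimate is beta(alpha = sum of x, beta = sum of n - x); its mean is
the pooled proportion and its 2.5% / 97.5% quantiles give a 95% interval.
"""
import math

# Counts copied from the "Ransomware Payment Rate" slide: (paid, victims).
SURVEYS = {
    "BitDefender": (53, 115),
    "Datto": (420, 1000),
    "TrustLook": (8, 21),
    "MalwareBytes": (72, 195),
    "Kaspersky": (46, 127),
    "Univ of Kent": (49, 145),
}
EMPIRICAL = {
    "Symantec": (44, 1500),
    "Dell Secureworks": (8, 2100),
}


def pool(studies):
    """Same-urn pooling: alpha = all successes, beta = all failures."""
    alpha = sum(x for x, _ in studies.values())
    beta = sum(n - x for x, n in studies.values())
    return alpha, beta


def beta_mean(alpha, beta):
    """Mean of beta(alpha, beta), i.e. the pooled proportion."""
    return alpha / (alpha + beta)


def _betacf(a, b, x, max_iter=1000, eps=3e-14):
    """Continued fraction for the incomplete beta (modified Lentz method)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        aa = m * (b - m) * x / ((qam + m2) * (a + m2))      # even step
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) >= tiny else tiny)
        c = 1.0 + aa / c
        c = c if abs(c) >= tiny else tiny
        h *= d * c
        aa = -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))  # odd step
        d = 1.0 + aa * d
        d = 1.0 / (d if abs(d) >= tiny else tiny)
        c = 1.0 + aa / c
        c = c if abs(c) >= tiny else tiny
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h


def beta_cdf(x, a, b):
    """Regularized incomplete beta I_x(a, b) = P(Beta(a, b) <= x)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_front = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                 + a * math.log(x) + b * math.log1p(-x))
    front = math.exp(log_front)
    # Use the symmetry relation so the continued fraction always converges fast.
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def beta_quantile(p, a, b, iters=200):
    """Invert the CDF by bisection on [0, 1]; the CDF is monotone."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if beta_cdf(mid, a, b) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def credible_interval(alpha, beta, level=0.95):
    """Central interval of beta(alpha, beta) covering `level` of the mass."""
    tail = (1.0 - level) / 2.0
    return beta_quantile(tail, alpha, beta), beta_quantile(1.0 - tail, alpha, beta)


if __name__ == "__main__":
    for label, studies in (("surveys", SURVEYS), ("empirical", EMPIRICAL)):
        a, b = pool(studies)
        lo, hi = credible_interval(a, b)
        print(f"{label}: beta({a}, {b}) mean {beta_mean(a, b):.1%}, 95% {lo:.1%} to {hi:.1%}")
    # Single study from the "Applying the beta" slide: 39% of 540 -> beta(211, 329).
    lo, hi = credible_interval(211, 329)
    print(f"Osterman alone: mean {beta_mean(211, 329):.1%}, 95% {lo:.1%} to {hi:.1%}")
```

Running it gives beta(648, 955) for the surveys, mean 40.4% with a 95% interval of about 38% to 42.8%, the figures on the chart; the empirical pool lands far below that. The two groups are pooled separately on purpose: summing a survey's counts with telemetry counts would assert they sample the same urn, which is exactly the appraisal question the deck raises, and the deck does not state how its own overall estimates were computed, so treat them as the comparison rather than as values this script must reproduce.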
CIGI Study
• Early 2017 study
• 24,225 Internet users
• Across 24 countries (individual surveys conducted)
• Weighted to match population of country

Methodology (as quoted on the slide from the Ipsos report)
• This survey was conducted by Ipsos on behalf of the Centre for International Governance Innovation (“CIGI”) between December 23, 2016, and March 21, 2017.
• The survey was conducted in 24 economies—Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong (China), India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States—and involved 24,225 Internet users.
• Twenty of the countries utilized the Ipsos Internet panel system while Tunisia was conducted via CATI, and Kenya, Nigeria and Pakistan utilized face-to-face interviewing, given online constraints in these countries and the length
• In the US and Canada respondents were aged 18-64, and 16-64 in all other countries.
• Approximately 1000+ individuals were surveyed in each country and are weighted to match the population in each country surveyed. The precision of Ipsos online polls is calculated using a credibility interval. In this case, a poll of 1,000 is accurate to +/- 3.5 percentage points. For those surveys conducted by CATI and face-to-face, the margin of error is +/-3.1, 19 times out of 20.

BIC = Brazil, India, China
APAC = Asia Pacific
LATAM = Latin America
© 2017 Ipsos.
How many orgs are paying?
“Among those who have been a victim, 41% say they paid the ransom…”
- CIGI/IPSOS Global Survey on Internet Security and Trust

(same Ransomware Payment Rate chart as before, with the CIGI/IPSOS 41% plotted next to the 40.4% survey estimate (38% - 42.8%) and the <2.3% empirical estimate)
Source: Cyentia Institute
Ransom Amounts
(chart: Average Ransomware Amounts, proportion of respondents as reported by MSPs, y-axis 0% to 45%, ransom bins in USD: 100-500, 501-2k, 2k-5k, 5k-10k, 10k-15k, 15k-20k, 20k+)
Source: Cyentia Institute, data from: Datto's State of the Channel Ransomware Report, 2016
Ransomware Amounts by Country
(chart: proportion of respondents per ransom bin in USD (0-500, 501-1k, 1k-5k, 5k-10k, 10k-50k, 50k-150k, 150k+), y-axis 0% to 35%, one series each for Germany, Canada, U.K. and U.S., plus the best overall estimate with its 95% confidence band)
Source: Cyentia Institute, data from MalwareBytes/Osterman Research, "Understanding the Depth of the Global Ransomware Problem"
Exceeding Ransom Amount
(chart: Probability of Ransom Exceeding a Specific Amount; exceedance probability from 10% to 100% against ransom amount in USD on a log axis from 1,000 to 100,000, one curve each for Malwarebytes and Datto)
Source: Cyentia Institute, data from: MalwareBytes/Osterman Research, "Understanding the Depth of the Global Ransomware Problem", Datto's "State of the Channel Ransomware Report 2016"
Challenges: Lessons Learned
• Experiment successful!
• While the Library helped, identifying and narrowing down sources was a challenge **
• Quality of vendor reports was terrible; rejected 2 out of 3 on average

“Not all reports are equal; parties have various motivations to publish, which creates divergent interpretations of what represents research worth communicating.” - Geer, Jacobs 2014

• Very poor, circular or missing citations
• Terminology is loose and/or confusing
• Object of measurement and framing is muddled or misaligned
  • …as is Ponemon: 51% (perception), 36% (included), 1.2% (excluded on wording)
• Getting a simple sample size shouldn’t be this hard
• Synthesizing the evidence was relatively straightforward.

** …that we can improve
Cyentia Library: Present and Future

Cyentia Library Tagging
(tag taxonomy shown as a tree map; top-level categories, their sub-categories and the tags under each)

Market trends: Cybercrime market, InfoSec market, Venture capital, Emerging tech, Consumer tech, Startup

GRC Management
• Governance: GRC, Security policy, Board of Directors, Senior management, CISO, Planning, Prioritization, Reporting, Metrics, Benchmark, Spending, Staffing, Disciplinary action, Accountability, ROI
• Risk: Risk management, Risk analysis, Cyber insurance
• Compliance: Security standard, Audit, NIST, ISO/IEC, HIPAA, SOX, FISMA, NERC CIP, HITRUST, GLB, PCI-DSS, FERPA, FFIEC, COBIT, COSO, GDPR, NISD

Threats
• Actors and motives: Threat actor, Hacktivism, Criminal group, State actor, Competitor, Terrorist, Insider, Former employee, 3rd party, APT, Cyberwar, Espionage, Terrorism, Financial gain, Threat capability, Event frequency
• Events and TTPs: Attack campaign, Security incident, Opportunistic attack, Targeted attack, Network intrusion, Data breach, DoS attack, Privilege abuse, Malware, Web defacement, Social engineering, Human error, Fraud, Larceny and loss, Phishing, Skimmers, Disruption, Outage, Spam, Botnet, Watering hole, Cross-site scripting, Buffer overflow, Man-in-the-middle, Path traversal, Reconnaissance, Cryptanalysis, SQL injection, Forced browsing, Reverse engineering, Brute force, Fuzz testing, CSRF, Pass-the-hash, Stolen creds, Session replay, ClickJacking, Packet sniffer, Backdoor, Password dumper, Downloader, Adware, C2, Injection attack, Software piracy, Worm, Spyware, Ram scraper, Ransomware, Rootkit, Trojan, Rogue software, Rogue hardware, Policy violation, Wiretapping, Natural hazard, Extortion, Spoofing, Antiforensics, Identity theft, Pharming

Information Assets
• Infrastructure: Business application, Web application, Internet of Things, Control systems, Embedded system, Point-of-sale, Virtualization, Endpoint, Mobile device, Mainframe, Backup media, Database, Directory server, Cyber-physical, Card reader, Remote access, DNS, DHCP, Printed media, ATM, Networked storage, Smart card, Peripherals, Removable media, Big data, Credentials, Biometrics, BYOD
• External services: Supply chain, 3rd party services, Cloud, Mobile payment, Payment service
• Desktop software: Web browser, PDF Reader, Mobile app, Social media, Productivity software, File sharing, Operating system
• Data: Payment data, Intellectual property, Personal data, Medical data, Classified data, Copyrighted data, Bank data
• Vulnerability: Zero-day, CVE, CWE, CVSS, Misconfiguration, Input handling, Weak authentication, Poor patching

Security attributes: Privacy, Confidentiality, Nonrepudiation, Availability, Integrity

Impact and Loss
• Impact: Dataloss amount, Loss event, Loss magnitude, Productivity loss
• Loss forms: Response cost, Replacement cost, Competitive loss, Fines & judgements, Reputation loss

Controls
• CIS "Top20" Controls: Control strength, Hardware inventory, Software inventory, Hw&Sw configuration, Vuln management, Admin privileges, Audit logs, Email and web, Malware defenses, Network control, Data recovery, Network configuration, Boundary defense, Data protection, Controlled access, Wireless access, Account monitoring, Security training, Application security, Incident response, Pen testing

Intelligence: Intel sharing, Threat intel

Miscellaneous: Bug bounty, Small business, Machine learning, Deep/Dark web, Kill Chain
Report: HackerOne
(chart: which tags appear on which page of the report, PDF pages 1 to 25; tags found: Web browser, Vulnerability, Vuln management, Threat actor, Staffing, SQL injection, Social media, Senior management, Security incident, Personal data, Pen testing, Outage, Operating system, Mobile app, Malware, Intellectual property, Impact, Identity theft, Financial gain, Extortion, Data breach, Cyber-physical, CSRF, Cross-site scripting, Bug bounty, Availability)
Report: Cisco Mid-year Report 2017
(chart: which tags appear on which page of the Cisco 2017 Midyear Cybersecurity Report, PDF pages 1 to 80; tags found: Zero-day, Web browser, Vulnerability, Vuln management, Threat intel, Threat actor, Targeted attack, Supply chain, Staffing, Spyware, Spam, Social media, Senior management, Security standard, Security policy, Security incident, Risk management, Ransomware, Productivity loss, Planning, Phishing, Personal data, Outage, Operating system, Network intrusion, Mobile device, Malware defenses, Malware, Integrity, InfoSec market, Fraud, Extortion, Event frequency, Endpoint, Emerging tech, Downloader, DoS attack, Disruption, Database, Data breach, Criminal group, Credentials, Control systems, Competitor, Cloud, CISO, C2, Boundary defense, Botnet, Board of Directors, Audit logs, Audit, APT, 3rd party services)
Aite: Cyber Insurance
(chart: which tags appear on which page of Aite Group, “Cyber Insurance and Cybersecurity: The Convergence”, Gwenn Bézard, June 2016, PDF pages 1 to 70; tags found: Vulnerability, Vuln management, Threat intel, Threat actor, Startup, Staffing, Small business, Senior management, Security standard, Security incident, Risk management, Risk analysis, Response cost, Productivity loss, Privacy, Phishing, Personal data, Pen testing, Payment data, Network intrusion, Malware, Intellectual property, InfoSec market, Incident response, GDPR, Fraud, Fines & judgements, Extortion, Event frequency, Endpoint, Emerging tech, Deep/Dark web, Database, Data breach, Cybercrime market, Cyber insurance, Competitor, Cloud, CISO, Botnet, Benchmark, APT, 3rd party services)
Verizon DBIR 2017
(chart: which tags appear on which page of the Verizon 2017 Data Breach Investigations Report, 10th Edition, PDF pages 1 to 70; tags found: Web browser, Web application, Weak authentication, Vulnerability, Vuln management, Threat actor, Stolen creds, SQL injection, Spyware, Social media, Social engineering, Small business, Skimmers, Security training, Security incident, Ransomware, Privilege abuse, Printed media, Phishing, Personal data, Opportunistic attack, Network intrusion, Mobile device, Misconfiguration, Medical data, Malware defenses, Malware, Larceny and loss, Intellectual property, Integrity, Insider, InfoSec market, Incident response, Identity theft, Human error, Hacktivism, Fraud, Financial gain, Extortion, Event frequency, Espionage, Endpoint, Emerging tech, Disruption, Database, Data protection, Data breach, Criminal group, Credentials, Confidentiality, C2, Brute force, Boundary defense, Botnet, Backdoor, Application security)
Topic/Tagging

Cisco Midyear 2017                    | Aite: Cyber Insurance
Threats > Events and TTPs             | GRC Management > Risk
Threats > Actors and motives          | Threats > Events and TTPs
Information Assets > Infrastructure   | Information Assets > Infrastructure
Controls > CIS "Top20" Controls       | Threats > Actors and motives
Information Assets > Vulnerability    | GRC Management > Governance
GRC Management > Governance           | Miscellaneous > NA
(further rows, column not recoverable: Information Assets > External services; Controls > CIS "Top20" Controls; Information Assets > Desktop software; Impact and Loss > Loss forms; Market trends > Emerging tech)
Information Assets > Data             | Information Assets > Data
GRC Management > Compliance           | Information Assets > External services

Verizon DBIR 2017                     | HackerOne: Bug Bounty
Threats > Events and TTPs             | Threats > Actors and motives
Threats > Actors and motives          | Information Assets > Vulnerability
Information Assets > Infrastructure   | Miscellaneous > Misc
Controls > CIS "Top20" Controls       | Threats > Events and TTPs
(further rows, column not recoverable: Information Assets > Desktop software; Information Assets > Data; GRC Management > Governance; Information Assets > Vulnerability; Information Assets > Data)
Information Assets > Desktop software | Controls > CIS "Top20" Controls
GRC Management > Governance           | Security attributes > Availability
Security attributes > Integrity       | Information Assets > Infrastructure
Security attributes > Confidentiality | Impact and Loss > Impact
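An added example, not code from the talk or from the Cyentia Library, showing the simplest form of the topic-by-page tagging that the strip charts above depict: each PDF page's text is matched against a small topic lexicon, giving the pages on which each topic appears, the share of pages per topic, and one presence strip per topic. The topic names, the regular expressions and the four-page sample "report" are constructed for this illustration; the taxonomy on the slides is far larger and hierarchical.

```python
import re
from typing import Dict, List

# Topic lexicon: topic -> regex patterns (case-insensitive, word-bounded).
# Constructed for this example; the taxonomy on the slides is far larger.
TOPICS: Dict[str, List[str]] = {
    "Ransomware": [r"\bransomware\b"],
    "Phishing": [r"\bphish(?:ing|ed|ers?)?\b"],
    "Malware": [r"\bmalware\b", r"\btrojans?\b"],
    "Cloud": [r"\bcloud\b"],
    "Credentials": [r"\bcredentials?\b", r"\bpasswords?\b"],
    "Database": [r"\bdatabases?\b"],
    "Board of Directors": [r"\bboard of directors\b", r"\bthe board\b"],
}

# Constructed sample "report": one string per PDF page. Not a real report.
SAMPLE_PAGES: List[str] = [
    "Executive Summary. Ransomware and phishing dominated the incidents we saw this year.",
    "Malware delivered by phishing e-mail remained the most common initial vector.",
    "Cloud misconfiguration exposed customer databases; stolen credentials followed.",
    "Appendix: methodology, glossary and acknowledgements.",
]


def tag_pages(pages: List[str], topics: Dict[str, List[str]] = TOPICS) -> Dict[str, List[int]]:
    """Return {topic: [1-based page numbers on which any of its patterns matches]}."""
    compiled = {t: [re.compile(p, re.IGNORECASE) for p in pats] for t, pats in topics.items()}
    hits: Dict[str, List[int]] = {t: [] for t in topics}
    for page_no, text in enumerate(pages, start=1):
        for topic, patterns in compiled.items():
            if any(r.search(text) for r in patterns):
                hits[topic].append(page_no)
    return hits


def page_share(hits: Dict[str, List[int]], n_pages: int) -> Dict[str, float]:
    """Fraction of pages mentioning each topic."""
    return {t: len(p) / n_pages for t, p in hits.items()}


def presence_strip(hits: Dict[str, List[int]], n_pages: int) -> Dict[str, str]:
    """One row per topic, '#' on pages where it appears and '.' elsewhere:
    the data behind a topic-by-PDF-page strip chart."""
    rows: Dict[str, str] = {}
    for topic, pages in hits.items():
        on = set(pages)
        rows[topic] = "".join("#" if n in on else "." for n in range(1, n_pages + 1))
    return rows


def rank_topics(hits: Dict[str, List[int]]) -> List[str]:
    """Topics ordered by number of pages mentioning them, ties broken alphabetically."""
    return sorted(hits, key=lambda t: (-len(hits[t]), t))


if __name__ == "__main__":
    h = tag_pages(SAMPLE_PAGES)
    n = len(SAMPLE_PAGES)
    strips, shares = presence_strip(h, n), page_share(h, n)
    for topic in rank_topics(h):
        print(f"{topic:<20} {strips[topic]}  {shares[topic]:.0%}")
```

Tagging per page rather than per document is what makes the strips useful: front matter and appendices show up as runs of dots, and a topic that appears on one page in eighty is visibly different from one that runs through the whole report, even though a per-document flag would treat them the same.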
Parsing PDFs: Text Extraction

(Sample page: Vormetric 2015 Insider Threat Report, page 8)

TOP 3 LOCATIONS WHERE DATA IS AT RISK IN VOLUME:
• Databases (49%)
• File Servers (39%)
• Cloud (36%)

Corporate servers and databases pose the highest risk, yet spending remains stubbornly focused on endpoint and mobile

The top three locations by volume where company-sensitive data is stored and must be protected are: databases (49%), file servers (39%), and the rapid growth area for cloud service environments (36%). The position is fairly consistent across most major geographies and mainstream verticals including financial services, healthcare, and the retail sector.

Along with the ubiquitous use of databases and servers, cloud and more recently big data take-up levels now force a stronger protection case to be made. Growing data volumes, when put alongside worries about a lack of control over third-party access; the use of third-party admins; and data locational issues when foreign intervention and legal sovereignty come into play, make the case for improving cloud-services data protection. Also, as more data needs to transition between on-premise systems and cloud and big data environments, organizations need to make use of more inclusive data protection facilities to control and protect their data as it moves between corporate systems.

Another discussion that should take place revolves around the perception of risk that mobile devices and user mobility bring to the table. By comparison only 20% of sensitive company data is held on mobile devices and, of that 20%, a large proportion is being held on company-owned laptops and other company-protected mobile devices. In our opinion the discussion isn't really about the data volumes involved, and if it were, 20% is still significant enough to cause anxiety. But the real concern for the 70% of IT Decision Makers who were worried about mobile device protection is firmly about the lack of control over the mobile devices that are in use. It is also about not having enough information to know what data has been copied to those devices and not having the controls in place to stop copies of company-sensitive data being made.

Good quality monitoring and access control technology provide part of the answer. Irrespective of where the data is being held, it is important to know and be able to control who gets access and what they can do with that access. This provides the ability to highlight and report on misuse that could otherwise put company-sensitive data at risk.

Figure 3: Data risks based on actual volumes of sensitive data stored in each location compared to the perception of risk (Actual risk vs. Perception of risk; y-axis: data percentages; locations: Databases, File Server, Cloud, Big Data, Backup, SaaS, PC & WS, Mobile, Hard Copy)

Figure 4: Global spending on security solutions during the next 12 months (y-axis: % spend figures; categories: Much Higher, Higher, Same, Lower, Much Lower)
Parsing PDFs: early attempt

(Vormetric 2015 Insider Threat Report, page 8, as above)
Parsing PDFs Spatially

(Vormetric 2015 Insider Threat Report, page 8, as above)
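An added example, not code from the talk, of reconstructing reading order from positioned text spans, which is the spatial approach this slide is about, as opposed to the line-by-line sort that interleaves the two columns on the text-extraction slides. The `Span` type, the page width and the sample spans are constructed to mimic a two-column report page with one full-width figure caption; a real extractor such as pdfminer.six supplies the same kind of (x0, y0, x1, y1, text) box for each text line. `repair_mojibake` handles the other damage visible on the extraction slides, bullets and apostrophes rendered as "â€¢" and "â€™" because UTF-8 bytes were decoded as cp1252.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Span:
    """One extracted text line and its bounding box in PDF user space (y grows upward)."""
    x0: float
    y0: float
    x1: float
    y1: float
    text: str

    @property
    def width(self) -> float:
        return self.x1 - self.x0


# Constructed sample (not real extractor output): two columns plus a caption spanning both.
PAGE_W = 612.0
SAMPLE = [
    Span(36, 700, 280, 712, "TOP 3 LOCATIONS WHERE"),
    Span(322, 700, 570, 712, "locational issues when foreign intervention and legal"),
    Span(36, 686, 280, 698, "DATA IS AT RISK IN VOLUME:"),
    Span(322, 686, 570, 698, "sovereignty come into play, make the case for improving"),
    Span(36, 672, 280, 684, "\u2022 Databases (49%)"),
    Span(322, 672, 570, 684, "cloud-services data protection."),
    Span(36, 100, 570, 112, "Figure 3: Data risks based on actual volumes of sensitive data"),
]


def naive_order(spans: List[Span]) -> List[str]:
    """Plain top-to-bottom, left-to-right sort: the two columns interleave line by line."""
    return [s.text for s in sorted(spans, key=lambda s: (-s.y1, s.x0))]


def find_gutter(spans: List[Span], page_w: float, bins: int = 204,
                wide_frac: float = 0.6) -> Optional[Tuple[float, float]]:
    """Find the vertical white gap between columns by projecting span x-extents onto the x-axis.
    Spans wider than wide_frac of the page (headings, captions) are ignored, otherwise they
    would fill the gap. Returns (x_start, x_end) of the widest interior gap, or None if there
    is none (single-column page)."""
    bw = page_w / bins
    occupied = [False] * bins
    for s in spans:
        if s.width >= wide_frac * page_w:
            continue
        for b in range(int(s.x0 // bw), min(bins - 1, int(s.x1 // bw)) + 1):
            occupied[b] = True
    used = [i for i, o in enumerate(occupied) if o]
    if not used:
        return None
    lo, hi = used[0], used[-1]
    best, run_start, best_len = None, None, 0
    for i in range(lo, hi + 1):
        if occupied[i]:
            run_start = None
            continue
        if run_start is None:
            run_start = i
        if i - run_start + 1 > best_len:
            best_len, best = i - run_start + 1, (run_start, i)
    if best is None:
        return None
    return best[0] * bw, (best[1] + 1) * bw


def reading_order(spans: List[Span], page_w: float) -> List[str]:
    """Column-aware order: within each band delimited by full-width spans, emit the left
    column top-to-bottom, then the right column, then the full-width span itself."""
    gutter = find_gutter(spans, page_w)
    if gutter is None:
        return naive_order(spans)
    gx = (gutter[0] + gutter[1]) / 2
    out: List[str] = []
    left: List[str] = []
    right: List[str] = []

    def flush() -> None:
        out.extend(left)
        out.extend(right)
        left.clear()
        right.clear()

    for s in sorted(spans, key=lambda s: (-s.y1, s.x0)):
        if s.x0 < gx < s.x1:      # crosses the gutter: full-width element closes the band
            flush()
            out.append(s.text)
        elif s.x1 <= gx:
            left.append(s.text)
        else:
            right.append(s.text)
    flush()
    return out


def repair_mojibake(text: str) -> str:
    """Undo UTF-8 that was decoded as cp1252 ('â€¢' -> '•', 'â€™' -> '’'). Text that does not
    round-trip is returned unchanged, so correctly decoded text is not damaged."""
    if "\u00e2" not in text and "\u00c3" not in text:
        return text
    try:
        return text.encode("cp1252").decode("utf-8")
    except UnicodeError:
        return text


if __name__ == "__main__":
    print("naive:  ", naive_order(SAMPLE))
    print("spatial:", [repair_mojibake(t) for t in reading_order(SAMPLE, PAGE_W)])
```

The gutter detection is the part worth keeping an eye on: it assumes the body text of both columns leaves a clear vertical gap, which holds for typical two-column reports but not for pages whose sidebar boxes straddle the gutter. Whether the result is right is easy to check mechanically: sentences that end mid-line in the left column should continue at the top of the right column, as "and data" / "locational issues" does in the page above.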
Parsing PDFs

(Vormetric 2015 Insider Threat Report, page 8, as above)
Parsing PDFs

(Vormetric 2015 Insider Threat Report, page 11)

The most effective data protection technologies and the ones most frequently deployed by enterprise organizations were database and file encryption products, data access monitoring solutions, and data loss prevention technologies. As shown below, these topped a long list of protection solutions and were considered by enterprise respondents to offer the most effective protection against insider threats. Surprisingly tokenization, which has compliance-related uses, came bottom of the list. This may be due to restricted knowledge about the specific benefits the technology has. For example, if organizations need to protect data for specific purposes such as fulfilling payment card industry data security standard (PCI DSS) compliance, tokenization has scoping advantages over other forms of encryption that ensure the scope of audit requirements is reduced, as well as enabling the data to be used by other systems without compromising security.

THE MOST EFFECTIVE DATA PROTECTION TECHNOLOGIES:
• Database and file encryption
• Data Access Monitoring

Figure 7: Protection solutions used by enterprise organizations against insider threats (panel title: Security Protection Levels; x-axis: Percentage Using, 0% to 60%; bars in ranked order): Database/File Encryption; Data Access Monitoring; Data Loss Prevention (DLP); Privileged User Access Management; Cloud Security Gateway; Application Layer Encryption; SIEM and Other Log Analysis and Analytical Tools; Multi-factor Authentication; Account Controls Provided By Directory Services Software; Data Masking; Single Sign On; Federated Identity Management; Tokenization
Parsing PDFs

(Vormetric 2015 Insider Threat Report, page 23)

ANALYST PROFILE—ANDREW KELLETT, PRINCIPAL ANALYST SOFTWARE—IT SOLUTIONS, OVUM

Andrew enjoys the challenge of working with state-of-the-art technology. As lead analyst in the Ovum IT security team, he has the opportunity to evaluate, provide opinion, and drive the Ovum security agenda, including its focus on the latest security trends. He is responsible for research on the key technologies used to protect public and private sector organizations, their operational systems, and their users. The role provides a balanced opportunity to promote the need for good business protection and, at the same time, to research the latest threat approaches.

Andrew Kellett, Principal Analyst Software, IT Solutions, Ovum

HARRIS POLL—SOURCE/METHODOLOGY

Vormetric's 2015 Insider Threat Report was conducted online by Harris Poll on behalf of Vormetric from September 22-October 16, 2014, among 818 adults ages 18 and older, who work full-time as an IT professional in a company and have at least a major influence in decision making for IT. In the U.S., 408 ITDMs were surveyed among companies with at least $200 million in revenue with 102 from the health care industries, 102 from financial industries, 102 from retail industries and 102 from other industries. Roughly 100 ITDMs were interviewed in the UK (103), Germany (102), Japan (102), and ASEAN (103) from companies that have at least $100 million in revenue. ASEAN countries were defined as Singapore, Malaysia, Indonesia, Thailand, and the Philippines. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated.

ABOUT VORMETRIC

Vormetric (@Vormetric) is the industry leader in data security solutions that protect data-at-rest across physical, big data and cloud environments. Vormetric helps over 1500 customers, including 17 of the Fortune 30, to meet compliance requirements and protect what matters—their sensitive data—from both internal and external threats. The company's scalable Vormetric Data Security Platform protects any file, any database and any application's data—anywhere it resides—with a high performance, market-leading solution set.
Data is Everywhere

• The security industry releases hundreds, if not thousands, of research reports each year.

• Meta-analysis is a promising approach (ransomware).

• Research question > Identify Sources > Assess Quality > Synthesize Results

• Lots of opportunities to improve the quality of research.

• Discovery of publications is a challenge.

• Lower effort with better text extraction and NLP.