The Hidden Enemy Within - Risk of Unmanaged Data


The Hidden Enemy Within

Dan Houser, CISSP-ISSAP, CISA, CISM
Security Strategy & Architecture Lead, InfoSec Innovations
IANAL

InfoSec Innovations © 2018 - InfoSec Innovations LLC, Trogdor Heavy Industries LLC
About me

• Information Security Practitioner in Ohio since 2000
• Focus on Identity, Privacy, Crypto, Architecture & Supply Chain
• Practice Lead, Security Strategy & Architecture, InfoSec Innovations
• Fortune 500 Banking, Finance, Insurance, Retail, Healthcare, Logistics + Higher Ed, NGO
• Board of Directors, (ISC)² for 6 years
Obligatory iceberg slide

Visible
________________
Hidden
With your forgiveness…

To frame our discussion, several slides of things you likely already know.

Mea culpa
Gaps In Knowledge

Hidden dangers:
• Endpoints & Network (CIS Top 20 controls 1 & 2 – Hardware & Software Inventory)
• Insular IT (CIO mission in conflict with CISO’s)
• Unsupported / unpatched software
• IoT, Shadow IT & Cloud
• Digital Certificates
• Distance – Field offices, stores, pharmacies
• Hidden Vulnerabilities
• Insider Threat
• Information Explosion Eclipsing Data Management
• Unstructured Data Risks Exceed ROI
Knowledge of self: Not a new concept

“If you know the enemy and know yourself, you need not fear the result of a hundred battles… If you know neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War
Knowledge of self

“You can’t manage what you can’t measure.” - Peter Drucker

“You cannot manage what you do not know.” - Anon
Data Explosion

Corporate Data Doubles Every 18 Months - IDC
Data Growth is the Largest Datacenter Challenge – Gartner
The Buildout of the Internet of Things will cause a doubling of human information every 12 hours. - IBM
Entering the era of the digital industrial economy – Peter Sondergaard
Unstructured Data

eMail
Memos & Documents
Spreadsheets
Images, Videos & Sounds
Presentations

Generated by every employee
Contains Intellectual Property
Business Records [IANAL]

Source: The Human Element – Creative Commons
Images courtesy Microsoft by Unknown Author, licensed under CC BY-SA
Unstructured Data

• Difficult to Classify & Manage
• Difficult to Govern
• No set structure
• What is in your unstructured data repository?
• Trash or Treasure?

Source: BigRedCloud – Creative Commons
Information explosion

• Data without the ability to analyze it is data without foreseeable value
  • All the risk & cost
  • Likely zero benefit
• AI / Big Data / Machine Learning… Will it close the gap?
Unstructured data risk & data value

Risk (vertical axis) plotted against Value (horizontal axis, ¢ to $$$$):

                 Low Value (¢)      High Value ($$$$)
High Risk        Time Bomb          Intellectual Property
Low Risk         Waste              Corporate Execution
DATA DUPLICATION
A Parable

Widget-tech enters market to manage healthcare data
Determines ROI, Determines Risk (RISK vs REWARD)
Launches business
Gathers & Manages Data
DATA DUPLICATION
A Structured Data Parable

[Diagram: PHI flows into the business and produces REVENUE]

Janet sees a new market opportunity. By enriching the data, more reward!

[Diagram: a second copy of PHI feeding a second REVENUE stream]

Gary sees even more opportunity! By enriching the data, more reward!

[Diagram: a third copy of PHI feeding a third REVENUE stream]

Sure more revenue, but at what risk?

DATA DUPLICATION
An Unstructured Data Result

[Diagram, built up over three slides: the PHI stores multiply, one, then two, then three copies, each carrying the same sensitive data]
DATA DUPLICATION ASSESSMENT

Database extracts reused many times, giving excess PII downstream
Database ➔ spreadsheet ➔ database ➔ spreadsheet ➔ report
Single source ➔ 53 extracts ➔ hundreds of further extracts
Local & snapshot databases used instead of authoritative references
Data sync & freshness errors

Results:
• Risk
• Upset customers
• Bad Decisions
• $$$$
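The extract chain on this slide can be measured rather than guessed at. The following Python is an added example, not code from the deck or from InfoSec Innovations: it fingerprints every record in a set of constructed downstream copies (a spreadsheet, a local database snapshot, a vendor report) and compares them against a constructed authoritative source, counting how many copies of each subject exist downstream and flagging copies that are stale (diverge from the system of record) or orphaned (have no authoritative parent at all). All subject identifiers, field values and file names are constructed sample data.

```python
"""Duplication and freshness assessment for downstream data extracts.

Added example (not from the slide deck). Models the chain
database -> spreadsheet -> database -> report by hashing each record
in every copy and comparing it to the authoritative source.
Every record below is constructed sample data with fake identifiers.
"""
import hashlib
import json
from collections import Counter, defaultdict

# Constructed authoritative source: the system of record.
AUTHORITATIVE = {
    "P-1001": {"dob": "1980-03-04", "dx": "J45", "updated": "2018-05-01"},
    "P-1002": {"dob": "1975-11-20", "dx": "E11", "updated": "2018-06-15"},
    "P-1003": {"dob": "1990-07-09", "dx": "I10", "updated": "2018-06-20"},
}

# Constructed downstream extracts: spreadsheet snapshots, local DB copies, reports.
EXTRACTS = {
    "finance_q2.xlsx": {
        "P-1001": {"dob": "1980-03-04", "dx": "J45", "updated": "2018-05-01"},
        "P-1002": {"dob": "1975-11-20", "dx": "E10", "updated": "2018-02-01"},  # stale
    },
    "marketing_local.db": {
        "P-1001": {"dob": "1980-03-04", "dx": "J45", "updated": "2018-05-01"},
        "P-1002": {"dob": "1975-11-20", "dx": "E10", "updated": "2018-02-01"},  # stale
        "P-1003": {"dob": "1990-07-09", "dx": "I10", "updated": "2018-06-20"},
    },
    "vendor_report.csv": {
        "P-1001": {"dob": "1980-03-04", "dx": "J45", "updated": "2018-05-01"},
        "P-1009": {"dob": "1966-01-01", "dx": "K21", "updated": "2018-06-01"},  # orphan
    },
}


def fingerprint(record):
    """Stable SHA-256 of a record's canonical JSON so copies can be compared."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def assess(authoritative, extracts):
    """Count downstream copies per subject and flag stale and orphaned copies."""
    copies = Counter()           # subject -> number of downstream copies
    stale = defaultdict(list)    # subject -> extracts whose copy diverges from the source
    orphans = defaultdict(list)  # subject -> extracts holding a record with no source parent
    truth = {subject: fingerprint(rec) for subject, rec in authoritative.items()}
    for name, rows in extracts.items():
        for subject, record in rows.items():
            copies[subject] += 1
            if subject not in truth:
                orphans[subject].append(name)
            elif fingerprint(record) != truth[subject]:
                stale[subject].append(name)
    return {
        "copies": dict(copies),
        "stale": dict(stale),
        "orphans": dict(orphans),
        "total_phi_records_downstream": sum(copies.values()),
    }


if __name__ == "__main__":
    print(json.dumps(assess(AUTHORITATIVE, EXTRACTS), indent=2))
```

Run against real extracts, the "copies" map is the number the slide calls "53 extracts"; "stale" is the sync and freshness error list, and "orphans" are records that should not exist downstream at all and are candidates for deletion.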
Data Knowledge

• Where is the Data?
• Who has access to it?
• How is the business using it?
• What is Important? Private? Sensitive? Public?
• What makes it important / private / sensitive?
• What has integrity? What is stale?
• Who is accessing it the most? Least?
• What is the value of the data?
• What is the governing data retention policy?
• Is the data storage in compliance with data retention policy?
• Is it authoritatively sourced?
• Is it a system of reference? System of record?
• How are conflicts resolved?
• How is it governed?
• Is the cost and risk of the data worth more than the value of the data?

Do we know where all our Intellectual Property is, and are we protecting it?
GDPR Bringing Focus

Six Principles of GDPR:
• Lawfulness, fairness and transparency
• Purpose limitations
• Data minimization
• Accuracy
• Storage limitations
• Integrity and confidentiality
Chasing the same data dragon

• 2002: Where are all the places we’re displaying SSN?
• 2003: Where is all our financial reporting data for SOX?
• 2004: Do we have EU privacy data? Where is it? Is it protected?
• 2008: Where is all our payment card information?
• 2009: How are we protecting our payment card information? (Repeat annually)
• 2010: Do we have HIPAA data? Where? Is it protected?
• 2011: What do you mean a breach grabbed account data? Where? What?
• 2012: Wait, we have to protect Employee ID just like SSN? OMG that’s everywhere!
• 2013: Is all our payment card data encrypted?
• 2014: Shoot, what do you mean we have mag stripe data? Tokenize it!
• 2015: Wait, we found more healthcare data?
• 2016: Our 3rd party was breached? What data are we sending to third parties?!?
• 2017: GDPR is coming, what!? 4% of revenue!?!? Find the EU data!

How many times are we going to go through the same process, looking for specific types of data, before we start creating a generalized practice for data mapping and governance?
Knowledge of self & Data Breach

You cannot manage what you do not know.

You cannot lose what you do not have.
Gaining control of the hidden data

Insights
• Scan for privacy data and intellectual property
• Map & classify the data
• Normalize metadata
• Gain insights to data storage, use, data flows & provenance
• Legal & Privacy evaluation

Protect
• Evaluate storage compliance & access controls
• Live the retention & privacy policy
• Enact information classification
• Tokenize, redact, delete, encrypt
• Migrate data from unsafe zones and into safe harbor
Gaining control of the hidden data

Operate
• Engage data owners and data guardians with data insights & classification
• Establish processes for data governance
• Attestation & validation by data owners
• Establish KPIs

Govern
• Reporting
• Periodic Re-scan
• Event Monitoring
• Feedback loop to drive process improvements
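The Insights, Protect and Govern steps across these two slides reduce to a loop that can be automated. The following Python is an added example, not code from the deck or from InfoSec Innovations: it scans a constructed set of files for SSN and payment-card patterns (with a Luhn check so that arbitrary digit strings are not reported as card numbers), classifies each file, replaces every finding with a keyed token so the protected copy can still be matched for duplicates, and rolls the results up into the KPIs a periodic re-scan would report. The regex patterns, the RESTRICTED/INTERNAL labels, the HMAC key, the tokenization scheme and all file contents are assumptions of this example; a real program would draw patterns from a DLP product or a validated library.

```python
"""Scan constructed unstructured files for privacy data, classify, tokenize, report.

Added example, not from the slide deck. Patterns, labels, key and sample
files are all constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample "files" standing in for a shared drive of memos, emails, spreadsheets.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire SSN 123-45-6789, start 2018-06-01. Badge 44821.",
    "finance/refunds.csv": "order,card\n1001,4111111111111111\n1002,4111111111111112\n",
    "ops/runbook.md": "Restart the nightly job; contact the on-call engineer.",
    "sales/notes.txt": "Customer called from 614-555-0100; SSN on file 987-65-4321.",
}

# Constructed key for the example only; a real deployment would manage this in a vault.
KEY = b"example-tokenization-key-not-for-production"

PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PAN": re.compile(r"\b\d{13,19}\b"),
}


def luhn_ok(digits):
    """Luhn checksum; rejects most digit strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, value) findings; PAN candidates must pass the Luhn check."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "PAN" and not luhn_ok(match.group()):
                continue
            hits.append((kind, match.group()))
    return hits


def classify(hits):
    """Assumed classification scheme: any privacy finding makes the file RESTRICTED."""
    return "RESTRICTED" if hits else "INTERNAL"


def tokenize(value, key):
    """Keyed, deterministic surrogate: equal values map to equal tokens, value is not recoverable."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scan_repository(files, key):
    """Insights + Protect: findings, classification and a tokenized copy per file."""
    report = {}
    for path, text in files.items():
        hits = find_sensitive(text)
        protected = text
        for _, value in hits:
            protected = protected.replace(value, tokenize(value, key))
        report[path] = {
            "classification": classify(hits),
            "findings": Counter(kind for kind, _ in hits),
            "protected": protected,
        }
    return report


def kpis(report):
    """Govern: the numbers a periodic re-scan would trend over time."""
    return {
        "files_scanned": len(report),
        "restricted_files": sum(1 for r in report.values() if r["classification"] == "RESTRICTED"),
        "findings": sum((r["findings"] for r in report.values()), Counter()),
    }


if __name__ == "__main__":
    result = scan_repository(SAMPLE_FILES, KEY)
    for path, entry in result.items():
        print(path, entry["classification"], dict(entry["findings"]))
    print(kpis(result))
```

The second card number in the constructed refunds file fails the Luhn check and is left untouched, which is the trade-off a scanner makes: fewer false positives at the cost of missing malformed data. Trending the KPI counts from one re-scan to the next is what the feedback loop on the Govern slide measures.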
Getting started

• There is no magic bullet, it’s hard work.
• Knowledge of self always pays: ask the hard questions to find the hidden risks in your network, apps, data flows, processes, facilities
• Create a plan & roadmap
  • Where are we? Knowledge of Self
  • Where are we going? Vision
  • How are we going to get there? Roadmap & series of projects
  • How do we define success so we will know we’ve arrived? KPIs
• Find and map data flows, determine how data moves
• Scan for private data in unstructured sources and rogue databases
• Create tactical data protection methods & capabilities
Questions?

Contact info:
[email protected]
@SecWonk

InfoSec Innovations © 2017 InfoSec Innovations LLC