Embed Size (px)
Citation preview
Whatcha Been Doing?
• (Mostly) Full-time with Cyentia Institute
• Conducting sponsored research
• Building Cyentia Library
Cyber Balance Sheet 2017
Important to the CISO
Important to the BoardWhat the Board gets
Assets and users
Awareness activities
Business enablement
Compliance / Maturity
Governance info
Incidents / Events
Peer benchmarks
Response metrics
Risk posture
System vulnerabilities
10% 20% 30% 40% 50% 60% 70% 80%
RSAC: Topics and Trends35
%8.
6%
6.1%
4.6%
4.6%
2.4%
1.7%
1.8%
1.3%
2.2%
36.9
%11
%6.
5%5.
2%
2.7%
2%1.
7%
1.2%
1.1%
0.9%
31.4
%
13.2
%6.
5%
4.9%
7%
2.1%
1.8%
1.5%
1%
1%
27.2
%
8.1%
6.1%
4.3%
3.6%
2.1%
2%
1.9%
1.6%
1.1%
37.6
%
10.3
%13
.9%
5.4%
3.1%
2%2.
1%2%
1.2%
0.9%
23.6
%
12.8
%
6.7%
4.5%
3%2.
9%
1.8%
1.4%
1.2%
1.4%
18.2
%
8.7%
5.7%
4.8%
3.8%
1.9%
2.7%
1.5%
1.1%
0.6%
16.3
%
8.7%
6.9%
12.2
%
3.1%
2.6%
1.7%
1.3%
1.4%
0.6%
30.4
%
7.8%
5.4%
10.7
%
4.9%
1.9%
3%
2.3%
1.5%
0.5%
17.8
%
7.5%
6%
4.2%
3.1%
2.5%
1.3%
1.5%
1.1%
1.1%
13.8
%
8.3%
8.1%
4.5%
4.3%
2.2%
2.5%
5.3%
0.9%
0.6%
11.7
%
6.8%
5.5%
3.9%
2.4%
5.3%
1.8%
1.3%
0.8%
0.7%
14.4
%7.
8%
5.7%
6.7%
2.3%
2.1%
1.9%
1.3%
0.9%
0.7%
11.5
%
6.9%
5.3%
4%
2.5%
2.6%
1.6%
1.4%
0.9%
0.5%
14.9
%
6.6%
7.9%
4.2%
2.9%
1.7%
1.9%
1.3%
1.5%
0.7%
12.5
%
9.3%
4.9%
3.7%
2.3%
1.6%
2.1%
1%1%
0.5%
Machine learning ATM Attack campaign Point−of−sale Email and web Deep/Dark web Fuzz testing Mainframe Admin privileges Buffer overflow Policy violation Payment service 3rd party Hardware inventory Disciplinary action Weak authentication
Stolen creds Misconfiguration Embedded system Kill Chain Reporting Venture capital Audit logs Wireless access CSRF Peripherals Event frequency Terrorism Productivity loss Loss magnitude NIST Mobile payment
Medical data Productivity software Small business Larceny and loss Directory server SQL injection Smart card Spyware FISMA Backdoor GDPR Impact Brute force Networked storage Trojan Terrorist
Competitor State actor Human error Cybercrime market Removable media Outage Hacktivism Software inventory SOX Reverse engineering Cyber insurance Startup CVE ISO/IEC Hw&Sw configuration Worm
Accountability Biometrics File sharing Fines & judgements Spoofing Cross−site scripting Privilege abuse Identity theft Reconnaissance Benchmark GRC Ransomware Network configuration Cyber−physical Payment data Prioritization
Spam Incident response Financial gain Targeted attack DNS Spending ROI Business application HIPAA Zero−day Board of Directors C2 Man−in−the−middle Espionage Data recovery Cyberwar
Vuln management Botnet Staffing Pen testing DoS attack Intellectual property Supply chain Extortion BYOD Web browser Audit Security policy PCI−DSS Intel sharing Injection attack− Controlled access
Personal data Network intrusion Fraud Metrics Internet of Things 3rd party services Risk analysis Database Insider Web application Threat intel Governance Control systems Phishing Big data Security training
Emerging tech Security standard Virtualization Planning CISO APT Risk management Data protection Social engineering Credentials Malware defenses InfoSec market Application security Disruption Criminal group Mobile app
Security incident Endpoint Threat actor Malware Cloud Integrity Confidentiality Vulnerability Mobile device Senior management Privacy Operating system Boundary defense Data breach Social media Availability
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
Source: Cyentia Institute with data from RSA Conference
RSAC: Topics and Trends35
%8.
6%
6.1%
4.6%
4.6%
2.4%
1.7%
1.8%
1.3%
2.2%
36.9
%11
%6.
5%5.
2%
2.7%
2%1.
7%
1.2%
1.1%
0.9%
31.4
%
13.2
%6.
5%
4.9%
7%
2.1%
1.8%
1.5%
1%
1%
27.2
%
8.1%
6.1%
4.3%
3.6%
2.1%
2%
1.9%
1.6%
1.1%
37.6
%
10.3
%13
.9%
5.4%
3.1%
2%2.
1%2%
1.2%
0.9%
23.6
%
12.8
%
6.7%
4.5%
3%2.
9%
1.8%
1.4%
1.2%
1.4%
18.2
%
8.7%
5.7%
4.8%
3.8%
1.9%
2.7%
1.5%
1.1%
0.6%
16.3
%
8.7%
6.9%
12.2
%
3.1%
2.6%
1.7%
1.3%
1.4%
0.6%
30.4
%
7.8%
5.4%
10.7
%
4.9%
1.9%
3%
2.3%
1.5%
0.5%
17.8
%
7.5%
6%
4.2%
3.1%
2.5%
1.3%
1.5%
1.1%
1.1%
13.8
%
8.3%
8.1%
4.5%
4.3%
2.2%
2.5%
5.3%
0.9%
0.6%
11.7
%
6.8%
5.5%
3.9%
2.4%
5.3%
1.8%
1.3%
0.8%
0.7%
14.4
%7.
8%
5.7%
6.7%
2.3%
2.1%
1.9%
1.3%
0.9%
0.7%
11.5
%
6.9%
5.3%
4%
2.5%
2.6%
1.6%
1.4%
0.9%
0.5%
14.9
%
6.6%
7.9%
4.2%
2.9%
1.7%
1.9%
1.3%
1.5%
0.7%
12.5
%
9.3%
4.9%
3.7%
2.3%
1.6%
2.1%
1%1%
0.5%
Machine learning ATM Attack campaign Point−of−sale Email and web Deep/Dark web Fuzz testing Mainframe Admin privileges Buffer overflow Policy violation Payment service 3rd party Hardware inventory Disciplinary action Weak authentication
Stolen creds Misconfiguration Embedded system Kill Chain Reporting Venture capital Audit logs Wireless access CSRF Peripherals Event frequency Terrorism Productivity loss Loss magnitude NIST Mobile payment
Medical data Productivity software Small business Larceny and loss Directory server SQL injection Smart card Spyware FISMA Backdoor GDPR Impact Brute force Networked storage Trojan Terrorist
Competitor State actor Human error Cybercrime market Removable media Outage Hacktivism Software inventory SOX Reverse engineering Cyber insurance Startup CVE ISO/IEC Hw&Sw configuration Worm
Accountability Biometrics File sharing Fines & judgements Spoofing Cross−site scripting Privilege abuse Identity theft Reconnaissance Benchmark GRC Ransomware Network configuration Cyber−physical Payment data Prioritization
Spam Incident response Financial gain Targeted attack DNS Spending ROI Business application HIPAA Zero−day Board of Directors C2 Man−in−the−middle Espionage Data recovery Cyberwar
Vuln management Botnet Staffing Pen testing DoS attack Intellectual property Supply chain Extortion BYOD Web browser Audit Security policy PCI−DSS Intel sharing Injection attack− Controlled access
Personal data Network intrusion Fraud Metrics Internet of Things 3rd party services Risk analysis Database Insider Web application Threat intel Governance Control systems Phishing Big data Security training
Emerging tech Security standard Virtualization Planning CISO APT Risk management Data protection Social engineering Credentials Malware defenses InfoSec market Application security Disruption Criminal group Mobile app
Security incident Endpoint Threat actor Malware Cloud Integrity Confidentiality Vulnerability Mobile device Senior management Privacy Operating system Boundary defense Data breach Social media Availability
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
2009
2011
2013
2015
2017
Source: Cyentia Institute with data from RSA Conference
RSAC: Landscape of Topics
3rd party
3rd party services
Account monitoring
Accountability
Admin privileges
Adware
Antiforensics
Application security
APT
ATM
Attack campaign
AuditAudit logs
BackdoorBackup media
Bank data
Benchmark
Big data
Biometrics
Board of Directors
Botnet
Boundary defense
Brute force
Buffer overflow
Bug bounty
Business application
BYODC2
Card reader
CISO
Classified data
ClickJacking
Cloud
COBIT
CompetitorConsumer tech
Control strengthControl systemsControlled access
Copyrighted data
COSO
Credentials
Criminal group
Cross−site scripting
Cryptanalysis
CSRF
CVE
CVSS CWE
Cyber insurance
Cyber−physical
Cybercrime market
Cyberwar
Data breach
Data protection
Data recovery
Database
Dataloss amount
Deep/Dark web
DHCP
Directory server
Disciplinary action DisruptionDNS
DoS attack
Downloader
Email and web
Embedded system
Emerging tech
Endpoint
Espionage
Event frequency
Extortion
FERPA
FFIEC
File sharing
Financial gain
Fines & judgements
FISMA
Forced browsing
Former employee
Fraud
Fuzz testing
GDPR
GLB
Governance
Hacktivism
Hardware inventory
HIPAA
HITRUST
Human error
Hw&Sw configuration
Identity theft
Impact
Incident response
InfoSec market
Injection attack−Input handling
Insider
Intel sharing
Intellectual property
Internet of Things
ISO/IEC
Kill Chain
Larceny and loss
Loss eventLoss magnitude
Machine learning
Mainframe
Malware defenses
Man−in−the−middle
Medical data
Metrics
MisconfigurationMobile app
Mobile device Mobile paymentNatural hazard
NERC CIP
Network configuration
Network control
Network intrusion
Networked storage
NISD
NIST
Operating system
Opportunistic attack
Outage
Packet sniffer
Pass−the−hash
Password dumper
Path traversal
Payment data
Payment service
PCI−DSS
PDF Reader
Pen testing
Peripherals
Personal data
Pharming
Phishing
Planning
Point−of−sale
Policy violation
Poor patching
Printed media
Prioritization
Privilege abuse
Productivity loss
Productivity software
Ram scraper
Ransomware
Reconnaissance
Remote access
Removable media
Replacement cost
Reporting
Reputation loss
Response costReverse engineering
Risk analysisRisk management
Rogue hardware
Rogue software
ROI
Rootkit
Security policy
Security standard
Security training
Senior management
Session replay
Skimmers
Small business
Smart card
Social engineering
Social media
Software inventory
Software piracy
SOX
Spam
Spending
Spoofing
Spyware
SQL injection
Staffing Startup
State actor
Stolen creds
Supply chain
Targeted attack
Terrorism TerroristThreat actor
Threat capability
Threat intel
Trojan
Venture capital
Virtualization
Vuln management Vulnerability
Watering hole
Weak authentication
Web application
Web browser
Web defacementWireless access
Wiretapping
Worm
Zero−day
Actors and motivesCompliance
Controls
Data
Desktop softwareEvents and TTPs
External services
Governance
Impact and Loss
InfrastructureIntelligence
Market trendsOther
Risk
Vulnerability
Source: Cyentia Institute with data from RSA Conference
RSA Conference
Traditional Industry Labels
Cybersecurity
5%
10%
15%
20%
2010 2012 2014 2016 2018
Perc
ent o
f Sub
mitt
ed A
bstra
cts
Source: Cyentia Institute with data from RSA Conference
To Cyber or Not to Cyber?
Where we are headed
“What we (the security metrics people) must now do is learn how to do meta-analysis in our domain…”
- Geer, Jacobs, 2014
www.usenix.org
J U N E 20 14 VO L . 3 9, N O. 3 47
COLUMNS
Think of [knowledge] as a house that magically expands with each door you open.
You begin in a room with four doors, each leading to a new room that you haven’t
visited yet.… But once you open one of those doors and stroll into that room, three
new doors appear, each leading to a brand-new room that you couldn’t have reached
from your original starting point. Keep opening doors and eventually you’ll have
built a palace.Steven Johnson, “The Genius of the Tinkerer” [1]
Learning pays compound interest; as a person studies a subject, the more capable they
become at learning even more about the subject. Just as a student cannot tackle the chal-
lenges of calculus without studying the prerequisites, we must have diligence in how we
discover and build the prerequisite knowledge within cybersecurity. Before we discuss where we are heading, let’s establish where we are. Until now, we (security
metricians, including the present authors) could exhort people to “Just measure something
for heaven’s sakes!” It’s safe to say that such measurement has largely begun. Therefore, we
have the better, if harder, problem of the meta-analysis (“research about research”) of many
observations, always remembering that the purpose of security metrics is decision support.Learning from All of UsTo understand how we are at processing our observations, we turn to published industry
reports. It’s clear that there are a lot more of them than even two years ago. Not all reports are
equal; parties have various motivations to publish, which creates divergent interpretations of
what represents research worth communicating.We suspect that most data included in industry reports are derived from convenience
samples—data gathered because it is available to the researcher, not necessarily data that
is representative enough to be generalizable. Not to make this a statistics tutorial, but for
generalizability you need to understand (and account for) your sampling fraction, or you need
to randomize your collection process. It is not that this or that industry report has a bias—all
data has bias; the question is whether you can correct for that bias. A single vendor’s data
supply will be drawn from that vendor’s customer base, and that’s something to correct for.
On the other hand, if you can find three or more vendors producing data of the same general
sort, combining them in order to compare them can wash out the vendor-to-customer bias at
least insofar as decision support is concerned.Do not mistake our comments for a reason to dismiss convenience samples; research with
a convenience sample is certainly better than “learning” from some mix of social media
and headlines. This challenge in data collection is not unique to cybersecurity; performing
research on automobile fatalities does not lend itself to selecting random volunteers. Study-
ing the effects of a disease requires a convenience study of patients with the disease. It’s too
Exploring with a PurposeD A N G E E R A N D J A Y J A C O B S
Dan Geer is the CISO for In-Q-Tel and a security researcher with a quantitative bent. He has a long history with the USENIX Association, including officer positions, program committees, etc. [email protected]
Jay Jacobs is the co-author of Data-Driven Security and a data analyst at Verizon where he contributes to their Data Breach Investigations Report. Jacobs is a cofounder of the Society of Information Risk Analysts. [email protected]
1. Meta-Analysis and standing on the shoulders of giants: Cochrane Library
2. Case study: Ransomware
3. The Cyentia Library: present and future
Cochrane Library
http://www.cochranelibrary.com/
Cochrane Library
http://www.cochranelibrary.com/
Systemic Reviews
Given a Research Question:
• Identify sources of evidence and information
• Appraise the quality of the evidence
• Synthesize and aggregate the evidence together (meta-analysis)
Research Question Identify Sources Appraise Quality Synthesize Evidence
Developing Research QuestionsA great research question:
• …is interesting
• …can be supported by observation/evidence
• …frames the object of measurement
Breakdown broad topics into a series of research questions
Poor Research Questions Better Research Questions
“How Secure is this web app?”
“What risks do we face?
“What is the probability this web app will have a vulnerability exploited in the next 12 months?”
“What is the probability of these events occurring this year?”
Research Question Identify Sources Appraise Quality Synthesize Evidence
Identify sourceshttps://www.cyentia.com/library/
Research Question Identify Sources Appraise Quality Synthesize Evidence
Identify sources
Research Question Identify Sources Appraise Quality Synthesize Evidence
Appraise the Quality
“Quality” is study-specific (survey vs collected data), but always contains:
1. Source of data, collection process (selection bias)
2. Sample size, sub-sample slices (sampling error)
3. Data Interpretation (e.g. statistics)
Appraising quality is subtle, complex and often subjective
Research Question Identify Sources Appraise Quality Synthesize Evidence
Synthesize Evidence
A meta-analysis uses a statistical approach to combine the results from multiple studies in an effort to increase power (over individual studies), improve estimates of the size of the effect and/or to resolve uncertainty when reports disagree.
Research Question Identify Sources Appraise Quality Synthesize Evidence
https://en.wikipedia.org/wiki/Meta-analysis
• Offset convenience samples
• Research in security is relatively simple: counts, proportions, means, etc.
Meta-Analysis: Combining ProportionsThink about picking marbles from an urn:
• First person picked 19 out of 50 red
• Second person picked 32 out of 75 red
• total: 51 out of 125 were red
…Assuming the studies are drawing from the same “urn” or are representative of the same urn
Can visualize and talk about confidence in proportions with the beta distribution
Beta Distribution
• “[The beta distribution] represents all the possible values of a probability when we don't know what that probability is.” - David Robinson, stats.stackexchange.com
• Basis for betaPERT, conjugate prior for bayesian inference
• Has two parameters: alpha (𝜶) and beta (β)
• 𝜶 are counts of class 1 (success/heads/red/breached/infected)
• β are counts of class 2
• 50 out of 250 machines infected with malware:
beta(𝜶=50, β=200)
Visualizing the Beta0.5 1 4 8 16
0.5
1
4
8
16
Beta
Alpha
20% 25% 30% 35% 40% 45% 50% 55% 60%
Applying the beta
• Osterman does a ransomware study and surveys 540 people
• Claims the “average ransomware penetration rate” is 39 percent
• How confident should we be about that 39%?
540 * 0.39 = 211 (but could be 208 to 213) beta(211,329)
Measuring Ransomware
Measuring Ransomware: The Setup
Three broad research questions
• How many orgs are affected by ransomware (prevalence)?
• How many orgs are paying the ransom amount (payment rate)?
• How much does ransomware cost (ransom amount)?
BSI, Ergebnisse der Umfrage zur Betroffenheit durch Ransomware (2016) Fortinet, Q4 2016 Threat Landscape Report (2017) IBM, Ransomware: How Consumers and Businesses Value Their Data (2016) Kaspersky, Cost of Cryptomalware : SMBs at the Gunpoint (2016) Osterman Research / Malwarebytes, Understanding the Depth of the Global Ransomware Problem (2016) Ponemon Institute / Carbonite, The Rise of Ransomware (2017) Symantec report (2012) Dell Secureworks blog post (2013) University of Kent study (2015) BitDefender report (2016) Datto report (2016) Kaspersky - Consumer Security Risks (2016) TrustLook blog post (2017) Cisco Annual Security Report (2016) Cyber Extortion Risk Report, NYA International (2015)
Osterman/MalwarebytesIBM
Ponemon/CarboniteBSI
KasperskyFortinetOverall
15% 20% 25% 30% 35% 40% 45% 50% 55%Prevalence
Source: Cyentia Institute
Ransomware Prevalencewho pct x n
IBM 46% 276 600
Osterman/Malwarebytes 39% 211 540
Ponemon/Carbonite 36% 222 618
BSI 32% 189 592
ForFnet-Q4-2016 32% 1,280 4,000
Kaspersky 20% 600 3,000
Overall Estimate 30.6% +/- 0.7%
How many orgs are paying?
Dell SecureworksSymantec
Univ of KentKasperksy
MalwareBytesTrustLook
DattoBitDefender
0% 10% 20% 30% 40% 50% 60%Percentage of Victims Paying Ransom
Surveys seperated from empirical dataRansomware Payment Rate
Source: Cyentia Institute
53/115
420/1000
8/2172/19546/127
49/14544/1500
8/2100<2.3%
40.4% 38% - 42.8%
CIGI Study
©2017Ipsos.
Methodology• This survey was conducted by Ipsos on behalf of the Centre for International Governance Innovation
(“CIGI”) between December 23, 2016, and March 21, 2017. • The survey was conducted in 24 economies—Australia, Brazil, Canada, China, Egypt, France,
Germany, Great Britain, Hong Kong (China), India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States—and involved 24,225 Internet users.
• Twenty of the countries utilized the Ipsos Internet panel system while Tunisia was conducted via CATI, and Kenya, Nigeria and Pakistan utilized face-to-face interviewing, given online constraints in these countries and the length
• In the US and Canada respondents were aged 18-64, and 16-64 in all other countries. • Approximately 1000+ individuals were surveyed in each country and are weighted to match the
population in each country surveyed. The precision of Ipsos online polls is calculated using a credibility interval. In this case, a poll of 1,000 is accurate to +/- 3.5 percentage points. For those surveys conducted by CATI and face-to-face, the margin of error is +/-3.1, 19 times out of 20.
BIC = Brazil, India, ChinaAPAC = Asia Pacific
LATAM = Latin America
• Early 2017 study
• 24,225 Internet users
• Across 24 countries (individual surveys conducted)
• Weighted to match populated of country
Dell SecureworksSymantec
Univ of KentKasperksy
MalwareBytesTrustLook
DattoBitDefender
0% 10% 20% 30% 40% 50% 60%Percentage of Victims Paying Ransom
Surveys seperated from empirical dataRansomware Payment Rate
Source: Cyentia Institute
How many orgs are paying?
53/115
420/10008/21
72/19546/127
49/14544/1500
8/2100
40.4% 38% - 42.8%
<2.3%
“Among those who have been a victim, 41% say they paid the ransom…”
-CIGI/IPSOS Global Survey on Internet Security and Trust41%
Ransom Amounts
0%5%
10%15%20%25%30%35%40%45%
100-500 501-2k 2k-5k 5k-10k 10k-15k 15k-20k 20k+Ransom Amounts (in USD)Pr
opor
tion
of R
espo
ndan
tsAs reported by MSPsAverage Ransomware Amounts
Source: Cyentia Instutue, data from:Datto's State of the Channel Ransomware Report, 2016
U.S
.
U.K
.
Ger
man
y
Can
ada
Best overall estimate
95% confidence
0%
5%
10%
15%
20%
25%
30%
35%
0-500 501-1k 1k-5k 5k-10k 10k-50k 50k-150k 150+Ransom Amounts in USD
Prop
ortio
n of
Res
pond
ants
Ransomware Amounts by Country
Source: Cyentia Institute, data fromMalwareBytes/Osterman Research, "Understanding the Depth of the Global Ransomware Proble"
Exceeding Ransom Amount
Malwarebytes
Datto10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
1,000 10,000 100,000Ransom Amounts (in USD)
Exce
edan
ce P
roba
bilit
yProbabily of Ransom Exceeding a Specific Amount
Source: Cyentia Instutue, data from:MalwareBytes/Osterman Research, "Understanding the Depth of the Global Ransomware Problem",
Datto's "State of the Channel Ransomware Report 2016"
Challenges: Lessons Learned• Experiment successful!
• While Library helped, identifying and narrowing down sources was a challenge **
• Quality of vendor reports was terrible, rejected 2 out 3 on average “Not all reports are equal; parties have various motivations to publish, which creates divergent interpretations of what represents research worth communicating.” - Geer, Jacobs 2014
• Very poor, circular or missing citations
• Terminology is loose and/or confusing
• Object of measurement and framing is muddled or misaligned
• …is Ponemon: 51% (perception), 36% (included), 1.2% (excluded on wording)
• Getting a simple sample size shouldn’t be this hard
• Synthesizing the evidence was relatively straight-forward.** …that we can improve
Cyentia Library: Present and Future
Cyentia Library TaggingM
arke
t tre
nds
GR
C M
anag
emen
t
Thre
ats
Info
rmat
ion
Asse
ts
Secu
rity
attri
bute
s
Impa
ct a
nd L
oss
Con
trols
Mis
cella
neou
s
Cyb
ercr
ime
mar
ket
Info
Sec
mar
ket
Vent
ure
capi
tal
Emer
ging
tech
Con
sum
er te
chSt
artu
pG
RC
Gov
erna
nce
Ris
k
Com
plia
nce
Acto
rs a
nd m
otive
s
Even
ts a
nd T
TPs
Infra
stru
ctur
e
Exte
rnal
ser
vice
s
Des
ktop
sof
twar
e
Dat
a
Vuln
erab
ility
Con
fiden
tialit
yIn
tegr
ityAv
aila
bilit
yIm
pact
Loss
eve
ntLo
ss m
agni
tude
Loss
form
sC
ontro
l stre
ngth
CIS
"Top
20" C
ontro
ls
Inte
lligen
ceBu
g bo
unty
Smal
l bus
ines
sM
achi
ne le
arni
ngD
eep/
Dar
k we
bKi
ll C
hain
Secu
rity
polic
yBo
ard
of D
irect
ors
Seni
or m
anag
emen
tC
ISO
Plan
ning
Prio
ritiz
atio
nR
epor
ting
Met
rics
Benc
hmar
kSp
endi
ngSt
affin
gD
isci
plin
ary
actio
nAc
coun
tabi
lity
ROI
Ris
k m
anag
emen
tR
isk
anal
ysis
Cyb
er in
sura
nce
Secu
rity
stan
dard
Audi
tN
IST
ISO
/IEC
HIP
AASO
XFI
SMA
NER
C C
IPH
ITRU
STG
LBPC
I−D
SSFE
RPA
FFIE
CC
OBI
TC
OSO
GD
PRN
ISD
Thre
at a
ctor
Hac
ktiv
ism
Crim
inal
gro
upSt
ate
acto
rC
ompe
titor
Terro
rist
Insi
der
Form
er e
mpl
oyee
3rd
party
APT
Cyb
erwa
rEs
pion
age
Terro
rism
Fina
ncia
l gai
nTh
reat
cap
abilit
yEv
ent f
requ
ency
Atta
ck c
ampa
ign
Secu
rity
inci
dent
Opp
ortu
nist
ic a
ttack
Targ
eted
atta
ckN
etwo
rk in
trusi
onD
ata
brea
chD
oS a
ttack
Priv
ilege
abu
seM
alwa
reW
eb d
efac
emen
tSo
cial
eng
inee
ring
Hum
an e
rror
Frau
dLa
rcen
y an
d lo
ssPh
ishi
ngSk
imm
ers
Dis
rupt
ion
Out
age
Spam
Botn
etW
ater
ing
hole
Cro
ss−s
ite s
crip
ting
Buffe
r ove
rflow
Man−i
n−th
e−m
iddl
ePa
th tr
aver
sal
Rec
onna
issa
nce
Cry
ptan
alys
isSQ
L in
ject
ion
Forc
ed b
row
sing
Rev
erse
eng
inee
ring
Brut
e fo
rce
Fuzz
test
ing
CSR
FPa
ss−t
he−h
ash
Stol
en c
reds
Sess
ion
repl
ayC
lickJ
acki
ngPa
cket
sni
ffer
Back
door
Pass
word
dum
per
Dow
nloa
der
Adwa
reC
2In
ject
ion
atta
ck−
Softw
are
pira
cyW
orm
Spyw
are
Ram
scr
aper
Ran
som
ware
Roo
tkit
Troj
anR
ogue
sof
twar
eR
ogue
har
dwar
ePo
licy
viol
atio
nW
ireta
ppin
gN
atur
al h
azar
dEx
torti
onSp
oofin
gAn
tifor
ensi
csId
entit
y th
eft
Phar
min
gBu
sine
ss a
pplic
atio
nW
eb a
pplic
atio
nIn
tern
et o
f Thi
ngs
Con
trol s
yste
ms
Embe
dded
sys
tem
Poin
t−of−s
ale
Virtu
aliz
atio
nEn
dpoi
ntM
obile
dev
ice
Mai
nfra
me
Back
up m
edia
Dat
abas
eD
irect
ory
serv
erC
yber−p
hysi
cal
Car
d re
ader
Rem
ote
acce
ssD
NS
DH
CP
Prin
ted
med
iaAT
MN
etwo
rked
sto
rage
Smar
t car
dPe
riphe
rals
Rem
ovab
le m
edia
Big
data
Cre
dent
ials
Biom
etric
sBY
OD
Supp
ly c
hain
3rd
party
ser
vice
sC
loud
Mob
ile p
aym
ent
Paym
ent s
ervi
ceW
eb b
row
ser
Rea
der
Mob
ile a
ppSo
cial
med
iaPr
oduc
tivity
sof
twar
eFi
le s
harin
gO
pera
ting
syst
emPa
ymen
t dat
aIn
telle
ctua
l pro
perty
Pers
onal
dat
aM
edic
al d
ata
Cla
ssifi
ed d
ata
Cop
yrig
hted
dat
aBa
nk d
ata
Zero−d
ayC
VEC
WE
CVS
SM
isco
nfig
urat
ion
Inpu
t han
dlin
gW
eak
auth
entic
atio
nPo
or p
atch
ing
Priva
cyN
onre
pudi
atio
nD
atal
oss
amou
ntPr
oduc
tivity
loss
Res
pons
e co
stR
epla
cem
ent c
ost
Com
petit
ive lo
ssFi
nes
& ju
dgem
ents
Rep
utat
ion
loss
Har
dwar
e in
vent
ory
Softw
are
inve
ntor
yH
w&S
w c
onfig
urat
ion
Vuln
man
agem
ent
Adm
in p
rivile
ges
Audi
t log
sEm
ail a
nd w
ebM
alwa
re d
efen
ses
Net
work
con
trol
Dat
a re
cove
ryN
etwo
rk c
onfig
urat
ion
Boun
dary
def
ense
Dat
a pr
otec
tion
Con
trolle
d ac
cess
Wire
less
acc
ess
Acco
unt m
onito
ring
Secu
rity
train
ing
Appl
icat
ion
secu
rity
Inci
dent
resp
onse
Pen
test
ing
Inte
l sha
ring
Thre
at in
tel
Cyentia Library TaggingM
arke
t tre
nds
GR
C M
anag
emen
t
Thre
ats
Info
rmat
ion
Asse
ts
Secu
rity
attri
bute
s
Impa
ct a
nd L
oss
Con
trols
Mis
cella
neou
s
Cyb
ercr
ime
mar
ket
Info
Sec
mar
ket
Vent
ure
capi
tal
Emer
ging
tech
Con
sum
er te
chSt
artu
pG
RC
Gov
erna
nce
Ris
k
Com
plia
nce
Acto
rs a
nd m
otive
s
Even
ts a
nd T
TPs
Infra
stru
ctur
e
Exte
rnal
ser
vice
s
Des
ktop
sof
twar
e
Dat
a
Vuln
erab
ility
Con
fiden
tialit
yIn
tegr
ityAv
aila
bilit
yIm
pact
Loss
eve
ntLo
ss m
agni
tude
Loss
form
sC
ontro
l stre
ngth
CIS
"Top
20" C
ontro
ls
Inte
lligen
ceBu
g bo
unty
Smal
l bus
ines
sM
achi
ne le
arni
ngD
eep/
Dar
k we
bKi
ll C
hain
Secu
rity
polic
yBo
ard
of D
irect
ors
Seni
or m
anag
emen
tC
ISO
Plan
ning
Prio
ritiz
atio
nR
epor
ting
Met
rics
Benc
hmar
kSp
endi
ngSt
affin
gD
isci
plin
ary
actio
nAc
coun
tabi
lity
ROI
Ris
k m
anag
emen
tR
isk
anal
ysis
Cyb
er in
sura
nce
Secu
rity
stan
dard
Audi
tN
IST
ISO
/IEC
HIP
AASO
XFI
SMA
NER
C C
IPH
ITRU
STG
LBPC
I−D
SSFE
RPA
FFIE
CC
OBI
TC
OSO
GD
PRN
ISD
Thre
at a
ctor
Hac
ktiv
ism
Crim
inal
gro
upSt
ate
acto
rC
ompe
titor
Terro
rist
Insi
der
Form
er e
mpl
oyee
3rd
party
APT
Cyb
erwa
rEs
pion
age
Terro
rism
Fina
ncia
l gai
nTh
reat
cap
abilit
yEv
ent f
requ
ency
Atta
ck c
ampa
ign
Secu
rity
inci
dent
Opp
ortu
nist
ic a
ttack
Targ
eted
atta
ckN
etwo
rk in
trusi
onD
ata
brea
chD
oS a
ttack
Priv
ilege
abu
seM
alwa
reW
eb d
efac
emen
tSo
cial
eng
inee
ring
Hum
an e
rror
Frau
dLa
rcen
y an
d lo
ssPh
ishi
ngSk
imm
ers
Dis
rupt
ion
Out
age
Spam
Botn
etW
ater
ing
hole
Cro
ss−s
ite s
crip
ting
Buffe
r ove
rflow
Man−i
n−th
e−m
iddl
ePa
th tr
aver
sal
Rec
onna
issa
nce
Cry
ptan
alys
isSQ
L in
ject
ion
Forc
ed b
row
sing
Rev
erse
eng
inee
ring
Brut
e fo
rce
Fuzz
test
ing
CSR
FPa
ss−t
he−h
ash
Stol
en c
reds
Sess
ion
repl
ayC
lickJ
acki
ngPa
cket
sni
ffer
Back
door
Pass
word
dum
per
Dow
nloa
der
Adwa
reC
2In
ject
ion
atta
ck−
Softw
are
pira
cyW
orm
Spyw
are
Ram
scr
aper
Ran
som
ware
Roo
tkit
Troj
anR
ogue
sof
twar
eR
ogue
har
dwar
ePo
licy
viol
atio
nW
ireta
ppin
gN
atur
al h
azar
dEx
torti
onSp
oofin
gAn
tifor
ensi
csId
entit
y th
eft
Phar
min
gBu
sine
ss a
pplic
atio
nW
eb a
pplic
atio
nIn
tern
et o
f Thi
ngs
Con
trol s
yste
ms
Embe
dded
sys
tem
Poin
t−of−s
ale
Virtu
aliz
atio
nEn
dpoi
ntM
obile
dev
ice
Mai
nfra
me
Back
up m
edia
Dat
abas
eD
irect
ory
serv
erC
yber−p
hysi
cal
Car
d re
ader
Rem
ote
acce
ssD
NS
DH
CP
Prin
ted
med
iaAT
MN
etwo
rked
sto
rage
Smar
t car
dPe
riphe
rals
Rem
ovab
le m
edia
Big
data
Cre
dent
ials
Biom
etric
sBY
OD
Supp
ly c
hain
3rd
party
ser
vice
sC
loud
Mob
ile p
aym
ent
Paym
ent s
ervi
ceW
eb b
row
ser
Rea
der
Mob
ile a
ppSo
cial
med
iaPr
oduc
tivity
sof
twar
eFi
le s
harin
gO
pera
ting
syst
emPa
ymen
t dat
aIn
telle
ctua
l pro
perty
Pers
onal
dat
aM
edic
al d
ata
Cla
ssifi
ed d
ata
Cop
yrig
hted
dat
aBa
nk d
ata
Zero−d
ayC
VEC
WE
CVS
SM
isco
nfig
urat
ion
Inpu
t han
dlin
gW
eak
auth
entic
atio
nPo
or p
atch
ing
Priva
cyN
onre
pudi
atio
nD
atal
oss
amou
ntPr
oduc
tivity
loss
Res
pons
e co
stR
epla
cem
ent c
ost
Com
petit
ive lo
ssFi
nes
& ju
dgem
ents
Rep
utat
ion
loss
Har
dwar
e in
vent
ory
Softw
are
inve
ntor
yH
w&S
w c
onfig
urat
ion
Vuln
man
agem
ent
Adm
in p
rivile
ges
Audi
t log
sEm
ail a
nd w
ebM
alwa
re d
efen
ses
Net
work
con
trol
Dat
a re
cove
ryN
etwo
rk c
onfig
urat
ion
Boun
dary
def
ense
Dat
a pr
otec
tion
Con
trolle
d ac
cess
Wire
less
acc
ess
Acco
unt m
onito
ring
Secu
rity
train
ing
Appl
icat
ion
secu
rity
Inci
dent
resp
onse
Pen
test
ing
Inte
l sha
ring
Thre
at in
tel
Report: Hacker One
AvailabilityBug bounty
Cross−site scriptingCSRF
Cyber−physicalData breach
ExtortionFinancial gain
Identity theftImpact
Intellectual propertyMalware
Mobile appOperating system
OutagePen testing
Personal dataSecurity incident
Senior managementSocial mediaSQL injection
StaffingThreat actor
Vuln managementVulnerability
Web browser
1 5 10 15 20 25PDF Page
Report: Cisco Mid-year Report 2017
1
Cisco 2017 Midyear Cybersecurity Report
Executive Summary
3rd party servicesAPT
AuditAudit logs
Board of DirectorsBotnet
Boundary defenseC2
CISOCloud
CompetitorControl systems
CredentialsCriminal group
Data breachDatabaseDisruption
DoS attackDownloader
Emerging techEndpoint
Event frequencyExtortion
FraudInfoSec market
IntegrityMalware
Malware defensesMobile device
Network intrusionOperating system
OutagePersonal data
PhishingPlanning
Productivity lossRansomware
Risk managementSecurity incident
Security policySecurity standard
Senior managementSocial media
SpamSpywareStaffing
Supply chainTargeted attack
Threat actorThreat intel
Vuln managementVulnerability
Web browserZero−day
1 10 20 30 40 50 60 70 80
PDF Page
Aite: Cyber Insurance
3rd party servicesAPT
BenchmarkBotnetCISOCloud
CompetitorCyber insurance
Cybercrime marketData breach
DatabaseDeep/Dark webEmerging tech
EndpointEvent frequency
ExtortionFines & judgements
FraudGDPR
Incident responseInfoSec market
Intellectual propertyMalware
Network intrusionPayment data
Pen testingPersonal data
PhishingPrivacy
Productivity lossResponse cost
Risk analysisRisk management
Security incidentSecurity standard
Senior managementSmall business
StaffingStartup
Threat actorThreat intel
Vuln managementVulnerability
1 10 20 30 40 50 60 70
PDF Page
© 2016 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. Photocopying or electronic distribution of this document or any of its contents without prior written consent of the publisher violates U.S. copyright law, and is punishable by statutory damages of up to US$150,000 per infringement, plus attorneys’ fees (17 USC 504 et seq.). Without advance permission, illegal copying includes regular photocopying, faxing, excerpting, forwarding electronically, and sharing of online access.
Cyber Insurance and Cybersecurity: The Convergence
June 2016
Gwenn Bézard
Verzion DBIR 2017
Application securityBackdoor
BotnetBoundary defense
Brute forceC2
ConfidentialityCredentials
Criminal groupData breach
Data protectionDatabaseDisruption
Emerging techEndpoint
EspionageEvent frequency
ExtortionFinancial gain
FraudHacktivism
Human errorIdentity theft
Incident responseInfoSec market
InsiderIntegrity
Intellectual propertyLarceny and loss
MalwareMalware defenses
Medical dataMisconfiguration
Mobile deviceNetwork intrusion
Opportunistic attackPersonal data
PhishingPrinted media
Privilege abuseRansomware
Security incidentSecurity training
SkimmersSmall business
Social engineeringSocial media
SpywareSQL injectionStolen credsThreat actor
Vuln managementVulnerability
Weak authenticationWeb application
Web browser
1 10 20 30 40 50 60 70
PDF Page
2017 Data BreachInvestigations Report10th Edition
OFX
PB
U2FsdGVkX19xySK0fJn+xJH2VKLfWI8u+gK2bIHpVeoudbc5Slk0HosGiUNH7oiq
CNjiSkfygVslq77WCIM0rqxOZoW/qGMN+eqKMBnhfkhWgtAtcnGc2xm9vxpx5quA
Topic/Tagging
Security attributes > ConfidentialitySecurity attributes > Integrity
GRC Management > GovernanceInformation Assets > Desktop software
Information Assets > VulnerabilityInformation Assets > Data
Controls > CIS "Top20" ControlsInformation Assets > Infrastructure
Threats > Actors and motivesThreats > Events and TTPs
Verizon DBIR 2017
Information Assets > External servicesInformation Assets > Data
Impact and Loss > Loss formsControls > CIS "Top20" Controls
Miscellaneous > NAGRC Management > Governance
Threats > Actors and motivesInformation Assets > Infrastructure
Threats > Events and TTPsGRC Management > Risk
Aite: Cyber Insurance
GRC Management > ComplianceInformation Assets > Data
Market trends > Emerging techInformation Assets > Desktop softwareInformation Assets > External services
GRC Management > GovernanceInformation Assets > VulnerabilityControls > CIS "Top20" Controls
Information Assets > InfrastructureThreats > Actors and motives
Threats > Events and TTPs
Cisco Midyear 2017
Impact and Loss > ImpactInformation Assets > Infrastructure
Security attributes > AvailabilityControls > CIS "Top20" Controls
Information Assets > DataGRC Management > Governance
Information Assets > Desktop softwareThreats > Events and TTPs
Miscellaneous > MiscInformation Assets > Vulnerability
Threats > Actors and motives
HackerOne: Bug Bounty
Parsing PDFs: Text Extraction
8
Figure 3: Data risks based on actual volumes of sensitive data stored in each location compared to the perception of risk
Corporate servers and databases pose the highest risk, yet spending remains stubbornly focused on endpoint and mobile
The top three locations by volume where company-sensitive data is stored and must be protected are: databases (49%), file servers (39%), and the rapid growth area for cloud service environments (36%). The position is fairly consistent across most major geographies and mainstream verticals including financial services, healthcare, and the retail sector.
Along with the ubiquitous use of databases and servers, cloud and more recently big data take-up levels now force a stronger protection case to be made. Growing data volumes, when put alongside worries about a lack of control over third-party access; the use of third-party admins; and data
locational issues when foreign intervention and legal sovereignty come into play, make the case for improving cloud-services data protection. Also, as more data needs to transition between on-premise systems and cloud and big data environments, organizations need to make use of more inclusive data protection facilities to control and protect their data as it moves between corporate systems.
Another discussion that should take place revolves around the perception of risk that mobile devices and user mobility bring to the table. By comparison only 20% of sensitive company data is held on mobile devices and, of that 20%, a large proportion is being held on company-owned laptops and other company-protected mobile devices. In our opinion the discussion isn’t really about the data volumes involved, and if it were, 20% is still significant enough to cause anxiety. But the real concern for the 70% of IT Decision Makers who were worried about mobile device protection is firmly about the lack of control over the mobile devices that are in use. It is also about not having enough information to know what data has been copied to those devices and not having the controls in place to stop copies of company-sensitive data being made.
Good quality monitoring and access control technology provide part of the answer. Irrespective of where the data is being held, it is important to know and be able to control who gets access and what they can do with that access. This provides the ability to highlight and report on misuse that could otherwise put company-sensitive data at risk.
TOP 3 LOCATIONS WHERE DATA IS AT RISK IN VOLUME:
Databases (49%)
File Servers (39%)
Cloud (36%)
Figure 4: Global spending on security solutions during the next 12 months
0
5
10
15
20
25
30
35
40
45
Much H
igher
Higher
SameLo
wer
Much L
ower
% S
pend
Fig
ures
0
5
10
15
20
25
30
35
40
45
50
Dbase
s
FileS
ervers
Cloud
Big Data
Backu
p Saa
S
PC&WS
Mobile
Hard C
opy
Dat
a Pe
rcen
tage
s
Actual risk Perception of risk
locational issues when foreign intervention and legalsovereignty come into play, make the case for improvingcloud-services data protection. Also, as more data needsto transition between on-premise systems and cloud andbig data environments, organizations need to make useof more inclusive data protection facilities to control andprotect their data as it moves between corporate systems.
TOP 3 LOCATIONS WHEREDATA IS AT RISK IN VOLUME:
� Databases (49%)⠢File Servers (39%)⠢Cloud (36%)
The top three locations by volume where company-sensitive data is stored and must be protected are:databases (49%), file servers (39%), and the rapidgrowth area for cloud service environments (36%).The position is fairly consistent across most majorgeographies and mainstream verticals includingfinancial services, healthcare, and the retail sector.
Another discussion that should take place revolvesaround the perception of risk that mobile devices anduser mobility bring to the table. By comparison only 20%of sensitive company data is held on mobile devicesand, of that 20%, a large proportion is being held oncompany-owned laptops and other company-protectedmobile devices. In our opinion the discussionisnâ treallyabout the data volumes involved, and if it were, 20% is stillsignificant enough to cause anxiety. But the real concernfor the 70% of IT Decision Makers who were worried aboutmobile device protection is firmly about the lack of controlover the mobile devices that are in use. It is also about nothaving enough information to know what data has beencopied to those devices and not having the controls inplace to stop copies of company-sensitivedata being made.
Along with the ubiquitous use of databases andservers, cloud and more recently big data take-uplevels now force a stronger protection case to bemade. Growing data volumes, when put alongsideworries about a lack of control over third-partyaccess; the use of third-party admins; and data
Good quality monitoring and access control technologyprovide part of the answer. Irrespective of where the datais being held, it is important to know and be able to controlwho gets access and what they can do with that access.This provides the ability to highlight and report on misusethat could otherwise put company-sensitive data at risk.
Corporate servers and databases pose thehighest risk, yet spending remains stubbornlyfocused on endpoint and mobile
Actualrisk Perceptionofrisk5045
4535 4030
%
Spend
Figures252015105
30252015105
tackup SaaPC
S &WMSoHa
bilerdCopyd
MuchHi
Bas 0
DaBig
ouClverSer
FileDbases
0
Figure 3:Datarisksbased on actualvolumesof sensitivedatastored in each locationcompared to the perception of risk
8
35
gh Hier gheSa
r m
MLe
ucowh
erLower
Data
Percentages
40
Figure 4:Global spending on securitysolutions during the next 12 months
Parsing PDFs: early attempt
8
Figure 3: Data risks based on actual volumes of sensitive data stored in each location compared to the perception of risk
Corporate servers and databases pose the highest risk, yet spending remains stubbornly focused on endpoint and mobile
The top three locations by volume where company-sensitive data is stored and must be protected are: databases (49%), file servers (39%), and the rapid growth area for cloud service environments (36%). The position is fairly consistent across most major geographies and mainstream verticals including financial services, healthcare, and the retail sector.
Along with the ubiquitous use of databases and servers, cloud and more recently big data take-up levels now force a stronger protection case to be made. Growing data volumes, when put alongside worries about a lack of control over third-party access; the use of third-party admins; and data
locational issues when foreign intervention and legal sovereignty come into play, make the case for improving cloud-services data protection. Also, as more data needs to transition between on-premise systems and cloud and big data environments, organizations need to make use of more inclusive data protection facilities to control and protect their data as it moves between corporate systems.
Another discussion that should take place revolves around the perception of risk that mobile devices and user mobility bring to the table. By comparison only 20% of sensitive company data is held on mobile devices and, of that 20%, a large proportion is being held on company-owned laptops and other company-protected mobile devices. In our opinion the discussion isn’t really about the data volumes involved, and if it were, 20% is still significant enough to cause anxiety. But the real concern for the 70% of IT Decision Makers who were worried about mobile device protection is firmly about the lack of control over the mobile devices that are in use. It is also about not having enough information to know what data has been copied to those devices and not having the controls in place to stop copies of company-sensitive data being made.
Good quality monitoring and access control technology provide part of the answer. Irrespective of where the data is being held, it is important to know and be able to control who gets access and what they can do with that access. This provides the ability to highlight and report on misuse that could otherwise put company-sensitive data at risk.
TOP 3 LOCATIONS WHERE DATA IS AT RISK IN VOLUME:
Databases (49%)
File Servers (39%)
Cloud (36%)
Figure 4: Global spending on security solutions during the next 12 months
0
5
10
15
20
25
30
35
40
45
Much H
igher
Higher
SameLo
wer
Much L
ower
% S
pend
Fig
ures
0
5
10
15
20
25
30
35
40
45
50
Dbase
s
FileS
ervers
Cloud
Big Data
Backu
p Saa
S
PC&WS
Mobile
Hard C
opy
Dat
a Pe
rcen
tage
s
Actual risk Perception of risk
locational issues when foreign intervention and legalsovereignty come into play, make the case for improvingcloud-services data protection. Also, as more data needsto transition between on-premise systems and cloud andbig data environments, organizations need to make useof more inclusive data protection facilities to control andprotect their data as it moves between corporate systems.
TOP 3 LOCATIONS WHEREDATA IS AT RISK IN VOLUME:
� Databases (49%)⠢File Servers (39%)⠢Cloud (36%)
The top three locations by volume where company-sensitive data is stored and must be protected are:databases (49%), file servers (39%), and the rapidgrowth area for cloud service environments (36%).The position is fairly consistent across most majorgeographies and mainstream verticals includingfinancial services, healthcare, and the retail sector.
Another discussion that should take place revolvesaround the perception of risk that mobile devices anduser mobility bring to the table. By comparison only 20%of sensitive company data is held on mobile devicesand, of that 20%, a large proportion is being held oncompany-owned laptops and other company-protectedmobile devices. In our opinion the discussionisnâ treallyabout the data volumes involved, and if it were, 20% is stillsignificant enough to cause anxiety. But the real concernfor the 70% of IT Decision Makers who were worried aboutmobile device protection is firmly about the lack of controlover the mobile devices that are in use. It is also about nothaving enough information to know what data has beencopied to those devices and not having the controls inplace to stop copies of company-sensitivedata being made.
Along with the ubiquitous use of databases andservers, cloud and more recently big data take-uplevels now force a stronger protection case to bemade. Growing data volumes, when put alongsideworries about a lack of control over third-partyaccess; the use of third-party admins; and data
Good quality monitoring and access control technologyprovide part of the answer. Irrespective of where the datais being held, it is important to know and be able to controlwho gets access and what they can do with that access.This provides the ability to highlight and report on misusethat could otherwise put company-sensitive data at risk.
Corporate servers and databases pose thehighest risk, yet spending remains stubbornlyfocused on endpoint and mobile
Actualrisk Perceptionofrisk5045
4535 4030
%
Spend
Figures252015105
30252015105
tackup SaaPC
S &WMSoHa
bilerdCopyd
MuchHi
Bas 0
DaBig
ouClverSer
FileDbases
0
Figure 3: Data risks based on actual volumes of sensitivedatastored in each location compared to the perception of risk
8
35
gh Hier gheSa
r m
MLe
ucowh
erLower
Data
Percentages
40
Figure 4: Global spending on securitysolutions during the next 12 months
Parsing PDFs Spatially
8
Figure 3: Data risks based on actual volumes of sensitive data stored in each location compared to the perception of risk
Corporate servers and databases pose the highest risk, yet spending remains stubbornly focused on endpoint and mobile
The top three locations by volume where company-sensitive data is stored and must be protected are: databases (49%), file servers (39%), and the rapid growth area for cloud service environments (36%). The position is fairly consistent across most major geographies and mainstream verticals including financial services, healthcare, and the retail sector.
Along with the ubiquitous use of databases and servers, cloud and more recently big data take-up levels now force a stronger protection case to be made. Growing data volumes, when put alongside worries about a lack of control over third-party access; the use of third-party admins; and data
locational issues when foreign intervention and legal sovereignty come into play, make the case for improving cloud-services data protection. Also, as more data needs to transition between on-premise systems and cloud and big data environments, organizations need to make use of more inclusive data protection facilities to control and protect their data as it moves between corporate systems.
Another discussion that should take place revolves around the perception of risk that mobile devices and user mobility bring to the table. By comparison only 20% of sensitive company data is held on mobile devices and, of that 20%, a large proportion is being held on company-owned laptops and other company-protected mobile devices. In our opinion the discussion isn’t really about the data volumes involved, and if it were, 20% is still significant enough to cause anxiety. But the real concern for the 70% of IT Decision Makers who were worried about mobile device protection is firmly about the lack of control over the mobile devices that are in use. It is also about not having enough information to know what data has been copied to those devices and not having the controls in place to stop copies of company-sensitive data being made.
Good quality monitoring and access control technology provide part of the answer. Irrespective of where the data is being held, it is important to know and be able to control who gets access and what they can do with that access. This provides the ability to highlight and report on misuse that could otherwise put company-sensitive data at risk.
TOP 3 LOCATIONS WHERE DATA IS AT RISK IN VOLUME:
Databases (49%)
File Servers (39%)
Cloud (36%)
Figure 4: Global spending on security solutions during the next 12 months
0
5
10
15
20
25
30
35
40
45
Much H
igher
Higher
SameLo
wer
Much L
ower
% S
pend
Fig
ures
0
5
10
15
20
25
30
35
40
45
50
Dbase
s
FileS
ervers
Cloud
Big Data
Backu
p Saa
S
PC&WS
Mobile
Hard C
opy
Dat
a Pe
rcen
tage
s
Actual risk Perception of risk
Parsing PDFs
8
Figure 3: Data risks based on actual volumes of sensitive data stored in each location compared to the perception of risk
Corporate servers and databases pose the highest risk, yet spending remains stubbornly focused on endpoint and mobile
The top three locations by volume where company-sensitive data is stored and must be protected are: databases (49%), file servers (39%), and the rapid growth area for cloud service environments (36%). The position is fairly consistent across most major geographies and mainstream verticals including financial services, healthcare, and the retail sector.
Along with the ubiquitous use of databases and servers, cloud and more recently big data take-up levels now force a stronger protection case to be made. Growing data volumes, when put alongside worries about a lack of control over third-party access; the use of third-party admins; and data
locational issues when foreign intervention and legal sovereignty come into play, make the case for improving cloud-services data protection. Also, as more data needs to transition between on-premise systems and cloud and big data environments, organizations need to make use of more inclusive data protection facilities to control and protect their data as it moves between corporate systems.
Another discussion that should take place revolves around the perception of risk that mobile devices and user mobility bring to the table. By comparison only 20% of sensitive company data is held on mobile devices and, of that 20%, a large proportion is being held on company-owned laptops and other company-protected mobile devices. In our opinion the discussion isn’t really about the data volumes involved, and if it were, 20% is still significant enough to cause anxiety. But the real concern for the 70% of IT Decision Makers who were worried about mobile device protection is firmly about the lack of control over the mobile devices that are in use. It is also about not having enough information to know what data has been copied to those devices and not having the controls in place to stop copies of company-sensitive data being made.
Good quality monitoring and access control technology provide part of the answer. Irrespective of where the data is being held, it is important to know and be able to control who gets access and what they can do with that access. This provides the ability to highlight and report on misuse that could otherwise put company-sensitive data at risk.
TOP 3 LOCATIONS WHERE DATA IS AT RISK IN VOLUME:
Databases (49%)
File Servers (39%)
Cloud (36%)
Figure 4: Global spending on security solutions during the next 12 months
0
5
10
15
20
25
30
35
40
45
Much H
igher
Higher
SameLo
wer
Much L
ower
% S
pend
Fig
ures
0
5
10
15
20
25
30
35
40
45
50
Dbase
s
FileS
ervers
Cloud
Big Data
Backu
p Saa
S
PC&WS
Mobile
Hard C
opy
Dat
a Pe
rcen
tage
s
Actual risk Perception of risk
Parsing PDFs
11
Figure 7: Protection solutions used by enterprise organizations against insider threats
The most effective data protection technologies and the ones most frequently deployed by enterprise organizations were database and file encryption products, data access monitoring solutions, and data loss prevention technologies. As shown below, these topped a long list of protection solutions and were considered by enterprise respondents to offer the most effective protection against insider threats. Surprisingly tokenization, which has compliance-related uses, came bottom of the list. This may be due to restricted knowledge about the specific benefits the technology has. For example, if organizations need to protect data for specific purposes such as fulfilling payment card industry data security standard (PCI DSS) compliance, tokenization has scoping advantages over other forms of encryption that ensure the scope of audit requirements is reduced, as well as enabling the data to be used by other systems without compromising security.
THE MOST EFFECTIVE DATA PROTECTION TECHNOLOGIES:
Database and file encryption
Data Access Monitoring
Percentage Using
0% 10% 20% 30% 40% 50% 60%
Tokenization
Federated Identity Management
Single Sign On
Data Masking
Account Controls Provided By Directory Services Software
Multi-factor Authentication
Siem and Other Log Analysis and Analytical Tools
Application Layer Encryption
Cloud Security Gateway Privileged User Access Management
Data Loss Prevention (DLP) Data Access Monitoring
Database/File Encryption
Security Protection Levels
Parsing PDFs
23
ANALYST PROFILE—ANDREW KELLETT, PRINCIPAL ANALYST SOFTWARE—IT SOLUTIONS, OVUM
Andrew enjoys the challenge of working with state-of-the-art technology. As lead analyst in the Ovum IT security team, he has the opportunity to evaluate, provide opinion, and drive the Ovum security agenda, including its focus on the latest security trends. He is responsible for research on the key technologies used to protect public and private sector organizations, their operational systems, and their users. The role provides a balanced opportunity to promote the need for good business protection and, at the same time, to research the latest threat approaches.
HARRIS POLL—SOURCE/METHODOLOGY
Vormetric’s 2015 Insider Threat Report was conducted online by Harris Poll on behalf of Vormetric from September 22-October 16, 2014, among 818 adults ages 18 and older, who work full-time as an IT professional in a company and have at least a major influence in decision making for IT. In the U.S., 408 ITDMs were surveyed among companies with at least $200 million in revenue with 102 from the health care industries, 102 from financial industries, 102 from retail industries and 102 from other industries. Roughly 100 ITDMs were interviewed in the UK (103), Germany (102), Japan (102), and ASEAN (103) from companies that have at least $100 million in revenue. ASEAN countries were defined as Singapore, Malaysia, Indonesia, Thailand, and the Philippines. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated.
ABOUT VORMETRIC
Vormetric (@Vormetric) is the industry leader in data security solutions that protect data-at-rest across physical, big data and cloud environments. Vormetric helps over 1500 customers, including 17 of the Fortune 30, to meet compliance requirements and protect what matters—their sensitive data—from both internal and external threats. The company’s scalable Vormetric Data Security Platform protects any file, any database and any application’s data—anywhere it resides—with a high performance, market-leading solution set.
Andrew Kellett Principal Analyst Software IT Solutions, Ovum
ANALYST PROFILEâ€̃ANDREWKELLETT, PRINCIPALANALYST SOFTWAREâ€̃ IT SOLUTIONS, OVUM
Andrew enjoys the challenge of working with state−of−the−art technology.As lead analyst in the Ovum IT security team, he has the opportunity toevaluate, provide opinion, and drive the Ovum security agenda, including itsfocus on the latest security trends. He is responsible for research on the keytechnologies used to protect public and private sector organizations, theiroperational systems, and their users. The role provides a balanced opportunityto promote the need for good business protection and, at the same time, toresearch the latest threat approaches.
HARRIS POLLâ€̃SOURCE/METHODOLOGY
Vormetric†s2015 Insider Threat Report was conducted online by HarrisPoll on behalf of Vormetric from September 22−October 16, 2014, among818 adults ages 18 and older, who work full−time as an IT professional ina company and have at least a major influence in decision making for IT. Inthe U.S., 408 ITDMs were surveyed among companies with at least $200million in revenue with 102 from the health care industries, 102 from financialindustries, 102 from retail industries and 102 from other industries. Roughly100 ITDMs were interviewed in the UK (103), Germany (102), Japan (102),and ASEAN (103) from companies that have at least $100 million in revenue.ASEAN countries were defined as Singapore, Malaysia, Indonesia, Thailand,and the Philippines. This online survey is not based on a probability sampleand therefore no estimate of theoretical sampling error can be calculated.
Andrew KellettPrincipalAnalystSoftwareITSolutions,Ovum
ABOUT VORMETRIC
Vormetric (@Vormetric) is the industry leader in data security solutionsthat protect data−at−rest across physical, big data and cloud environments.Vormetric helps over 1500 customers, including 17 of the Fortune 30, tomeet compliance requirements and protect what mattersâ€̃ theirsensitive
dataâ€̃ fromboth internal and external threats. Thecompany†sscalableVormetric Data Security Platform protects any file, any database andany application†s dataâ€̃anywhereit residesâ€̃witha high performance,market−leading solution set.
23
Data is Everywhere
• Security Industry has hundreds if not thousands of research reports released each year.
• Meta-Analysis is a promising approach (ransomware)
• Research question > Identify Sources > Assess Quality > Synthesize Results
• Lots of opportunities to improve quality of research
• Discovery of publications is a challenge
• Lower effort with better text extraction and NLP
