This 20-minute talk was delivered by Forcepoint Principal Security Analyst Carl Leonard at Infosecurity Europe 2018. Delivered to the Strategy track, the talk reviews the macro trends affecting businesses today, the root causes of standout data breaches and the security risk presented by employees, and offers guidance on how to protect your business from those root causes.
One Year After WannaCry - Has Anything Changed? A Root Cause Analysis of Data Breaches
1. One Year After WannaCry - Has Anything Changed? A Root Cause Analysis of Data Breaches
Carl Leonard, Principal Security Analyst, Forcepoint
2. ONE YEAR AFTER WANNACRY – HAS ANYTHING CHANGED?
A ROOT CAUSE ANALYSIS OF DATA BREACHES
Cyber Security Is Failing
We have to ask why…
• Are attackers improving?
• Are businesses getting worse (at protecting data)?
It seems the likelihood of a breach is increasing…
HaveIBeenPwned.com now holds >5bn accounts.
Review your spend to minimise risk.
3. Define: breach
4. Breach vs Incident
• A breach begins as an incident
• Not all incidents become breaches
GDPR (Article 4(12)):
…‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;…
5. History Repeats Itself
Cast your mind back 2,500 years to the battle between the “300 Spartans” and the Persian Empire (Thermopylae, 480 BC).
An insider leaked details of an alternative route around the mountain pass held by the 300, which ultimately led to their downfall.
We need a way to adapt to risk as and when that risk increases, from whatever source.
6. Are We Focusing On The Wrong Priorities?
Do we have our blinkers on when it comes to the threat posed by stolen credentials and malicious insiders?
If we are aware, do we lack the visibility and control that we must have?
Forcepoint survey 2017 “What CISOs Need To Know”:
• 11% of respondents admitted to sending data to a third party.
• 27% did not consider the security of cloud apps before uploading data.
7. Macro Trends
• Move to Cloud
• Poor Health of Security Programs
• Remote Workers
8. Threat Landscape
• Mandatory Breach Notification
• Cloud Applications
• Cryptocurrency Miners Seeking CPU Power
• Accidental, Compromised & Malicious Employees
9. Data Breach RCA
Industry | Date | Records Affected | Information Lost | Root Cause
Credit Reference Agency | 2017 | 147 million plus records | Email address, login credentials (username, password, secret questions), driving license number, phone number | Patching failure
Mobile Telecoms Provider | 2015 | 3 million customers, 1,000 employees | Names, addresses, phone numbers, dates of birth, marital status, historical payment data | Multiple, inc. compromised credentials
Startup | 2017 | Unknown | Intellectual property | Malicious insider
Social Media | 2018 | Unknown | Plain-text passwords | Process error
Accounting | 2017 | Unknown | Data contained within emails | Lack of 2FA
Healthcare Insurance | 2017 | 108,000 records | Names, DoB, contact info | Malicious insider
10. Data Breach RCA (with protection)
Industry | Date | Records Affected | Information Lost | Root Cause | Protection
Credit Reference Agency | 2017 | 147 million plus records | Email address, login credentials (username, password, secret questions), driving license number, phone number | Patching failure | Patch management
Mobile Telecoms Provider | 2015 | 3 million customers, 1,000 employees | Names, addresses, phone numbers, dates of birth, marital status, historical payment data | Multiple, inc. compromised credentials | NGFW, DLP, UEBA, Risk-Adaptive
Startup | 2017 | Unknown | Intellectual property | Malicious insider | DLP, UEBA, Risk-Adaptive
Social Media | 2018 | Unknown | Plain-text passwords | Process error | Third-party tool
Accounting | 2017 | Unknown | Data contained within emails | Lack of 2FA | UEBA, 2FA
Healthcare Insurance | 2017 | 108,000 records | Names, DoB, contact info | Malicious insider | DLP, UEBA, Risk-Adaptive
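The table above maps compromised credentials and malicious insiders to UEBA and risk-adaptive protection, and slide 5 asks for a way to adapt to risk as and when it increases. The following Python sketch is an added example, not code from the talk and not a Forcepoint product: it scores each user's activity against a baseline of normal behaviour and escalates the enforcement action (allow, monitor, step-up MFA, block) as the accumulated risk score rises, so the same kind of action gets a different response depending on the risk behind it. The user baselines, the event log, the point values and the tier thresholds are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed per-user baselines of "normal" behaviour. A UEBA product learns
# these from history; they are hard-coded here so the example runs offline.
BASELINE: Dict[str, dict] = {
    "alice": {"countries": {"GB"}, "work_hours": range(7, 20), "daily_upload_mb": 50},
    "bob": {"countries": {"GB", "US"}, "work_hours": range(6, 22), "daily_upload_mb": 500},
}

# Cloud apps the business has sanctioned; anything else is treated as shadow IT.
SANCTIONED_APPS = {"corp-sharepoint", "corp-onedrive"}

# Enforcement tiers, checked from strictest to most permissive. The same
# action (say, an upload) is allowed at low risk and blocked at high risk.
TIERS: List[Tuple[int, str]] = [(80, "block"), (60, "step-up-mfa"), (30, "monitor"), (0, "allow")]


@dataclass
class Event:
    user: str
    kind: str                 # "login" or "upload"
    hour: int                 # local hour of day, 0-23
    country: str              # source country, ISO 3166 alpha-2
    app: str = ""             # destination app for uploads
    size_mb: int = 0          # upload size
    sensitive: bool = False   # DLP classifier verdict on the content


def score_event(ev: Event, uploaded_so_far_mb: int) -> List[Tuple[int, str]]:
    """Score one event against its user's baseline; returns (points, reason) pairs.

    Point values are illustrative assumptions, not a vendor's scoring model.
    """
    base = BASELINE.get(ev.user)
    if base is None:
        return [(50, "no behavioural baseline for user")]
    hits: List[Tuple[int, str]] = []
    # Indicators typical of a compromised insider (stolen credentials).
    if ev.country not in base["countries"]:
        hits.append((40, f"activity from unseen country {ev.country}"))
    if ev.hour not in base["work_hours"]:
        hits.append((10, f"out-of-hours activity at {ev.hour:02d}:00"))
    # Indicators typical of an accidental or malicious insider (data leaving).
    if ev.kind == "upload":
        if ev.app not in SANCTIONED_APPS:
            hits.append((20, f"upload to unsanctioned app {ev.app}"))
            if ev.sensitive:
                hits.append((30, "sensitive data leaving via unsanctioned app"))
        if uploaded_so_far_mb + ev.size_mb > base["daily_upload_mb"]:
            hits.append((25, "daily upload volume above baseline"))
    return hits


def action_for(score: int) -> str:
    """Map an accumulated risk score to the enforcement tier it falls in."""
    for threshold, action in TIERS:
        if score >= threshold:
            return action
    return "allow"


def assess(events: List[Event]) -> Dict[str, dict]:
    """Replay events in order, accumulating risk per user and deciding each action."""
    state: Dict[str, dict] = {}
    for ev in events:
        s = state.setdefault(ev.user, {"score": 0, "uploaded_mb": 0, "decisions": []})
        hits = score_event(ev, s["uploaded_mb"])
        s["score"] += sum(points for points, _ in hits)
        action = action_for(s["score"])
        if ev.kind == "upload" and action != "block":
            s["uploaded_mb"] += ev.size_mb  # blocked uploads never leave, so do not count them
        s["decisions"].append((ev.kind, action, [reason for _, reason in hits]))
    return state


# Constructed activity log: alice drifts from routine work to an exfiltration
# pattern and then to a login that looks like stolen credentials; bob stays normal.
EVENTS = [
    Event("alice", "login", 9, "GB"),
    Event("alice", "upload", 11, "GB", app="corp-sharepoint", size_mb=20),
    Event("alice", "upload", 18, "GB", app="personal-cloud", size_mb=40, sensitive=True),
    Event("alice", "login", 2, "RU"),
    Event("bob", "upload", 10, "US", app="corp-onedrive", size_mb=100),
]

if __name__ == "__main__":
    for user, s in assess(EVENTS).items():
        for kind, action, reasons in s["decisions"]:
            print(f"{user:6} {kind:7} -> {action:12} {'; '.join(reasons)}")
```

Running the script shows alice's first upload allowed, her second (sensitive, to an unsanctioned app, pushing her past her daily volume) forced through step-up MFA, and her subsequent out-of-hours login from an unseen country blocked, while bob's larger but routine upload is allowed. The design point is that the score persists across events, so the response tightens with the user's recent behaviour rather than with any single rule firing.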
11. Cyber Continuum Of Intent
ACCIDENTAL INSIDER
• Inadvertent Behaviors: poorly communicated policies and user awareness
• Broken Business Process: data where it shouldn’t be, not where it should be
COMPROMISED INSIDER
• Malware Infections: phishing targets, breaches, BYOD contamination
• Stolen Credentials: credential exfiltration, social engineering, device control hygiene
MALICIOUS INSIDER
• Rogue Employee: leaving the company, poor performance review
• Criminal Actor Employees: corporate espionage, national espionage, organized crime
12. 5 KEY TAKEAWAYS
13. 5 KEY TAKEAWAYS
• 2018 is the “Year of Privacy Protection”
• You must test your GDPR-readiness. Conduct a table-top war game.
• Do you have an insider threat blindspot?
• Evaluate strengths at Identify-Protect-Detect-Respond-Recover (the five NIST Cybersecurity Framework functions).
• Consider a free “Cloud Threat Assessment”, see https://forcepoint.com/cloud-threat-assessment