hidden security and privacy consequences around mobility (infosec 2013)


Upload: tier-3-huntsman

Post on 27-Jan-2015


DESCRIPTION

An overview of the security and privacy implications and risks resulting from the wider adoption of mobile devices, apps, cloud and the resultant changes to customer interaction and business processes

TRANSCRIPT

Page 1: Hidden security and privacy consequences around mobility (Infosec 2013)

Copyright © Tier-3 Pty Ltd, 2012. All rights reserved.

A world of information: Security and privacy implications of mobility

Piers Wilson, Tier-3 Huntsman® - Head of Product Management

Page 2:

Introductions

01/05/2013 2

Piers Wilson, Head of Product Management

Director of IISP. Previously senior manager in Cyber Security practice at PricewaterhouseCoopers

Tier-3 Huntsman® at Infosec

• SIEM / Event correlation / "Big data" analytics

• Behaviour Anomaly Detection (BAD 2.0)

• Governance, Risk, Compliance

• Cloud/multi-tenancy support

Stand K31

Page 3:

Agenda and scope

• What this talk is about…

– Identifying the information on users/activity that has relevance for security and anti-fraud purposes

– Security and fraud consequences of the wider business adoption of mobile applications

– Privacy and security versus business interest and usefulness

• What this talk is not about…

– Mobile device management

– Mobile application security

79% of the UK population use the internet anywhere, on any device (Ofcom, 2012)

11% of businesses report all marketing activities are truly integrated across online and offline channels (Affilinet, 2011)

Four out of five US smartphone owners use the phone to help with shopping (Google/Ipsos, 2011)

Demand for security information and event management tools will grow to more than $1 billion worldwide by 2015 (Frost & Sullivan, 2011)

"There is no substitute for knowledge." (W. Edwards Deming)

"Before undertaking monitoring, identify clearly the purpose(s) behind the monitoring and the specific benefits it is likely to bring" (ICO BYOD Guidance, 2013)

Page 4:

Background

• App "ecosystems", consumerisation and "bring your own device" are here

• Users / Customers increasingly expect to access systems via apps / personal devices

• Imminent explosion in mobile payments

• Opportunity to collect, process and understand considerably more data

– Internal logs, external sources, user transactions, staff movements, habits, locations, activities, wider contexts, proximity

Page 5:

However…

Two big questions

1. Can organisations identify, collect and effectively analyse the data available to them?

2. What are the privacy and security implications of collecting data and using it in this way?

Page 6:

Business intelligence origins

• Most businesses are comfortable with:

– Collecting security log and event information from systems (traditional SIEM technologies)

– Monitoring staff use, system activity and network traffic for threat identification

– Gathering payment and transaction information for fraud detection and risk management (FMS)

– Profiling customer activity through on-line accounts and loyalty schemes

– Credit checking and the concept of risk scoring

Page 7:

What does mobility mean for security and fraud?

Richer Data

• Location and activity information for employees/contractors/customers becomes more available and more useful

• Monitoring of browsing and buying habits can be device and location aware

– Richer than just web-site analytics for tracking customers

– Location, proximity to outlets and real-world marketing, and locations of neighbours/competitors

• Loyalty systems expand beyond what I buy (or what I might like) or where I shop (special offers) to being more focussed

• We'll see interest in greater security and fraud insights, coupled with customer profiling and new flavours of data: "big data"

Financial Drivers

• Interfaces between systems to detect security incidents, events and fraud will become more prevalent in the mobile space

• Some intelligence will move from the back-end to nearer the client end

– What you can't do in a web page you may be able to do within an app

• Mobile payments will mean real money flowing between real devices and/or terminals

• Real world financial activity, coupled with on-line logging and monitoring and the ability to track location, becomes real time

– Who gets the mobile payment?

– Where are the logs?

Page 8:

What else does mobility mean for security and fraud?

New Applications

• Sector-specific applications with the ability to gather and analyse logs and data sets which "mean something"

– Searching for meaning in security log data

– Some uses will have business/customer benefits

– Could become intrusive

• If we create data with more value, the business criticality and the impact of loss/theft/exposure will also increase

– Driving security requirements

• Some obvious examples:

– Motor insurance applications to derive risk information or to make post-claim decisions: to log accidents and/or track movement/speed/location/risk factors prior to a crash or robbery

– Applications that turn on the heating when you are close to home

Personal / Lifestyle

• Personal and social aspects of mobility, security and data analysis

• In many cases there is (or will be) a social and a business interpretation of the gathered data

• Whose data is this?

– Work/life balance (hours at office)

– Health (exercise/food consumption)

– Social interactions (associations/photos/"near me")

– Security systems based on proximity between users/devices/controls

– Emergency situations/unrest and location/exposure

Page 9:

Don't collect more than you need and then struggle to protect it

• Increasing contextual data being available to apps installed locally or to back-end systems

• Collection and analysis may be overt or could become part of the routine handling of activity and transactions

– Hence less visible

– What is a security log and what is a customer activity log?

• The collection and use "purposes" could get blurred … with implications for privacy and security

– Data collected for fraud purposes could become useful for customer profiling and marketing

– If you know "where I am", you also know "where I am not" (at home, at work, at the gym); and maybe "who I'm with" or "what I'm doing"

Page 10:

Deciding what information to collect and why…

Security teams are used to drawing a balance between benefit and risk

• what data we collect and its value

Industry (more widely) is starting to invest in, and discover, the value of data analytics

In security the wider benefits of "big data" involve different parameters … more data means:

• Improved fraud detection capability

• Better customer profiling

• More context

• Richer user experience

AND

• Greater visibility around security threats, risks, attacks

[Diagram: Smarter data analytics; More useful data sources; More uses / Bigger audience]

Page 11:

… and then making sure we can protect it

Growth of security/customer/fraud/business data from the emerging mobile computing environment can:

• Challenge privacy obligations

• Exceed expectations from users/regulators

• Give security teams another (and higher impact) data set to protect

Organisations need to evolve their security stance - even simple "big data" examples could raise the risk levels much higher

Need consideration of:

• Balancing security, fraud, privacy and functionality within the mobile apps/facilities used by customers and staff

• Protecting the data that we collect, where the privacy implications (to customers) or raw value (to us) are heightened

Organisations must ensure they have the right tools and approaches to gain the maximum value from the security, fraud, activity and location data

Page 12:

So what?

• The value of (all) data is increasing, partly driven by a more mobile and app-oriented environment … security logs, behaviour anomaly detection, cyber threat detection … businesses increasingly using data to drive efficiencies and customer intimacy through mobile channels

• We have to acknowledge these trends and ensure that we adequately protect business information where the privacy risk, exposure and value become more critical

• Clever security technologies can really help, especially where past controls become less applicable or effective in a more interconnected space

Page 13:

Finally…

Time for questions

Or:

Find me at Tier-3’s stand K31

[email protected] +44 (0) 7800 508517 @only1weasel

www.tier-3.com @tier3huntsman