InfoSecChat

Fox In The Hen House? (1 of 3)
Could you spot the fox in your hen house? Protect your sensitive data from insider threats.
   8 years ago
IBM Security
Q3: How do I find my sensitive data in the first place, so I can start protecting it?
Luis Casco-Arias
there are several methods, but first you have to define what is sensitive/critical to the org
Leslie Wiggins
A3: Finding sensitive data is an ongoing activity -- not once and done (because data is dynamic, distributed and in demand .. and moving all the time)
Andy Land
A3: Need a concerted effort by your team and some automation. Lots of great tools including @IBMSecurity Guardium.
Luis Casco-Arias
Once categories are defined, then you could use organizational memory or automatic discovery tools
Leslie Wiggins
A3: Finding sensitive data manually is impractical - error prone, expensive and time consuming
Datapipe
If you're using an MSP, they should provide analytics or have monitoring/scanning services to help you locate sensitive data. Otherwise there are third-party tools to help. But it's important to maintain use. This is an ongoing battle.
Cindy Compert,CIPT/M
a3 a Privacy Impact Assessment is a good place to start + lots of tools
Leslie Wiggins
A3: It's important to have automated discovery and classification - across all repositories where sensitive data lurks (DB, apps, big data, etc)
IBM Security
Also, check out our ebook on #InsiderThreat to learn more: ibm.co/1RDWloF
Andy Land
@LeslieW66749952 So key is using tools built for the job.
John Martin
One has to identify all assets, which have value and then assess them.
Luis Casco-Arias
right... it is not enough to discover once... since data moves and changes all the time.
Kevin G. Joseph
It is so important not to have dozens of security products that don't talk to each other. When investing in security, businesses need to look for a comprehensive security program that increases visibility and integrates seamlessly.
Cindy Compert,CIPT/M
a3 Don't forget data in flight that is never stored! big trend in #cognitive
Leslie Wiggins
You are right, John. That's where automated discovery and classification come into play.
Luis Casco-Arias
besides, it is not enough just to find the data, but also who has access, how they access... the idea is to identify risk and do something to reduce it.
Andy Land
@CCBigData Privacy is a big consideration when taking on classifying sensitive data.
Datapipe
Employing role-based access is very helpful.
Luis Casco-Arias
a strategy for classification is also important... you do not want to boil the ocean
Leslie Wiggins
Last question was just posted, as we are going to start wrapping up.
Navroop Mitter
not only is once and done not the right approach, value is often created by combining distinct pieces of data in distinct repositories. We have to start looking at what value may come if different pieces of information are brought together.
Leslie Wiggins
Please respond to the question, and then join us for Part II in this discussion
Leslie Wiggins
On 1/28 at 2pm est!
IBM Security
Q2: What data is considered sensitive data?
Christina F Thompson
A2: Basically anything you don't want anyone else to have access to (cust data, patient data, etc)
Andy Land
A2: Lots of answers to this one. If bad guys want it, then sensitive. Clearly regulations dictated things like PII. @IBMSecurity
Luis Casco-Arias
any information that is critical to run the business, including protecting your customer/employee/partner data
Cindy Compert,CIPT/M
a2 It depends on the org- how you classify.. should be decided by the business, legal, compliance, privacy office, etc..
Leslie Wiggins
A2: IP-oriented data counts too - like email comms, proprietary product info, Intellectual property, manufacturing info, etc
Kevin G. Joseph
Two Types of #Data: 1) Data someone wants 2) Everything else... important to find #CriticalAssets, prioritize them and lock them down!
Andy Land
The key for your organization is knowing what data is sensitive for your business. I talked to a lot of customers where this is fuzzy. @IBMSecurity
Leslie Wiggins
A2: Compromised sensitive data leads to brand erosion, legal action, negative attention in the news, etc.
Cindy Compert,CIPT/M
@LeslieW66749952 Good point. Orgs really struggle with PII due to conflicting privacy regulations, esp. multinationals.
Datapipe
Ask yourself: Is all customer/client data you have critical? Don't hold onto extraneous information that could compromise a customer if you don't need to.
Leslie Wiggins
@CCBigData And now there's the European regulation that's going into effect - impacting more organizations
Christina F Thompson
A2: Great blog on Data Privacy, specifically, go to securityintelligence... from 1/28
Andy Land
@CCBigData This is really tough for multi-nationals operating all over the world. Sensitive data is everywhere.
Cindy Compert,CIPT/M
@LeslieW66749952 EU #GDPR will be a massive change to privacy as far as sensitive data, consent, & profiling
Cindy Compert,CIPT/M
a2 @AndylandTx Yes it's a governance issue & cloud makes it even more interesting!
John Martin
Anything you deem is valuable to you and others including organisations you either work for or are associated with.
Navroop Mitter
problem w/ solely relying on pre-classification of data as either worthy or necessitating protection is that sometimes dots can only be connected going backwards. Desire to limit what we secure often stems from experiences w/ poor security UX.
IBM Security
Q4: How do you recognize someone misusing credentials?
Luis Casco-Arias
need a way to identify abnormal/suspicious behavior in real time
Andy Land
A4: Lots of exciting work in this area like outlier detection, user behavioral analytics, and tools to mitigate entitlements creep. @IBMSecurity
Christina F Thompson
A4: i. Go through discovery and classification exercise
Luis Casco-Arias
or to check abuse of privileges, which may be beyond the access controls of the platform
Cindy Compert,CIPT/M
#machinelearning and #cognitive alerting on suspicious activities
Leslie Wiggins
A4: Support entitlement reporting and create security policies for who should be able to access what
Kevin G. Joseph
1) #Prevent through understanding behavior based capabilities of applications and users, 2) #Detect through #anomalies in behavior and 3) #Respond to those anomalies by quarantining systems and apps!
Andy Land
A4: We @IBMSecurity are really seeing a tight intersection of Data Security with Identity and Access Management. We have to look at and monitor users and know what data is sensitive.
Cindy Compert,CIPT/M
also correlate with other security events such as network server identity etc
IBM Security
Also, check out this great piece of research by the IBM XForce team on inside threat: ibm.co/1N7FdiP
Luis Casco-Arias
today, the only way is to leverage analytics, not only to identify misuse, but predict misuse
Leslie Wiggins
A4: Monitoring, with real-time analytics, can help you spot anomalies & suspicious behavior & kick it 4 review or block access 2 data in real-time
Datapipe
If only an alarm went off when someone was misusing credentials. Though that wouldn't be good for jumpy folks.
Andy Land
At the end of the day it comes down to what the user can access. What level of privileges does the access give them. And does your company know that they have that access. @IBMSecurity
Luis Casco-Arias
predicting misuse requires knowledge beyond the data interface to contextual data.. great case for cognitive