Data Breach Management


KSI and Data Breach Cycle

With Guardtime KSI’s capabilities, the reliability of an organization’s data can be verified independently and in real time, at a scale that keeps pace with increasingly complex enterprises.

Prior to Breach: Reasonable and Appropriate Measures

It is imperative that businesses take a proactive approach to tackling cyber security threats rather than waiting for a breach to occur and then reacting to it.

In the physical world it would be considered reasonable and appropriate to require an audit of items to be insured. KSI enables companies and their insurers to conduct an audit of what digital assets exist (e.g. client data, intellectual property) prior to a breach.

During a Breach: Active Integrity and Cyber Alarms

Most breaches today go unnoticed until long after the fact, when the damage has already been done. Active Integrity involves the continuous verification of intellectual property.

By instrumenting those assets using Active Integrity and a Security Operations Center, it becomes possible to detect in real time that an attack is occurring and to take action to mitigate it. In the physical world this is equivalent to having not only an alarm on your physical property but a motion detection alarm on every asset.

Auditable events that can be captured by KSI, consistent with guidance outlined in NIST SP 800-53 under the high control baseline annexes, include:

  1. Access Control Policy and Procedures
  2. Account Management & metadata
  3. Access Enforcement and Escalation Activities
  4. Information Flow Enforcement
  5. Unsuccessful Login Attempts
  6. System Use Notifications
  7. Previous Logon (Access) Notifications
  8. Concurrent Session Controls
  9. Session Locks
  10. Permitted Actions (without Identification or Authentication)
  11. Security Attributes
  12. Remote Accesses
  13. Wireless Accesses
  14. Access Controls for Mobile Devices
  15. Use of and Authentication to External Information Systems
  16. User-Based Collaboration and Information Sharing resources/logs
  17. Publicly available content accesses

If all these events are instrumented using KSI capabilities, then alarms can be configured and forensic analysis can be conducted post-breach.

Post Breach: Short Term Forensic Analysis

The single most important thing to know post-breach is what happened when. You cannot provide insurance unless you can verify what happened in the event of a claim. In insurance terms this is known as “forensic proof of causation.” KSI enables an investigator or auditor to verify the extent of a breach independently from the insured party.

The KSI approach is to move the trust anchor from a trusted administrator or ‘hardened’ appliance to formal mathematical proofs and widely witnessed digital evidence via keyless signatures that preserve the time, identity, and authenticity of digital assets.
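The shift of trust anchor described above can be illustrated with a plain SHA-256 hash tree over audit records. This is an added example, not Guardtime code and not the KSI signature format or API; the record layout, function names and sample events are constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(record: str) -> bytes:
    # Domain-separate leaves from inner nodes so a node cannot pose as a record.
    return h(b"\x00" + record.encode())

def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_levels(records):
    """Return all tree levels, leaves first; an odd node is promoted unchanged."""
    levels = [[leaf(r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels, index):
    """Hash chain of (sibling, sibling_is_left) from leaf `index` to the root."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):          # a promoted node has no sibling here
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify(record, path, root):
    """Investigator-side check: needs only the record, its chain and the root."""
    acc = leaf(record)
    for sibling, is_left in path:
        acc = node(sibling, acc) if is_left else node(acc, sibling)
    return acc == root

# Constructed sample audit events (timestamp | event type | detail).
EVENTS = [
    "2024-03-01T02:14:07Z|unsuccessful_login|user=svc-backup src=10.0.4.17",
    "2024-03-01T02:14:39Z|remote_access|user=svc-backup src=10.0.4.17",
    "2024-03-01T02:15:02Z|access_escalation|user=svc-backup role=admin",
    "2024-03-01T02:16:48Z|information_flow|dst=external bytes=48211033",
    "2024-03-01T02:20:00Z|session_lock|user=svc-backup",
]
LEVELS = build_levels(EVENTS)
ROOT = LEVELS[-1][0]   # the only value that must be held by an independent witness
PROOFS = [proof_for(LEVELS, i) for i in range(len(EVENTS))]
```

Once the root has been witnessed outside the organization, an administrator who rewrites a record cannot supply a chain that still recomputes to it, so the investigator's check does not depend on trusting the insured party's systems.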

Post Breach: Long Term Subrogation and eDiscovery

Subrogation is the action taken by an insurance company to recover claims paid out from other sources that may have been liable for the claim. In the motor and shipping business this is the third party responsible for an accident or event, along with the recovery of salvage costs from the event. In cyber liability this will be the third-party vendors involved in the cyber process. There is a distinct parallel here to the property and fire business, where third-party vendors supply alarms and detectors. If actions are malicious, or if non-malicious negligence leads to malicious action, there will be subrogation if the event is external to the organization, i.e. not an internal employee error. The targets from which subrogation lawyers seek recovery are network maintenance and security companies, software and hardware companies, website and security vendors, data backup and outsourcers, plus cloud computing providers. See the Data Breach Management white paper for a detailed analysis of the possible triggers for subrogation claims.

Mapping Subrogation to KSI Technology

Introducing KSI to subrogation follows a path of non-repudiation, or non-denial. There are multiple third parties in a claim and each has a different view of the claim. Utilizing KSI in these third parties will make the claim easier to assess, reduce claims expenses and lead to better loss ratios, hopefully with less legal reserve. The list above opens up several blue oceans for carriers outside of the regulated insurance industry in terms of payment card vendors and other third parties.

eDiscovery and Indemnification

Whether via subrogation or other legal processes, there may be a requirement for electronic data to be presented in court.

KSI plays an important role in Identification (what digital assets are insured prior to a breach) and Presentation (the evidence presented to the court or other legal party). KSI provides a complete digital chain of custody from the identification of an electronic asset to its presentation to the court. Without a reliable chain of custody, an adversarial party can easily dismiss electronic evidence.

How to Get Data Breach Management Solution

Guardtime's products and solutions can be purchased for your environment following our Design, Build, Operate, and Transfer (DBOT) model. 

We're always happy to discuss your concrete requirements; please register your interest.
