Profile

Ulf Mattsson
Works at Compliance Engineering
Attended Chalmers University of Technology
Lives in Connecticut, USA
106 followers | 11,269 views

Stream

Ulf Mattsson

The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk.

Ulf Mattsson

This webinar will cover PCI DSS, Cloud, Big Data, NIST, FPE, ANSI X9, Tokenization, Masking, SOC, MSS, and MTSS.

Ulf Mattsson

Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures.
In this webinar, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.

Ulf Mattsson

The first step in any security initiative is to locate sensitive data in databases and file systems. I have seen effective approaches that quickly search all popular databases, file systems, and application environments. In many cases experienced data discovery engineers are also needed to help clients locate sensitive data within corporate environments. This type of solution can be most effective for many organizations if combined with security consulting services by industry experts. Look at www.complianceengineers.com.
With increasing attacks on PHI data, coupled with more stringent data security requirements and regular audits, organizations should act now!

Ulf Mattsson

Is PCI DSS v3.2 changing our data security process?

PCI DSS v3.2 provides several technical, process, documentation updates and new assessment guidance. One of the important and unique updates is specified data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers. While these requirements are not mandatory for some time, it’s important to know that you and your service providers now have an opportunity to leverage and adopt these controls. Implementing data discovery solutions can significantly and positively impact or reduce scope/cost, which will ultimately make it easier to validate PCI compliance.

Compliance Engineering is excited about being a part of the PCI QSA community and has many years of PCI experience. Compliance Engineering has also developed specialized tools to support the Payment Card Industry. Compliance Engineering specializes in being a trusted advisor and solution provider for organizations with complex to simplistic PCI environments. It is becoming widely recognized that “unknown” data leakage of PCI data, and more broadly other Personally Identifiable Information, within enterprises is the highest value target for the “bad guys”. While current market Data Loss Prevention tools are valuable, they do not provide for expansive and prescriptive data discovery. Compliance Engineering has developed a next generation data discovery tool called PII Finder. This agentless SaaS solution combines a rigorously tested and client proven scanning software with or without the analysis expertise of our security engineering professionals. PII Finder can execute remote or on-premise, scheduled scans of your data stores for a nearly endless variety of Personally Identifiable Information. This process is an essential component for scoping the IT environment for Security & Privacy, PCI, HIPAA, as well as other industry and regulatory compliance. Not to mention, just a strong security best practice.

Ulf Mattsson

Should a CISO report to the CIO? How should check and balance be enforced? How can a Compliance team help and augment the IT team (before a formal audit)?

Ulf Mattsson

I was speaking yesterday about Data-Centric Security, Cloud and Digital Business in New York City at http://nyoug.org/wp-content/uploads/2016/03/NYOUG_General_Meeting_2016_04_Agenda_1.pdf.
I discussed the rapid rise of cloud databases, storage and applications that has led to unease among adopters over the security of their data. Whether it is data stored in a public, private or hybrid cloud, or used in third party SaaS applications, companies have good reason to be concerned.
The biggest challenge in this interconnected world is merging data security with data value and productivity. If we are to realize the benefits promised by these new ways of doing business, we urgently need a data-centric strategy to protect the sensitive data flowing through these digital business systems. We need solutions and services that increase operational efficiency and reduce liabilities and cost.
I recommend organizations to follow a governing process for information data security coupled with an automated Data Discovery solution that is intelligent and provides a low false positive rate. Many organizations also need services for assessment and auditing.
A comprehensive program should involve five key areas:
  • Assessment – involves discovery scans to expose privacy data also in unknown locations;
  • Policy – evaluating and updating policy to govern acceptable locations for data storage;
  • Implementation (Remediation) – implementing controls to reduce data leakage and remediating exposures in areas forbidden by policy;
  • Training – involves training and awareness for data security policies;
  • Auditing – selecting high risk areas for discovery scans and examining evidence to show effectiveness of the PII (Personally Identifiable Information) Protection program.
Please read more about data centric security aspects for digital business at https://www.helpnetsecurity.com/2016/03/22/data-centric-security/ and "Automated data-discovery reduces the risk to data" at https://www.linkedin.com/pulse/automated-data-discovery-reduces-risk-data-ulf-mattsson .

Ulf Mattsson, CTO Compliance Engineering

Ulf Mattsson

How the Latest Trends in Data Security Can Help Your Data Protection Strategy
Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures.
In this webinar, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.

Ulf Mattsson

What should I cover this month in "How the Latest Trends in Data Security Can Help Your Data Protection Strategy"?

Ulf Mattsson

I will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.

Ulf Mattsson

PCI DSS 3.2 is out and new requirements include 10.8 and 10.8.1 that outline that service providers need to detect and report on failures of critical security control systems.

PCI Security Standards Council CTO Troy Leach explained that “without formal processes to detect and alert to critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data from the cardholder data environment. While this is a new requirement only for service providers, we encourage all organizations to evaluate the merit of this control for their unique environment and adopt as good security hygiene.”

I see that companies use a variety of tools to manage and monitor the security of their network and application infrastructure, picked according to their needs and requirements. They are generally expensive, and it's imperative that the output be actionable and properly directed. In order to assure proper operation, the tools themselves must be kept healthy, current, and properly configured. This is time consuming and requires a broad skillset to perform effectively, a skillset not often present or affordable for the companies. Organizations may have 10-25 security products to combat the persistent threats from the hostile world they operate in. The constant threat combined with the high cost and a shortage of skilled security engineers has put many companies at risk. Simply put, companies are unable to maintain and utilize the strategic investment in core security technologies to maximize their potential use.
Compliance Engineering offers a Managed Tool Security Service (MTSS) from a Security Operations Center to address these needs in a secure and cost effective fashion. This is a fully staffed 24/7/365 operations center that monitors and maintains tool availability and health, applies patches and performs version upgrades to keep your security tool environment in optimal shape.

Ulf Mattsson

FS-ISAC Summit 2016 on “Know Your Data”

On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit about “Know Your Data” that “At the end of the day, your business critical data is the asset that needs to be protected. Consequently, an awareness of where it resides, who has access to it, and how it travels through your network is necessary. To protect data, encryption at rest has become the new norm. However, that’s not sufficient. Visibility into how and where it flows during the course of normal business is critical. Armed with this knowledge, deviations from the baseline can be detected and even stopped.”

Historically, organizations have taken a reactive approach to data security in response to government regulations and industry standards. Recent breaches demonstrate the urgent need to be more proactive and flexible to the ever-changing nature of big data technology and threat landscape.

I think that the first step is to locate sensitive data in databases, file systems, and application environments and then identify the data’s specific retention requirements and apply automated processes for secure deletion of data when it’s no longer needed. With cost-effective approaches possibly based on agentless technologies and cloud based solutions, these goals are attainable.
Ulf Mattsson (comment): Take a look at PII Finder Data Discovery at www.complianceengineers.com
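The discovery step described in the post above, as an added example that is not the post's own code and not the PII Finder product: a small agentless file-system scan for payment card numbers (PANs). A bare digit-pattern search gives a high false-positive rate, so the scan keeps only candidates that pass the Luhn check and carry a plausible issuer prefix and length, masks what it reports (first six and last four digits), and flags files older than a retention period as candidates for secure deletion. The files, their ages, the 90-day retention policy and the directory layout are constructed for the example; the card numbers are the usual publicly known test numbers, not real PANs.

```python
import os
import re
import tempfile
import time

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects roughly 90% of random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_issuer(digits: str) -> bool:
    """Issuer prefix and length filter (Visa, Mastercard, Amex, Discover ranges)."""
    n = len(digits)
    p2, p4 = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return True
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return True
    if p2 in (34, 37) and n == 15:
        return True
    if (p4 == 6011 or p2 == 65) and n == 16:
        return True
    return False


def mask(digits: str) -> str:
    """Keep first six and last four digits; the full PAN is never written to a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs that pass both the Luhn and issuer filters."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and plausible_issuer(digits):
            hits.append(mask(digits))
    return hits


def scan_tree(root: str, retention_days: int = 90, now=None) -> dict:
    """Walk root and return {relative path: finding} for files containing PANs.
    Files older than retention_days are flagged as candidates for secure deletion."""
    now = time.time() if now is None else now
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue  # unreadable file: skip, a real scanner would log it
            if pans:
                age = (now - os.path.getmtime(path)) / 86400
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = {
                    "pans": pans,
                    "age_days": round(age),
                    "past_retention": age > retention_days,
                }
    return findings


def demo() -> dict:
    """Constructed sample data store (hypothetical files, public test card numbers only)."""
    root = tempfile.mkdtemp(prefix="discovery_")
    samples = {
        # stale export: two Luhn-valid test PANs, 400 days old -> past 90-day retention
        "archive/orders_2014.csv": ("id,card\n1,4111 1111 1111 1111\n2,5555-5555-5555-4444\n", 400),
        # noise: first number fails Luhn; second passes Luhn but has no issuer prefix
        "notes.txt": ("ticket 1234567890123456 opened; ref 0000000000000000\n", 5),
        # live log with an Amex test PAN, modified today -> within retention
        "current/pos.log": ("auth 378282246310005 approved\n", 0),
    }
    now = time.time()
    for rel, (content, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))  # back-date the file to simulate its age
    return scan_tree(root, retention_days=90, now=now)


if __name__ == "__main__":
    for rel, finding in sorted(demo().items()):
        print(rel, finding)
```

The two filters are the point: the Luhn check alone still accepts one random digit string in ten (the all-zero string in notes.txt passes it), so the issuer prefix and length test is what brings the false-positive rate down to something an engineer can triage. The retention flag turns a discovery finding into an action, which is the "secure deletion when no longer needed" step the post asks for.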
People
Have him in circles
106 people
  • Igor Edelman
  • Eddie Adams
  • sreenivas s
  • ahmed maged
  • roopbasant kumar
  • Владислав Воронцов
  • SafeUM - secure multimedia messenger
  • Tom Molin
  • Adrian Rogers
Communities
24 communities
Work
Occupation
Chief Technology Officer
Employment
  • Compliance Engineering
    CTO, present
  • Protegrity
    Chief Technology Officer, 2016
  • IBM
Places
Currently
Connecticut, USA
Previously
Sweden - Stockholm, Gothenburg
Story
Introduction
I created vault-less data tokenization and the architecture of Protegrity's data centric security technology. Prior to joining Protegrity, I worked 20 years at IBM in software development and as a consulting resource to IBM's Research organization, specialized in the areas of IT Architecture and IT Security. I received my US Green Card of class 'EB 11 - Individual of Extraordinary Ability' after endorsement by IBM Research in 2004.
I am the inventor of more than 20 patents in the areas of Encryption Key Management, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention. One line of my research during the last 15 years is in the area of managing and enforcing policies (security, encryption, audit) for databases, including more than 10 joint projects with research and development teams at IBM, Microsoft, Hewlett-Packard, Oracle, Sybase, Informix, Teradata, and RSA.
I am a research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security, ANSI X9 and IEEE. Leading journals and professional magazines, including IEEE Xplore and IBM Journals, have published more than 100 of my in-depth professional articles and papers.
I received Industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Cisco Systems, Ingres, Google and other leading companies. I have given a series of presentations at leading security and database conferences in the US, Europe and Asia, and frequent tutorials at the Information Systems Security Association (ISSA) and Information Systems Audit and Control Association (ISACA). I received a master's degree in physics in 1979 from Chalmers University of Technology in Sweden, and degrees in electrical engineering and finance.
Bragging rights
Invented vault-less data tokenization
Education
  • Chalmers University of Technology
  • IBM Management School
  • Stockholm University
  • Polhem Institute of Technology
  • Kungsladugardsskolan
  • Skytteskolan
Basic Information
Gender
Male