Dark Reading

Threat Intelligence

7/30/2019
10:00 AM
Michael Coates
Commentary

CISOs Must Evolve to a Data-First Security Program

Such a program will require effort and reprioritization, but it will let your company fight modern-day threats and protect your most important assets.

Data is the new currency. Businesses will thrive or wither based on their ability to properly handle, protect, and utilize data. And although the importance and potential of data is not in question, the priority of data protection within security programs still has a way to go. 

For far too long, the fundamental thinking around enterprise cybersecurity has centered on external threats. If we build a strong perimeter of firewalls and scrutinize traffic crossing the boundary, then we'll keep the "good" in and the "bad" out. Even more modern security programs have doubled down on external threat actors with endpoint security software, antivirus sandboxes for email attachments, and mobile device management.

In the past, these investments made sense in order to pursue a defense against general threats and malware from "the outside." But technology has evolved, and what matters now is different. In today's world, fueled by rich web applications, corporate interconnectivity, cloud systems, contract workers, and remote access, the notion of "outside" and "inside," "us" and "them," is dead. In the world of a CISO who can't focus on every problem, risk prioritization is king. So, instead of attempting to thinly spread the security focus across a wide array of externally facing infrastructure, we must ask ourselves this question: "What do we fundamentally need to protect most?" The answer is data.

While serving as CISO of Twitter, I instituted a "data-first" security program. The goal of this was simple. From our risk analysis, the item most important to our company was the protection of sensitive data against any form of inappropriate or unauthorized access or manipulation. Since data was the priority, we applied the focus of our security efforts as close to the data as possible and then moved outward. This meant asking questions like: "How is the data protected at rest?" "What services/people can access the data?" and "How do we authenticate the services and detect malice or deviations?"

We asked these questions even though the data was deep inside the internal network. By inverting the traditional security model, we focused on the controls that actually protect the data first. Afterward, we moved outward in "concentric circles" to provide layers of defenses across the entire stack used to access the data (that is, the servers, workstations, humans, etc.).
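The innermost ring of the "concentric circles" above is a control that sits at the data itself: authorize every read against an explicit grant, and compare each access with the principal's established pattern so that misuse by a trusted insider or a compromised service is visible. The following is an added illustration written for this page, not code from the article or from Twitter's program; the policy, the per-principal baselines, the thresholds, and the log entries are all constructed.

```python
"""Data-first controls: authorize each data access at the data layer and flag
deviations from each principal's established access pattern.

Added example for this page; policy, baselines and log lines are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    principal: str   # service account or human identity
    dataset: str     # logical data store, e.g. "user_profile"
    rows: int        # records returned by the query
    hour: int        # UTC hour of day (0-23)


# Constructed least-privilege policy: which principals may read which datasets.
# Anything not listed is denied, regardless of network position.
POLICY = {
    "billing-svc": {"payments"},
    "support-app": {"user_profile"},
    "analyst.jane": {"user_profile", "payments"},
}

# Constructed per-principal baselines (typical rows per query) learned from a
# prior observation window.
BASELINE_ROWS = {
    "billing-svc": 400,
    "support-app": 25,
    "analyst.jane": 2000,
}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC


def authorize(event, policy=POLICY):
    """Enforce the grant at the data layer: allow only explicitly listed datasets."""
    return event.dataset in policy.get(event.principal, set())


def deviations(event, baseline_rows=BASELINE_ROWS, volume_factor=5):
    """Return the deviation reasons for one event (empty list means normal)."""
    reasons = []
    if not authorize(event):
        reasons.append("unauthorized_dataset")
    typical = baseline_rows.get(event.principal)
    if typical is None:
        reasons.append("unknown_principal")
    elif event.rows > volume_factor * typical:
        reasons.append("volume_spike")
    # Service accounts run around the clock; humans normally do not.
    if event.hour not in BUSINESS_HOURS and not event.principal.endswith("-svc"):
        reasons.append("off_hours_human_access")
    return reasons


def triage(events):
    """Map each flagged event to its reasons; unflagged events are omitted."""
    return {e: deviations(e) for e in events if deviations(e)}


# Constructed sample access log.
SAMPLE_EVENTS = [
    AccessEvent("billing-svc", "payments", 380, 3),         # routine service read
    AccessEvent("support-app", "user_profile", 30, 14),     # routine
    AccessEvent("support-app", "payments", 10, 14),         # outside its grant
    AccessEvent("analyst.jane", "user_profile", 50000, 2),  # bulk pull at 02:00
    AccessEvent("ci-runner", "user_profile", 5, 10),        # no grant, no baseline
]

if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{event.principal:>13} -> {event.dataset:<13} "
              f"rows={event.rows:<6} {', '.join(reasons)}")
```

The point of the design is that the same events would look unremarkable to a perimeter control: every one of them originates from inside the network. Only the check that knows the grant and the baseline for each principal can tell a routine query from a support application reading payments data or an analyst pulling 50,000 profiles at 02:00.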

The reason the data-first security thinking is so important is that the traditional "outside-in" perimeter security approach makes too many assumptions that no longer hold true. If the strength of your security relies on a strong perimeter, then what happens if an internal employee is compromised or goes rogue? Do the attackers have full lateral movement and access to data? If so, then the perimeter security approach is only one security failure away from a massive company data breach.

Because of data protection regulations such as GDPR and the California Data Protection Act, a shift to a data-first security program makes a lot of sense. But this isn't just a movement driven by compliance. Available data supports the need to shift to a data-first security approach:

  • The "2019 Verizon Data Breach Report" shows for one of its measured sectors that "Privilege Misuse and Error by insider account for 30 percent of breaches."
  • A 2019 data privacy survey conducted by Opinion Matters found that "83 percent of security professionals believe that employees have put customer [personally identifiable information] and business sensitive information at risk of exposure through error." 
  • The "Insider Threat 2018 Report" from Cybersecurity Insiders found that "53 percent [of surveyed organizations] confirmed insider attacks against their organization in the previous 12 months."

The takeaway here is clear. There is a real threat from within the organization by individuals who are granted some level of trust and access. With this reality in mind, there's no choice other than to move security as close to the data as possible. 

How to Move to a Data-First Approach

First, a sound security program must have risk modeling and strategic risk prioritization processes in place. Without such components, the security organization will be unable to focus on the most important issues to make meaningful changes. Second, conduct an updated risk prioritization and assessment exercise. Be sure that the value of your data assets and the likelihood of an internal threat are appropriately weighted by the statistics discussed above and other information specific to your organization. In this exercise, be sure to explore different potential paths of compromise that lead to data access and consider whether existing security controls provide any mitigating protection.

The likely output of this activity will include new prioritized risks focused on data access controls and visibility of data use. With this new data in hand, reach out to other business leaders to build support for the new focus. As security leaders know, it's imperative to have allies across the business; security is not the activity of a single organization and requires company-wide support. Finally, as you embark on identifying new security controls, processes, and technology, be sure to maintain your laser focus in the face of other security "fires." Question whether your and your team's time is being spent on the highest-priority risks and most valuable activities for your company.

Implementing a data-first security program will require effort and reprioritization, but it will also enable your company to combat modern-day threats and protect your most important assets. It will also give the business the flexibility to adopt new technologies more easily, knowing that the control structure in place is based on protecting core assets first, independent of the surrounding technology.


Michael Coates is the CEO and Co-Founder of Altitude Networks. Previously, Michael was the Chief Information Security Officer at Twitter. Michael has also served for six years on the OWASP global board of directors, three of those years as the chairman. Prior to Twitter, ...
Comments
Ajfreeland,
User Rank: Apprentice
8/8/2019 | 2:01:30 PM
Old security techniques aren't enough
I strongly agree that traditional "outside-in" is no longer enough. The data itself needs to be secure. TLS 1.3 is a great move for data encryption in the cloud. Nubeva has a new method for out of band decrypted visibility for TLS 1.3. It's called Symmetric Key Intercept. Check it out at Nubeva's website!
ArshadNoor,
User Rank: Apprentice
7/31/2019 | 12:56:47 PM
Couldn't agree more with this article
This is the only logical and sustainable security strategy for the long term; couldn't agree more with the recommendations.