Dark Reading | Application Security // Database Security
8/11/2015 03:30 PM
Jeff Schilling, Commentary

Data Protection: The 98 Percent Versus The 2 Percent

Four steps for defending your most sensitive corporate information from the inside out.

Successful criminals always have a target. The malicious groups that attack major organizations are trained, well-funded, and have diligently prepared for a successful data heist.

But they’re not after all your data. Logically, they only want what they can leverage for other crimes or can easily re-sell to other nefarious groups. Capable threat actors are only targeting about two percent of the data on a given network — basically, where email, customer information, intellectual property, and regulated data are stored. Unfortunately, they are savvy enough to use the other 98 percent of your network (e.g., employee workstations, websites) to gain illegal access to that two percent.

It makes sense. Why are banks armored and heavily guarded? Because they house the most valuable resources in a given area or community — but criminals also know it’s there. Think of your data in the same way.

This raises the question: “Why don’t I start by protecting that two percent and make sure any connections coming over from the other 98 percent of my network are authenticated as legitimate traffic?”

By now, you are rolling your eyes and saying, “It’s not that easy.” Yes, it is. But only if you have a strategy of defending the most sensitive data from the inside out. Here are four initial steps to defining which data you want to contest.

Step 1. Classify data, then protect
First step: identify that 2 percent. Start with the obvious (e.g., regulated data such as PCI) then progress through a maturity model that identifies which data is most sensitive. Categorize this data based on risk, sensitivity, compliance requirements, etc. These categories will be unique to your company and its business objectives.

Ensure this two percent of data is running on hardened operating systems and is regularly backed up. And always make this data set the priority for patching, which remains the best method of keeping even the most sophisticated actors off your hosts.

The result of this exercise ideally will be what most security professionals believe to be unachievable: a true data loss protection program.

Step 2. Build a host-level detection strategy
Next, select a host-level detection strategy that provides the best opportunity to catch the threat actor early in the kill chain: at the moment of exploitation.

You’ll hear many security professionals scoff at antivirus solutions as old technology and a losing strategy. What they don’t realize, however, is that antivirus controls now do much more than just matching bad binaries. Capable AV technology will provide host-level intrusion prevention systems (HIPS), as well as URL- and IP-blacklisting. Many AV products also monitor memory for symptoms of a compromised host. And that’s the one place a threat actor has to reveal his/her actions.

Step 3. Encrypt data at different levels
Next, be sure you’re encrypting data — the right way. Most security professionals think only of disk encryption. This is a sound approach for laptops that could get stolen. But when was the last time a criminal organization broke into a well-guarded co-location facility and ran out with a disk array under their arm? Maybe in the movies, but not in reality.

A different approach must be used for data encryption. Apply file- and application-level encryption with the keys stored in a secure location. When executed correctly, this tactic will stop threat actors from accessing data in a readable format. Truthfully, I am very surprised at the few options available for strong encryption tools that can protect data at multiple levels.
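The file- and application-level encryption Step 3 calls for, as an added example that is not the author's or Armor's code: one record is sealed with AES-256-GCM, the key comes from a separate key store (a hypothetical in-memory stand-in for a vault, KMS or HSM on another host), and the key ID is bound in as associated data so the stored bytes are unreadable without the key and any tampering with the stored copy is detected. The key store API, the record format and the account number are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// KeyStore stands in for the "secure location" the article calls for: a
// separate system that hands out keys by ID and never lives on the same host
// as the data. Hypothetical in-memory stand-in, not a real product API.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a random 256-bit AES key and stores it under keyID.
func (ks *KeyStore) Generate(keyID string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[keyID] = k
	return nil
}

// Lookup returns the key for keyID, or an error if the store has no such key.
func (ks *KeyStore) Lookup(keyID string) ([]byte, error) {
	k, ok := ks.keys[keyID]
	if !ok {
		return nil, errors.New("keystore: unknown key id " + keyID)
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one file or record with AES-256-GCM. The key ID is bound
// in as associated data, so a ciphertext cannot be quietly re-labelled to be
// opened under a different key. Output layout: nonce || ciphertext || tag.
func EncryptRecord(ks *KeyStore, keyID string, plaintext []byte) ([]byte, error) {
	key, err := ks.Lookup(keyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to nonce, giving nonce||ciphertext||tag in one slice.
	return gcm.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the ciphertext, the
// nonce or the key ID makes Open fail: that is the tamper detection GCM buys.
func DecryptRecord(ks *KeyStore, keyID string, sealed []byte) ([]byte, error) {
	key, err := ks.Lookup(keyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(keyID))
}

// LeaksPlaintext reports whether a stolen copy of the stored bytes still
// contains the sensitive marker in the clear (it should not).
func LeaksPlaintext(stored []byte, marker string) bool {
	return strings.Contains(string(stored), marker)
}

func main() {
	ks := NewKeyStore()
	if err := ks.Generate("customer-db"); err != nil {
		panic(err)
	}
	// Constructed sample record; the account number is a made-up value.
	record := []byte("customer=Alice Example;account=0000-1111-2222-3333")
	sealed, err := EncryptRecord(ks, "customer-db", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored copy leaks account number: %v\n", LeaksPlaintext(sealed, "0000-1111"))
	plain, err := DecryptRecord(ks, "customer-db", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with key from store: %s\n", plain)
}
```

The design point is the one the article makes: whoever copies the disk array, the database file or a backup gets only the sealed bytes, and the key that turns them back into data sits in a different system with its own access control. Binding the key ID as associated data also stops a ciphertext being moved between applications that share the same key store.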

Step 4. Establish a protected enclave
From here, segregate the targeted two percent of data from the other 98 percent. This can be achieved via a number of secure architectures such as virtual private clouds or dedicated private clouds. The innovative CIOs and CISOs I engage with treat that 98 percent of data as contested space and assume it is compromised.

What does this mean? Simply, they don’t trust any hosts or systems in that contested space. From there, they require strong authentication (in most cases two-factor authentication) for a host in the 98 percent to connect to that critical two percent of data.

Smart organizations don’t stop there. Data also is forbidden to flow from the 2 percent to the 98 percent. Conversely, the 98 percent is only authorized to view or interact with the other two percent.

If an unauthorized user attempts to move data against its established path, the connection is dropped and actions halted. (As a note, this also is the secure architecture we should build for the “Internet of Things” (IoT).)
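The enclave rules of Step 4 expressed as a gateway policy, as an added example that is not the author's or Armor's code: connections from the contested 98 percent reach the enclave only with two-factor authentication and only to view or interact, nothing initiates from the enclave toward contested space, any attempt to move data out of the enclave is dropped, and anything no rule explicitly allows is dropped too. The zone names, the request record layout and the sample batch of gateway events are constructed for this example.

```go
package main

import "fmt"

// Zone names for the two halves of the network the article describes.
type Zone string

const (
	Contested Zone = "contested-98" // workstations, websites: assumed compromised
	Enclave   Zone = "enclave-2"    // email, customer data, IP, regulated data
)

// Action is what a session wants to do with enclave data.
type Action string

const (
	View   Action = "view"   // read or interact with data inside the enclave
	Export Action = "export" // copy data out of the enclave
)

// ConnRequest is one connection attempt as seen at the enclave gateway.
// Hypothetical record layout, not taken from any product.
type ConnRequest struct {
	Src, Dst Zone
	User     string
	MFA      bool // second factor verified for this session
	Action   Action
}

type Verdict struct {
	Allow  bool
	Reason string
}

// Evaluate applies the article's enclave rules in order of severity: the
// enclave never initiates toward contested space, contested hosts need
// two-factor authentication to reach the enclave, data never leaves the
// enclave, and anything not explicitly allowed is dropped (default deny).
func Evaluate(r ConnRequest) Verdict {
	switch {
	case r.Src == Enclave && r.Dst == Contested:
		return Verdict{false, "enclave must not initiate connections into contested space"}
	case r.Src == Contested && r.Dst == Enclave && !r.MFA:
		return Verdict{false, "two-factor authentication required to reach the enclave"}
	case r.Src == r.Dst:
		return Verdict{true, "intra-zone traffic, outside this policy"}
	case r.Dst == Enclave && r.Action == Export:
		return Verdict{false, "data may not flow from the enclave to contested space"}
	case r.Src == Contested && r.Dst == Enclave && r.Action == View:
		return Verdict{true, "authenticated view access to the enclave"}
	default:
		return Verdict{false, "no matching rule: default deny"}
	}
}

// Summarize runs a batch of requests through the policy and counts outcomes.
func Summarize(reqs []ConnRequest) (allowed, dropped int) {
	for _, r := range reqs {
		if Evaluate(r).Allow {
			allowed++
		} else {
			dropped++
		}
	}
	return allowed, dropped
}

// SampleRequests is a constructed batch of gateway events for illustration.
func SampleRequests() []ConnRequest {
	return []ConnRequest{
		{Src: Contested, Dst: Enclave, User: "alice", MFA: true, Action: View},       // allowed
		{Src: Contested, Dst: Enclave, User: "bob", MFA: false, Action: View},        // dropped: no second factor
		{Src: Contested, Dst: Enclave, User: "alice", MFA: true, Action: Export},     // dropped: data leaving enclave
		{Src: Enclave, Dst: Contested, User: "svc-backup", MFA: true, Action: View},  // dropped: wrong direction
		{Src: Enclave, Dst: Enclave, User: "dba", MFA: true, Action: Export},         // allowed: never leaves enclave
	}
}

func main() {
	for _, r := range SampleRequests() {
		v := Evaluate(r)
		state := "DROP "
		if v.Allow {
			state = "ALLOW"
		}
		fmt.Printf("%s %-10s %s -> %s %-6s mfa=%-5v %s\n", state, r.User, r.Src, r.Dst, r.Action, r.MFA, v.Reason)
	}
	a, d := Summarize(SampleRequests())
	fmt.Printf("allowed=%d dropped=%d\n", a, d)
}
```

The rule order matters: direction and authentication are checked before the action, so an unauthenticated host is dropped with the authentication reason rather than leaking which actions the enclave would have permitted, and the final default-deny branch is what makes the enclave a contested-space boundary rather than a list of known-bad patterns.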

While this initial framework provides solid guidance, organizations should incorporate this strategy into a more complete cybersecurity plan. The key takeaway: understand which data is most sensitive — whether because of business sensitivity or customer privacy — and defend it diligently. After all, this is the information threat actors systematically target. And it’s the information that will cause the most damage if stolen, leaked, sold, or leveraged for untold malicious gain.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibility include security operations, governance ...