Dark Reading is part of the Informa Tech Division of Informa PLC


3/9/2018 08:05 AM
Susan Fourtané
News Analysis-Security Now

How 'Defense in Depth' Gets Data Protection Right

Meeting the challenges of data protection requirements in today's increasingly connected, complex business environment demands alertness at all times. Here's how one energy company, Engie Insight, is meeting those challenges.

When it comes to preventing cyber attacks, no one technology can prevent a determined attacker from breaking into an enterprise network. However, a combination of preventative tools, best practices and employee training has helped one energy company bolster its security defenses over the past several years.

Engie Insight, which is based in Spokane, Wash., helps large businesses and Fortune 500 companies manage their energy use. The company recently rebranded from Ecova to better align its name with that of its French parent company.

Beyond energy use and name changes, however, Engie has worked to meet the challenges that come with modern security practice, namely data protection and improved alertness. The company recently achieved a Service Organization Control (SOC) 2 Type 1 report covering the security and availability trust services principles for its utility business efficiency platform, which signals a significant commitment to data security. (A Type 1 report attests that controls are suitably designed at a point in time; operating effectiveness over a period is what a Type 2 report covers.)

To learn about how enterprises can improve their own data protection and make better use of employee security training, Security Now spoke with Paul Carugati, Engie's director of information security.

In the company's experience, the most comprehensive way to defend against modern cyber attacks is to layer multiple preventative and detective controls to ensure maximum protection and response capabilities at all times, according to Carugati.

"This is known as 'Defense in Depth' and is a best practice for enterprise information security programs," Carugati said.

For an organization that has been the victim of a cyber attack, one of the most pressing questions is how other companies protect and secure their data.

To ensure that client and other sensitive data remain intact, the information security program is aligned with industry standards such as the NIST Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework) and ISO/IEC 27001:2013, which combine people, process, technology and risk management controls to minimize incidents and to speed response, containment and recovery.

Society thinks of health prevention as a wise step, something that keeps us away from being victims of illness and virus attacks and, for Carugati, it's no different in the enterprise. "The more prevention the less risk [there is] to let unattended vulnerabilities damage and steal our data," he said.

For Carugati, technology such as next-generation firewalls, intrusion prevention, data leakage detection and anti-virus are all valuable, foundational security controls for prevention, or early detection.


"But true prevention lies with the understanding of critical information assets and the knowledge of associated enterprise risks which drive right-sized controls around the data that is most crucial to the organization," Carugati said. "A purpose-fit information security program must be well-rounded and driven by the data of concern."

Alongside prevention and an understanding of the critical risks the enterprise may be exposed to is security education. Humans who are not educated in how to recognize and prevent security threats represent the most serious internal risk a company can have.

"Above all else," Carugati added, "people are the most critical component to any information security program. People are the new threat landscape and as such, are the primary targets in modern cyber attacks. Users are the attack vector, but also the first line of defense."

Proper security education, coupled with frequent assessment and testing, is an organization's greatest preventative control for thwarting an impending cyber attack.

"Enterprises should never underestimate the power of their people to report the early warnings signs that could lead to a major data breach," Carugati said.


Susan Fourtané is a science and technology journalist and content writer, whose work has appeared in global publications and Youris.com, the European Research and Innovation Media Centre. She is based in Europe. Follow her on Twitter @SusanFourtane.
