
Risk

1/21/2020 10:00 AM
Moti Gindi
Commentary

Data Awareness Is Key to Data Security

Traditional data-leak prevention is not enough for businesses facing today's dynamic threat landscape.

Data attacks reached an all-time high in 2019 as we continued to transform our lives digitally — moving our work, health, financial, and social information online. In response, businesses must meet hefty data and information protection regulatory and compliance requirements. There's no room for error. Protections are required for everything from simple user mistakes, such as downloading a file on the corporate network and sending it to a personal account, to malicious insider behavior and nation-state attacks. This task and associated fines are daunting.

Governments worldwide are also addressing these challenges by mandating new data protection regulations and privacy acts, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations introduce stricter information protection standards for handling business and customer data, backed by unprecedented fines — up to 4% of annual revenue — that companies must plan for and comply with.

To keep up with these regulations and the global demand for security and privacy, compliance and data risk officer roles are increasing. They create policies and implement tools to track how data is collected, used, managed and stored across its life cycle so businesses remain compliant and earn customers' trust.

Security and Compliance Are Two Different Worlds
Even with a heightened focus on reducing risk, security and compliance teams have different backgrounds and responsibilities, and historically they have not worked together, which means they don't always understand each other's business needs.

When it comes to information protection and compliance, most companies focus on thwarting data leaks by locking down data within their perimeter, which can be a device, file server, or network boundary. Data leakage prevention (DLP) identifies sensitive content and defines policies to prevent data egress across the network, devices, and applications.

In parallel, companies' security teams operate disconnected threat protection solutions — endpoint protection platforms (EPP), endpoint detection and response (EDR), secure email gateways (SEG), cloud access security brokers (CASB), user and entity behavior analytics (UEBA), network traffic analysis (NTA), etc. — designed to prevent, detect, and respond to attacks on companies' intellectual property. But often these tools — separate from the information protection and DLP tools — don't know where this intellectual property and sensitive content resides.

Most data protection solutions focus on prevention and ignore a key aspect of risk management and compliance: attackers' access to sensitive data, which can reside on devices, applications, and/or in the cloud. Threat protection solutions, by contrast, identify attackers in the network but ignore the key aspect of security incidents: the sensitivity of data accessed during an attack.

So, how should we as an industry eliminate the walls between them to deliver a higher level of protection?

Create a Better Security Posture
Unifying security and compliance under a new model of data-aware threat protection will enable businesses to create trust while reducing risk to users and data. By integrating and sharing signals between the DLP and threat protection solutions, companies can determine the business context and impact of each security incident, and the actual risk to each piece of sensitive data. Security teams and data officers can then work in tandem, instead of in silos, to respond to and address incidents faster and more reliably.

This new data-aware threat-protection model has four key advantages:

Risk-based incident prioritization: Security operators typically prioritize incident response based on severity, but that neglects the overall business impact. Data classification awareness by threat protection solutions contributes to how alerts, incidents, and vulnerabilities are prioritized. It helps better determine the risk of the activity, which influences its prioritization. An alert on a corporate device that stores sensitive data is more important than an alert on a device that doesn't. Even if the security threat on its own is lower, sensitive data in a compromised environment is a reason to act — fast.

More precise threat hunting: By tracing each attacker action and intertwining it with data classification context, analysts can better understand attackers' motivations and searches. This also arms hunters with the ability to reference data severity. For example, analysts can create a hunting query to address a request like, "Get all PowerShell processes that accessed a sensitive Word doc." Such context also enables better hunting for data exfiltration threats by understanding whether activity is malicious or benign. For example, reading a file, copying a file to another folder, or taking a screen capture are legitimate actions most times. However, sensitive data is different. Reading such a file may indicate anomalous access to sensitive data, copying a file may be part of staging for exfiltration, and screen capturing may be a way to steal sensitive data.
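To make the prioritization and hunting points above concrete, here is an added Python example (not from the article or from Microsoft Defender ATP) that joins constructed endpoint file-access telemetry with constructed classification labels: it answers the quoted hunting question and re-ranks alerts by the sensitivity of the data touched. All paths, device names and the weighting formula are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data, not from the article: labels a DLP/classification
# engine might share with the threat-protection side, keyed by file path.
SENSITIVITY = {
    r"C:\Finance\q4-forecast.docx": "Highly Confidential",
    r"C:\HR\salaries.xlsx": "Confidential",
    r"C:\Public\lunch-menu.docx": "General",
}
RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}

@dataclass
class FileEvent:
    device: str
    process: str
    path: str
    action: str    # read, copy, screenshot
    severity: int  # native alert severity from the threat-protection tool (1-5)

# Constructed endpoint telemetry for the demonstration.
EVENTS = [
    FileEvent("WS-01", "powershell.exe", r"C:\Finance\q4-forecast.docx", "read", 2),
    FileEvent("WS-01", "winword.exe", r"C:\Finance\q4-forecast.docx", "read", 1),
    FileEvent("WS-02", "powershell.exe", r"C:\Public\lunch-menu.docx", "read", 2),
    FileEvent("WS-03", "explorer.exe", r"C:\HR\salaries.xlsx", "copy", 2),
]

def label_of(path: str) -> str:
    """Unlabelled files are treated as General (lowest sensitivity)."""
    return SENSITIVITY.get(path, "General")

def hunt(events, process: str, suffix: str):
    """The article's hunting question, e.g. hunt(EVENTS, "powershell.exe", ".docx"):
    processes with that image name that touched a labelled (non-General) file."""
    return [e for e in events
            if e.process.lower() == process.lower()
            and e.path.lower().endswith(suffix.lower())
            and RANK[label_of(e.path)] > 0]

def risk_score(event: FileEvent) -> int:
    """Native severity weighted by the sensitivity of the data involved, so a
    low-severity alert touching labelled data still outranks a noisier one on
    public data (assumed weighting, chosen for illustration)."""
    return event.severity * (1 + RANK[label_of(event.path)])

def prioritize(events):
    """Risk-based queue order instead of raw severity order."""
    return sorted(events, key=risk_score, reverse=True)
```

Note that the PowerShell read on WS-02 drops out of the hunt and lands last in the queue even though its native severity equals the WS-01 event's: the classification context, not the alert type, separates them.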

Automatic remediation across security and compliance boundaries: Automation allows often understaffed security and compliance teams to do more and react more quickly. But without the incident's context, every response playbook looks the same. Data classification awareness allows defenders to become more effective by defining customized response actions based on data sensitivity. Examples include automatically locking access to sensitive data on at-risk devices until the risk is mitigated, or blocking a process that performs anomalous access from reaching sensitive files until it's determined whether the activity is benign or malicious.

More effective security posture management: Security and compliance teams should not just respond to data leaks or data exfiltration incidents after they occur; they should be proactive about reducing leaks. Visibility is key. Do you know where your sensitive data is and where it's stored? Knowing that, and combining the compliance (data sensitivity) and security (risk) disciplines, enables us to proactively reduce the likelihood and impact of data breaches. For example, you can prioritize patching devices that hold sensitive documents, or require two-factor authentication to access sensitive document folders.

Old-school data leakage prevention is not enough for businesses facing a dynamic threat landscape. Adversaries are sophisticated, and no matter how high the wall, they will find a way around. Then, it's game over. Trust is lost. The industry should recognize that data-aware threat protection is essential to proactively protecting customers' data and establishing trust and consistency across privacy and security.


Moti Gindi is the Corporate Vice President for Microsoft Defender Advanced Threat Protection (ATP). In his role, he manages an engineering team that is responsible for Microsoft's endpoint security, specifically Microsoft Defender ATP (recently recognized as a leader in ...