8/11/2015
03:30 PM
Jeff Schilling
Commentary
Data Protection: The 98 Percent Versus The 2 Percent

Four steps for defending your most sensitive corporate information from the inside out.

Successful criminals always have a target. The malicious groups that attack major organizations are trained, well-funded, and have diligently prepared for a successful data heist.

But they’re not after all your data. Logically, they only want what they can leverage for other crimes or can easily re-sell to other nefarious groups. Capable threat actors are only targeting about two percent of the data on a given network — basically, where email, customer information, intellectual property, and regulated data are stored. Unfortunately, they are savvy enough to use the other 98 percent of your network (e.g., employee workstations, websites) to gain illegal access to that two percent.

It makes sense. Why are banks armored and heavily guarded? Because they house the most valuable resources in a given area or community — but criminals also know they're there. Think of your data in the same way.

This raises the question: “Why don’t I start by protecting that two percent and make sure any connections coming over from the other 98 percent of my network are authenticated as legitimate traffic?”

By now, you are rolling your eyes and saying, “It’s not that easy.” Yes, it is. But only if you have a strategy of defending the most sensitive data from the inside out. Here are four initial steps to defining which data you want to contest.

Step 1. Classify data, then protect
First step: identify that 2 percent. Start with the obvious (e.g., regulated data such as PCI) then progress through a maturity model that identifies which data is most sensitive. Categorize this data based on risk, sensitivity, compliance requirements, etc. These categories will be unique to your company and its business objectives.

Ensure this two percent of data is running on hardened operating systems and is regularly backed up. And always make this data set the priority for patching, which remains the best method of keeping even the most sophisticated actors off your hosts.

The result of this exercise ideally will be what most security professionals believe to be unachievable: a true data loss protection program.

Step 2. Build a host-level detection strategy
Next, select a host-level detection strategy that provides the best opportunity to catch the threat actor early in the kill chain: at the moment of exploitation.

You’ll hear many security professionals scoff at antivirus solutions as old technology and a losing strategy. What they don’t realize, however, is that antivirus controls now do much more than just match bad binaries. Capable AV technology will provide host-level intrusion prevention systems (HIPS), as well as URL- and IP-blacklisting. Many AV products also monitor memory for symptoms of a compromised host. And that’s the one place a threat actor has to reveal his/her actions.

Step 3. Encrypt data at different levels
Next, be sure you’re encrypting data — the right way. Most security professionals think only of disk encryption. This is a sound approach for laptops that could get stolen. But when was the last time a criminal organization broke into a well-guarded co-location facility and ran out with a disk array under their arm? Maybe in the movies, but not in reality.

A different approach must be used for data encryption. Apply file- and application-level encryption with the keys stored in a secure location. When executed correctly, this tactic will stop threat actors from accessing data in a readable format. Truthfully, I am very surprised at the few options available for strong encryption tools that can protect data at multiple levels.
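The following Go program is an added example (not the author's code or any Armor product) of the application-level encryption the step describes: each record is sealed with AES-256-GCM, the data store holds only ciphertext plus a key identifier, and the key itself lives behind a separate key-store interface. The `KeyStore` interface, the in-memory stand-in, the key id `customer-db-2015` and the sample record are all constructed for the demo; in practice the key store would be an HSM, KMS or vault. The record id is bound as associated data so that a ciphertext lifted from one record cannot be replayed under another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a key location kept apart from the data store
// (HSM, KMS, vault). Hypothetical interface for this example.
type KeyStore interface {
	Key(id string) ([]byte, error)
}

// memKeyStore is a constructed in-memory stand-in used only for the demo.
type memKeyStore map[string][]byte

func (m memKeyStore) Key(id string) ([]byte, error) {
	k, ok := m[id]
	if !ok {
		return nil, errors.New("unknown key id: " + id)
	}
	return k, nil
}

// Record is what lands in the data store: ciphertext plus the id of the
// key that protects it. The key never sits beside the data.
type Record struct {
	KeyID string
	Nonce []byte
	Data  []byte // AES-GCM ciphertext followed by its authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one application-level record. recordID is bound as
// associated data, so the ciphertext only opens under the same record id.
func Seal(ks KeyStore, keyID, recordID string, plaintext []byte) (Record, error) {
	key, err := ks.Key(keyID)
	if err != nil {
		return Record{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Record{KeyID: keyID, Nonce: nonce, Data: ct}, nil
}

// Open reverses Seal. It fails if the key is unavailable, the bytes were
// altered, or the ciphertext is presented under a different record id.
func Open(ks KeyStore, recordID string, r Record) ([]byte, error) {
	key, err := ks.Key(r.KeyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Data, []byte(recordID))
}

// NewDemoKeyStore builds the constructed key store used below: one random
// 256-bit key under the made-up id "customer-db-2015".
func NewDemoKeyStore() (KeyStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return memKeyStore{"customer-db-2015": key}, nil
}

func main() {
	ks, _ := NewDemoKeyStore()
	rec, _ := Seal(ks, "customer-db-2015", "customer:1042", []byte("card ending 4242"))
	// Whoever copies the data store gets only rec: opaque bytes without the key store.
	fmt.Printf("stored: key=%s, %d ciphertext bytes\n", rec.KeyID, len(rec.Data))
	pt, err := Open(ks, "customer:1042", rec)
	fmt.Printf("opened: %q err=%v\n", pt, err)
	_, err = Open(ks, "customer:9999", rec) // wrong record id: authentication fails
	fmt.Println("swapped record id:", err)
}
```

The design choice worth noting is the split: the data store can be backed up, replicated and even copied wholesale without exposing plaintext, while access to the key store is the control point that can be logged, rate-limited and revoked independently of the data.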

Step 4. Establish a protected enclave
From here, segregate the targeted two percent of data from the other 98 percent. This can be achieved via a number of secure architectures such as virtual private clouds or dedicated private clouds. The innovative CIOs and CISOs I engage with treat that 98 percent of data as contested space and assume it is compromised.

What does this mean? Simply, they don’t trust any hosts or systems in that contested space. From there, they require strong authentication (in most cases two-factor authentication) for a host in the 98 percent to connect to that critical two percent of data.

Smart organizations don’t stop there. Data also is forbidden to flow from the two percent out to the 98 percent. Instead, hosts in the 98 percent are only authorized to view or interact with the two percent.

If an unauthorized user attempts to move data against its established path, the connection is dropped and actions halted. (As a note, this also is the secure architecture we should build for the “Internet of Things” (IoT).)
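As an added example (not from the article or any vendor), the Go program below encodes the enclave rules of Step 4 as a policy check a zone gateway could apply to each session: the contested 98 percent is classified by address, a contested host reaching the enclave must present a second factor and use a permitted service, the enclave never initiates connections toward contested space, and a session that starts moving data out of the enclave beyond a view/interact budget is dropped. The address plan (`10.200.0.0/24` for the enclave, `10.0.0.0/16` and `10.1.0.0/16` for contested space), the permitted-service list and the 1 MiB egress budget are constructed assumptions; the article gives no such values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Zone is where a host lives: the contested 98 percent or the two percent enclave.
type Zone int

const (
	Contested Zone = iota // the 98 percent: assumed compromised
	Enclave               // the two percent: where the sensitive data lives
	Unknown
)

func (z Zone) String() string { return [...]string{"contested", "enclave", "unknown"}[z] }

// Constructed address plan for the demo (not from the article).
var enclaveNets = mustCIDRs("10.200.0.0/24")
var contestedNets = mustCIDRs("10.0.0.0/16", "10.1.0.0/16")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// ZoneOf classifies an address; anything outside the plan is Unknown (default deny).
func ZoneOf(ip string) Zone {
	addr := net.ParseIP(ip)
	if addr == nil {
		return Unknown
	}
	for _, n := range enclaveNets {
		if n.Contains(addr) {
			return Enclave
		}
	}
	for _, n := range contestedNets {
		if n.Contains(addr) {
			return Contested
		}
	}
	return Unknown
}

// Flow is one session as the gateway between the zones sees it.
type Flow struct {
	SrcIP, DstIP       string
	Service            string // e.g. "https", "ssh", "smb"
	MFA                bool   // the session presented a second factor
	EnclaveEgressBytes int    // bytes sent from the enclave side toward the contested host
}

// allowedServices lists the only services through which contested hosts may
// reach the enclave. Constructed for the demo.
var allowedServices = map[string]bool{"https": true}

// maxEnclaveEgress is a constructed per-session budget separating "view or
// interact" from bulk data movement; a real deployment tunes it per application.
const maxEnclaveEgress = 1 << 20

// Decide applies the enclave rules: strong authentication for any
// contested->enclave session, no enclave-initiated connections toward the
// contested side, and the session is cut once data moves against the path.
func Decide(f Flow) (bool, string) {
	src, dst := ZoneOf(f.SrcIP), ZoneOf(f.DstIP)
	switch {
	case src == Unknown || dst == Unknown:
		return false, "unclassified address; default deny"
	case src == Enclave && dst == Contested:
		return false, "enclave may not initiate connections into contested space"
	case src == Contested && dst == Enclave:
		if !f.MFA {
			return false, "strong (two-factor) authentication required to reach the enclave"
		}
		if !allowedServices[strings.ToLower(f.Service)] {
			return false, "service not permitted into the enclave: " + f.Service
		}
		if f.EnclaveEgressBytes > maxEnclaveEgress {
			return false, "data leaving the enclave exceeds the view/interact budget; session dropped"
		}
		return true, "authenticated view/interact session"
	default:
		return true, "intra-zone traffic; not governed by the enclave gateway"
	}
}

func main() {
	// Constructed sample sessions, as a gateway log would record them.
	flows := []Flow{
		{"10.0.5.17", "10.200.0.10", "https", true, 40_000},
		{"10.0.5.17", "10.200.0.10", "https", false, 1_200},
		{"10.1.9.3", "10.200.0.10", "smb", true, 0},
		{"10.200.0.10", "10.0.5.17", "https", true, 0},
		{"10.0.5.17", "10.200.0.10", "https", true, 50 << 20},
	}
	for _, f := range flows {
		ok, why := Decide(f)
		fmt.Printf("%-12s -> %-12s %-5s allow=%-5v %s\n", f.SrcIP, f.DstIP, f.Service, ok, why)
	}
}
```

The default-deny on unclassified addresses is deliberate: a host that is not in the address plan is, by the article's logic, contested space that has not yet been inventoried, and it should not reach the enclave until someone says otherwise.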

While this initial framework provides solid guidance, organizations should incorporate this strategy into a more complete cybersecurity plan. The key takeaway: understand which data is most sensitive — whether because of business sensitivity or customer privacy — and defend it diligently. After all, this is the information threat actors systematically target. And it’s the information that will cause the most damage if stolen, leaked, sold, or leveraged for untold malicious gain.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of focus include cloud operations, client services, ...