Commentary
8/11/2015 03:30 PM
Jeff Schilling

Data Protection: The 98 Percent Versus The 2 Percent

Four steps for defending your most sensitive corporate information from the inside out.

Successful criminals always have a target. The malicious groups that attack major organizations are trained, well-funded, and have diligently prepared for a successful data heist.

But they’re not after all your data. Logically, they only want what they can leverage for other crimes or can easily re-sell to other nefarious groups. Capable threat actors are only targeting about two percent of the data on a given network — basically, where email, customer information, intellectual property, and regulated data are stored. Unfortunately, they are savvy enough to use the other 98 percent of your network (e.g., employee workstations, websites) to gain illegal access to that two percent.

It makes sense. Why are banks armored and heavily guarded? Because a bank houses the most valuable resources in a given community, and criminals know it is there. Think of your data in the same way.

This raises the question: “Why don’t I start by protecting that two percent and make sure any connection coming over from the other 98 percent of my network is authenticated as legitimate traffic?”

By now, you are rolling your eyes and saying, “It’s not that easy.” Yes, it is, but only if you have a strategy for defending the most sensitive data from the inside out. Here are four initial steps toward defining which data you intend to defend, and how.

Step 1. Classify data, then protect
First step: identify that two percent. Start with the obvious (e.g., regulated data such as the cardholder data covered by PCI DSS), then progress through a maturity model that identifies which data is most sensitive. Categorize this data based on risk, sensitivity, compliance requirements, etc. These categories will be unique to your company and its business objectives.

Ensure the systems holding this two percent run hardened operating systems and are regularly backed up. And always make this data set the priority for patching, which remains the best method of keeping even the most sophisticated actors off your hosts.

The result of this exercise ideally will be what most security professionals believe to be unachievable: a true data loss protection program.
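As an added illustration of this first step (example code written for this edit, not part of the original column or of any Armor product), the following Go program scans text for the most obvious regulated data, cardholder numbers, and assigns a classification tier. Candidate numbers are filtered with the Luhn checksum so that phone numbers and order IDs do not inflate the "two percent". The tier names, the `Classify` and `FindPANs` functions, the sample files and the card numbers (publicly known test PANs) are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Classification tiers. The names are assumptions for this example; the
// article says the categories will be unique to each company.
type Classification string

const (
	Public    Classification = "public"
	Internal  Classification = "internal"
	Regulated Classification = "regulated-pci" // cardholder data: the "obvious" place to start
)

// candidatePAN matches 13 to 19 digits, optionally separated by spaces or
// dashes, which is how a primary account number usually appears in text.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid applies the Luhn checksum every major card brand uses. It weeds
// out most digit runs (phone numbers, order IDs) that merely look like a PAN.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindPANs returns the Luhn-valid card numbers (digits only) found in text.
func FindPANs(text string) []string {
	var found []string
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range candidatePAN.FindAllString(text, -1) {
		if digits := strip.Replace(m); luhnValid(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// Classify returns the highest tier any detector triggers. Only the PCI
// detector is real here; a production scanner adds one detector per category
// in the company's own scheme (the "confidential" marker check stands in for those).
func Classify(text string) Classification {
	if len(FindPANs(text)) > 0 {
		return Regulated
	}
	if strings.Contains(strings.ToLower(text), "confidential") {
		return Internal
	}
	return Public
}

func main() {
	// Constructed sample files; the card numbers are publicly known test PANs.
	docs := []struct{ name, body string }{
		{"export.csv", "id,name,card\n1,Alice,4111 1111 1111 1111\n2,Bob,5500-0000-0000-0004\n"},
		{"invoice.txt", "Order 4111111111111112 shipped, call 555-0100"}, // fails Luhn: not a PAN
		{"memo.txt", "CONFIDENTIAL: quarterly plan"},
		{"readme.txt", "Public product documentation"},
	}
	for _, d := range docs {
		fmt.Printf("%-12s %-14s pans=%d\n", d.name, Classify(d.body), len(FindPANs(d.body)))
	}
}
```

Run against a real file share the same function would be applied to each file's contents; the Luhn filter is what keeps the resulting inventory small enough to act on.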

Step 2. Build a host-level detection strategy
Next, select a host-level detection strategy that gives you the best chance of catching the threat actor early in the kill chain: at the moment of exploitation, before persistence and lateral movement.

You’ll hear many security professionals scoff at antivirus as old technology and a losing strategy. What they overlook is that antivirus controls now do much more than match known-bad binaries. Capable AV products provide a host-level intrusion prevention system (HIPS) as well as URL and IP blacklisting, and many also monitor memory for symptoms of a compromised host. Memory is the one place a threat actor cannot avoid revealing their actions: whatever is packed or encrypted on disk has to be unpacked before it can run.
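What "catching the actor at the moment of exploitation" looks like in code, as an added example rather than anything from the column or an Armor product: a small Go detector run over constructed process-creation events of the kind a host agent records. The rules are the standard ones for exploitation-stage behaviour (a document or browser process spawning a script host, encoded PowerShell, a new executable launched from a user-writable staging directory). The event fields, host name and command lines are constructed; the process names are the real Windows binaries.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcessEvent is a minimal process-creation record of the kind an endpoint
// agent or Sysmon-style sensor emits. The field set is an assumption.
type ProcessEvent struct {
	Host, Parent, Image, CmdLine string
}

// Alert is one detection hit.
type Alert struct{ Rule, Host, Image string }

// Applications that render untrusted content (documents, mail, web pages). A
// shell or script host spawned directly by one of them is the classic sign
// that an exploit just landed: the payload's first act is to run code.
var contentRenderers = map[string]bool{
	"winword.exe": true, "excel.exe": true, "powerpnt.exe": true, "outlook.exe": true,
	"acrord32.exe": true, "chrome.exe": true, "firefox.exe": true, "iexplore.exe": true,
}

var scriptHosts = map[string]bool{
	"cmd.exe": true, "powershell.exe": true, "wscript.exe": true, "cscript.exe": true,
	"mshta.exe": true, "rundll32.exe": true, "regsvr32.exe": true,
}

// Locations an exploit can write without elevated rights; a new executable
// starting from one of them is the second indicator worth alerting on.
var writableStagingDirs = []string{`\appdata\local\temp\`, `\windows\temp\`, `\users\public\`}

// base returns the lower-cased file name of a Windows path.
func base(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, `/`)))
}

// Detect runs every rule over a batch of events and returns the alerts in
// event order.
func Detect(events []ProcessEvent) []Alert {
	var alerts []Alert
	for _, e := range events {
		parent, child := base(e.Parent), base(e.Image)
		if contentRenderers[parent] && scriptHosts[child] {
			alerts = append(alerts, Alert{"renderer-spawned-script-host", e.Host, e.Image})
		}
		// Encoded PowerShell is how most document-borne payloads hide their
		// first stage from command-line logging.
		if child == "powershell.exe" && strings.Contains(strings.ToLower(e.CmdLine), "-enc") {
			alerts = append(alerts, Alert{"encoded-powershell", e.Host, e.Image})
		}
		image := strings.ToLower(e.Image)
		for _, dir := range writableStagingDirs {
			if strings.Contains(image, dir) {
				alerts = append(alerts, Alert{"exec-from-writable-staging-dir", e.Host, e.Image})
				break
			}
		}
	}
	return alerts
}

func main() {
	// Constructed events from one workstation: a benign Word launch, a
	// macro payload, its dropped binary, and routine service activity.
	events := []ProcessEvent{
		{"ws-0142", `C:\Windows\explorer.exe`, `C:\Program Files\Microsoft Office\winword.exe`, `winword.exe /n`},
		{"ws-0142", `C:\Program Files\Microsoft Office\winword.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `powershell.exe -nop -w hidden -enc SQBFAFgA`},
		{"ws-0142", `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Users\alice\AppData\Local\Temp\svc.exe`, `svc.exe`},
		{"ws-0142", `C:\Windows\System32\services.exe`, `C:\Windows\System32\svchost.exe`, `svchost.exe -k netsvcs`},
	}
	for _, a := range Detect(events) {
		fmt.Printf("%-32s %s %s\n", a.Rule, a.Host, a.Image)
	}
}
```

The benign Word launch and the service activity produce nothing; the macro payload and its dropped binary produce three alerts, all raised before the payload has had a chance to touch the protected two percent.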

Step 3. Encrypt data at different levels
Next, be sure you’re encrypting data the right way. Most security professionals think only of disk encryption. That is a sound approach for laptops that could get stolen, because full-disk encryption protects data only while the volume is locked; on a running server the operating system decrypts the disk transparently for every process, including the attacker’s. And when was the last time a criminal organization broke into a well-guarded co-location facility and ran out with a disk array under their arm? Maybe in the movies, but not in reality.

A different approach is needed. Apply file- and application-level encryption, with the keys stored in a secure location separate from the data they protect (a hardware security module or a dedicated key-management service, for example). Executed correctly, this keeps a threat actor who reaches the storage from reading the data: the compromised host holds only ciphertext, provided the key store releases keys only to authorized applications. Truthfully, I am surprised at how few strong encryption tools are available that can protect data at multiple levels.
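The pattern just described, keys kept apart from the data, is usually built as envelope encryption. The Go program below is an added example for this edit (not code from the column, Armor, or any named product): a `KeyServer` type stands in for the separate key store and holds a key-encryption key (KEK); each sensitive value is encrypted with its own fresh data-encryption key (DEK) under AES-256-GCM, and only the wrapped DEK is stored beside the ciphertext. The field name is bound as associated data so a ciphertext cannot be moved between columns. The type and function names, the field names and the sample value (a public test card number) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for the separate key store (an HSM or key-management
// service) that holds the key-encryption key (KEK). Application hosts never
// see the KEK; they send per-record keys to be wrapped and unwrapped.
type KeyServer struct{ kek []byte }

func NewKeyServer() (*KeyServer, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyServer{kek: kek}, nil
}

// gcmSeal returns nonce || ciphertext || tag under AES-256-GCM.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Wrap and Unwrap are the only operations the key server performs for hosts.
func (s *KeyServer) Wrap(dek []byte) ([]byte, error) { return gcmSeal(s.kek, dek, []byte("dek")) }
func (s *KeyServer) Unwrap(w []byte) ([]byte, error) { return gcmOpen(s.kek, w, []byte("dek")) }

// Record is what lands in the database or file store: ciphertext plus the
// wrapped DEK. Copying the store without the key server yields nothing readable.
type Record struct{ WrappedDEK, Ciphertext []byte }

// EncryptField protects one value with a fresh DEK. The field name is bound as
// associated data, so a ciphertext cannot be swapped into a different column.
func EncryptField(ks *KeyServer, field string, value []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := gcmSeal(dek, value, []byte(field))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptField(ks *KeyServer, field string, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, r.Ciphertext, []byte(field))
}

func main() {
	ks, _ := NewKeyServer()
	rec, _ := EncryptField(ks, "customers.card_number", []byte("4111111111111111")) // constructed test PAN
	pt, err := DecryptField(ks, "customers.card_number", rec)
	fmt.Printf("authorized app: %s (err=%v)\n", pt, err)

	// The failure cases an attacker hits after stealing only the data store:
	// a different KEK cannot unwrap the DEK, and a moved ciphertext fails too.
	other, _ := NewKeyServer()
	_, err = DecryptField(other, "customers.card_number", rec)
	fmt.Println("foreign KEK:", err)
	_, err = DecryptField(ks, "customers.notes", rec)
	fmt.Println("wrong field:", err)
}
```

The security of this layout rests on the KEK never leaving the key server and on the key server authenticating the application that asks it to unwrap; a compromised workstation that copies the record store gets wrapped keys it cannot open.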

Step 4. Establish a protected enclave
From here, segregate the targeted two percent of data from the other 98 percent. This can be achieved via a number of secure architectures such as virtual private clouds or dedicated private clouds. The innovative CIOs and CISOs I engage with treat that 98 percent of data as contested space and assume it is compromised.

What does this mean? Simply, they don’t trust any host or system in that contested space. From there, they require strong authentication (in most cases two-factor authentication) before a host in the 98 percent can connect to that critical two percent of data.

Smart organizations don’t stop there. Data is also forbidden to flow from the two percent out to the 98 percent: hosts in the 98 percent are authorized only to view or interact with the two percent, never to pull it out.

If an unauthorized user attempts to move data against its established path, the connection is dropped and the action halted. (As a note, this is also the secure architecture we should build for the “Internet of Things” (IoT).)
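The enclave rules set out in this step (two-factor admission from the contested zone, no connections initiated from inside the enclave outward, and no data flowing out of the enclave, with the session dropped on a violation) are enforced at one chokepoint. The Go program below is an added example for this edit, not the author's or Armor's design: a `Gateway` type that applies those rules to constructed connection requests and keeps per-session state so that a violation ends the session rather than just failing one call. The zone and operation names, the `ConnectRequest` fields and the sample hosts are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Zone is which side of the enclave boundary a host lives on.
type Zone int

const (
	Contested Zone = iota // the 98 percent: workstations, web servers; assumed compromised
	Enclave               // the 2 percent: mail, customer data, IP, regulated data
)

// Operation is what an established session asks to do with enclave data.
// View and Interact are the two the article allows from the contested zone;
// Export stands for any bulk movement of data toward the contested zone.
type Operation string

const (
	View     Operation = "view"
	Interact Operation = "interact"
	Export   Operation = "export"
)

// ConnectRequest is a constructed admission request; the factor flags stand in
// for whatever the real authentication service reports.
type ConnectRequest struct {
	SrcZone, DstZone Zone
	User             string
	Password, MFA    bool
}

type Session struct{ User string }

var (
	ErrEnclaveInitiated = errors.New("enclave hosts may not initiate connections into contested space")
	ErrNeedsMFA         = errors.New("contested-zone host must present a second factor")
	ErrDirection        = errors.New("data may not flow from the enclave to the contested zone; session dropped")
	ErrNoSession        = errors.New("no such session (dropped or never admitted)")
)

// Gateway is the single chokepoint between the zones; every connection and
// every operation on enclave data passes through it.
type Gateway struct{ sessions map[string]*Session }

func NewGateway() *Gateway { return &Gateway{sessions: map[string]*Session{}} }

// Connect applies the admission rules: nothing initiated from inside the
// enclave outward, and nothing from the contested zone without a second factor.
func (g *Gateway) Connect(id string, r ConnectRequest) (*Session, error) {
	switch {
	case r.SrcZone == Enclave && r.DstZone == Contested:
		return nil, ErrEnclaveInitiated
	case r.SrcZone == Contested && r.DstZone == Enclave && !(r.Password && r.MFA):
		return nil, ErrNeedsMFA
	}
	s := &Session{User: r.User}
	g.sessions[id] = s
	return s, nil
}

// Request applies the data-direction rule. A violation does not merely fail
// the one call: the session is dropped so the actor cannot keep probing.
func (g *Gateway) Request(id string, op Operation) error {
	if _, ok := g.sessions[id]; !ok {
		return ErrNoSession
	}
	switch op {
	case View, Interact:
		return nil
	default:
		delete(g.sessions, id)
		return ErrDirection
	}
}

func main() {
	g := NewGateway()
	// Constructed sequence: a database host trying to reach out, a workstation
	// with only a password, then a properly authenticated workstation session
	// that tries to pull data out.
	_, err := g.Connect("db01->ws", ConnectRequest{SrcZone: Enclave, DstZone: Contested, User: "svc-db", Password: true, MFA: true})
	fmt.Println("enclave outbound:", err)
	_, err = g.Connect("ws-0142", ConnectRequest{SrcZone: Contested, DstZone: Enclave, User: "alice", Password: true})
	fmt.Println("password only:  ", err)
	if _, err = g.Connect("ws-0142", ConnectRequest{SrcZone: Contested, DstZone: Enclave, User: "alice", Password: true, MFA: true}); err == nil {
		fmt.Println("view:  ", g.Request("ws-0142", View))
		fmt.Println("export:", g.Request("ws-0142", Export))
		fmt.Println("view:  ", g.Request("ws-0142", View))
	}
}
```

In a real deployment the same decisions are split across the network layer (the enclave's firewall or VPC rules refuse enclave-initiated connections outright) and an application gateway that knows the difference between a screen of records and a bulk export; the point of the single chokepoint is that a host in the contested space never talks to enclave storage directly.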

While this initial framework provides solid guidance, organizations should fold it into a more complete cybersecurity plan. The key takeaway: understand which data is most sensitive, whether because of business sensitivity or customer privacy, and defend it diligently. After all, this is the information threat actors systematically target, and it’s the information that will cause the most damage if stolen, leaked, sold, or leveraged for malicious gain.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief of operations and security. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of focus include cloud operations, client ...