Four steps for defending your most sensitive corporate information from the inside out.

Jeff Schilling, Chief Security Officer, Armor

August 11, 2015

Successful criminals always have a target. The malicious groups that attack major organizations are trained, well-funded, and have diligently prepared for a successful data heist.

But they’re not after all your data. Logically, they only want what they can leverage for other crimes or can easily re-sell to other nefarious groups. Capable threat actors are only targeting about two percent of the data on a given network — basically, where email, customer information, intellectual property, and regulated data are stored. Unfortunately, they are savvy enough to use the other 98 percent of your network (e.g., employee workstations, websites) to gain illegal access to that two percent.

It makes sense. Why are banks armored and heavily guarded? Because they house the most valuable resources in a given area or community — but criminals also know they’re there. Think of your data in the same way.

This begs the question: “Why don’t I start by protecting that two percent and make sure any connections coming over from the other 98 percent of my network are authenticated as legitimate traffic?”

By now, you are rolling your eyes and saying, “It’s not that easy.” Yes, it is. But only if you have a strategy of defending the most sensitive data from the inside out. Here are four initial steps to defining which data you want to contest.

Step 1. Classify data, then protect
First step: identify that 2 percent. Start with the obvious (e.g., regulated data such as PCI) then progress through a maturity model that identifies which data is most sensitive. Categorize this data based on risk, sensitivity, compliance requirements, etc. These categories will be unique to your company and its business objectives.

Ensure this two percent of data is running on hardened operating systems and is regularly backed up. And always make this data set the priority for patching, which remains the best method of keeping even the most sophisticated actors off your hosts.

The result of this exercise ideally will be what most security professionals believe to be unachievable: a true data loss protection program.

Step 2. Build a host-level detection strategy
Next, select a host-level detection strategy that provides the best opportunity to catch the threat actor early in the kill chain: at the moment of exploitation.

You’ll hear many security professionals scoff at antivirus solutions as old technology and a losing strategy. What they don’t realize, however, is that antivirus controls now do much more than just matching bad binaries. Capable AV technology will provide host-level intrusion prevention systems (HIPS), as well as URL- and IP-blacklisting. Many AV products also monitor memory for symptoms of a compromised host. And that’s the one place a threat actor has to reveal his/her actions.

Step 3. Encrypt data at different levels
Next, be sure you’re encrypting data — the right way. Most security professionals think only of disk encryption. This is a sound approach for laptops that could get stolen. But when was the last time a criminal organization broke into a well-guarded co-location facility and ran out with a disk array under their arm? Maybe in the movies, but not in reality.

A different approach must be used for data encryption. Apply file- and application-level encryption with the keys stored in a secure location. When executed correctly, this tactic will stop threat actors from accessing data in a readable format. Truthfully, I am very surprised at the few options available for strong encryption tools that can protect data at multiple levels.

Step 4. Establish a protected enclave
From here, segregate the targeted two percent of data from the other 98 percent. This can be achieved via a number of secure architectures such as virtual private clouds or dedicated private clouds. The innovative CIOs and CISOs I engage with treat that 98 percent of data as contested space and assume it is compromised.

What does this mean? Simply, they don’t trust any hosts or systems in that contested space. From there, they require strong authentication (in most cases, two-factor authentication) for a host in the 98 percent to connect to that critical two percent of data.

Smart organizations don’t stop there. Data also is forbidden to flow from the 2 percent to the 98 percent. Conversely, the 98 percent is only authorized to view or interact with the other two percent.

If an unauthorized user attempts to move data against its established path, the connection is dropped and actions halted. (As a note, this also is the secure architecture we should build for the “Internet of Things” (IoT).)
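The enclave rules from Step 4, written as a check over connection records (an added example, not part of the original article). The enclave subnet, the byte ceiling used as a stand-in for "view or interact," and the sample flows are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing: the enclave (the "two percent") is one subnet and
# everything outside it is contested space. Values are constructed.
ENCLAVE = ipaddress.ip_network("10.20.0.0/24")
# Assumed ceiling on data returned to a contested host in one session;
# larger responses are treated as data leaving the enclave.
EGRESS_BYTE_LIMIT = 1_000_000

@dataclass
class Flow:
    src: str        # host that initiated the connection
    dst: str        # host that accepted it
    mfa: bool       # session was established with two-factor authentication
    bytes_out: int  # bytes sent from dst back to src

def in_enclave(addr: str) -> bool:
    return ipaddress.ip_address(addr) in ENCLAVE

def evaluate(flow: Flow) -> str:
    src_in, dst_in = in_enclave(flow.src), in_enclave(flow.dst)
    if src_in and not dst_in:
        # Enclave hosts never push data into contested space.
        return "drop: enclave-initiated flow to contested space"
    if not src_in and dst_in:
        if not flow.mfa:
            return "drop: no two-factor authentication"
        if flow.bytes_out > EGRESS_BYTE_LIMIT:
            return "drop: bulk transfer out of enclave"
        return "allow"
    # Enclave-internal or contested-only traffic is outside this policy.
    return "not governed"

# Constructed sample flow records.
FLOWS = [
    Flow("10.1.5.23", "10.20.0.10", True, 48_000),
    Flow("10.1.5.77", "10.20.0.10", False, 2_000),
    Flow("10.1.5.23", "10.20.0.11", True, 750_000_000),
    Flow("10.20.0.10", "10.1.9.4", True, 0),
    Flow("10.1.5.23", "10.1.5.77", False, 500),
]

def audit(flows):
    return [evaluate(f) for f in flows]

if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, audit(FLOWS)):
        print(f"{flow.src} -> {flow.dst}: {verdict}")
```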

While this initial framework provides solid guidance, organizations should incorporate this strategy into a more complete cybersecurity plan. The key takeaway: understand which data is most sensitive — whether because of business sensitivity or customer privacy — and defend it diligently. After all, this is the information threat actors systematically target. And it’s the information that will cause the most damage if stolen, leaked, sold, or leveraged for untold malicious gain.

About the Author(s)

Jeff Schilling

Chief Security Officer, Armor

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance risk and compliance, cloud operations, client relations, and customer engineering support.

Previous to joining Armor, Schilling was the director of the global incident response practice for Dell SecureWorks, where his team supported over 300 customers with incident-response planning, capabilities development, digital forensics investigations and active incident management. In his last military assignment, Schilling was the director of the U.S. Army's global security operations center under the U.S. Army Cyber Command.
