Perimeter
12/20/2011
02:39 PM
Rich Mogull
Rich Mogull
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Take Off The Data Security Blinders

You can't protect what you can't see. Use these tools to learn how and where your data is at risk

I used to be embarrassed when I would recommend that people buy some sort of new, shiny security tool. I mean, it isn’t like they hadn’t already spent a ton of money on all sorts of existing stuff, and here I was coming off like a vendor’s analyst lapdog telling them to spend even more.

My presentations on data security even used to include all sorts of “alternative options” using existing or free tools instead of things like data loss prevention (DLP) or database activity monitoring (DAM). And like “alternative medicine,” they offered no more value other than the placebo effect.

Then I realized that just as we need network tools for network security, and endpoint tools for endpoint security, we need data-focused tools for data security. And nearly no organizations I worked with had even the most basic capability to assess and protect their information assets.

Which begged the question: What do we really need? Which tools provide value, which are a waste of time, and what’s the right way to use them? Despite my East Coast Jewish roots, tackling these problems was far more fulfilling than wallowing in guilt.

To really succeed with data security, we need a foundation of monitoring tools. If you don’t know who is using your data and how, then no amount of encryption, DRM, or filtering will ever really help. Here are the two main foundational tools that provide the most insight, and one additional tool that’s promising, but very new.

We start with DLP, and in this case I’ll stick with talking about the full DLP suites vs. the DLP-lite tools that offer a subset of functionality. DLP is the first tool that allows us to define what kind of content we are looking for and then find out where it’s stored, where it’s moving around our network, and which endpoints it ends up on (and how it’s being used).

DLP is a heck of a lot more than simple keyword matching -- modern tools can look for customer accounts out of your database, sensitive documents loaded up in the system to protect (and even paragraphs of the documents), or common categories like PII or healthcare data. It will dig down through multiple layers of files, not simply look for plain text.

There are three primary places you’ll use DLP to find and monitor your data. Using content discovery features, you can scan your storage repositories to see where all this sensitive stuff ends up -- locations like file shares, document management systems, and even some databases. And believe me, everyone finds stuff where it isn’t supposed to be.

You also use DLP to monitor sensitive information moving in and out of your network: email, Web, and even inside SSL connections or other protocols (if your product supports it). DLP is pretty weak at monitoring internal networks, but at least you can get a good handle on the stuff moving in and out. You can also use its endpoint agents to see who has this information stored locally, is moving it onto portable storage, or even printing/faxing.

No other tool provides this level of visibility on how your organization uses information. Is it perfect? Not by a long shot. Will it miss things? Certainly. But even opening one eye is a lot better than flying blind.

The next major tool is DAM. DLP does a great job monitoring data users handle in productivity applications (email, Office, etc.), but it can’t keep up with databases. DAM is a database- and application-specific tool designed to give you incredible insight as to how your databases are being used. It watches all SQL connections, sometimes in both directions, and can track anything and everything.

Want to know which admin is peeking at data instead of simple system maintenance? You’re covered. Want to know which application user is accessing what data inside a connection pooled query? DAM can do that. Want an alert when a credit-card number shows up in a query that it isn’t supposed to be in? Some of the tools handle that as well. In short, you get deep insight into how users and applications directly interact with your database data -- and in ways well beyond what logging normally provides.

And then there are our files. While it’s still a fairly new tool, file activity monitoring (FAM) does for files what DAM does for data. Instead of looking for specific content like DLP, FAM looks at all file access, ties it to user accounts, and can pick up all sorts of interesting patterns. Want to identify a file owner? Combine who is accessing a file the most with user and group knowledge, and you can probably figure it out. Want to know when a stale user account that hasn’t been accessed in 180 days suddenly downloads an entire directory of customer information? There’s an alert for that. Users downloading a higher volume of files than usual? You betcha.

These three tools provide visibility and situational awareness on your information and data you simply can’t achieve with anything else. I’d argue it’s impossible to really protect data if you don’t know where it is or how people are using it.

Again, these tools aren’t perfect, and they won’t solve every problem, but we have to start somewhere.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

Best of the Web
Dark Reading Radio