Perimeter
12/20/2011
02:39 PM
Rich Mogull
Rich Mogull
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Take Off The Data Security Blinders

You can't protect what you can't see. Use these tools to learn how and where your data is at risk

I used to be embarrassed when I would recommend that people buy some sort of new, shiny security tool. I mean, it isn’t like they hadn’t already spent a ton of money on all sorts of existing stuff, and here I was coming off like a vendor’s analyst lapdog telling them to spend even more.

My presentations on data security even used to include all sorts of “alternative options” using existing or free tools instead of things like data loss prevention (DLP) or database activity monitoring (DAM). And like “alternative medicine,” they offered no more value other than the placebo effect.

Then I realized that just as we need network tools for network security, and endpoint tools for endpoint security, we need data-focused tools for data security. And nearly no organizations I worked with had even the most basic capability to assess and protect their information assets.

Which begged the question: What do we really need? Which tools provide value, which are a waste of time, and what’s the right way to use them? Despite my East Coast Jewish roots, tackling these problems was far more fulfilling than wallowing in guilt.

To really succeed with data security, we need a foundation of monitoring tools. If you don’t know who is using your data and how, then no amount of encryption, DRM, or filtering will ever really help. Here are the two main foundational tools that provide the most insight, and one additional tool that’s promising, but very new.

We start with DLP, and in this case I’ll stick with talking about the full DLP suites vs. the DLP-lite tools that offer a subset of functionality. DLP is the first tool that allows us to define what kind of content we are looking for and then find out where it’s stored, where it’s moving around our network, and which endpoints it ends up on (and how it’s being used).

DLP is a heck of a lot more than simple keyword matching -- modern tools can look for customer accounts out of your database, sensitive documents loaded up in the system to protect (and even paragraphs of the documents), or common categories like PII or healthcare data. It will dig down through multiple layers of files, not simply look for plain text.

There are three primary places you’ll use DLP to find and monitor your data. Using content discovery features, you can scan your storage repositories to see where all this sensitive stuff ends up -- locations like file shares, document management systems, and even some databases. And believe me, everyone finds stuff where it isn’t supposed to be.

You also use DLP to monitor sensitive information moving in and out of your network: email, Web, and even inside SSL connections or other protocols (if your product supports it). DLP is pretty weak at monitoring internal networks, but at least you can get a good handle on the stuff moving in and out. You can also use its endpoint agents to see who has this information stored locally, is moving it onto portable storage, or even printing/faxing.

No other tool provides this level of visibility on how your organization uses information. Is it perfect? Not by a long shot. Will it miss things? Certainly. But even opening one eye is a lot better than flying blind.

The next major tool is DAM. DLP does a great job monitoring data users handle in productivity applications (email, Office, etc.), but it can’t keep up with databases. DAM is a database- and application-specific tool designed to give you incredible insight as to how your databases are being used. It watches all SQL connections, sometimes in both directions, and can track anything and everything.

Want to know which admin is peeking at data instead of simple system maintenance? You’re covered. Want to know which application user is accessing what data inside a connection pooled query? DAM can do that. Want an alert when a credit-card number shows up in a query that it isn’t supposed to be in? Some of the tools handle that as well. In short, you get deep insight into how users and applications directly interact with your database data -- and in ways well beyond what logging normally provides.

And then there are our files. While it’s still a fairly new tool, file activity monitoring (FAM) does for files what DAM does for data. Instead of looking for specific content like DLP, FAM looks at all file access, ties it to user accounts, and can pick up all sorts of interesting patterns. Want to identify a file owner? Combine who is accessing a file the most with user and group knowledge, and you can probably figure it out. Want to know when a stale user account that hasn’t been accessed in 180 days suddenly downloads an entire directory of customer information? There’s an alert for that. Users downloading a higher volume of files than usual? You betcha.

These three tools provide visibility and situational awareness on your information and data you simply can’t achieve with anything else. I’d argue it’s impossible to really protect data if you don’t know where it is or how people are using it.

Again, these tools aren’t perfect, and they won’t solve every problem, but we have to start somewhere.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.