Perimeter
12/20/2011
02:39 PM
Rich Mogull
Rich Mogull
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Take Off The Data Security Blinders

You can't protect what you can't see. Use these tools to learn how and where your data is at risk

I used to be embarrassed when I would recommend that people buy some sort of new, shiny security tool. I mean, it isn’t like they hadn’t already spent a ton of money on all sorts of existing stuff, and here I was coming off like a vendor’s analyst lapdog telling them to spend even more.

My presentations on data security even used to include all sorts of “alternative options” using existing or free tools instead of things like data loss prevention (DLP) or database activity monitoring (DAM). And like “alternative medicine,” they offered no more value other than the placebo effect.

Then I realized that just as we need network tools for network security, and endpoint tools for endpoint security, we need data-focused tools for data security. And nearly no organizations I worked with had even the most basic capability to assess and protect their information assets.

Which begged the question: What do we really need? Which tools provide value, which are a waste of time, and what’s the right way to use them? Despite my East Coast Jewish roots, tackling these problems was far more fulfilling than wallowing in guilt.

To really succeed with data security, we need a foundation of monitoring tools. If you don’t know who is using your data and how, then no amount of encryption, DRM, or filtering will ever really help. Here are the two main foundational tools that provide the most insight, and one additional tool that’s promising, but very new.

We start with DLP, and in this case I’ll stick with talking about the full DLP suites vs. the DLP-lite tools that offer a subset of functionality. DLP is the first tool that allows us to define what kind of content we are looking for and then find out where it’s stored, where it’s moving around our network, and which endpoints it ends up on (and how it’s being used).

DLP is a heck of a lot more than simple keyword matching -- modern tools can look for customer accounts out of your database, sensitive documents loaded up in the system to protect (and even paragraphs of the documents), or common categories like PII or healthcare data. It will dig down through multiple layers of files, not simply look for plain text.

There are three primary places you’ll use DLP to find and monitor your data. Using content discovery features, you can scan your storage repositories to see where all this sensitive stuff ends up -- locations like file shares, document management systems, and even some databases. And believe me, everyone finds stuff where it isn’t supposed to be.

You also use DLP to monitor sensitive information moving in and out of your network: email, Web, and even inside SSL connections or other protocols (if your product supports it). DLP is pretty weak at monitoring internal networks, but at least you can get a good handle on the stuff moving in and out. You can also use its endpoint agents to see who has this information stored locally, is moving it onto portable storage, or even printing/faxing.

No other tool provides this level of visibility on how your organization uses information. Is it perfect? Not by a long shot. Will it miss things? Certainly. But even opening one eye is a lot better than flying blind.

The next major tool is DAM. DLP does a great job monitoring data users handle in productivity applications (email, Office, etc.), but it can’t keep up with databases. DAM is a database- and application-specific tool designed to give you incredible insight as to how your databases are being used. It watches all SQL connections, sometimes in both directions, and can track anything and everything.

Want to know which admin is peeking at data instead of simple system maintenance? You’re covered. Want to know which application user is accessing what data inside a connection pooled query? DAM can do that. Want an alert when a credit-card number shows up in a query that it isn’t supposed to be in? Some of the tools handle that as well. In short, you get deep insight into how users and applications directly interact with your database data -- and in ways well beyond what logging normally provides.

And then there are our files. While it’s still a fairly new tool, file activity monitoring (FAM) does for files what DAM does for data. Instead of looking for specific content like DLP, FAM looks at all file access, ties it to user accounts, and can pick up all sorts of interesting patterns. Want to identify a file owner? Combine who is accessing a file the most with user and group knowledge, and you can probably figure it out. Want to know when a stale user account that hasn’t been accessed in 180 days suddenly downloads an entire directory of customer information? There’s an alert for that. Users downloading a higher volume of files than usual? You betcha.

These three tools provide visibility and situational awareness on your information and data you simply can’t achieve with anything else. I’d argue it’s impossible to really protect data if you don’t know where it is or how people are using it.

Again, these tools aren’t perfect, and they won’t solve every problem, but we have to start somewhere.

Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.