Risk | Commentary
1/21/2020 10:00 AM
Moti Gindi

Data Awareness Is Key to Data Security

Traditional data-leak prevention is not enough for businesses facing today's dynamic threat landscape.

Data attacks reached an all-time high in 2019 as we continued to transform our lives digitally — moving our work, health, financial, and social information online. In response, businesses must meet hefty data and information protection regulatory and compliance requirements. There's no room for error. Protections are required for everything from simple user mistakes, such as downloading a file on the corporate network and sending it to a personal account, to malicious insider behavior and nation-state attacks. This task and associated fines are daunting.

Governments worldwide are also addressing these challenges by mandating new data protection regulations and privacy acts, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Regulations are introducing stricter information protection standards and unprecedented fines companies must plan for and comply with — up to 4% of their annual revenue — for handling business and customer data.

To keep up with these regulations and the global demand for security and privacy, compliance and data risk officer roles are increasing. They create policies and implement tools to track how data is collected, used, managed and stored across its life cycle so businesses remain compliant and earn customers' trust.

Security and Compliance Are Two Different Worlds
Even with heightened focus on reducing risk, security and compliance teams have different backgrounds and responsibilities, and historically they have not worked together, which means they don't always understand the other's business needs.

When it comes to information protection and compliance, most companies focus on thwarting data leaks by locking down data within their perimeter, which can be a device, file server, or network boundary. Data leakage prevention (DLP) identifies sensitive content and defines policies to prevent data egress across the network, devices, and applications.

In parallel, companies' security teams operate disconnected threat protection solutions — EPP, EDR, SEG, CASB, UEBA, NTA, etc. — designed to prevent, detect, and respond to attacks on companies' intellectual property. But often these tools — separate from the information protection and DLP tools — don't know where this intellectual property and sensitive content resides.

Most data protection solutions focus on prevention and ignore a key aspect of risk management and compliance: attackers' access to sensitive data, which can reside on devices, applications, and/or in the cloud. Threat protection solutions, by contrast, identify attackers in the network but ignore the key aspect of security incidents: the sensitivity of data accessed during an attack.

So, how should we as an industry eliminate the walls between them to deliver a higher level of protection?

Create a Better Security Posture
Unifying security and compliance under a new model of data-aware threat protection will enable businesses to create trust while reducing risk to users and data. By integrating and sharing signals between the DLP and threat protection solutions, companies can determine the business context and impact of each security incident, and the actual risk to each piece of sensitive data. Security teams and data officers can then work in tandem, instead of in silos, to respond to and address incidents faster and more reliably.

This new data-aware threat-protection model has four key advantages:

Risk-based incident prioritization: Security operators typically prioritize incident response based on severity, but that neglects the overall business impact. Data classification awareness by threat protection solutions contributes to how alerts, incidents, and vulnerabilities are prioritized. It helps better determine the risk of the activity, which influences its prioritization. An alert on a corporate device that stores sensitive data is more important than an alert on a device that doesn't. Even if the security threat on its own is lower, sensitive data in a compromised environment is a reason to act — fast.

More precise threat hunting: By tracing each attacker action and intertwining it with data classification context, analysts can better understand attackers' motivations and searches. This also arms hunters with the ability to reference data severity. For example, analysts can create a hunting query to address a request like, "Get all PowerShell processes that accessed a sensitive Word doc." Such context also enables better hunting for data exfiltration threats by understanding whether activity is malicious or benign. For example, reading a file, copying a file to another folder, or taking a screen capture are legitimate actions most times. However, sensitive data is different. Reading such a file may indicate anomalous access to sensitive data, copying a file may be part of staging for exfiltration, and screen capturing may be a way to steal sensitive data.
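The hunting query and the triage logic described above can be expressed as a correlation between process telemetry and a data-classification inventory. The following is an added example, not code from the article or from Microsoft Defender ATP: the inventory, the telemetry records and the field names are constructed, and the sensitivity labels are assumed to be the output of whatever classification tool the organization runs.

```python
"""Data-aware hunting: join process file-access events with classification labels.

Added example with constructed telemetry; the event schema and the label
vocabulary are assumptions, not a real product's format.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed classification inventory produced by the DLP/classification side:
# file path -> sensitivity label.
CLASSIFICATION: Dict[str, str] = {
    r"C:\Users\alice\Documents\board-minutes.docx": "Highly Confidential",
    r"C:\Users\alice\Documents\lunch-menu.docx": "General",
    r"C:\Finance\payroll-2019.xlsx": "Confidential",
}

SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class FileEvent:
    """One file-access record from endpoint telemetry (constructed schema)."""
    timestamp: str
    device: str
    process: str   # image name of the acting process
    action: str    # "read", "copy" or "screenshot"
    path: str      # file read/copied, or document on screen for "screenshot"
    dest: str = "" # destination folder for "copy" events


# Constructed sample telemetry: routine actions, some of them on sensitive files.
EVENTS: List[FileEvent] = [
    FileEvent("2020-01-20T09:01Z", "hr-laptop", "WINWORD.EXE", "read",
              r"C:\Users\alice\Documents\lunch-menu.docx"),
    FileEvent("2020-01-20T09:05Z", "hr-laptop", "powershell.exe", "read",
              r"C:\Users\alice\Documents\board-minutes.docx"),
    FileEvent("2020-01-20T09:06Z", "hr-laptop", "explorer.exe", "copy",
              r"C:\Finance\payroll-2019.xlsx", dest=r"C:\Users\alice\tmp"),
    FileEvent("2020-01-20T09:07Z", "hr-laptop", "SnippingTool.exe", "screenshot",
              r"C:\Users\alice\Documents\board-minutes.docx"),
    FileEvent("2020-01-20T09:08Z", "hr-laptop", "powershell.exe", "read",
              r"C:\Users\alice\Documents\lunch-menu.docx"),
]


def sensitivity(path: str) -> str:
    """Look up the classification label; unknown files are 'Unclassified'."""
    return CLASSIFICATION.get(path, "Unclassified")


def is_sensitive(path: str) -> bool:
    return sensitivity(path) in SENSITIVE_LABELS


def hunt_powershell_sensitive_docs(events: List[FileEvent]) -> List[FileEvent]:
    """The article's request: all PowerShell processes that accessed a sensitive Word doc."""
    return [
        e for e in events
        if e.process.lower() in POWERSHELL_IMAGES
        and e.path.lower().endswith((".doc", ".docx"))
        and is_sensitive(e.path)
    ]


def triage(event: FileEvent) -> str:
    """Interpret a routine action differently when its target is sensitive.

    Reads, copies and screen captures are benign most of the time; the
    classification context is what turns them into hunting leads.
    """
    if not is_sensitive(event.path):
        return "benign"
    return {
        "read": "anomalous-access",
        "copy": "possible-staging",
        "screenshot": "possible-capture",
    }.get(event.action, "needs-review")


if __name__ == "__main__":
    for hit in hunt_powershell_sensitive_docs(EVENTS):
        print(hit.timestamp, hit.device, hit.process, hit.path)
    for e in EVENTS:
        print(e.timestamp, e.action, sensitivity(e.path), "->", triage(e))
```

The same join runs equally well as a query in a telemetry platform; the point is that the filter on the right-hand side (the classification label) comes from the compliance tooling, not from the threat-protection tooling alone.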

Automatic remediation across security and compliance boundaries: Automation allows often understaffed security and compliance teams to do more and react more quickly. But missing the incident's context makes all response playbooks the same. Data classification awareness allows defenders to become more effective by defining customized response actions based on data sensitivity. For example, automatically locking access to sensitive data on at-risk devices until the risk is mitigated or blocking a process performing anomalous access from accessing sensitive files until it's determined whether the activity is benign or malicious.

More effective security posture management: Security and compliance teams should not just respond to data leaks or data exfiltration incidents after they occur; they should think about being proactive to reduce leaks. Visibility is key. Do you know where your sensitive data is, where it's stored? Knowing that and combining the compliance (data sensitivity) and security (risk) disciplines enable us to proactively reduce the chance and impact of data breaches. For example, you can prioritize patching devices with sensitive documents, or force two-factor authentication to access sensitive document folders.
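The risk-based prioritization, sensitivity-driven response selection, and patch prioritization described in the three advantages above all reduce to combining an alert's severity with the sensitivity of the data on the affected device. The following is an added example, not code from the article or any Microsoft product; the weights, device inventory, alert records and response-action names are constructed assumptions chosen to make the ranking visible.

```python
"""Data-aware prioritization, response selection and patch ranking.

Added example with constructed inventory; severity/sensitivity weights and
response-action names are assumptions, not a product's settings.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed ordinal weights for alert severity and data sensitivity.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}
SENSITIVITY_WEIGHT = {"Unclassified": 1, "General": 1,
                      "Confidential": 2, "Highly Confidential": 3}


@dataclass
class Device:
    name: str
    docs: Dict[str, str] = field(default_factory=dict)  # path -> label
    missing_patches: int = 0


@dataclass
class Alert:
    alert_id: str
    device: str
    severity: str  # "low", "medium" or "high"


# Constructed inventory: the same alert severity lands on very different devices.
DEVICES: Dict[str, Device] = {
    "kiosk": Device("kiosk", {}, missing_patches=5),
    "hr-laptop": Device("hr-laptop",
                        {r"C:\Users\alice\Documents\board-minutes.docx": "Highly Confidential"},
                        missing_patches=2),
    "finance-pc": Device("finance-pc",
                         {r"C:\Finance\payroll-2019.xlsx": "Confidential"},
                         missing_patches=1),
}

ALERTS: List[Alert] = [
    Alert("A1", "kiosk", "high"),
    Alert("A2", "hr-laptop", "medium"),
    Alert("A3", "finance-pc", "low"),
]


def device_data_weight(device: Device) -> int:
    """Highest sensitivity weight among the documents stored on the device."""
    return max((SENSITIVITY_WEIGHT[label] for label in device.docs.values()), default=1)


def risk_score(alert: Alert, devices: Dict[str, Device]) -> int:
    """Severity alone neglects business impact; scale it by the data at risk."""
    return SEVERITY_WEIGHT[alert.severity] * device_data_weight(devices[alert.device])


def prioritize_alerts(alerts: List[Alert], devices: Dict[str, Device]) -> List[str]:
    """Alert ids ordered by data-aware risk, highest first."""
    return [a.alert_id for a in
            sorted(alerts, key=lambda a: risk_score(a, devices), reverse=True)]


def select_response(alert: Alert, devices: Dict[str, Device]) -> str:
    """Customize the playbook by sensitivity instead of running the same one everywhere.

    The action names are assumptions standing in for whatever the response
    platform exposes.
    """
    weight = device_data_weight(devices[alert.device])
    if weight >= 3:
        return "lock-sensitive-data-and-isolate"   # until the risk is mitigated
    if weight == 2:
        return "block-anomalous-process-from-sensitive-files"
    return "standard-investigation"


def patch_priority(devices: Dict[str, Device]) -> List[str]:
    """Proactive posture: patch devices holding sensitive documents first,
    breaking ties by how many patches are outstanding."""
    pending = [d for d in devices.values() if d.missing_patches > 0]
    return [d.name for d in
            sorted(pending, key=lambda d: (device_data_weight(d), d.missing_patches),
                   reverse=True)]


if __name__ == "__main__":
    print("alert order:", prioritize_alerts(ALERTS, DEVICES))
    for a in ALERTS:
        print(a.alert_id, risk_score(a, DEVICES), select_response(a, DEVICES))
    print("patch order:", patch_priority(DEVICES))
```

Note how the medium-severity alert on the device holding a highly confidential document outranks the high-severity alert on the kiosk, which is the article's point that a lower threat in a sensitive environment is still a reason to act fast.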

Old-school data leakage prevention is not enough for businesses facing a dynamic threat landscape. Adversaries are sophisticated, and no matter how high the wall, they will find a way around. Then, it's game over. Trust is lost. The industry should recognize that data-aware threat protection is essential to proactively protecting customers' data and establishing trust and consistency across privacy and security.


Moti Gindi is the Corporate Vice President for Microsoft Defender Advanced Threat Protection (ATP). In his role, he manages an engineering team that is responsible for Microsoft's endpoint security, specifically Microsoft Defender ATP (recently recognized as a leader in ...