Traditional data-leak prevention is not enough for businesses facing today's dynamic threat landscape.

Moti Gindi, Corporate Vice President, Microsoft Defender Advanced Threat Protection

January 21, 2020


Data attacks reached an all-time high in 2019 as we continued to transform our lives digitally — moving our work, health, financial, and social information online. In response, businesses must meet hefty data and information protection regulatory and compliance requirements. There's no room for error. Protections are required for everything from simple user mistakes, such as downloading a file on the corporate network and sending it to a personal account, to malicious insider behavior and nation-state attacks. This task and associated fines are daunting.

Governments worldwide are also addressing these challenges by mandating new data protection regulations and privacy acts, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations introduce stricter information protection standards and unprecedented fines for mishandling business and customer data (up to 4% of annual revenue), which companies must plan for and comply with.

To keep up with these regulations and the global demand for security and privacy, compliance and data risk officer roles are increasing. They create policies and implement tools to track how data is collected, used, managed and stored across its life cycle so businesses remain compliant and earn customers' trust.

Security and Compliance Are Two Different Worlds
Even with a heightened focus on reducing risk, security and compliance teams have different backgrounds and responsibilities, and historically they have not worked together, which means they don't always understand each other's business needs.

When it comes to information protection and compliance, most companies focus on thwarting data leaks by locking down data within their perimeter, which can be a device, file server, or network boundary. Data leakage prevention (DLP) identifies sensitive content and defines policies to prevent data egress across the network, devices, and applications.

In parallel, companies' security teams operate disconnected threat protection solutions — EPP, EDR, SEG, CASB, UEBA, NTA, etc. — designed to prevent, detect, and respond to attacks on companies' intellectual property. But often these tools — separate from the information protection and DLP tools — don't know where this intellectual property and sensitive content resides.

Most data protection solutions focus on prevention and ignore a key aspect of risk management and compliance: attackers' access to sensitive data, which can reside on devices, applications, and/or in the cloud. Threat protection solutions, by contrast, identify attackers in the network but ignore the key aspect of security incidents: the sensitivity of data accessed during an attack.

So, how should we as an industry eliminate the walls between them to deliver a higher level of protection?

Create a Better Security Posture
Unifying security and compliance under a new model of data-aware threat protection will enable businesses to create trust while reducing risk to users and data. By integrating and sharing signals between the DLP and threat protection solutions, companies can determine the business context and impact of each security incident, and the actual risk to each piece of sensitive data. Security teams and data officers can then work in tandem, instead of in silos, to respond to and address incidents faster and more reliably.

This new data-aware threat-protection model has four key advantages:

Risk-based incident prioritization: Security operators typically prioritize incident response based on severity, but that neglects the overall business impact. When threat protection solutions are aware of data classification, the sensitivity of the data involved becomes a factor in how alerts, incidents, and vulnerabilities are prioritized, because it changes the actual risk of the activity. An alert on a corporate device that stores sensitive data is more important than an alert on a device that doesn't. Even if the security threat on its own is lower, sensitive data in a compromised environment is a reason to act — fast.

More precise threat hunting: By tracing each attacker action and combining it with data classification context, analysts can better understand attackers' motivations and what they are searching for. It also lets hunters reference data sensitivity directly. For example, analysts can create a hunting query to answer a request like, "Get all PowerShell processes that accessed a sensitive Word doc." Such context also enables better hunting for data exfiltration threats, because it helps distinguish malicious activity from benign activity. Reading a file, copying a file to another folder, or taking a screen capture are legitimate actions most of the time. When the file is sensitive, the picture changes: reading it may indicate anomalous access to sensitive data, copying it may be part of staging for exfiltration, and a screen capture may be a way to steal its contents.
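The two ideas above (the hunting query joining process telemetry with data classification, and risk scoring that weighs device sensitivity alongside alert severity) as an added example; this is illustrative code, not Microsoft Defender ATP's query language or API, and all events, paths, labels, and weights are constructed sample data.

```python
# Constructed EDR-style file access events: device, process, action, path.
FILE_EVENTS = [
    {"device": "ws-finance-01", "process": "powershell.exe", "action": "read", "path": r"C:\Users\a\Q4-forecast.docx"},
    {"device": "ws-finance-01", "process": "winword.exe", "action": "read", "path": r"C:\Users\a\Q4-forecast.docx"},
    {"device": "ws-dev-07", "process": "powershell.exe", "action": "read", "path": r"C:\Users\b\notes.docx"},
    {"device": "ws-hr-02", "process": "powershell.exe", "action": "copy", "path": r"C:\Users\c\salaries.docx"},
]

# Constructed DLP-style classification index: path -> sensitivity label.
CLASSIFICATION = {
    r"C:\Users\a\Q4-forecast.docx": "Confidential",
    r"C:\Users\c\salaries.docx": "Highly Confidential",
    r"C:\Users\b\notes.docx": "General",
}

SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}

# How to read a given action on a sensitive file (interpretation from the article).
ACTION_MEANING = {"read": "anomalous access", "copy": "possible staging for exfiltration",
                  "screenshot": "possible screen-capture theft"}


def hunt_powershell_sensitive_docs(events, classification):
    """The article's hunting question: PowerShell processes that accessed a sensitive Word doc.
    Returns each matching event annotated with the label and what the action may mean."""
    hits = []
    for e in events:
        label = classification.get(e["path"])
        if (e["process"].lower() == "powershell.exe"
                and e["path"].lower().endswith(".docx")
                and label in SENSITIVE_LABELS):
            hits.append(dict(e, label=label, meaning=ACTION_MEANING.get(e["action"], "unknown")))
    return hits


# Constructed alerts carrying only a security-side severity (higher = worse).
ALERTS = [
    {"id": "A1", "device": "ws-dev-07", "severity": 3},
    {"id": "A2", "device": "ws-finance-01", "severity": 2},
    {"id": "A3", "device": "ws-hr-02", "severity": 2},
]

LABEL_WEIGHT = {"Highly Confidential": 3, "Confidential": 2, "General": 0}


def device_data_weight(device, events, classification):
    """Highest sensitivity weight among files observed on the device (0 if none)."""
    return max((LABEL_WEIGHT.get(classification.get(e["path"]), 0)
                for e in events if e["device"] == device), default=0)


def prioritize(alerts, events, classification):
    """Risk = severity + data weight, so a lower-severity alert on a device holding
    sensitive data can outrank a higher-severity alert on a device that holds none."""
    scored = [dict(a, risk=a["severity"] + device_data_weight(a["device"], events, classification))
              for a in alerts]
    return sorted(scored, key=lambda a: a["risk"], reverse=True)
```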

Automatic remediation across security and compliance boundaries: Automation allows often understaffed security and compliance teams to do more and react more quickly. But without the incident's context, every response playbook looks the same. Data classification awareness lets defenders become more effective by defining customized response actions based on data sensitivity. For example, access to sensitive data on an at-risk device can be locked automatically until the risk is mitigated, or a process performing anomalous access can be blocked from reading sensitive files until it's determined whether the activity is benign or malicious.

More effective security posture management: Security and compliance teams should not just respond to data leaks or data exfiltration incidents after they occur; they should be proactive about reducing leaks. Visibility is key. Do you know where your sensitive data is and where it's stored? Knowing that, and combining the compliance (data sensitivity) and security (risk) disciplines, enables organizations to proactively reduce both the likelihood and the impact of data breaches. For example, you can prioritize patching devices that hold sensitive documents, or require two-factor authentication to access sensitive document folders.

Old-school data leakage prevention is not enough for businesses facing a dynamic threat landscape. Adversaries are sophisticated, and no matter how high the wall, they will find a way around. Then, it's game over. Trust is lost. The industry should recognize that data-aware threat protection is essential to proactively protecting customers' data and establishing trust and consistency across privacy and security.

About the Author(s)

Moti Gindi

Corporate Vice President, Microsoft Defender Advanced Threat Protection

Moti Gindi is the Corporate Vice President for Microsoft Defender Advanced Threat Protection (ATP). In his role, he manages an engineering team that is responsible for Microsoft's endpoint security, specifically Microsoft Defender ATP (recently recognized as a leader in Gartner's Magic Quadrant for EPP), and for building Microsoft Threat Protection, an orchestrated threat protection service across endpoints, identities, data, and applications.
