

Take Off The Data Security Blinders

You can't protect what you can't see. Use these tools to learn how and where your data is at risk

I used to be embarrassed when I would recommend that people buy some sort of new, shiny security tool. I mean, it isn’t like they hadn’t already spent a ton of money on all sorts of existing stuff, and here I was coming off like a vendor’s analyst lapdog telling them to spend even more.

My presentations on data security even used to include all sorts of “alternative options” using existing or free tools instead of things like data loss prevention (DLP) or database activity monitoring (DAM). And like “alternative medicine,” they offered no more value than the placebo effect.

Then I realized that just as we need network tools for network security, and endpoint tools for endpoint security, we need data-focused tools for data security. And nearly no organizations I worked with had even the most basic capability to assess and protect their information assets.

Which begged the question: What do we really need? Which tools provide value, which are a waste of time, and what’s the right way to use them? Despite my East Coast Jewish roots, tackling these problems was far more fulfilling than wallowing in guilt.

To really succeed with data security, we need a foundation of monitoring tools. If you don’t know who is using your data and how, then no amount of encryption, DRM, or filtering will ever really help. Here are the two main foundational tools that provide the most insight, and one additional tool that’s promising, but very new.

We start with DLP, and in this case I’ll stick with talking about the full DLP suites vs. the DLP-lite tools that offer a subset of functionality. DLP is the first tool that allows us to define what kind of content we are looking for and then find out where it’s stored, where it’s moving around our network, and which endpoints it ends up on (and how it’s being used).

DLP is a heck of a lot more than simple keyword matching -- modern tools can look for customer records pulled from your database, sensitive documents loaded into the system for protection (even individual paragraphs of those documents), or common categories like PII or healthcare data. It will dig down through multiple layers of file formats rather than simply looking for plain text.

There are three primary places you’ll use DLP to find and monitor your data. Using content discovery features, you can scan your storage repositories to see where all this sensitive stuff ends up -- locations like file shares, document management systems, and even some databases. And believe me, everyone finds stuff where it isn’t supposed to be.

You also use DLP to monitor sensitive information moving in and out of your network: email, Web, and even inside SSL connections or other protocols (if your product supports it). DLP is pretty weak at monitoring internal networks, but at least you can get a good handle on the stuff moving in and out. You can also use its endpoint agents to see who has this information stored locally, is moving it onto portable storage, or even printing/faxing.

No other tool provides this level of visibility on how your organization uses information. Is it perfect? Not by a long shot. Will it miss things? Certainly. But even opening one eye is a lot better than flying blind.

The next major tool is DAM. DLP does a great job monitoring data users handle in productivity applications (email, Office, etc.), but it can’t keep up with databases. DAM is a database- and application-specific tool designed to give you incredible insight as to how your databases are being used. It watches all SQL connections, sometimes in both directions, and can track anything and everything.

Want to know which admin is peeking at data instead of simple system maintenance? You’re covered. Want to know which application user is accessing what data inside a connection pooled query? DAM can do that. Want an alert when a credit-card number shows up in a query that it isn’t supposed to be in? Some of the tools handle that as well. In short, you get deep insight into how users and applications directly interact with your database data -- and in ways well beyond what logging normally provides.
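To make the two DAM checks above concrete, here is an added example (not from the column or any DAM product) run over a constructed set of captured statements: a privileged account issuing plain data queries instead of maintenance, and a Luhn-validated card number showing up inside a statement. The account names, queries and the "dba_jane" privileged set are assumptions.

```python
import re

# Matches 13-19 digit runs with optional space/dash separators (candidate card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}   # anything else (DDL, grants) counts as maintenance

# Constructed sample of DAM-captured statements (db_user, sql); not real traffic.
SAMPLE_EVENTS = [
    ("app_svc",  "SELECT id, last4 FROM cards WHERE customer_id = 42"),
    ("dba_jane", "ALTER INDEX ix_cards_customer REBUILD"),
    ("dba_jane", "SELECT pan, expiry FROM cards WHERE customer_id = 42"),
    ("app_svc",  "UPDATE notes SET body = 'call back re 4111 1111 1111 1111' WHERE id = 7"),
    ("app_svc",  "INSERT INTO notes(body) VALUES ('ticket 1234567890123456')"),
]

def luhn_ok(digits):
    """Luhn checksum: weeds out ticket numbers and IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(sql):
    """Return Luhn-valid card numbers (digits only) appearing anywhere in a statement."""
    found = []
    for m in CARD_RE.findall(sql):
        digits = re.sub(r"\D", "", m)
        if luhn_ok(digits):
            found.append(digits)
    return found

def statement_kind(sql):
    return sql.lstrip().split(None, 1)[0].upper()

def inspect_event(user, sql, privileged):
    """Alerts for one captured statement; privileged accounts are expected to do maintenance only."""
    kind, alerts = statement_kind(sql), []
    if user in privileged and kind in DML:
        alerts.append(f"{user} issued {kind} against data; expected maintenance only")
    for pan in find_card_numbers(sql):
        alerts.append(f"card number ending {pan[-4:]} inside {kind} statement")
    return alerts

def inspect_events(events, privileged=frozenset({"dba_jane"})):
    return [(user, a) for user, sql in events for a in inspect_event(user, sql, privileged)]
```

Only the last four digits of a matched number are carried into the alert, so the monitoring output itself does not become another place the card data is stored.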

And then there are our files. While it’s still a fairly new tool, file activity monitoring (FAM) does for files what DAM does for databases. Instead of looking for specific content like DLP, FAM looks at all file access, ties it to user accounts, and can pick up all sorts of interesting patterns. Want to identify a file owner? Combine who is accessing a file the most with user and group knowledge, and you can probably figure it out. Want to know when a stale user account that hasn’t been used in 180 days suddenly downloads an entire directory of customer information? There’s an alert for that. Users downloading a higher volume of files than usual? You betcha.
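An added example, not from the column or any FAM product, of the three patterns above over a constructed file-access log: owner inference from access frequency, a dormant account (180 days) that reactivates and bulk-reads a directory, and a user whose daily read volume jumps well above their own baseline. The user names, paths and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample of FAM-style events (timestamp, user, path, action); not real logs.
LOG = [
    ("2020-01-10T09:00", "alice", "/finance/q1.xlsx", "read"),
    ("2020-01-10T09:30", "alice", "/finance/q1.xlsx", "write"),
    ("2020-01-11T10:00", "bob",   "/finance/q1.xlsx", "read"),
    ("2020-01-12T11:00", "alice", "/finance/q1.xlsx", "read"),
    ("2020-01-12T11:05", "carol", "/hr/roster.csv",   "read"),
    ("2020-02-05T09:00", "bob",   "/finance/q1.xlsx", "read"),
    ("2020-02-05T09:01", "bob",   "/finance/q2.xlsx", "read"),
    ("2020-02-05T09:02", "bob",   "/finance/q3.xlsx", "read"),
    ("2020-02-05T09:03", "bob",   "/finance/q4.xlsx", "read"),
    ("2020-07-20T02:00", "carol", "/customers/a.csv", "read"),
    ("2020-07-20T02:01", "carol", "/customers/b.csv", "read"),
    ("2020-07-20T02:02", "carol", "/customers/c.csv", "read"),
]
EVENTS = sorted((datetime.fromisoformat(t), u, p, a) for t, u, p, a in LOG)

def infer_owner(path, events=EVENTS):
    """Guess a file's owner: the account that touches it most often."""
    users = Counter(u for _, u, p, _ in events if p == path)
    return users.most_common(1)[0][0] if users else None

def dormant_bulk_reads(events=EVENTS, dormant_days=180, min_files=3, window=timedelta(hours=24)):
    """Accounts idle for >= dormant_days that then read min_files distinct files within window."""
    alerts, last_seen, burst = [], {}, {}
    for ts, user, path, action in events:
        prev, last_seen[user] = last_seen.get(user), ts
        if prev and ts - prev >= timedelta(days=dormant_days):
            burst[user] = (ts, set())                 # account just woke up: start a burst
        if user in burst and action == "read" and ts - burst[user][0] <= window:
            burst[user][1].add(path)
            if len(burst[user][1]) == min_files:      # fire once per burst
                alerts.append((user, ts.date().isoformat(), sorted(burst[user][1])))
    return alerts

def volume_spikes(events=EVENTS, factor=3.0):
    """Days on which a user read more than factor x their prior average daily read count."""
    per_day = defaultdict(Counter)                    # user -> {date: reads}
    for ts, user, _, action in events:
        if action == "read":
            per_day[user][ts.date()] += 1
    alerts = []
    for user, days in per_day.items():
        for day in sorted(days):
            history = [n for d, n in days.items() if d < day]
            if history and days[day] > factor * sum(history) / len(history):
                alerts.append((user, day.isoformat(), days[day]))
    return alerts
```

Note that carol's three reads do not trip the volume check (3 is not more than 3x her baseline of 1); it is the dormancy check that catches her, which is why the two patterns are worth running side by side.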

These three tools provide visibility and situational awareness on your information and data you simply can’t achieve with anything else. I’d argue it’s impossible to really protect data if you don’t know where it is or how people are using it.

Again, these tools aren’t perfect, and they won’t solve every problem, but we have to start somewhere.

Rich Mogull is founder of Securosis LLC and a former security industry analyst for Gartner Inc. Rich has twenty years experience in information security, physical security, and risk management. He specializes in cloud security, data security, application security, emerging security technologies, and security management. He is also the principal course designer of the ...

