Modern security tools are growing increasingly capable, scanning millions of devices and gathering intelligence on billions of events each day. While the idea is to piece together more information for threat intelligence, it also raises the question of how all that data is secured.
"There's so much more data today, more than there has ever been," says Rebecca Herold, founder and CEO of The Privacy Professor consultancy. "And organizations never delete it, so they're always adding more, with more devices and more applications."
Further, she adds, there are several more locations where information is collected, stored, and accessed. Many companies lack control over employee-owned devices, which may be used to access key data.
Malicious insiders are a real and growing threat to companies, especially those who hold vast amounts of sensitive data. Twitter and Trend Micro are two examples on a long – and growing – list of organizations whose insiders have abused legitimate access to enterprise systems and information.
With sensitive data streaming in, it is imperative that security companies reconsider how they store it and who can reach it.
For many businesses, this demands a closer look at the IT department, which Herold says is often given too much access to data, even in the largest firms. IT pros who develop and test new applications are often given full access to production data for testing.
"This is a huge risk in a couple of big ways," she notes. When you give developers and coders access to production data, you're letting them see some pretty sensitive information and bring it into potentially risky situations. "Oftentimes, what is being done with those applications could leak the data, depending on what the system or app they're building does," Herold says.
Inappropriately sharing data with unauthorized entities creates a vulnerability, but that isn't the only consequence. It also violates a growing number of data protection laws and regulations that say companies can only use personal data for the purposes for which it's collected. Using data to test new applications and updates generally isn't one of these purposes, she adds.
Herold also points out how it's "still a pretty common practice," especially among IT and development teams, to share a single user ID and password for each system. They can use these credentials to log in, make changes, tweak data, or remove it. The problem is, if something happens to the data, there is no way to know who was behind malicious activity.
"When you have multiple people using the same user ID, you completely remove the accountability for those using that ID," she explains. Without a clear tie between a person and specific user ID, it's hard to ascertain whether someone used that ID to steal key information. Failing to implement controls could make it easier for an insider to get away with data theft.
Those who can access sensitive data should have their access monitored, says Herold, and using individual IDs can help keep track of employees obtaining certain types of data or sharing it outside the organization. Data backups are one area that insiders will take advantage of, but one that organizations don't often consider when they're thinking about which data to protect.
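The accountability problem Herold describes shows up in logs: one user ID with sessions open at the same time from different hosts is a sign the credential is shared. The following is an added example, not code from the article or from any of the organizations quoted; it walks constructed authentication log lines (the timestamp, user, src and event fields are assumed) and reports IDs with overlapping sessions from different source hosts.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines (not from the article); field names are assumed.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z user=dbadmin src=10.0.1.15 event=login
2024-03-04T09:02:40Z user=dbadmin src=10.0.1.22 event=login
2024-03-04T09:05:03Z user=jsmith src=10.0.2.7 event=login
2024-03-04T09:30:00Z user=dbadmin src=10.0.1.15 event=logout
2024-03-04T10:10:00Z user=jsmith src=10.0.2.7 event=logout
2024-03-04T11:00:00Z user=dbadmin src=10.0.1.22 event=logout
2024-03-04T13:00:00Z user=jsmith src=10.0.2.9 event=login
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, user, src, event)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["src"], kv["event"]


def find_shared_accounts(log_text):
    """Return {user: [(host_a, host_b), ...]} for user IDs that had a session
    open on one host while a new session was opened from another host."""
    open_sessions = defaultdict(dict)   # user -> {src host: login time}
    shared = defaultdict(set)
    for line in log_text.splitlines():
        ts, user, src, event = parse_line(line)
        if event == "login":
            # Any session still open from a different host means two people
            # (or two machines) are using this ID at once.
            for other in open_sessions[user]:
                if other != src:
                    shared[user].add(tuple(sorted((other, src))))
            open_sessions[user][src] = ts
        elif event == "logout":
            open_sessions[user].pop(src, None)
    return {u: sorted(pairs) for u, pairs in shared.items()}


if __name__ == "__main__":
    for user, pairs in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: concurrent sessions from {pairs}")
```

A sequential login from a second host after a logout (jsmith above) is not flagged; only true overlap is reported, which keeps the check useful for a first pass before assigning individual IDs.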
"I've seen so many organizations who have strong controls on their data that they use for production, for their daily work activities, but then their backups are pretty much left wide open," Herold says. Access to backup data often isn't strictly prohibited to employees, granting access to many people who could obtain corporate secrets or personal information.
Separation of Duties & Access
Having looked at some ways organizations could put data at risk, it bears mentioning there are steps they can take to protect it.
Tim Junio is CEO at Expanse, an organization that collects a great deal of data. To enable customers to identify unknown assets and potentially malicious traffic, Expanse "maintains a historical record of all assets connected to the Internet, who owns them, and communications between them."
To protect that data, Junio says, engineering and data science employees with access to back-end systems are required to sign an agreement, separate from their employee contracts, which states they won't use the data outside certain applications.
"The number of people in the company who could get access to the data is a relatively small number," he says. Systems are also segmented so people who don't need certain data don't have access to it. For example, employees in the marketing department can't reach back-end systems. In addition, there are logging mechanisms in place to prove whether anything bad has happened, view conditions that shouldn't have arisen, and reconstruct historical activity.
Last is audit, says Junio, to ensure systems are behaving as expected. The security manager does his own compliance and audit checks; however, third-party pentesting and security checks are also in place.
Herold advises maintaining separation of duties to ensure people who have access to sensitive data are different from the people approving that access. "You don't want people to approve their own access to mission-critical data or large repositories of personal data," she adds.
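The separation-of-duties rule Herold gives can be audited against an access-grant register. The following is an added example, not code from the article or from any organization it quotes; it runs over constructed grant records (the record fields are assumed) and flags grants that were self-approved, approved by someone who already holds access to the same dataset, or recorded with no approver at all.

```python
from collections import defaultdict

# Constructed access-grant records (not from the article): who holds access to
# which dataset and who approved that access. Field names are assumed.
GRANTS = [
    {"user": "alice", "dataset": "customer_pii", "approved_by": "cso"},
    {"user": "bob",   "dataset": "customer_pii", "approved_by": "bob"},    # self-approval
    {"user": "carol", "dataset": "customer_pii", "approved_by": "alice"},  # approver holds the same data
    {"user": "dave",  "dataset": "build_logs",   "approved_by": "alice"},  # fine: alice has no build_logs access
    {"user": "erin",  "dataset": "backups",      "approved_by": None},     # no approval recorded
]


def audit_separation_of_duties(grants):
    """Return (user, dataset, reason) for every grant that breaks the rule that
    the people approving access differ from the people who hold it."""
    holders = defaultdict(set)
    for g in grants:
        holders[g["dataset"]].add(g["user"])

    findings = []
    for g in grants:
        user, ds, approver = g["user"], g["dataset"], g["approved_by"]
        if approver is None:
            findings.append((user, ds, "no approver recorded"))
        elif approver == user:
            findings.append((user, ds, "self-approved"))
        elif approver in holders[ds]:
            findings.append((user, ds, f"approver {approver} also holds access"))
    return findings


if __name__ == "__main__":
    for user, ds, reason in audit_separation_of_duties(GRANTS):
        print(f"{ds}: grant to {user} -> {reason}")
```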
Onboarding and offboarding controls are also essential to ensuring sensitive data stays where it belongs. Herold has worked with "probably well over 100" organizations that have had employees in IT and throughout the organization take data from the company when they quit or were fired. "That's a huge vulnerability that needs to be addressed," she notes.
For physical security, she suggests the addition of a "clean room," which is a space in the organization that employees use without their computers or smartphones. They enter the room, access the systems and data they need, do their work, and leave. "The only way they could take data outside of that clean room is with their human memories," she notes, adding it's an effective way to prevent employees from taking information outside the business.
Learning Lessons from Financial Services
Security companies are starting to face new laws and regulations that will dictate how data collected by security tools should be protected.
The financial services industry, which is also responsible for vast amounts of sensitive data, has long been tightly regulated. It's worth considering what the security industry might learn from an industry that uses organizational controls and peer-to-peer collaboration to protect data.
"Financial institutions depend on public trust in the financial system, just as cybersecurity firms depend on their customers' trust in their responsible data management," says FS-ISAC CEO Steve Silberstein. The financial services industry has evolved "trust-building" mechanisms, he says, citing as an example FS-ISAC's Traffic Light Protocol, which lets members share intel in a trusted network without the fear of that information being leaked or used against them.
Because the industry has always been heavily regulated, individual financial firms have invested in personnel, infrastructure, services, and protocols to protect customers and themselves. Beyond this, Silberstein says, they are connected to each other and, increasingly, other sectors.
The Financial Data Exchange (FDX) is another example of how the industry has collaborated on data protection, he adds. The nonprofit was created to enable the secure exchange of financial data and address challenges in the way it's shared. Likewise, FS-ISAC subsidiary Sheltered Harbor was created to protect firms if an event such as a cyberattack causes systems to fail.
As in security, financial services organizations are implementing new technologies including cloud computing, machine learning, and artificial intelligence, all of which have "profound implications" for data protection. The same principles of sound data governance must apply.
"While these new technologies provide potentially game-changing business opportunities, they also bring new risks that institutions must manage if they are to maintain the trust of their customers, because these same new technologies are also supporting the criminals," says Silberstein. Building a strong peer-to-peer network and sharing intel are key to mitigating those risks.