January 13, 2018
How to Implement a Data-First Security Strategy
Today’s digital transformation — from mobile devices to embedded systems, hypervisors, social media applications and the proliferation of connected devices — has created a “borderless” network perimeter with multiple attack vectors. To adjust to this technology revolution, organizations need to ensure their most sensitive data and critical assets are secured.
People are inside and outside the network, accessing myriad applications across multiple clouds. While these dynamics have enhanced our ability to communicate, they have also introduced new means through which adversaries can penetrate our systems and siphon valuable information.
In order to protect ourselves from evolving IT changes and targeted attacks, we need to shift our focus from trying to secure everything, to protecting what matters most — securing sensitive data no matter where it is stored, used or transmitted.
Seven Critical Success Factors
1. Identify and Classify Sensitive Data
In order to execute on a data-first security strategy, you must first understand the relevance and sensitivity of your data, and then align your usage policies and business processes to the risk tolerance of your organization. It is important to gain an understanding of what data requires protection and the appropriate level of protection. Data classification helps by first discovering data, regardless of where it resides; it then facilitates determining appropriate categories, identifying various levels of sensitivity, and outlining policies and procedures that allow employees and others who come in contact with the organization’s data to operate within the framework of compliance.
2. Focus on What's Valuable
It is critical to focus your strategy and efforts on protecting the most valuable data types since most organizations have finite — if not dwindling — resources dedicated to security. For instance, almost every enterprise has a mix of personal data, financial data, and/or intellectual property that is important to their business. However, which of those would hurt the business more if it were compromised or stolen? Whatever the answer is, that should be the data you focus your security efforts on first.
3. Move Protection Closer to the Point of Risk
As the perimeter dissolves and more and more network traffic is encrypted, it is important to move your protection closer to the point of risk, either in the cloud or at the endpoint. Doing so gives you a clearer understanding of the sensitivity of the data and the most flexibility in protecting its use and movement where it is most at risk of compromise.
4. Don't Rely on Point-In-Time Detection Technologies
Most security tools today focus on visibility and blocking at the point of entry to protect systems. They scan files at an initial point in time to determine if they are malicious. But advanced attacks do not occur at a single point in time; they are ongoing and require continuous analysis. An attacker only needs to be right once — we need to be right every time.
By instrumenting endpoints with a proven agent that gathers a much richer set of information, we can bring much-needed context and understanding that previously wasn’t accessible. We can answer critical questions:
- When did the attack happen?
- How pervasive was its reach?
- What were the points of entry?
- What were the attackers after?
- Were their efforts successful?
Constant data surveillance provides constant vigilance, including proof that you have been — and continue to be — serious about data protection, and have never allowed a failure to go silent.
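The contrast between a point-in-time verdict and continuous analysis is easiest to see with retained telemetry. The following is an added example, not code from the article or from any product it describes: a file scans "clean" when it arrives, is flagged as malicious a day later, and the stored endpoint events are then walked to answer the five questions listed above. The event schema, host and user names, file paths, the placeholder hash `HASH_A` and the destination address are all constructed for illustration.

```python
"""Added example, not from the article: answering the five questions above
from retained endpoint telemetry after a file that scanned 'clean' at entry
is later flagged. The event schema, hosts, users, paths, the placeholder
hash 'HASH_A' and the destination address are all constructed."""


# Constructed telemetry such as an endpoint agent might retain. Timestamps
# are ISO-8601 strings, so they sort correctly as text.
EVENTS = [
    {"ts": "2018-01-08T09:02:11", "host": "ws-17", "user": "alice",
     "type": "file_write", "sha256": "HASH_A", "source": "email_attachment",
     "path": "C:/Users/alice/Downloads/invoice.xlsm"},
    {"ts": "2018-01-08T09:02:40", "host": "ws-17", "user": "alice",
     "type": "av_scan", "sha256": "HASH_A", "verdict": "clean"},
    {"ts": "2018-01-08T09:03:05", "host": "ws-17", "user": "alice",
     "type": "process_start", "sha256": "HASH_A", "parent": "excel.exe"},
    {"ts": "2018-01-08T09:10:22", "host": "ws-17", "user": "alice",
     "type": "file_read", "proc_sha256": "HASH_A",
     "path": "//fs01/finance/payroll_2017.xlsx", "classification": "restricted"},
    {"ts": "2018-01-09T14:30:00", "host": "ws-22", "user": "bob",
     "type": "file_write", "sha256": "HASH_A", "source": "smb_share",
     "path": "C:/Users/bob/Downloads/invoice.xlsm"},
    {"ts": "2018-01-09T14:31:10", "host": "ws-22", "user": "bob",
     "type": "process_start", "sha256": "HASH_A", "parent": "excel.exe"},
    {"ts": "2018-01-09T14:45:00", "host": "ws-22", "user": "bob",
     "type": "network_conn", "proc_sha256": "HASH_A",
     "dest": "203.0.113.10:443", "bytes_out": 5242880},
]


def point_in_time_verdict(events, file_hash):
    """What a scan-at-entry tool would have told you: the verdict recorded
    when the file first arrived, and nothing after that."""
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "av_scan" and e["sha256"] == file_hash:
            return e["verdict"]
    return None


def investigate(events, flagged_hash):
    """Continuous-analysis view: once flagged_hash is known bad, walk the
    retained telemetry and answer when / how far / where from / what for /
    did it work. Returns None if the hash never appears."""
    related = sorted(
        (e for e in events
         if flagged_hash in (e.get("sha256"), e.get("proc_sha256"))),
        key=lambda e: e["ts"])
    if not related:
        return None
    writes = [e for e in related if e["type"] == "file_write"]
    reads = [e for e in related if e["type"] == "file_read"
             and e.get("classification") == "restricted"]
    conns = [e for e in related if e["type"] == "network_conn"
             and e.get("bytes_out", 0) > 0]
    return {
        "first_seen": related[0]["ts"],                                   # when did it happen?
        "hosts": sorted({e["host"] for e in related}),                    # how pervasive?
        "entry_points": [(w["host"], w["source"]) for w in writes],       # points of entry
        "data_touched": sorted({r["path"] for r in reads}),               # what were they after?
        "outbound": [(c["host"], c["dest"], c["bytes_out"]) for c in conns],  # were they successful?
    }


if __name__ == "__main__":
    print("verdict at entry:", point_in_time_verdict(EVENTS, "HASH_A"))
    for key, value in investigate(EVENTS, "HASH_A").items():
        print(f"{key:>13}: {value}")
```

The point of the example is the data dependency, not the logic: `investigate` is trivial once the `file_write`, `process_start`, `file_read` and `network_conn` events have been kept and linked by hash, and impossible if the only record is the `av_scan` verdict.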
5. Avoid Data Loss Prevention Pitfalls
Data loss prevention (DLP) is a critical part of comprehensive data-centric security. However, traditional solutions lack visibility into user and system-level events. Context and visibility around sensitive data—and how users behave with that data—are essential when it comes to mitigating risk. It is therefore important to choose a DLP solution that incorporates both user and entity behavior analytics (UEBA) and endpoint detection and response (EDR) capabilities in order to effectively see, classify and protect all data from attacks, both from risky insiders and external adversaries.
Additionally, an effective DLP implementation requires active participation from the organization; it is not a “set it and forget it” platform. When enterprise DLP deployments stall or fail, it is usually because the business objectives, the success metrics for the investment, or both were never clearly defined. This often leads security teams to begin an enterprise DLP project by trying to tackle too many things at once, without first breaking the whole project into discrete, measurable steps, such as confirming which data should be prioritized for protection or determining typical use cases against which to evaluate solutions. Success depends on leadership acknowledging that data protection is an ongoing journey, best achieved by tackling one use case at a time and building on your initial success.
Once these fundamental questions are understood, organizations can develop a plan for implementation that answers the next simplest question: “What is our process when a violation to policy or data misuse/abuse occurs?” If you can’t answer that question, the program has a higher risk of failing. Having an adequate process defined to deal with violations is a must-have to achieve success.
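Points 1 and 5 both come down to the same mechanics: discover sensitive data wherever it sits, assign it a level, and have a defined action when a transfer violates policy. The following is an added example, not code from the article or from any DLP product: a small classifier with a Luhn check so that ordinary digit runs are not mistaken for card numbers, and a handling policy applied to constructed outbound transfers. The detector patterns, the three-tier level scheme, the policy rules, the sample transfers and the escalation owner are all assumptions made for illustration.

```python
"""Added example, not from the article: discover sensitive data in text,
assign a sensitivity level, and apply a handling policy to an outbound
transfer. The detectors, the three-tier level scheme, the policy rules and
the sample transfers are all constructed assumptions for illustration."""
import re
from dataclasses import dataclass

# Assumed sensitivity tiers, ranked so the highest hit decides the level.
LEVEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string. A run of 13-16 digits is only
    treated as a card number if this holds, which filters out order numbers,
    timestamps and similar look-alikes (a common DLP false-positive source)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Detectors: name, level, pattern, optional validator over the digits only.
# Patterns are deliberately simple; a real classifier would carry many more.
DETECTORS = (
    ("ssn", "restricted", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("card_number", "restricted",
     re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), luhn_ok),
    ("email", "confidential",
     re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
)


def classify(text: str) -> dict:
    """Return {'findings': {category: count}, 'level': highest level found}.
    Text with no detections defaults to 'internal' (assumption: undiscovered
    data is not treated as public)."""
    findings = {}
    level = "internal"
    for name, lvl, pattern, validator in DETECTORS:
        hits = [m.group(0) for m in pattern.finditer(text)]
        if validator is not None:
            hits = [h for h in hits if validator(re.sub(r"\D", "", h))]
        if hits:
            findings[name] = len(hits)
            if LEVEL_RANK[lvl] > LEVEL_RANK[level]:
                level = lvl
    return {"findings": findings, "level": level}


@dataclass
class Transfer:
    user: str
    destination: str   # "internal" or "external"
    encrypted: bool
    content: str


def decide(t: Transfer) -> dict:
    """Assumed policy: restricted data is blocked from leaving; confidential
    data may leave only encrypted, otherwise it is alerted on; internal
    destinations are allowed but the findings are still recorded. Any block
    or alert names the owner of the violation process (assumed team name)."""
    c = classify(t.content)
    if t.destination == "internal":
        action = "allow"
    elif c["level"] == "restricted":
        action = "block"
    elif c["level"] == "confidential":
        action = "allow" if t.encrypted else "alert"
    else:
        action = "allow"
    result = {"user": t.user, "action": action, **c}
    if action != "allow":
        result["escalate_to"] = "data-protection-team"   # assumed owner
    return result


# Constructed sample transfers covering each branch of the policy.
SAMPLE_TRANSFERS = [
    Transfer("alice", "external", False, "Customer SSN 123-45-6789 attached"),
    Transfer("bob", "external", True, "Contact: bob.smith@example.com re quarterly plan"),
    Transfer("carol", "external", False, "order ref 1234567890123456 shipped"),
    Transfer("dave", "internal", False, "card 4111 1111 1111 1111 for refund"),
]

if __name__ == "__main__":
    for transfer in SAMPLE_TRANSFERS:
        print(decide(transfer))
```

Carol's order reference is sixteen digits but fails the Luhn check, so it produces no finding and the transfer is allowed; without the validator it would have been blocked as a card number, which is exactly the kind of noise that makes teams abandon a DLP rollout.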
6. Expand Beyond Compliance
Regulations such as the GDPR and New York Cybersecurity Requirements represent efforts to ensure that organizations are taking the right steps to protect sensitive data. They mandate knowledge of where personal data is stored and how it is used through business processes. Data-centric security solutions are poised to help with both requirements; however, compliance shouldn’t be the ultimate goal. Enterprises are increasingly expanding objectives beyond regulatory compliance towards comprehensive data protection from any threat. For years, we have said, “compliance is a byproduct of security,” but compliance happens through user awareness and applying effective controls. Becoming compliant and secure simultaneously requires implementing flexible and measurable controls that can demonstrate an ability to support your stated business objectives.
7. Understand the Threats Targeting Data
The tools that support these processes must understand the threats targeting data. Many DLP solutions focus purely on the insider and lack knowledge of the external threats that place data at risk. It is important to remember that the adversary’s objective is to gain access and operate with the same privileges as the insider. Threat intelligence and an understanding of attack vectors are paramount to the protection of data. Many security products claim to protect data, but they lack awareness of the content and sensitivity of the information: they focus on protecting the device, not the information being processed by the device. Effective data protection requires organizations to understand and identify the root of an attack as fast as possible, to prevent it from evolving into a real problem.
Putting the Pieces Together
The best way to streamline data protection is to do the basics well. Identify where sensitive data resides, set policies for handling it, implement appropriate technical controls, and educate users about current threats to the data they work with, and best practices for keeping it safe. By effectively classifying data, focusing on what’s valuable, choosing solutions that provide deep visibility into data, systems and user events and moving protection closer to the point of risk, your organization can ensure greater control over sensitive data at all times.