Know your enemy, but know yourself too
Know your Enemy

By Stuart Clarke, Director of Cybersecurity & Investigation, Nuix

Information security experts and practitioners are united in the belief that we cannot prevent data breaches by building bigger walls around our networks.

As Gartner’s bluntly titled report, Malware Is Already Inside Your Organization; Deal With It argues “organisations must assume they are compromised, and, therefore, invest in detective capabilities that provide continuous monitoring for patterns and behaviours indicative of malicious intent.”

In a recent survey of corporate information security practitioners, published by Nuix and conducted by Ari Kaplan Advisors, a senior security official said, “That paradigm of relying solely on the perimeter is long gone; it is part of a security architecture, but it doesn’t even begin to be a dependable approach to security.” Another explained that “[Data breach] prevention is an unobtainable goal in the current environment so our focus is a very fast pathway to remediation because we know we cannot eliminate all compromises.”

Look inwards for greater insight

So, if the current approach to data protection isn’t working, what is the answer? Perhaps the answer lies in looking inwards at information management practices and policies as much as you focus on external threats.

Organisations must tackle data security on all fronts. On one level, this is a vastly complex undertaking that requires cross-border law enforcement and governmental collaboration and the development of more robust international standards. From a corporate perspective, it involves using better technology and more advanced security but also continuously advancing information security—not just ticking a box once you have implemented a perimeter defence system.

In this new paradigm, the main priority of information security is reducing the delay between when breaches occur and when you detect and deal with them. This requires rapid, thorough and effective post-breach investigation and remediation.

Fast detection and remediation of breaches

In any breach situation the clock is ticking: data has gone missing, costs are building up, and there is an increasing risk that someone else could exploit the same vulnerability. There is also the risk that the attacker could introduce backdoors into your network, expand the compromise and cover their tracks.

Take the Home Depot breach in the US last year. Analysts believe the breach was exploited over a five-month period, during which over 50 million customers’ payment cards were affected. Following a wave of fraudulent transactions on customer cards, some customers have filed class-action lawsuits against the home improvement retailer, one to the tune of US$500 million. US retailer Target recently settled a class action suit brought by its customers after a data breach for a relatively modest $10 million.

Closer to home, the daily deals website Catch of the Day took until July 2014 to disclose to the public that it had been the victim of a data breach in 2011. The company reasoned that it “informed police, banks and credit card companies” at the time and that it was only disclosing the breach to its customers three years later because advances in technology meant hashed customer passwords could now be compromised. A more cynical interpretation is that the website did not discover the breach until much later, which could explain why the Australian Federal Police had no record of receiving a complaint from Catch of the Day in 2011.

Where is your data?

One reason organisations take so long to detect and remediate breaches is that they are unsure where their high-risk data resides. After a breach, there is no way of knowing which systems the data was stolen from, so they must examine all of their data stores. This takes a long time.

An alternative approach is to gather data from a random sample of devices, but that risks missing the compromised systems. To make it even harder, typically 80% of an organisation’s data is unstructured, human-generated information, including email and the contents of file shares. It often lives in proprietary formats such as email databases and archives that are difficult to search and understand.

Knowing this, information security specialists must become ‘good shepherds’ of their data to reduce the costs and extent of cybersecurity breaches. Data shepherds know where their flock are, separate them into different paddocks, make sure the fences are sound, and regularly check on the health of their sheep.

This has many benefits. Even if a wolf manages to get into one of the fields, most of the flock will be safe. And the shepherd will instantly know the scale of the incident. The good shepherd methodology also helps organisations comply with regulations around data retention, privacy, freedom of information and information security.

Here are the four most important steps in becoming a good shepherd of your information:

Delete low-value data

Organisations store large volumes of electronic data that has no business value because it’s duplicated, trivial, no longer used or past its retention period. It may contain unknown business risks or confidential information. While most organisations have strict compliance rules around how long they must retain data, once the retention period is over, the risks and costs of keeping that data greatly outweigh any residual value. Deleting this low-value data, according to predefined and legally sanctioned rules, reduces risks and also minimises the volume of data that could be compromised. This, in turn, reduces the scope of a post-breach investigation.

Fence in valuable data

Records managers and end users alike struggle to find the time to file important documents correctly. As a result, many organisations have intellectual property and company records stored inappropriately in file shares or email attachments. Information governance technology can locate these records ‘in the wild’ and move them to controlled repositories with appropriate security, access controls and retention rules. This makes it much harder for anyone to gain unauthorised access. It has the added benefit of making them easier to find and gain use or value from.

Enforce data security

Personal, financial and health details of employees and customers must be kept in the strictest confidence. But even when organisations set up controlled repositories for this information, it regularly escapes, whether through poor policies or employees not following the rules. By conducting regular sweeps of email, file shares and other unprotected systems, organisations can quickly locate and remediate unprotected private data. They can then ensure they protect this high-risk data with appropriate encryption and access controls.

Maintain appropriate access controls

Organisations should apply policies to restrict access to important data only to staff members who need it to do their jobs. It is also essential to regularly audit access controls on important systems as staff members come and go and their information access needs change with their job roles. Regular sweeps of employees’ security profiles help ensure the policy theory matches reality.
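The first and third steps above (deleting low-value data and sweeping file shares for unprotected private data) are the ones most easily turned into a repeatable check. The following Python script is an added example, not code from the article or from Nuix: it walks a file share, groups files by SHA-256 to find duplicates, flags files whose age exceeds a retention period, and flags files that contain what looks like a payment card number (a 13 to 16 digit run that passes the Luhn check). The retention policy, folder names and sample files are all constructed here for illustration; the script creates them in a temporary directory so it runs offline.

```python
"""Added example: a small 'data shepherd' sweep over a file share.
Finds (1) duplicate files, (2) files past their retention period and
(3) files holding unprotected card numbers. Policy, paths and sample
files are constructed for this example, not taken from any real system."""
import hashlib
import os
import re
import tempfile
import time
from collections import defaultdict

# Hypothetical retention policy, keyed by top-level folder of the share.
RETENTION_DAYS = {"invoices": 7 * 365, "scratch": 30}

# 13 to 16 digits, each optionally followed by a space or hyphen.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings in text that have card length and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def sweep(root: str, now=None) -> dict:
    """Walk the share and build the three findings lists."""
    now = time.time() if now is None else now
    by_hash = defaultdict(list)
    expired, exposed = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            by_hash[hashlib.sha256(data).hexdigest()].append(rel)
            limit = RETENTION_DAYS.get(rel.split("/")[0])
            age_days = (now - os.path.getmtime(path)) / 86400
            if limit is not None and age_days > limit:
                expired.append(rel)
            cards = find_card_numbers(data.decode("utf-8", errors="ignore"))
            if cards:
                # Report only the last four digits: the sweep must not
                # copy the very secret it is trying to contain.
                exposed.append((rel, [c[-4:] for c in cards]))
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return {"duplicates": duplicates, "expired": sorted(expired), "exposed": sorted(exposed)}


def build_sample_share() -> str:
    """Create a constructed file share in a temp dir; returns its root."""
    root = tempfile.mkdtemp(prefix="share_")
    day = 86400
    samples = {  # relative path: (contents, age in seconds)
        "invoices/2009-q1.csv": ("id,amount\n1,100\n", 8 * 365 * day),   # past 7-year retention
        "invoices/2015-q1.csv": ("id,amount\n2,250\n", 30 * day),
        "scratch/export-copy.csv": ("id,amount\n2,250\n", 5 * day),      # byte-identical duplicate
        "scratch/old-notes.txt": ("meeting notes\n", 90 * day),          # past 30-day retention
        "hr/onboarding.txt": ("corporate card 4111 1111 1111 1111 for travel\n", 2 * day),
        "hr/ticket.txt": ("ref 1234-5678-1234-5678 is a case id, not a card\n", 2 * day),
    }
    now = time.time()
    for rel, (text, age) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.utime(path, (now - age, now - age))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for kind, items in sweep(share).items():
        print(kind, items)
```

On the constructed share the sweep reports one duplicate pair, two files past retention and one exposed card number, while the ticket reference in `hr/ticket.txt` is correctly ignored because it fails the Luhn check. In a real deployment the duplicate and expired lists feed the deletion rules the article describes, and the exposed list is the queue for moving records into a controlled repository; the report deliberately carries only the last four digits of anything it finds.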

Everyone can be a good shepherd

While people can be a big part of the problem, it’s important to remember they also play a large part in the solution. Businesses should train their staff to become good shepherds. The buck doesn’t stop with information security experts; everyone must be part of the strategy. Employees should be educated on the importance of following security processes and storing documents correctly – with the motivation that when they do these things the right way, it can make their jobs a lot easier.

These four steps have a huge effect on how quickly and effectively organisations can respond to data breaches – internal or external, deliberate or accidental – which in turn has a big impact on how much they cost. It also gives organisations a clearer understanding of what data is worth so they can concentrate on protecting high-value data and more easily calculate the return on their security investments.