Part 1
The digital world has become a scary place, one in which few small- and medium-sized businesses (SMBs) feel they are adequately protected. Each day we see more news about breaches, threats, zero day attacks, adversarial groups, and a barrage of new technologies that claim to solve all of these problems.
My organization, InteliSecure, has led, deployed and managed more DLP (Data Loss Prevention) technologies, for longer, than anyone else in the world, and we are uniquely qualified to share our insights and help guide organizations down the path of protecting the most critical information within their organizations.
So when we recently launched the industry’s first survey designed to address the key areas of People, Process and Technology for data protection programs, our goal was to help organizations assess their current posture and offer ideas for solutions to the gaps they identify.
Our free survey is open to all senior information security and risk professionals, takes just 10-15 minutes, and walks you through several questions that score and benchmark your organization’s critical data protection best practices and posture against that of your peers.
What’s ‘critical’ about the Critical Data Protection benchmark survey is that it’s a living survey that over time will amass some of the most important year-to-year benchmark and scoring data for organizations seeking to advance their overall state of critical data protection.
Whether it is intellectual property, patents, licenses, customer or patient data, or salary and personal employment information, every organization, from SMBs to large enterprises, amasses a wealth of critical data that has to be protected.
The fundamental problem with the efficacy of new technologies designed to protect networks and assets is that they assume they are being built on top of a solid programmatic foundation, and many organizations simply do not have one.
The problem is not a lack of desire for businesses to protect themselves – quite the opposite, in fact. Organizations today are spending increasing portions of their budgets on security initiatives, often with lackluster results. The problem is that organizations have failed to define a narrow enough scope to marshal their resources effectively to protect what’s most important.
Not all information is created equal. Some information is more important to the profitable operation of a business than other information. This is not my opinion; it is an undeniable fact for every organization, and one of the few universal truths in the information security world.
Every organization generally has three distinct types of information:
- information that can be shared freely, often referred to as public information
- information that can be shared with certain audiences in specific ways, often referred to as sensitive information
- information that should remain confidential to the company and should not be shared, often referred to as secret or internal information
The first or second step in any effective information security program is defining these three categories and what information falls into each category. Why? Because doing so allows an organization to apply special controls to enforce the proper use and sharing of that information. Why is that important? The best analogy I can use is home security.
In your house, there are likely assets of average value, things like televisions, computers, and furniture. You would not be happy if people stole those things from you, but it would not be earth shattering if it were to happen. You could replace those items and life would go on with some minor inconvenience. You protect those items with things like locks on your doors and windows and some basic home protections.
You probably also own things that hold extraordinary monetary or sentimental value, or things that are difficult to replace. Many people have a fireproof safe for these items. Since space in the safe is often limited, and buying a larger safe would be expensive or impractical due to space constraints, most people become quite judicious about the types of items they deem in need of extra protection.
Your cybersecurity program should be exactly the same. You absolutely should deploy perimeter technologies like firewalls and Intrusion Detection and Intrusion Prevention systems (IDS/IPS), and basic endpoint protections like antivirus and whole disk encryption to apply broad protection to your digital enterprise.
However, much like your home, there are pieces of information that are worthy of an even higher level of protection. We call those critical information assets. Think of those assets as the items you would put in your fireproof safe. The larger your security budget, the larger that safe will be, but very few for-profit businesses can buy a safe large enough to fit all their assets, just like it would be impractical for the average homeowner to turn their entire home into a bank vault.
These critical information assets should become the focus of your more resource-intensive detection and response capabilities. Technologies like Data Loss Prevention and Security Information and Event Management systems would form the foundation that allows an organization to deploy next-level technologies to protect their assets within a defined scope that is justifiable from a cost/benefit analysis perspective.
This approach seems logical, but organizations that truly take it are in the minority. In order to understand this dynamic, we must first understand the threats we face and the alternatives we have.
The Threat Landscape and Your Three Options
You do not have enough budget to protect everything in your environment from all threats that could possibly target you. This is not my opinion, it is a statement of fact.
A recent presentation given to a group of security professionals by the Las Vegas Field Office of the United States Federal Bureau of Investigation (FBI) identified six groups, each with its own unique set of actors, capabilities, limitations, motivations, and tactics. They are:
- Hacktivists: Hacktivists use network exploitation to advance their political or social causes.
- Criminals: An individual or group who steals information and extorts victims for financial gain.
- Espionage: Nation-states who conduct operations to steal state secrets or other proprietary information from private companies.
- Insiders: Trusted personnel and employees who steal information for personal, financial or ideological reasons.
- Terrorism: Terrorist groups that target facilities such as water treatment plants that are the backbone of the country’s critical infrastructure.
- Warfare: Nation-states sabotaging military and critical infrastructure systems to gain advantages during conflicts.
The fact that you cannot protect everything and that there are so many different threats you may face leaves you with three, and only three, macro-level options for your security program.
First, you can do nothing except stick your head in the sand and hope you don’t become a victim. If you do, you can blame circumstances outside of your control or proclaim the Information Security battle hopeless. This used to be a quite popular strategy, but this approach is quickly waning as most consumers, investors, board members and executives recognize this is not an acceptable approach.
Second, you can decide which threats you will protect yourself from, building your risk treatment plan on the threat level. This is a popular strategy as many people will tell me, “We aren’t likely to be attacked by XYZ actor group.” Most people take this approach whether they do so consciously or not. The problem with this approach is that it assumes that you know all the possible threats out there, what motivates them, and that the information around the threats will never change. That is an unrealistic expectation because the threats do change, and often.
The FBI has expanded its list of threat actor groups from four to six since 2015. Symantec’s threat research team has been tracking a specific threat actor group they call Black Vine, which has changed the information it targets from aerospace to manufacturing to energy to healthcare, all since 2014. The research from Symantec suggests that the group moves on to a different industry once it has stolen the information it needs from the previous one.
The point is not to focus on a single threat actor group, but instead to show that groups are constantly changing and evolving. Trying to keep up with all the threat actor groups, their current targets, and current tactics would take as many personnel dedicated to that task alone as most Information Security teams have on staff. Given enough resources, this approach could be quite effective, but it is horribly inefficient.
Finally, you can fashion your programs to protect the most important pieces of information in your environment, therefore shrinking the attack surface you must protect and the scope of your programs. This is my recommended approach and is, in my opinion, the only way to be effective at Information Security in the private sector.
Part 2: The Concept of Focus
In Part 1 of this two-part series, I outlined the steps necessary to achieve effective information security through identification and prioritization of the key assets most important to the business.
The essence of focus is that when we decide to do something, we consciously decide not to do something else. The idea is that spreading our limited resources too thin results in our inability to be effective in any of our initiatives.
The bottom line: we must properly set scope and choose not to do some things. In information security, this means that there are risks we must accept in order to focus risk mitigation resources on the assets where the mitigation is likely to provide the greatest benefit to the business.
If you do not know which organizational assets fall into which category, you have essentially limited yourself to a single option. Realistically, you are not going to choose to do nothing because it’s not a very good option. Further, if you don’t know which assets are most critical to business operations, your only method of achieving focus is by picking the threats you want to protect against; this is limited naturally by the extent of your imagination and the amount of resources you can dedicate to threat research.
Therefore, the identification of critical information assets, and, by extension, the implementation of a good content analytics program to distinguish critical information from commodity information, is paramount.
So, Is Content Analytics the Panacea?
In short, absolutely not. Nothing is the panacea for all of Information Security. There is no silver bullet and there will never be an ‘easy’ button. This is a struggle between smart and adaptable human beings on both sides of the equation.
There is not now, and will never be, a technology that will make you impervious to a well-funded, skilled and adaptable attacker. Protecting yourself from such adversaries will always require a program.
Therefore, content analytics is not a universal solution in and of itself, but tracking behavior, both authorized and unauthorized, with respect to critical information assets, is the foundational element that increases efficacy of several other solutions.
I will discuss several solutions that are popular, or are likely to be popular in the near term, along with why content analytics helps to enable each of the following:
Rights Management
Many organizations would like to deploy Rights Management solutions, which allow them to exert control over information after it has left their environment. These controls could be removing the ability to copy and paste from a document or print it, removing the ability to forward an email, digital expiration, which can destroy a document after a specific time period, or digital shredding, which can destroy all copies of a document on demand.
The reason Rights Management is notoriously difficult to deploy, though, is that applying these protections to all information is very resource-intensive to the point where it is infeasible for many organizations. Effective content analytics programs allow organizations to only apply these controls to the information that needs them.
Encryption
Closely related to Rights Management, encryption is generally deployed on files to ensure that only the designated recipient is able to access the file. In order for this to be effective in its intent, a separate key must be generated for each file and each intended recipient, as re-using keys means that there is a possibility that an intended recipient for one file can decrypt not only that file, but also other files they should not be able to decrypt.
Therefore, key management can become a major burden and barrier to implementation. Reducing the number of files that are encrypted by using content analytics makes this key management process much more feasible.
Identity and Access Management (IAM)
IAM in this context is not the traditional two-factor authentication, but instead IAM with respect to information. This generally would need to be paired with an encryption strategy, but it allows certain controls to be placed on the conditional decryption of information.
For example, you could require two-factor authentication to open a document, or put geo-fencing in place so that information cannot be stolen from employees, or extracted from them by coercion, while they are traveling abroad. As with encryption and rights management, the key to successful implementation is limiting the scope to information that requires this level of protection.
Cloud Access Security Brokers
Two of the four pillars of CASB are Data Protection and Compliance. You cannot be compliant without an effective content analytics engine to definitively determine what information is in scope for a specific regulation and what information is not. Similarly, Data Protection as an initiative obviously requires effective content analytics as they are essentially one and the same.
User and Entity Behavioral Analytics
This is one of the few things on the list that could be effective without an effective content analytics capability, but it would make it very difficult to prioritize risky behaviors from a true business impact perspective. This means that the scope of the program would have to be much wider and much more resource-intensive. Effective content analytics can make UEBA far more efficient to implement.
Security Information and Event Management
SIEM systems are unique because they give you a window into your entire environment and also incorporate your security devices and your perimeter devices. While a SIEM should monitor your overall security apparatus, an effective content analytics program lets you prioritize the alerts it produces.
For a physical world example, if any motion sensors go off when there shouldn’t be any motion, you should investigate that. If the motion sensors right in front of the room that contains your crown jewels go off, that response should be much more swift and forceful. Effective security programs should be built exactly the same way.
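The prioritization described above, as an added illustration that is not part of the original article: SIEM events that touch a location a content analytics program has already tagged as a critical information asset are weighted ahead of otherwise identical events against commodity data. All paths, tags and log lines are constructed for the example.

```python
import fnmatch
import json

# Constructed sample: locations a content-analytics / DLP program has already
# tagged as critical information assets (the room holding the crown jewels).
CRITICAL_ASSETS = {
    "/shares/legal/patents/*": "intellectual-property",
    "/shares/hr/payroll/*": "salary-data",
    "db://ehr/patients": "patient-data",
}

# Constructed sample SIEM events in JSON-lines form, as a SIEM might normalise them.
SAMPLE_EVENTS = """
{"ts":"2024-05-01T02:14:00Z","rule":"after_hours_file_access","severity":3,"user":"bsmith","resource":"/shares/marketing/brochure.pdf"}
{"ts":"2024-05-01T02:15:10Z","rule":"after_hours_file_access","severity":3,"user":"bsmith","resource":"/shares/legal/patents/filing-2024.docx"}
{"ts":"2024-05-01T02:16:30Z","rule":"bulk_download","severity":5,"user":"jdoe","resource":"/shares/hr/payroll/q1.xlsx"}
{"ts":"2024-05-01T02:17:05Z","rule":"failed_login","severity":2,"user":"svc_backup","resource":"db://inventory/stock"}
"""

def critical_tag(resource):
    """Return the critical-asset tag for a resource, or None for commodity data."""
    for pattern, tag in CRITICAL_ASSETS.items():
        if fnmatch.fnmatch(resource, pattern):
            return tag
    return None

def prioritize(event_lines, critical_weight=3):
    """Parse JSON-lines events and rank them. An event touching a critical asset
    has its severity multiplied by critical_weight so it surfaces first; ties
    are broken by timestamp so the analyst sees the earliest event first."""
    ranked = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        tag = critical_tag(ev["resource"])
        ev["critical_asset"] = tag
        ev["priority"] = ev["severity"] * (critical_weight if tag else 1)
        ranked.append(ev)
    ranked.sort(key=lambda e: (-e["priority"], e["ts"]))
    return ranked

if __name__ == "__main__":
    for ev in prioritize(SAMPLE_EVENTS):
        print(ev["priority"], ev["rule"], ev["resource"], ev["critical_asset"])
```

The same after-hours access rule yields a priority of 9 against the patents share but only 3 against the marketing share, which is the "motion sensor in front of the crown jewels" distinction in code.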
Counter-Recon and Lures
In order for proactive security measures to be effective, they must mirror the actual information that bad guys want. In order to make the lure as effective as possible, you must first understand the information, where it’s stored, and how it behaves in your environment. To use an example from my childhood: some fish are hungry and they will bite a hook baited with only corn, whereas more fish will bite a lure that mimics the look and movement of a real fish.
It is my firm belief that content analytics is the bedrock for an effective business-centric security program.
As I have outlined, many of the capabilities that may be aspirational for your security program, or may be cutting edge, can be built on the foundation of an effective content analytics program. The good news is you can start now! You don’t have to wait.
There are phenomenal content analytics engines, in the form of Enterprise Data Loss Prevention solutions, available now that will be extensible to these emerging platforms and capabilities. It all starts with defining critical information assets and building accurate policies to detect them, accompanied by building in exclusions for authorized business processes. Doing so is hard work, but doing it effectively will lay the foundation for a more secure future for your organization.
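An added example, not from the article or any vendor's product, of the last point: a small policy engine that detects two critical information assets and carves out the authorized business processes that are allowed to move them. The policy names, patterns, domains, the "Project Falcon" codename and the sample messages are all constructed.

```python
import re

# Constructed sample DLP policy: detection patterns for two critical information
# assets, each with an exclusion for an authorized business process.
POLICIES = [
    {"name": "employee-salary-data",
     "patterns": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-like identifier
                  re.compile(r"\b(?:salary|payroll)\b", re.I)],
     "min_matches": 2,   # an identifier alone is not enough; needs salary context
     # the payroll system mailing the benefits provider is an authorized process
     "exclusions": [{"sender": "payroll@corp.example",
                     "recipient_domain": "benefits.example"}]},
    {"name": "project-falcon-ip",
     "patterns": [re.compile(r"\bProject Falcon\b")],
     "min_matches": 1,
     # staff mailing outside patent counsel is an authorized process
     "exclusions": [{"sender_domain": "corp.example",
                     "recipient_domain": "patentlaw.example"}]},
]

def _excluded(msg, excl):
    """True when every condition of one exclusion matches the message."""
    checks = {
        "sender": lambda v: msg["from"] == v,
        "sender_domain": lambda v: msg["from"].endswith("@" + v),
        "recipient_domain": lambda v: all(r.endswith("@" + v) for r in msg["to"]),
    }
    return all(checks[k](v) for k, v in excl.items())

def evaluate(msg):
    """Return [(policy, verdict)]: 'block' when a policy fires with no matching
    exclusion, 'allow-authorized' when an exclusion covers the transfer."""
    verdicts = []
    for pol in POLICIES:
        hits = sum(len(p.findall(msg["body"])) for p in pol["patterns"])
        if hits < pol["min_matches"]:
            continue
        authorized = any(_excluded(msg, e) for e in pol["exclusions"])
        verdicts.append((pol["name"], "allow-authorized" if authorized else "block"))
    return verdicts

# Constructed sample messages: same payload, authorized vs. unauthorized path.
PAYROLL_BODY = "Q1 payroll file attached. Employee 123-45-6789 salary adjusted."
AUTHORIZED = {"from": "payroll@corp.example", "to": ["intake@benefits.example"], "body": PAYROLL_BODY}
LEAK = {"from": "jdoe@corp.example", "to": ["jdoe@webmail.example"], "body": PAYROLL_BODY}
COUNSEL = {"from": "eng@corp.example", "to": ["ip@patentlaw.example"], "body": "Project Falcon claims draft."}
LUNCH = {"from": "jdoe@corp.example", "to": ["all@corp.example"], "body": "Lunch menu for Friday."}

if __name__ == "__main__":
    for m in (AUTHORIZED, LEAK, COUNSEL, LUNCH):
        print(m["from"], "->", m["to"], evaluate(m))
```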
About Jeremy Wittkop
Jeremy Wittkop is CTO at Denver-based InteliSecure, where he leads a team that investigates and ensures the integrity and functionality of every custom solution designed for clients. Jeremy focuses on evaluating potential new offerings for InteliSecure clients, developing solutions that address the new and ever-changing security risks to the enterprise.