Do Not Accept the Myth that Cyber Thieves are Always One Step Ahead

Millions of pieces of data were stolen this year by cyber-criminals who were able to bypass the sophisticated security systems of some of the world’s largest companies. We’ve all seen the headlines and read the findings from research and analyst firms like Protiviti, whose 2014 IT Security and Privacy Survey found that organizations are not confident they can prevent data breaches.

Those findings are not surprising considering that, as attacks have grown more sophisticated and difficult to detect and prevent, the security policies and systems organizations deployed have not evolved correspondingly. Despite the growing number of high profile breaches, too much information security spending still focuses on the prevention of attacks, while not enough has gone to creating or improving information monitoring and response capabilities. The priorities must shift from protecting information from the outside-in to an approach I call ‘information-centric security’.

The typical approach is to harden the perimeter and monitor the endpoints with tools like endpoint security software, firewalls, and antispam solutions, and monitor for attacks – and if/when an attack is (finally) detected, react to it by creating a patch before too much damage is done. In the most sophisticated environments it is readily accepted that the network will be penetrated, and defense then relies on detecting the intruder. Many organizations now measure success in cybersecurity by the ‘dwell time’ of an intruder operating inside an enterprise.

Norse Corporation now identifies over 5000 new malicious binaries per day. It’s no wonder Symantec recently admitted that antivirus software is ‘dead’, an acknowledgement that the traditional approach of hardening the network perimeter is growing obsolete, particularly as companies move their data to cloud-based services and allow employees remote access using personal computers or mobile devices. Where organizations invest time and money to create lines and lines of hacker-resilient code, attackers will subvert their systems using a few lines of code with high gains.

According to the Commercial Crime Bureau of the Hong Kong Police Force, cyber-thieves landed $75 million in cash using tools like Predator Pain and Limitless, off-the-shelf keyloggers designed to collect and exfiltrate data, sold at a price point of $40. Endpoint security, malware detection, encryption and other reactive technologies are still a necessity, but they are insufficient without also proactively monitoring your data.

Hackers are all too keen to uncover design flaws in encryption, and will take the first opportunity to quietly exploit them. Retail giant Target learned this lesson the hard way when thieves were able to install data-collection software on the point-of-sale systems and steal information before it could be encrypted. The attack took almost three weeks to detect and by then 40 million credit and debit cards were stolen.

There is still value in hardening your network and using endpoint security software to try to keep the bad guys out, but those steps are now part of a larger strategy that must address the fact that so much information is outside the company’s servers and being accessed by so many different devices. You must know exactly where sensitive data lives at rest, employing technologies like document fingerprinting, pattern matching, and keyword dictionary comparisons that can track the genealogy and chain of custody of digital files.

You should also be aware of how your sensitive data is being used and moved, and that requires pervasive monitoring of the data itself to identify meaningful deviations from normal behavior that signal malicious intent. This can include examining file location, time of day, what devices are being used, IP addresses and URL reputation.

This combination of content-aware monitoring plus context-aware monitoring equals information-centric security: knowing your digital assets are protected against unauthorized use, disclosure, modification, recording or destruction. It not only helps to prevent thieves from stealing data, it also guards against the innocent employee who mistakenly tries to email confidential information to an unauthorized recipient.
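As an added illustration (not code from the article or from Global Velocity), the following combines the two monitoring layers just described: content-aware checks (a document fingerprint, a keyword dictionary, a pattern match) and context-aware checks (time of day, device, source network, destination reputation) over a constructed access event. The sample document, user baseline and event values are all assumptions made up for the example.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample: one document already classified as sensitive at rest.
BOARD_DECK = b"CONFIDENTIAL: Q3 revenue forecast and acquisition targets"
FINGERPRINTS = {hashlib.sha256(BOARD_DECK).hexdigest()}   # document fingerprinting
KEYWORDS = {"confidential", "internal only", "social security"}  # keyword dictionary
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # pattern matching (rough card-number shape)

def content_hits(blob: bytes) -> list[str]:
    """Content-aware checks: is this payload sensitive, regardless of who moves it?"""
    hits = []
    if hashlib.sha256(blob).hexdigest() in FINGERPRINTS:
        hits.append("fingerprint")
    text = blob.decode("utf-8", "ignore").lower()
    if any(k in text for k in KEYWORDS):
        hits.append("keyword")
    if CARD_RE.search(text):
        hits.append("pattern")
    return hits

# Constructed per-user baseline of normal behaviour (hours, devices, internal network prefixes).
BASELINE = {"alice": {"hours": range(8, 19), "devices": {"alice-laptop"}, "nets": ("10.0.",)}}

def context_deviations(event: dict) -> list[str]:
    """Context-aware checks: does this access deviate from the user's normal pattern?"""
    base = BASELINE.get(event["user"])
    if base is None:
        return ["unknown-user"]
    dev = []
    if datetime.fromisoformat(event["time"]).hour not in base["hours"]:
        dev.append("off-hours")
    if event["device"] not in base["devices"]:
        dev.append("new-device")
    if not event["src_ip"].startswith(base["nets"]):
        dev.append("external-network")
    if event.get("dest_reputation") == "bad":   # URL/IP reputation of the destination
        dev.append("bad-destination")
    return dev

def evaluate(event: dict) -> tuple[str, list[str], list[str]]:
    """Sensitive content moving under anomalous context is the signal worth alerting on."""
    content, context = content_hits(event["payload"]), context_deviations(event)
    if content and context:
        return "alert", content, context
    if content:
        return "review", content, context   # sensitive data, normal handling: log it
    return "allow", content, context
```

The same logic flags the well-meaning employee's mis-addressed email (sensitive content, bad destination) and the intruder's off-hours pull from an unknown device, which is the point of monitoring the data rather than only the perimeter.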

Traditional antivirus software may not be entirely ‘dead’, but the practice of solely relying on it to protect your data is. It simply cannot keep the bad guys out, and when those attackers do break through the network security system, they can steal data for months or years before they’re discovered. The fact organizations are moving more information to cloud or SaaS-based services and permitting employees to access that information with their own personal devices makes an attacker’s job easier and increases the risk of accidental loss by a well-meaning employee.

Instead of only fighting to keep the attackers out and prohibiting the use of cloud computing applications or forcing employees to use IT-issued laptops and smartphones, adopt an information-centric approach that enables real-time monitoring of data at rest and in motion to help better manage the risk associated with your data and better protect against a data breach.


About the Author

Greg Sullivan is CEO at Global Velocity. He is an experienced professional and has been acknowledged with the 2000 Entrepreneur of the Year Award and the 1999 United States National Small Business Person of the Year Award. Previously, Greg was Founder and CEO of technology consulting firm GA Sullivan, which he operated for over 20 years until it was acquired by Avanade, a joint venture originally created by Accenture and Microsoft.
