A fresh look at cyber practices can make high-value assets more secure
Data breaches happen when organisations fail at fundamental data protection practices. A fresh look at those practices can make your organisation and your high-value assets more secure.
Consider for a moment some of the most significant data breaches of the recent past:
- More than 140 million customer records exfiltrated from a leading credit reporting agency, exposing highly valuable personally identifiable data, such as Social Security numbers, dates of birth and driver’s license information.
- Half a billion user accounts compromised at a leading Internet service provider, revealing names, e-mail addresses, telephone numbers, dates of birth, password information and more.
- 80 million patient and employee records breached at a health insurer, potentially exposing names, dates of birth, Social Security numbers, e-mail addresses, employment information and income data.
- More than 50 million credit card accounts compromised at one leading retailer, and more than 40 million at another.
The list goes on. But when you take a step back to assess what these breaches have in common, you reach an inescapable conclusion: the numbers would be on a less staggering scale if the organisations involved had effectively practiced the basics of data-centric security.
Let’s start with the obvious. Data breaches of the scale in the examples cited are incredibly costly. Estimates put financial losses from a severe event into the tens or even hundreds of millions of dollars. Add to that the damage to brand and reputation, and the ongoing financial and legal exposure. The pain can be immense and long lasting, for the victimised organisations and for their partners and customers. Even in everyday breaches of more manageable scale, the financial and reputational damage takes a toll: research by the Ponemon Institute sponsored by Accenture estimates that the annual cost of cybercrime to the average organisation has increased by nearly 23% in the last year, to $11.7 million.
A related similarity is that organisations victimised by breaches have not fully appreciated the value of data as the lifeblood of business. In the intelligence community, loss of data can mean loss of life, hence the urgent focus there on protecting data. In business, losing data may also cost lives in sectors like energy, chemicals and healthcare, but it is currently more likely to lead to competitive disadvantage, damage to brand and reputation, and significant legal and financial consequences. Business runs on and depends on the secure processing of data, and protecting data deserves a commensurate level of attention, respect and investment. In the digital era, data is value. Those who guard that value have a significant advantage over those who do not.
The third characteristic shared by organisations victimised by breaches is multiple points of failure. The issue is not whether criminal attackers exploited a known website vulnerability the victim organisation failed to patch, or instead launched a zero-day attack. The issue is that multiple processes and procedures had to fail for tens of millions, or hundreds of millions, of customer records to be exfiltrated, and for that exfiltration to go undetected for days, weeks or months.
Then there is the unexpected disrupter, the proverbial dark horse: legislation. With new legislation such as GDPR coming into effect, it has become vital to understand what data you have, where it is, and how it is being processed. The aim is not just to put a tick in an audit box, but to be able to demonstrate to regulators, at all times, how you are effectively managing the data you are custodian of.
All of which adds up to straightforward, prescriptive advice: organisations need to put their data protection fundamentals in order. To fend off data breaches and minimise their impact, they need to “harden” their data assets and be brilliant at practicing the basics of data-centric security, alongside the other good security practices they should already follow.
1. Identify and harden your high-value assets
These are your “jewels”: the data most critical to your operations, subject to the most stringent regulatory penalties, and most important to your trade secrets and differentiation in the market. “Hardening” a high-value asset means making it as difficult and costly as possible for adversaries to achieve their goals, and limiting the damage they can cause if they do obtain access. Some added guidelines:
- Adopt the attacker’s mind-set. What do they want most? Design and execute your threat and vulnerability program, and your overall security solution, to deny it.
- Consider and use multiple techniques including encryption, tokenisation, micro-segmentation, privilege and digital rights management, selective redaction, and data scrambling.
- If your high-value assets are on legacy systems, do not try to harden those assets all at once. Instead, add additional protection and increase visibility over control points or points of access until you migrate or modernise the legacy systems. If you have legacy systems that cannot be suitably hardened, look for opportunities to restrict access and up-level your monitoring. Be laser-focused on timely detection at your weakest links.
- Remember that with all the focus on securing data, encrypting it, keeping it in the safest of systems, if the same controls are not applied to people who have access to the data, you have simply moved the point of failure. To fully protect your high-value assets, it is critical to keep “the people dimension” in mind.
2. Build up your defenses through network enclaves both on-premises and in the cloud
The perimeter is no longer the perimeter; it has become too easy for adversaries to breach. And the enterprise that the perimeter is intended to protect now extends well beyond “the four walls” to the cloud, the field and the control rooms. Consider creating enclaves: environments, both on- and off-premises, where you can better monitor the comings and goings of users and the behaviour of applications, and which limit an attacker’s manoeuvrability. When the perimeter is breached, the enclaves remain safe. Think of a ship: if the hull is breached, hard partitions between the compartments below deck prevent the ship from sinking. In the same way, hard-partitioned enclaves in your network prevent a breach from moving laterally through the entire enterprise.
3. Build and execute a hunting program
There was a time when organisations felt they only had to activate their incident response plans in the event of a breach. Not any longer. Today, the best approach is to adopt a continuous response model, always assume you have been breached, and use your incident response and threat hunting teams to always look for the next breach (“find them before they find you”).
4. Catastrophe scenarios
Develop, run and test scenarios that simulate business catastrophes, for end-to-end effectiveness, so that you can verify and validate that you can detect an adversary, and that your people are prepared and ready.
5. Map your environment
Create an understanding of your data landscape by identifying the business applications, processes, information usage patterns, systems and platforms in the environment, together with their business value and associated risks. Understand the flow of information within and outside your organisation, and the communication channels it follows. Identify the different data repositories and their respective asset owners. Knowing all of this means you know exactly where to spend time and energy on protecting your data.
6. Limit, monitor and segment access
Use two-factor authentication as much as possible, and use role-based access control to make automated decisions about who is allowed to see which data and systems. Move toward micro-segmentation in your access control (here meaning field-level control over the data itself, not only network segmentation), recognising that when sensitive data needs to be handled by different people for different reasons, none of them may need to see the data in its entirety. Micro-segmentation can show each person what he or she needs to see based on his or her roles and responsibilities, while obscuring the rest. This also limits damage in the event of a breach: if any one user’s credentials are compromised, only a portion of the data is exposed, and exfiltrating whole objects or larger swaths of data becomes much more difficult for the adversary.
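The following is an added example, not code from the article or from Accenture, that puts the techniques from section 1 (tokenisation, selective redaction) and the field-level access control from section 6 together in one place. It assumes a hypothetical customer record, a hypothetical per-environment tokenisation key and a policy table that is entirely made up for illustration; the point it makes beyond the text is that the policy also tells you the blast radius of any single stolen credential.

```python
import hashlib
import hmac
from typing import Any, Dict, List

# Constructed sample record for the example; no real person or card.
SAMPLE_RECORD: Dict[str, Any] = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "dob": "1980-04-12",
    "ssn": "123-45-6789",
    "email": "jane@example.invalid",
    "card_number": "4111111111111111",
    "balance": 2500.75,
}

# Hypothetical tokenisation key. In a real deployment this comes from a key
# manager or HSM and never lives in source code.
TOKEN_KEY = b"demo-only-tokenisation-key"

# Hypothetical policy: role -> field -> treatment. A field that is absent for a
# role is denied outright. "full" = cleartext, "masked" = partial redaction,
# "token" = keyed surrogate that can be joined on but not reversed here.
POLICY: Dict[str, Dict[str, str]] = {
    "support_agent": {"customer_id": "full", "name": "full", "email": "full",
                      "ssn": "masked", "card_number": "masked"},
    "fraud_analyst": {"customer_id": "full", "ssn": "token",
                      "card_number": "token", "balance": "full"},
    "marketing": {"customer_id": "full", "email": "full"},
    "dba_backup": {"customer_id": "token"},  # keyed lookups only, no PII
}


def tokenise(value: str) -> str:
    """Deterministic keyed token (truncated HMAC-SHA256): the same input always
    yields the same token, so datasets stay joinable, but without TOKEN_KEY an
    attacker cannot recompute or brute-force the mapping for low-entropy inputs."""
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask(field: str, value: str) -> str:
    """Selective redaction: keep only what an operator needs to confirm identity."""
    if field == "ssn":
        return "***-**-" + value[-4:]
    if field == "card_number":
        return "*" * (len(value) - 4) + value[-4:]
    return "***"


def view_for_role(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return the slice of `record` that `role` is allowed to see, transformed
    per policy. Fields not listed for the role are simply not returned."""
    rules = POLICY.get(role)
    if rules is None:
        raise PermissionError(f"unknown role {role!r}")
    view: Dict[str, Any] = {}
    for field, treatment in rules.items():
        if field not in record:
            continue
        raw = record[field]
        if treatment == "full":
            view[field] = raw
        elif treatment == "masked":
            view[field] = mask(field, str(raw))
        elif treatment == "token":
            view[field] = tokenise(str(raw))
        else:
            raise ValueError(f"unknown treatment {treatment!r} for {field}")
    return view


def exposed_fields(role: str) -> List[str]:
    """Blast radius: which cleartext fields leak if this role's credential is stolen."""
    return sorted(f for f, t in POLICY.get(role, {}).items() if t == "full")


if __name__ == "__main__":
    for role in POLICY:
        print(role, view_for_role(SAMPLE_RECORD, role), "leaks:", exposed_fields(role))
```

Note that no single role in the policy above returns the raw SSN or card number; an adversary who steals one credential gets masked or tokenised values, and reconstructing the whole record requires compromising several roles plus the tokenisation key.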
7. Monitor for anomalous and suspicious activity
Monitor continuously and vigilantly not just for unauthorised access but also for undiscovered threats and suspicious user behavior.
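As an added example (not part of the article), this shows what “suspicious user behaviour” monitoring can look like in code: it builds a per-user baseline of daily record-access volume and usual source networks from a window of history, then scores a new day’s events against it. The log format, user names, IP ranges and thresholds are all constructed for the example; the constructed exfiltration case (one account pulling far more records than usual, at night, from a never-before-seen network) is the kind of activity that the breaches cited earlier went months without detecting.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log format: one line per access event.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def _constructed_baseline_logs() -> List[str]:
    """Ten days of ordinary activity for two users (constructed, not real data)."""
    alice = [100, 110, 120, 105, 115, 125, 130, 110, 100, 120]
    bob = [20, 30, 25, 35, 40, 30, 20, 25, 30, 35]
    lines = []
    for day, (a, b) in enumerate(zip(alice, bob), start=1):
        lines.append(f"2018-04-{day:02d}T10:00:00Z user=alice action=read_record records={a} src=10.1.4.20")
        lines.append(f"2018-04-{day:02d}T14:30:00Z user=bob action=read_record records={b} src=10.1.4.31")
    return lines


# Constructed "today": alice's account behaves like an exfiltration, bob is normal,
# carol has never been seen before.
TODAY_LOGS = [
    "2018-05-02T02:13:00Z user=alice action=read_record records=5000 src=203.0.113.9",
    "2018-05-02T11:05:00Z user=bob action=read_record records=30 src=10.1.4.31",
    "2018-05-02T11:40:00Z user=carol action=read_record records=15 src=10.1.4.50",
]

Event = Tuple[datetime, str, str, int, str]


def parse(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not allowed to crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["action"], int(m["records"]), m["src"]))
    return events


def build_baseline(events: List[Event]) -> Dict[str, dict]:
    """Per user: mean/stdev of daily record volume and the set of /24s seen."""
    per_day: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    subnets: Dict[str, set] = defaultdict(set)
    for ts, user, _action, records, src in events:
        per_day[user][ts.date().isoformat()] += records
        subnets[user].add(src.rsplit(".", 1)[0])
    baseline = {}
    for user, days in per_day.items():
        counts = list(days.values())
        stdev = statistics.stdev(counts) if len(counts) > 1 else 0.0
        baseline[user] = {"mean": statistics.mean(counts),
                          "stdev": max(stdev, 1.0),  # floor avoids divide-by-zero
                          "subnets": subnets[user]}
    return baseline


def detect(events: List[Event], baseline: Dict[str, dict],
           z_threshold: float = 3.0, work_hours=(7, 20)) -> List[dict]:
    """Return one alert per (user, day) with the reasons that fired."""
    volume: Dict[Tuple[str, str], int] = defaultdict(int)
    reasons: Dict[Tuple[str, str], set] = defaultdict(set)
    for ts, user, _action, records, src in events:
        key = (user, ts.date().isoformat())
        volume[key] += records
        b = baseline.get(user)
        if b is None:
            reasons[key].add("no_baseline")  # new or dormant account: review, do not ignore
            continue
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons[key].add("off_hours")
        if src.rsplit(".", 1)[0] not in b["subnets"]:
            reasons[key].add("new_source")
    for key, total in volume.items():
        b = baseline.get(key[0])
        if b and (total - b["mean"]) / b["stdev"] > z_threshold:
            reasons[key].add("volume_spike")
    return [{"user": u, "day": d, "records": volume[(u, d)], "reasons": sorted(r)}
            for (u, d), r in reasons.items() if r]


def run_example() -> List[dict]:
    return detect(parse(TODAY_LOGS), build_baseline(parse(_constructed_baseline_logs())))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Three independent signals (volume, time of day, source network) agreeing on the same account is far stronger evidence than any one of them; in practice the baseline window, thresholds and the list of signals are tuned per data store, and the alerts feed the hunting team described in section 3.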
8. Develop both strategic and tactical threat intelligence
Have a sustainable threat intelligence program that collects and curates both strategic and tactical threat intelligence. Strategic threat intelligence is human-readable intelligence from a variety of closed and open sources: for example, an e-mail explaining that certain versions of Apache Struts are vulnerable to attack, and how that vulnerability is exploited. Other forms of strategic intelligence can provide insights on campaigns targeting certain industries or technologies, or on geopolitical trends that could change the incentives of attackers. Tactical threat intelligence consists of machine-readable indicators of compromise that feed automatically into your systems: for example, an automated feed from Palo Alto Networks or Qualys directly into your tooling. Stay as current as possible on both the broader threat landscape and the specific threats posed by adversaries as they relate to your organisation.
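The tactical side of the above, as an added example that is not from the article or from any named vendor: a small indicator-of-compromise matcher. The feed format and every indicator and event in it are constructed for this example (the feed is shaped like a generic machine-readable list with type, value, source and expiry, not any vendor’s actual schema). It handles the details that make naive matching miss things in practice: defanged indicators (`evil[.]test`, `hxxp`), case and trailing-dot differences, subdomains of a listed domain, and stale indicators past their expiry.

```python
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

FAR_FUTURE = "2099-01-01T00:00:00+00:00"
# A placeholder file hash for the constructed feed (hash of a constructed string).
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-file").hexdigest()

# Constructed indicator feed; not real threat data.
IOC_FEED: List[Dict[str, str]] = [
    {"type": "domain", "value": "evil-example[.]test", "source": "feed-a", "valid_until": FAR_FUTURE},
    {"type": "ipv4", "value": "198[.]51[.]100[.]7", "source": "feed-a", "valid_until": FAR_FUTURE},
    {"type": "sha256", "value": SAMPLE_HASH.upper(), "source": "feed-b", "valid_until": FAR_FUTURE},
    {"type": "domain", "value": "stale.test", "source": "feed-b",
     "valid_until": "2017-01-01T00:00:00+00:00"},  # expired: must not fire
    {"type": "yara", "value": "rule x { condition: false }", "source": "feed-b",
     "valid_until": FAR_FUTURE},  # unsupported type: ignored, not an error
]

# Constructed proxy/endpoint events.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "dst_host": "cdn.evil-example.test"},      # subdomain of listed domain
    {"id": "2", "dst_host": "notevil-example.test"},       # superstring, NOT a match
    {"id": "3", "dst_ip": "198.51.100.7"},                 # exact IP
    {"id": "4", "file_sha256": SAMPLE_HASH},               # lowercase vs uppercase feed
    {"id": "5", "dst_host": "www.stale.test"},             # only an expired indicator
    {"id": "6", "dst_host": "Evil-Example.TEST."},         # case + trailing dot
]


def refang(value: str) -> str:
    """Normalise a defanged or oddly-cased indicator to a comparable form."""
    return (value.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
            .rstrip("."))


def load_iocs(feed: List[Dict[str, str]], now: datetime) -> Dict[str, Set[str]]:
    """Index supported, unexpired indicators by type."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ipv4": set(), "sha256": set()}
    for ioc in feed:
        if ioc["type"] not in iocs:
            continue
        if datetime.fromisoformat(ioc["valid_until"]) <= now:
            continue
        iocs[ioc["type"]].add(refang(ioc["value"]))
    return iocs


def domain_hit(host: str, domains: Set[str]) -> str:
    """Label-wise suffix match: a.b.evil.test matches evil.test, notevil.test does not."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return ""


def match_events(events: List[Dict[str, str]],
                 iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (event_id, ioc_type, indicator) for every event touching an indicator."""
    hits = []
    for ev in events:
        if "dst_host" in ev:
            hit = domain_hit(refang(ev["dst_host"]), iocs["domain"])
            if hit:
                hits.append((ev["id"], "domain", hit))
        if "dst_ip" in ev and refang(ev["dst_ip"]) in iocs["ipv4"]:
            hits.append((ev["id"], "ipv4", refang(ev["dst_ip"])))
        if "file_sha256" in ev and ev["file_sha256"].lower() in iocs["sha256"]:
            hits.append((ev["id"], "sha256", ev["file_sha256"].lower()))
    return hits


def run_example(now: datetime = datetime(2018, 6, 1, tzinfo=timezone.utc)):
    return match_events(EVENTS, load_iocs(IOC_FEED, now))


if __name__ == "__main__":
    for hit in run_example():
        print(hit)
```

Expiring indicators and matching on domain labels rather than substrings are what keep such a feed from drowning analysts in false positives; the strategic intelligence in the same program tells you which of these hits matter for your industry.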
9. Build a security ecosystem
No organisation is an island. Supplement internal talent and skills with a diverse vendor support system. When necessary and appropriate, take advantage of the assistance that managed services organisations can deliver.
10. Prepare for the worst
Transform your incident response plan into a crisis management plan that can be enacted if the worst-case scenario materialises. Make sure legal and corporate communications teams are on standby and prepared to take action. Exercise the plan so that the business builds muscle memory and identifies areas for improvement before the next issue arises. Be ready for a catastrophic cyberattack in which e-mail, voice-over-IP and the other communication systems used day to day are unavailable. For such emergencies, consider storing critical contact information in the cloud and being prepared to use the cloud as a secondary, out-of-band platform for e-mail and voice communication.
Conclusion
Any organisation intent on avoiding serious data breaches owes it to itself to review how well it is putting the fundamentals of data-centric security into practice. Closing any gaps will help fend off breaches and minimise their impact.
An article by Jaco Jacobs and Kimberley Zwaart, both consultants at Accenture.