jonathan sander


Jonathan Sander, Strategy & Research Officer for STEALTHbits Technologies, says:

Every year Verizon produces the Data Breach Investigations Report (DBIR). It’s bad form on a blog to say “stop reading my content and go read this other content,” but I’ll start by saying that if you’ve never used this report as an asset in your security planning you should absolutely drop everything and go read this. Each year it’s a treasure trove of data and analysis. It’s also readable and has a sense of humor. Many people I know use its deep data and highly visual graphs to communicate the impact of security measures (or lack of them) to the people they need to fund their security efforts.

One complaint, the only complaint, I’ve had about it over the years has been the lack of focus on insider threat. That changed this time. The DBIR team notes “an increase in insider espionage targeting internal data and trade secrets, and a broader range of tactics.” Even better is that they acknowledge this is mostly due to their having more insight into the data. In other words, the increase in insider threat doesn’t show an increase in the number of incidents but rather better visibility into the events of insider threat that have likely been there all along.

Verizon begins their thought on insider threats by stating the stark realities:

“The root cause of data theft and other illicit acts by trusted parties is, rather obviously, an employee breaking bad. While it’s impossible to stop all rogue employees, there are some steps that can reduce the likelihood of an incident occurring, or at least increase your chances of catching it quickly.”

This boils down to one word: trust. When it comes to trust, you’re handling a double-edged sword. If you want to reap the many, obvious, well-proven benefits of arming your people with the power of IT, then you have to trust them to some degree. You have to trust them with access to data. You have to give them the power to see, consume, change, and even transport that data. You have to trust that they will act as stewards for that data in good faith. For security professionals, that is the crux of the problem. They are there to mitigate the risks of placing trust in people.

While you can never build a perfect mouse (rat?) trap to ensure perfect data security, the DBIR team does give some very sound advice on what you can do to mitigate your risks. First you need the basics. “The first step in protecting your data is in knowing where it is, and who has access to it,” says Verizon. We all know that asking the question “who has access to what” is much different than answering it. Nonetheless, it’s the key starting point for getting off the ground. STEALTHbits starts our data security work with what we call “effective access,” which is designed to answer these exact questions about your unstructured data.

If all you have is a huge list of effective access, you’re not going to get very far. A map is pretty, but directions tell you where you need to go next. That’s why Verizon and STEALTHbits both advise that the next step is to identify “the positions with access to sensitive data.” Not all data is created equal. Data that is regulated and carries financial and operational consequences if you mishandle it, data that can cause huge reputational damage if you are caught exposing it, data that can erase your competitive edge by exposing the inner workings of your most important intellectual property and proprietary approaches: all the data that can hurt you is clearly where you need to focus your first efforts. Once you know where the dangerous data is, you can prioritize your responses and remediation efforts. Governance, meaning simple reviews of the access people have, is a great place to start. In the course of a review, you narrow your scope even further by focusing on the access where the true data owners (as opposed to the IT staff too often put in charge of access by default) get to say which access deserves more scrutiny and action.
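To make “effective access” and the prioritized review concrete, here is an added example (not STEALTHbits code, nor anything from the DBIR): it resolves nested group membership against share ACLs to answer “who has access to what,” then builds the review queue the data owner would see, highest-sensitivity data first. All users, groups, share paths, classifications and owners are constructed for the example.

```python
"""Resolve effective access to unstructured data and rank it by sensitivity.
Added example; every directory object and ACL below is constructed."""
from collections import defaultdict

# Constructed directory: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Users": ["alice", "bob", "carol", "dave"],
    "Finance": ["alice", "Finance-Leads"],
    "Finance-Leads": ["bob"],
    "Engineering": ["carol", "dave"],
    "IT-Admins": ["dave"],
}

# Constructed ACLs: share -> list of (principal, permission).
ACLS = {
    r"\\fs01\Public": [("Domain Users", "read")],
    r"\\fs01\Payroll": [("Finance", "read"), ("Finance-Leads", "modify"),
                        ("IT-Admins", "full")],
    r"\\fs01\SourceCode": [("Engineering", "modify"), ("IT-Admins", "full")],
}

# Constructed classification: share -> (sensitivity label, business owner).
SENSITIVITY = {
    r"\\fs01\Public": ("public", "it-helpdesk"),
    r"\\fs01\Payroll": ("regulated", "cfo"),
    r"\\fs01\SourceCode": ("trade-secret", "vp-engineering"),
}
RANK = {"trade-secret": 3, "regulated": 2, "internal": 1, "public": 0}
LEVEL = {"read": 1, "modify": 2, "full": 3}


def expand_principal(principal, groups, seen=None):
    """Return the set of users reachable from a principal by following nested
    groups. `seen` guards against group cycles; a bare user expands to itself."""
    seen = seen if seen is not None else set()
    if principal not in groups:
        return {principal}
    if principal in seen:
        return set()
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand_principal(member, groups, seen)
    return users


def effective_access(acls, groups):
    """Map each user to {share: permission}, keeping the strongest permission
    granted through any group path."""
    access = defaultdict(dict)
    for share, entries in acls.items():
        for principal, perm in entries:
            for user in expand_principal(principal, groups):
                current = access[user].get(share)
                if current is None or LEVEL[perm] > LEVEL[current]:
                    access[user][share] = perm
    return dict(access)


def review_queue(access, sensitivity, min_rank=2):
    """Rows for the data owners' access review: only shares at or above
    `min_rank`, most sensitive first, so the CFO and VP see their data, not
    the public share."""
    rows = []
    for user, shares in access.items():
        for share, perm in shares.items():
            label, owner = sensitivity[share]
            if RANK[label] >= min_rank:
                rows.append((RANK[label], share, user, perm, owner))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return [(share, user, perm, owner) for _, share, user, perm, owner in rows]


if __name__ == "__main__":
    for row in review_queue(effective_access(ACLS, GROUPS), SENSITIVITY):
        print(*row)
```

The point worth noticing in the output is that bob ends up with modify on Payroll and dave with full control on both sensitive shares without either being listed directly on any ACL; that is the gap between the raw ACL and effective access that the review is meant to surface to the data owner.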

Once you have a handle on access, you can begin to watch what people do with that access you’ve trusted them with. This means monitoring activity. According to the DBIR team, you’d be looking for “actions that facilitate the data transfer out of the organization — these are excellent places to set up controls to detect this type of activity.” This is a complex thing to do. It means setting up sentinels in many places to see that people are not abusing the trust you’ve invested in them. But the rewards for this are obvious… sometimes. If you can stop even one Target or Barclays style breach from happening, all your efforts will have an immediate ROI. Of course, this is the imaginary math of security done well. Trust is free. Strict security costs money and if it does its job you never see the loss – but that means the loss is never there to justify the cost. This is exactly what makes the Verizon DBIR so valuable to security pros. It’s a run-down of all the things that didn’t happen to you because of your security investments, if you’ve had a good year.
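The “sentinels” described above can be as simple as rules run over file-activity audit records. The following is an added example, not the post’s or STEALTHbits’ own detection logic: it parses constructed key=value access log lines and raises an alert at the two control points the DBIR passage names, bulk reading of a sensitive share and a copy from a sensitive share to an external destination. The share names, destinations, threshold and log lines are all constructed.

```python
"""Detect activity that suggests sensitive data leaving the organization.
Added example; the log lines, shares and thresholds below are constructed."""
from collections import defaultdict

SENSITIVE_SHARES = {r"\\fs01\Payroll", r"\\fs01\SourceCode"}
EXTERNAL_DESTINATIONS = {"usb", "personal-cloud", "webmail"}
BULK_READ_THRESHOLD = 3  # distinct sensitive files read by one user in the window

# Constructed audit log in a key=value format (not a real product's format).
LOG = r"""
ts=2014-05-01T09:12:03Z user=alice action=read share=\\fs01\Payroll file=q1.xlsx bytes=120000
ts=2014-05-01T09:13:10Z user=alice action=read share=\\fs01\Payroll file=q2.xlsx bytes=118000
ts=2014-05-01T09:40:55Z user=carol action=read share=\\fs01\SourceCode file=main.c bytes=4000
ts=2014-05-01T10:01:44Z user=dave action=read share=\\fs01\SourceCode file=a.c bytes=3000
ts=2014-05-01T10:01:45Z user=dave action=read share=\\fs01\SourceCode file=b.c bytes=3100
ts=2014-05-01T10:01:46Z user=dave action=read share=\\fs01\SourceCode file=c.c bytes=2900
ts=2014-05-01T10:01:47Z user=dave action=read share=\\fs01\SourceCode file=d.c bytes=3300
ts=2014-05-01T10:05:12Z user=dave action=copy share=\\fs01\SourceCode file=src.zip bytes=9000000 dst=usb
ts=2014-05-01T11:20:00Z user=bob action=copy share=\\fs01\Public file=brochure.pdf bytes=500000 dst=usb
"""


def parse_event(line):
    """Parse one 'key=value ...' line into a dict; bytes becomes an int."""
    event = dict(field.split("=", 1) for field in line.split())
    event["bytes"] = int(event.get("bytes", 0))
    return event


def detect(log_text):
    """Return a list of (rule, user, detail) alerts.

    Rule 1 fires on any copy from a sensitive share to an external destination.
    Rule 2 fires when one user reads more than BULK_READ_THRESHOLD distinct
    files from sensitive shares. Copies from non-sensitive shares are ignored
    on purpose to keep the alert stream reviewable."""
    events = [parse_event(l) for l in log_text.strip().splitlines() if l.strip()]
    alerts = []
    files_read = defaultdict(set)
    for e in events:
        sensitive = e["share"] in SENSITIVE_SHARES
        if sensitive and e["action"] == "read":
            files_read[e["user"]].add(e["file"])
        if sensitive and e["action"] == "copy" and e.get("dst") in EXTERNAL_DESTINATIONS:
            alerts.append(("sensitive-to-external", e["user"],
                           f'{e["file"]} -> {e["dst"]} ({e["bytes"]} bytes)'))
    for user, files in sorted(files_read.items()):
        if len(files) > BULK_READ_THRESHOLD:
            alerts.append(("bulk-sensitive-read", user, f"{len(files)} distinct files"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(LOG):
        print(f"{rule:24} {user:8} {detail}")
```

On the constructed log only dave trips either rule; bob’s copy of a public brochure to USB is exactly the kind of event you want the rules to stay silent on, which is why the sensitivity classification from the access review feeds the monitoring rather than the other way round.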

All this auditing that happens produces a lot of data. Often that data stays locked up in security. The Verizon team encourages the folks who mitigate trust for a living to do something that doesn’t come naturally: share. They make a good point and ask you to publish audit results:

From an awareness perspective, regularly publish anonymized results of audits of access. Let employees know that there are consequences and that the policies are being enforced. This can act as a powerful deterrent to bad behavior.

Nothing is as powerful as data – something the DBIR folks know well. If you can take the data you’ve compiled and give it to the decision makers in a way that they can digest, then they will draw many of the same conclusions you would. That’s where the security pros need to learn a little trust. They need to trust that, armed with good data, the business leaders will choose to empower security.