BreachExchange mailing list archives

Leveraging Existing Security Infrastructure to Protect Against Future Threats


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 21 Oct 2015 10:11:27 -0600

http://www.infosecurity-magazine.com/opinions/leveraging-existing/

European companies started appreciating the need for protecting sensitive
information many years ago. In comparison, U.S. companies were more likely
to see security needs from a compliance perspective. As a result, the
domestic strategy was to implement security solutions that would give you
the biggest bang for your buck. Data Loss Prevention (DLP) fell into that
category.

Usually implemented in the network layer or on end-points, DLP promised to
monitor all data transfers and to identify, and potentially block, anything
that was not supposed to be at a given network or storage location. The
result, as many CIOs hoped, was a single, compliance-enabling security
solution that would prevent data loss and leakage. Naturally, DLP enjoyed
incredible deployment numbers, and most major enterprises have DLP deployed
in one form or another.

Yet when looking at how many data breaches have occurred over the past
couple of years, it appears as if DLP couldn’t solve businesses’ security
problems. The Ponemon Institute estimates that DLP prevented fewer than a
fifth of data breaches. The problem with DLP and many other ‘traditional’
data protection solutions is that they operate on content and often work
against the end-user.

Operating on content means that solutions like DLP often have very limited
contextual awareness in terms of where the data comes from and what the
user’s intentions are with that data. DLP solutions rely on content
scanning and pattern matching in an attempt to figure out whether the data
is sensitive enough to be blocked. This method often leads to frustration
among users, because they are prevented from processing the data and
instead have to figure out how to get past the DLP solution. The bad news
for DLP is that the motivated user often finds a way to bypass it,
rendering DLP ineffective.

So the question is – what can you do to significantly raise the security
bar, while leveraging your existing investment?

Putting Security into the Right Context

An effective way of increasing security is to augment your existing
investment in traditional (content-aware) security solutions with
context-aware solutions. That is, software with the ability to fully
understand the context of where the data is coming from, who the user is as
it relates to that context and where the data is going.

Here is an example that illustrates the difference between a content-aware
security solution and a context-aware security solution and how DLP might
have difficulty in properly distinguishing between sensitive and
non-sensitive engineering data of a fictitious automotive company, Acme
Auto.

John is an engineer working on the design of engine parts. All engineering
drawings are stored in a project room, and each individual part is
internally classified. The classification of those parts is linked to the
roles and authorizations of all engineers, ensuring that everyone can only
access the parts to which they are assigned. Additionally, Acme Auto relies
on original equipment manufacturers (OEMs) that supply parts. As a result,
many of the engineering drawings have to be shared with the OEMs for the
purpose of collaboration.

Engineers can export drawings for the purpose of sharing them with OEMs
but, unfortunately, the internal classification of the computer-aided
design (CAD) project room does not extend to exported files. A
content-aware DLP solution cannot tell whether the exported drawing shared
via FTP (File Transfer Protocol) contains the design of a simple screw,
which is classified as ‘internal only’, or the ‘top secret’ design of a new
ignition system. All it can see is that John exported a drawing from the
CAD project room and is trying to transmit it via FTP. Because this is a
valid business case, chances are that DLP is not configured to block such a
transfer, opening a hole for classified information to leave the company
via FTP.

On the other hand, a context-aware solution, one that deeply integrates
with the CAD project room, would be aware of the internal classification
and could block an unauthorized export before it happened, or alternatively
tag the exported drawing with metadata (such as a classification label),
allowing the downstream DLP solution to make a reliable decision on whether
to block the data transfer or not.
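The Acme Auto scenario above, modelled as an added example (not code from the article or any DLP product): a content-only check that sees identical-looking CAD exports, beside a context-aware export that enforces the project room's assignments and carries the classification label along as metadata for a downstream, label-driven DLP decision. All part names, users, labels and the policy table are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed CAD project room: part -> internal classification label
PROJECT_ROOM = {"screw-m6.cad": "internal only", "ignition-v2.cad": "top secret"}
# Constructed role data: engineer -> parts they are assigned to
ASSIGNMENTS = {"john": {"screw-m6.cad", "ignition-v2.cad"}, "alice": {"screw-m6.cad"}}
# Constructed DLP policy: label -> transfer channels it may leave on
DLP_POLICY = {"internal only": {"ftp", "sftp"}, "top secret": set()}


@dataclass
class ExportedFile:
    name: str
    payload: bytes
    metadata: dict = field(default_factory=dict)


def content_only_dlp(f: ExportedFile, channel: str) -> str:
    """Content-aware check: only the bytes are visible. Two CAD exports look
    alike, so a pattern match either blocks valid OEM sharing or lets both through."""
    if b"CONFIDENTIAL" in f.payload:
        return "block"
    return "allow"


def context_aware_export(user: str, part: str) -> ExportedFile:
    """Export from the project room: refuse parts the engineer is not assigned
    to, and attach the room's classification as metadata on the exported file."""
    if part not in ASSIGNMENTS.get(user, set()):
        raise PermissionError(f"{user} is not assigned to {part}")
    payload = b"CADv1 geometry for " + part.encode()  # constructed file body
    return ExportedFile(part, payload, {"classification": PROJECT_ROOM[part],
                                        "exported_by": user})


def label_aware_dlp(f: ExportedFile, channel: str) -> str:
    """Downstream DLP decision driven by the label rather than the bytes.
    A file with no label fails closed, so unlabelled exports never slip out."""
    label = f.metadata.get("classification")
    if label is None or channel not in DLP_POLICY.get(label, set()):
        return "block"
    return "allow"


def decide(user: str, part: str, channel: str) -> str:
    """End-to-end outcome for one transfer attempt."""
    try:
        exported = context_aware_export(user, part)
    except PermissionError:
        return "denied-at-export"
    return label_aware_dlp(exported, channel)
```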

By definition, context-aware solutions require integration with the
applications that contain sensitive data in order to obtain the necessary
context. With such a stringent requirement, enterprises won’t find a
solution for all of their applications. The good news is that the number
of context-aware applications is growing, and even DLP vendors have
realized the need to become more context-aware.

That all means that you can analyze where most of your sensitive data
originates (for many companies it is an ERP system) and then deploy
context-aware solutions, closing the gaps one by one. That way your
business can leverage its existing investments while significantly
increasing its level of data protection, and hopefully stay out of the news
for a while longer.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 