During my trip to the Enfuse 2016 conference in May, I had a conversation with Paul Shomo, senior technical manager, Strategic Partnerships with Guidance Software. One of the things we talked about was the importance of companies taking a more data-centric approach to information security.
When we think about breaches, Shomo explained, malware and how it breaks through the network is what often comes to mind. To that end, social engineering is the primary tool for injecting malware. Hackers rely on the vulnerabilities of humans and software systems to break through the perimeter quickly, which gives them the ability to move around the network with ease. The malware and the hacker’s infiltration can go on for months without detection, and users have no idea, Shomo added:
Hackers don’t leave a lot of evidence like regular users do, so people don’t think enough about investigating breaches in terms of what users are doing on the network. A lot of times you can’t tell the difference between a hijacked user account that’s controlled externally versus an inside threat.
Shomo also believes that we don’t pay enough attention to data-centric concerns, like where to find the data and how many endpoints have access to it. All endpoints tend to be treated exactly the same and this creates security risks. Too many information security professionals can’t tell you where sensitive data is stored or accessed, and that is often caused by organizational separations, where different departments are communicating with each other. He said:
This puts organizations into a situation where one group knows what the sensitive data looks like and has the means to find out where it is, and the other group is supposed to defend it but they don’t know where it is or which endpoints it is on. There is a need to work together.
A problem for many companies is the tendency to put these two concerns into separate boxes. Over here we have malware breaking through perimeters and that’s where much of the security focus is spent, but in that other box on the other side of the room, we have the data that we are supposed to be protecting. Shomo thinks that companies need to become more data-centric in their attitude toward overall cybersecurity.
How can they make this switch? Shomo said it starts with departments working together to come up with solutions. For example, the people who know the keyword set for sensitive data and intellectual property in your system can put those keywords into a privileged account. The keywords can (and should) be encrypted. Someone with privileged access from another department – say a security professional or someone in charge of corporate governance – will have access to the sensitive data.
Shomo admits that data-centric security can be tricky because it involves the coordination between so many departments and there will always be privacy and legal issues to take into consideration.
Knowing where data is stored is the first step. The second step is figuring out how to share all this information with security professionals. They may only have bits and pieces of information about the data, including the endpoints where it is accessed and who has access.
It’s not an easy task to become a data-centric security operation, but it should improve security efforts. After all, gathering data is the goal of most hackers; malware is just a tool they use to get to it. By paying more attention to protecting the data first, we can focus on preventing the malware.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.