One could argue that cybersecurity is the most intellectually demanding profession on the planet. The rate of change is so great that no challenge is ever solved and no problem ever resolved completely. That said, security failures more often result from a lack of direction and focus, not of skills or resources.
The five myths in this slideshow, identified by Dan Geer, were selected because they address pain points common to many organizations, and successfully addressing them will give reasonable assurance of some quick wins. In reviewing this list, continue to ask yourself how to apply the advice to your organization and its unique cybersecurity ecosystem. The myths endeavor to challenge you a bit on how you think about the difficulties we all face.
Dan Geer is the chief information security officer at In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the CIA and the broader U.S. intelligence community. Previously he was chief scientist at Digital Guardian (formerly Verdasys). Geer was a key contributor to the development of the X Window System as well as the Kerberos authentication protocol while a member of the Athena Project at MIT in the 1980s. Shortly after, Geer created the first information security consulting firm on Wall Street in 1992, followed by organizing one of the first academic conferences on electronic commerce in 1995. Geer is also the past president of the USENIX Association where he earned a Lifetime Achievement Award.
Five Security Myths Debunked
Click through for five myths that address common security pain points organizations must deal with to ensure their data remains safe, as identified by Dan Geer.
Level of Control
Myth #1: Security success depends on the level of control you have over your environment.
The Reality: It’s not about implementing more stringent controls. What’s more important is having better visibility into your organization’s data. The primary point of risk is anywhere data is in motion. Just having controls everywhere is insufficient. If your controls fail, chances are you won’t even notice. Most organizations victimized by data breaches are discovered by a third party.
Dan’s Advice: The shorthand advice here is: “Focus on data visibility, not the controls.” Controls can’t be effective without real visibility on data movement. This is the primary focal point for any successful security regime. With better visibility into what is happening to the data, the controls you develop will be more intelligent.
Data Discovery and Classification
Myth #2: Effective data protection must start with a lengthy and complex data discovery and classification process.
The Reality: Data discovery and classification are important, but be practical. It’s disabling to your efforts to march step by step in a linear quest to attain the perfect schema. Discovery and classification are ongoing processes that are never complete. Continue to rely on them for mid-course corrections.
Dan’s Advice: Start with building a baseline set of protections based on data context. There are fewer kinds of context than there are types of data. Start with the assumption that breaches are inevitable and base your contextual hierarchy on where the critical IP resides. Focus on blocking or blunting the effect of an attacker’s potential malicious activities, which is most likely a small and reasonable number of potential actions. Combining context awareness with transfer visibility makes your data protection schema more scalable.
Keeping the Bad Guys Out
Myth #3: The goal of cybersecurity is to keep the bad guys out.
The Reality: In today’s interconnected world, what does “in” and “out” even mean anymore? Any external attacker who steals the credentials, authority and access rights of an insider can be considered “in.” Anyone who has access rights is a potential threat, including employees behaving badly.
Dan’s Advice: Designing data protection regimes around the “insider threat” by default also controls for an outsider posing as an insider. The outsider attack problem is solved as a side effect. The goal of this inside-out approach is to egress control: to keep the data from leaving. Don’t allow data movement in outbound network traffic to go unnoticed.
Myth #4: Data surveillance means breaking employee trust and invading employee privacy.
The Reality: Surveillance doesn’t have to be an attack on the employee’s privacy rights. It’s not about reading every email. Reading every email may identify single security incidents but it won’t reveal the more powerful insight: patterns of data movement and their context.
Dan’s Advice: The proper level of acceptable surveillance is a matter of debate inside each individual organization. Event data can be collected without examining actual file contents. It can be anonymized yet descriptive of the types of users, files, repositories and applications involved. Defining responses based on context will help prioritize your surveillance efforts.
Securing Your Own Environment
Myth #5: If you can secure your own environment, your data is safe.
The Reality: Any third party who can see your data is a potential risk, even though they have access rights. Any determined attacker knows how to work the data supply chain progressively from tertiary targets up to secondary and ultimately primary targets.
Dan’s Advice: A complex data supply chain calls for a collaborative approach between partners, suppliers and other stakeholders. Reach out to your peers at these organizations. Use a common language when discussing protection of your data. Try to run the same technology – that’s a consistent control. If you can, mandate adoption of security practices.
Security regimes age, while data’s value as a percentage of corporate valuation is only rising. As Bruce Schneier so eloquently said, “complexity is the worst enemy of security.” Simplify by focusing on data, not individuals or networks. Pursuing data-centric data protection puts you in a better position to weather the withering rate of change in our industry.