It brings to mind the story of the little Dutch boy attempting to stop a leaking dike with his finger. When a hole is discovered (through testing or an attack) we work to plug the leak quickly, and then wait for the next leak.
The problem with this approach is obvious. It focuses on defending against the last successful attack, and requires organizations to anticipate all possible weaknesses and attack vectors. We see proof every month that this strategy will eventually fail.
A better approach starts with a simple threat modeling exercise: For your organization, what are the likely goals of an attack? In the vast majority of cases, the answer is stealing data. It may be personal information or credit card numbers for criminals interested in financial gain, or source code, design documents, and trade secrets targeted by nation-states or competitors.
Rather than enumerate every possible attack vector and build a corresponding defense (and there are probably some you won’t think of), a better solution is to protect the data itself. A data-centric approach applies protection to the data and enforces usage policies based on the sensitivity of the data, the user, and the intended action (e.g. email, move, copy, print).
At its core a data-centric approach focuses on three things: identifying your most sensitive data, continuously monitoring that data so you know what’s happening to it at all times and locations, and protecting that data through the right level of usage controls and encryption. Protection that travels with the data simplifies the security challenge.
Or, like the little Dutch boy, we can continue to plug holes, hoping not to run out of fingers…
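The three elements described above (identify, monitor, protect) can be sketched in a few lines. This is an added example, not code from the original article or from any product; the sensitivity labels, roles and policy table are hypothetical, and the card number is the widely used test value, embedded as constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Identify: label content by the most sensitive thing found in it."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "restricted"
    return "internal" if "confidential" in text.lower() else "public"

# Protect: (label, action) -> roles allowed. Anything not listed is denied.
# Hypothetical policy: restricted data may never be emailed.
POLICY = {
    ("restricted", "print"): {"finance"},
    ("restricted", "copy"): {"finance"},
    ("internal", "email"): {"finance", "engineering"},
    ("internal", "copy"): {"finance", "engineering"},
    ("internal", "print"): {"finance", "engineering"},
}

@dataclass
class Guard:
    audit: list = field(default_factory=list)  # Monitor: every decision is recorded

    def request(self, user, role, action, text) -> bool:
        label = classify(text)
        allowed = label == "public" or role in POLICY.get((label, action), set())
        self.audit.append((user, role, action, label, "allow" if allowed else "deny"))
        return allowed

if __name__ == "__main__":
    g = Guard()
    doc = "Card on file: 4111 1111 1111 1111"  # constructed sample
    print(g.request("alice", "finance", "print", doc))
    print(g.request("bob", "engineering", "email", doc))
    print(g.audit)
```

The decision depends on what the data is rather than where it sits, and denied requests are logged alongside allowed ones so monitoring sees attempted use as well as actual use.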