How to Protect Sensitive Data without Having to Guess the Next Attack Vector



Focusing on data for effective and sustainable protection

In my previous post, I wrote about the futility of constantly protecting against the most recent breach rather than focusing on protecting the data itself. I want to expand on why I think focusing on the data is a much more effective way to defend against outsider attacks.

In the vast majority of cases, an adversary is attacking a target in an effort to steal data. The type of data varies depending on the goals of the attacker (e.g. financial information, consumer data, competitive designs, or source code), but in all cases their end goal is stealing the data. An effective, sustainable defense against these attacks has three core requirements that are centered on applying protection directly to the data:

  1. Identify sensitive data continuously. It is obviously hard to protect data if you don’t know where it is at all times. Generating a point-in-time inventory of data is a first step, but doesn’t account for data that is created or modified after the inventory, or the movement of data over time. To protect data, an organization must consistently and continuously identify and classify data as it is created or modified.
  2. Monitor sensitive data continuously. Data isn’t static. Employees, customers, and partners use and modify it, as do business applications. Protecting a data store is good, but critical data also exists on laptops and mobile devices, or in email to users inside or outside the enterprise. Knowing where the data “used to be” doesn’t help. It must be tracked throughout its life (and maintain appropriate classification).
  3. Protect sensitive data use contextually. Protecting data doesn’t mean simply locking it down. It requires a contextual understanding of three factors: what actions may be taken with the data; by whom; and, under what circumstances. Certain actions may be permissible on the corporate network, but not off the network. Privileged users need to configure devices but should prohibited from viewing specific files on those devices. (This is context aware security.)

Reacting to previous breaches can obviously plug holes in an organization’s defenses, but it’s not a sustainable strategy. By applying protection directly to data, organizations gain continuous visibility to data creation and use. If you know where your data is, at all times, policies controlling its use (and blocking misuse) are simpler to implement. In short, data-centric security protects sensitive information without having to guess the next attack vector.

Mike Pittenger
Related Articles
Insider or Outsider - Does it Matter?

Much noise is made about the risks associated with insider threats versus outsider threats, but why?

Breaking Down the Best Practices & Tools for Data-Centric Audit and Protection (DCAP)

Data classification, discovery, and encryption: We reached out to 18 security experts for insight on implementing a data-centric audit and protection program in an organization.

The Role of Security Analytics in Information Security Programs

18 infosec pros and analytics experts reveal the role of security analytics in information security programs today.

Mike Pittenger

Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at] caddisadvisors.com.

Please post your comments here