Through third-party trends and fads, from magical layer-three switches to freakishly smart suits with leather-bound pad-folios, from shadowy sorts paid to XSS, SQL inject, DDoS and / or socially engineer their way into your most trusted networks to the silver bullet of the all-knowing IPS on a tap, there remains but one undeniable truth: knowledge is power.
Knowledge of what your user community is doing with the currency that is your data. Knowledge about what happens outside of the crunchy hardened perimeter of the corporate network. Knowledge about the real work process of the over-eager sales manager, the ever-efficient general counsel or the fat-fingered marketing ambassador. Knowledge is the only effective way for an organization, large or small, with an army or a single soldier in the fight against insider threat or cyber espionage, to gain a leg up in the ever-changing theater of conflict that is big data security.
I’ve been lucky enough to sell for several distinguished organizations. I’ve sold lots of different point-in-time security solutions. Magic bullets have included network stuff, endpoint bits, wireless sniffers, application sandboxers, mainframe “fronters”, POS terminal encrypters, man-in-the-middle browsers and all of the “gotta have it to be secure” things in between. All promised to be the next 11-foot fence for the bad guys armed with 10-foot ladders. I’ve also worked through the people pieces: “people”-based vulnerability scanners, penetration testers, social engineers, code reviewers (“Yes, that will be manually validated”) and even “CISOs in a box” (no, not a literal box, but you get the picture). All of these solutions had merit, value and even, to a degree, provided protection. But most often these solutions fueled more questions than answers. Questions that leave the information security team begging and vulnerable. What are we protecting against? What do we need to protect in the future? How did that interview with the guy from the three-letter firm actually help me validate my policies? Where do we start? What the what! Classify EVERYTHING? And on it goes. The answer is knowledge. See what your user community sees, protect where they work. BRING DATA TO POLICY, not the other way around.
Three things you can do to drive knowledge acquisition, gain control and provide stewardship of your data:
- Run a mock data loss or cyber attack incident. Do this in a room with all the requisite resources. Now, re-run it with all those resources also doing their day jobs in their day-job locations.
  - You will gain an understanding of critical systems
  - You will gain an understanding of critical people
    - Folks you didn’t know you needed to know, in some cases
  - You will gain an understanding of the ripple effect on business process
  - You will uncover any deficiencies in your internal and external communication plans
  - You will gain an understanding that, like fire, flood or tornado drills, the knowledge transfer that happens during this exercise is hugely valuable and critical to the survival of your data – and maybe your company
  - You will begin to understand the peripheral costs of lost productivity and business disruption that a significant data breach imposes on an organization
- Accept that the user community is a big part of the solution, not just the weakest link in the security chain.
  - Educating after the “acceptable use policy” is signed and filed (buried) away is paramount to success
  - Firms have adopted many formal techniques, including “Cyber Security Awareness” week and quarterly trainings
  - Look for ways to provide feedback in real time – as data is being altered or used
  - Dig into the process of data creation (does it come from a specific application or out of a specific repository?) and understand how data propagates based on job function
  - Users generally want to do the right thing – they just want the least impact in getting there
  - Provide mechanisms that enable the user to feed back into the loop of data security awareness
- Leverage technologies that sit at the point of use, gather all events and pass them up for analysis, unfiltered and unaltered by any preconceived notion of what is important.
  - If your information security team could “approve” all aspects of data movement on a machine based on the agreed-to “data governance” policy, they would, but they can’t, so...
  - Gather everything; nothing is too small to capture
  - Suggesting that you, they or anyone knows the exact nature of a risk and how to protect against it without first observing is ludicrous
So, from the eyes of the security sales guy, I can tell you that there are lots of “close enough” and “almost right” answers. But to say that any solution or ecosystem can perfectly mitigate risk and provide the exact right security posture to the exact right process at the exact right time against the exact right threat is impossible. Find knowledge: gather it from people, from mock incidents and at the point of use. These three steps will provide the insight and visibility required to defend to the best of your ability (and that of today’s available technology).