The quote above was attributed to Willie Sutton, an (in)famous bank robber in the 1930’s - 40’s and a 2014 Security Change Agent as nominated by 451 Research Senior Analyst Garrett Bekker. It was Willie's legendary quip in response to being asked why he robbed banks. In his 1976 memoir, he corrected the record, writing “Go where the money is...and go there often.”
Cyber criminals still follow Willie’s pragmatic advice. Financial services companies are subject to attacks every day, and with good reason. They hold information on millions of credit card holders as well as information on mergers, acquisitions, and other financial data. These are attractive targets for thieves.
These organizations also need to learn from their predecessors. The bankers of Willie's era faced outsider and insider threats, and knew their perimeters could be breached with sufficient brute force. They could hire more guards and build stronger vaults, but that didn’t address an insider working with the criminals to execute fraudulent transactions, or outside criminals who were able to stay one step ahead of the banks' security efforts. They learned that the best way to complement a strong perimeter was (in today’s words) visibility and correlation: know where the cash was at all times, track each movement of cash carefully, and perform reconciliations whenever the cash was moved to identify any discrepancies.
Logical safeguards in today’s cyber world mirror those. Build a strong perimeter and harden repositories, but accept as fact that perimeter defenses can and will be breached. The attack may come from an outsider using legitimate credentials gained through a phishing attack. It could also come from a disgruntled insider working alone or in concert with outsiders. Even more commonly, attacks and data loss result from unintentionally risky employee behavior that makes data theft even easier. From a defensive standpoint, it doesn’t really matter. The target of the attack – information – remains constant.
This brings us back to visibility and correlation. A strong perimeter must be complemented by visibility to where data resides at all times, an understanding of the context of each requested action, and real-time correlation to identify misuse. This allows legitimate actions to continue unimpeded, but blocks actions that put data at risk. For example, consider privileged users with administrative rights on computers storing sensitive information – perhaps the modern day equivalent of security guards. How do you allow them to access “the vault” to perform service, but prevent them from taking “the cash”?
In a data-centric environment, it’s simple. A data-centric approach separates a user's privileges on a device from their privileges with data, and it’s the latter that is more important. By correlating the classification of data, the user, and the action, information can be protected from misuse without interfering with permissible business activity. The privileged user can perform service on the device, but be prevented from copying, moving, or changing sensitive data.
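As an added illustration (not code from the original post or from any vendor product), a minimal Python policy check that separates device privilege from data entitlement and correlates the user, the requested action and the data's classification. The classification index and the entitlement table are constructed sample data; unclassified paths fail closed.

```python
from dataclasses import dataclass
from enum import Enum

class Cls(Enum):
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2

@dataclass(frozen=True)
class Request:
    user: str
    device_admin: bool  # administrative rights on the host: the modern "security guard"
    action: str
    path: str

SERVICE_ACTIONS = {"patch", "restart_service", "rotate_logs"}
DATA_ACTIONS = {"read", "copy", "move", "modify"}

# Constructed classification index; a real deployment fills this from data discovery/classification.
CLASSIFICATION = {
    "/srv/cards/export.csv": Cls.SENSITIVE,
    "/etc/httpd/httpd.conf": Cls.INTERNAL,
    "/var/www/index.html": Cls.PUBLIC,
}
# Constructed data entitlements, granted per user and classification, independent of device rights.
DATA_ENTITLEMENTS = {
    "analyst1": {Cls.SENSITIVE: {"read"}, Cls.INTERNAL: {"read"}},
    "sysadmin": {Cls.INTERNAL: {"read", "modify"}},
}

def decide(req: Request) -> tuple[bool, str]:
    """Correlate user, action and data classification into an allow/deny with a reason."""
    if req.action in SERVICE_ACTIONS:
        # Servicing the device needs only device privilege, never data privilege.
        return (req.device_admin, "device privilege" if req.device_admin else "not a device admin")
    if req.action in DATA_ACTIONS:
        # An unclassified path is treated as SENSITIVE so the check fails closed.
        cls = CLASSIFICATION.get(req.path, Cls.SENSITIVE)
        if cls is Cls.PUBLIC:
            return (True, "public data")
        if req.action in DATA_ENTITLEMENTS.get(req.user, {}).get(cls, set()):
            return (True, f"{req.user} entitled to {req.action} {cls.name} data")
        return (False, f"{req.user} lacks {req.action} on {cls.name} data")
    return (False, f"unknown action {req.action!r}")

def audit(requests: list[Request]) -> list[str]:
    """One audit line per request; DENY lines are the discrepancies a SOC would alert on."""
    decisions = [(r, *decide(r)) for r in requests]
    return [f"{'ALLOW' if ok else 'DENY'} user={r.user} action={r.action} path={r.path} ({why})"
            for r, ok, why in decisions]
```

Run `audit([...])` over a list of `Request` objects to see the admin's patch allowed while the same admin's copy of the card export is denied.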
So while criminals get better and better at finding out "where the money is," we still mimic many of the defenses used by Willie's targets. However, a data-centric approach provides advantages Willie’s adversaries lacked: visibility into where data is at all times, an understanding of the intent of the user, and real-time correlation to block actions that put data at risk.
Want more on the Willie Sutton story? Watch Garrett Bekker's video below or check out our 2014 Security Change Agents.