Putting Cybercrime in Perspective: What’s Your Risk Appetite?
Cybercrime is big news. It seems almost weekly, we see reports of a massive company affected by an even more massive data breach. We hear about the sophistication of the cybercrime economy on the dark web. And we hear politicians ranting about preventing cyberattacks by government-sponsored hackers.
Is it all hype? How much does cybercrime affect YOUR business—really?
Surprisingly, many mid-market companies and smaller enterprises often tell us they don’t feel they are really a target. They brush off the need for data security by telling themselves a couple of different kinds of stories:
Those brush-offs are myths. The truth is:
To ensure effective, cost-efficient data protection, mid-market companies need to put their security needs into business terms.
To put some perspective around your risk for data loss, don’t compare yourself to the big media stories. Instead, consider the way criminals take advantage of opportunity.
Say you are a midsize regional hospital. In the gift shop, an employee leaves a $100 bill on the counter during a transaction. That bill is an opportunity; a fast-thinking criminal can snap up the bill and run out without any planning. Of course, the risk of getting caught with that $100 is reasonably high.
What if instead the gift shop employees leave an unsecured router on the counter? A thoughtful criminal might recognize that as a greater opportunity. The motive for stealing data through that router might be to sell employee and patient personally identifiable information (PII)—or it might be just to prove that they can break in. But the theft itself may not be discovered for a long time, and the chance of getting caught is pretty low.
Regardless, now that PII is in somebody else’s control. You have a data breach.
What will that cost you? According to the Ponemon Institute’s 2019 Cost of a Data Breach Report:
That kind of impact could be devastating to your midsize hospital.
Of course, an unsecured router is only one of many ways cybercriminals can access your systems and the sensitive information of your customers and company. How can you implement data protection in a way that’s going to make the biggest impact in the most cost-efficient way?
The Cost of a Data Breach report offers recommendations for security program elements that make the greatest reductions in the financial impact of a breach:
Ultimately, investing in a data protection program is your most important form of risk management. Companies of all sizes must be highly aware of their risk tolerance and make informed decisions about how to invest appropriately to provide the level of protection their customers, regulators, and stakeholders demand.
For any size enterprise, from mid-market organizations to large global corporations, seeking the experience of a trusted managed data protection provider is a risk-reducing solution that makes good business sense.
InteliSecure experts bring more than 15 years’ experience in security analysis and data protection strategy. Contact us to discuss your organization’s data protection needs—and find the solution that fits.
August 15, 2019
3 Ways Dynamic Data Protection Impacts the Future of DLP
Dynamic Data Protection is a conceptual shift introduced by Forcepoint, a longtime leader in the field of data security and DLP solutions. A few years ago, Forcepoint acquired the User and Entity Behavior Analytics (UEBA) company Red Owl, which had developed a solution for parsing through logs from a multitude of sources in order to baseline normal behavior and identify behavioral risk anomalies in a user base.
Many technologies have the ability to build similar models to identify risk, but what Forcepoint did next was revolutionary. They decided they were going to integrate those risk scores into their DLP product so that the decision to block or allow a specific data transaction over a specific channel could be determined by the risk level of the user.
Let’s look at how the ability to dynamically adjust user controls is a game changer for three of the most common use cases you’ll encounter.
In some countries, it’s common to require companies to present a data protection program to a worker’s council before implementing the program. Users then evaluate the program to determine whether it meets their standards for workers’ rights, especially a worker’s right to privacy. Two of these countries, Switzerland and Germany, have many companies that depend primarily on Intellectual Property (IP) for revenue generation, including biotechnology, manufacturing, and pharmaceutical companies, so the approval process has been well tested.
One of the major issues that workers’ councils raise with data protection programs is that all traffic from all users must be inspected for the program to be effective, and the rules engines are not 100% accurate. The councils argue that workers are exposed to monitoring that may unintentionally violate their privacy and that level of intrusion isn’t proportionate to the necessary protection.
To make such a control acceptable to workers, the councils recommend that the control only be activated for individuals when the organization has probable cause to look into their behavior. To establish probable cause, the analysis should be automated and free from human bias.
When faced with that challenge, organizations have either abandoned their programs or used rudimentary manual mechanisms to identify risk and turn monitoring on. But manual programs, while better than nothing, were hardly effective.
UEBA meets the standard of an automated system free from human bias, allowing us to assess the risk of users without collecting any additional information about them; we are simply analyzing logs that contain data we’ve already collected. With Dynamic Data Protection, we can configure a policy to report a violation only if a user has a risk score that’s over a specified threshold. Therefore, we can satisfy the requirements of the workers’ council and potentially deploy data-centric information security programs in more countries than we could previously.
An account belonging to a trusted user may suddenly begin exhibiting risky behavior for a variety of reasons. The two most common are 1) compromised credentials and 2) the three-week notice.
If a user’s credentials are compromised, that user’s behavior will change. Whoever compromised the credentials will begin exploring the access permissions they now have, what information they can access, and what they may want to exfiltrate.
With Dynamic Data Protection, that change in behavior will be detected, and the policy can be dynamically updated to prevent the user from downloading sensitive information or emailing it outside the organization. Security personnel then have time to remediate the compromised account. This approach is vastly superior to what normally happens—which is that the compromise is discovered after large volumes of data have left the company.
The three-week notice (a term I believe I “borrowed” from Scott Gordon, a Cloud Strategist for Symantec) begins when, during the week before an employee gives their formal notice, they start downloading company information that may be helpful to them in their next job. Many studies have verified this behavior, and it’s estimated that more than half of people take data with them from one job to another.
This behavior isn’t necessarily malicious, but they shouldn’t be doing it, and they know it. Most employees have a pretty specific skill set, and when they leave one organization and go to work for a competitor, they take that knowledge with them. With this behavior, they are also taking information with them. Typically, they intend only to make their own lives easier, not necessarily harm their former employer. But they do harm their former employer in one way or another.
Dynamic Data Protection will identify that behavior and restrict that user’s ability to take data with them by applying a more restrictive policy when their behavior changes. InteliSecure client organizations that have a UEBA or Insider Threat program can generally identify users that are going to leave between one and four weeks ahead of formal notice based on behavior patterns alone.
According to IBM’s Security Intelligence news site, annual cybercrime proceeds have exceeded $1.5 trillion. If cybercrime were a country, it would have the thirteenth-highest GDP in the world, ranking just above Spain and slightly below Russia. Global proceeds of cybercrime exceed the GDP of countries such as Australia, the Netherlands, Switzerland, Saudi Arabia, and Turkey.
One third ($500 billion) of that annual cybercrime revenue comes from stealing IP and trade secrets. In contrast, ransomware generates $1 billion annually, or about 0.2% as much as IP and trade secret theft. It’s common knowledge that very well-funded actors and nation states are often behind IP theft. Contrary to popular belief, however, those attacks are generally not launched using zero-day threats or sophisticated malware.
Take the case of American Semiconductor, a wind turbine component manufacturer that was the victim of Chinese IP theft, which resulted in massive long-term impacts and almost put the company out of business. The Chinese didn’t hack into their systems. Instead, a Chinese government operative met a privileged user at a coffee shop and offered him $2 million to download some important files and turn them over.
Many employees would be tempted by such an offer, and all of the fancy anti-malware engines and perimeter defenses you hear so much about would be completely powerless to stop such activity.
However, Dynamic Data Protection could stop it.
As soon as that user returned from the coffee shop and logged in, his behavior would change. He would immediately begin looking for the data and downloading specific information to a USB drive. UEBA could detect that behavior change, and Dynamic Data Protection could stop that download.
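The risk-adaptive decision that runs through all three use cases above, as an added example that is not Forcepoint’s or InteliSecure’s code: a per-user behavioral baseline yields a UEBA-style risk score, and that score decides whether DLP inspection is even activated for the user (the workers’ council requirement) and whether a sensitive transfer is allowed, logged, or blocked (the compromised-account and coffee-shop scenarios). The activity log, channel weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed activity log (assumption): per user, one tuple per day of
# (sensitive file downloads, USB copies, emails to external domains).
# All days but the last form the baseline; the last day is the one scored.
ACTIVITY = {
    "alice": [(4, 0, 2), (5, 0, 3), (3, 1, 2), (6, 0, 2), (4, 0, 3)],   # steady
    "bob":   [(3, 0, 1), (2, 0, 2), (4, 0, 1), (3, 0, 2), (41, 6, 9)],  # sudden spike
}

# Assumed policy tiers. Below MONITOR_THRESHOLD no content inspection is
# activated at all; at or above BLOCK_THRESHOLD the restrictive policy applies.
MONITOR_THRESHOLD = 40.0
BLOCK_THRESHOLD = 70.0

# Exfiltration channels (USB, external email) weigh more than plain reads.
CHANNEL_WEIGHTS = (1.0, 2.0, 1.5)


def risk_score(baseline, today):
    """Return a 0-100 score for how far `today` sits above the user's own
    baseline, measured per channel in standard deviations (z-score)."""
    per_channel = []
    for i, value in enumerate(today):
        past = [day[i] for day in baseline]
        mu, sigma = mean(past), pstdev(past)
        sigma = max(sigma, 1.0)              # floor so a flat baseline stays finite
        z = max(0.0, (value - mu) / sigma)   # only upward deviation is risky here
        per_channel.append(min(z, 10.0))     # cap a single channel's contribution
    raw = sum(w * z for w, z in zip(CHANNEL_WEIGHTS, per_channel)) / sum(CHANNEL_WEIGHTS)
    return round(min(100.0, raw * 10.0), 1)


@dataclass
class Decision:
    inspect: bool   # was DLP content inspection activated for this user at all?
    action: str     # "allow", "monitor" or "block"
    reason: str


def dlp_decision(score, transaction):
    """Map a risk score plus an attempted transaction to a DLP action.
    `transaction` has 'channel' (e.g. 'usb', 'email') and 'sensitive', the
    rules-engine verdict on the content being moved."""
    if score < MONITOR_THRESHOLD:
        return Decision(False, "allow", f"risk {score} below threshold; not inspected")
    if not transaction["sensitive"]:
        return Decision(True, "allow", f"risk {score}: inspected, content not sensitive")
    if score >= BLOCK_THRESHOLD:
        return Decision(True, "block", f"risk {score}: sensitive data over {transaction['channel']} blocked")
    return Decision(True, "monitor", f"risk {score}: sensitive transfer logged for review")


def evaluate(user, transaction):
    """Score the user's latest day against their own history and decide."""
    days = ACTIVITY[user]
    score = risk_score(days[:-1], days[-1])
    return score, dlp_decision(score, transaction)


if __name__ == "__main__":
    attempt = {"channel": "usb", "sensitive": True}
    for user in ACTIVITY:
        score, decision = evaluate(user, attempt)
        print(f"{user}: score={score} action={decision.action} ({decision.reason})")
```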
I am vendor-neutral in everything that I do, and this is not an advertisement for Forcepoint. Forcepoint has come up with a game-changing capability in my view that revolutionizes the art and science of data protection.
However, the approach isn’t perfect in its current form. It could be easier to deploy, faster to react, and integrated with many other Forcepoint and third-party products.
That being said, the idea of Dynamic Data Protection is amazing and should be embraced across the industry. Our focus as a security community on networks and endpoints is antiquated and failing. To move our data protection models into the future, we need to focus on people, data, and cloud. Dynamic Data Protection takes a meaningful step towards that future.
Are you looking for a meaningful way to transform your approach to data protection—and help secure the future of your company? Talk to the experts at InteliSecure and learn the options that are available to you today.
August 1, 2019
Intellectual Property Theft Prevention: Black, White, and Shades of Gray
I work with organizations around the world across a variety of industries, and I’m perplexed by one thing that most of them have in common: their data protection programs are focused solely on regulated data such as social security numbers, credit card account information, and other personally identifiable information (PII).
Complying with data security regulations is important, but rarely is regulated data the only data worth protecting in a company. In most organizations, the risk associated with regulatory fines is far smaller than the potential losses associated with intellectual property theft—loss of market share, loss of competitive advantage, loss of revenue, and potentially loss of the entire company.
Protecting IP requires making calls that are not black and white, yes or no. IP data is often unstructured and doesn’t fit neatly into established categories. It takes Information Security teams into gray areas that are uncomfortable. Before you can protect your IP effectively, you need to identify the difficulties around dealing with those gray areas.
Here are some of the most common issues.
It’s true that protecting IP is not as straightforward as protecting other types of sensitive information. Regulated information is well defined in the public space. Something is either a credit card number or it’s not. It’s either personally identifiable information (PII) as defined by global regulations or it’s not.
Mature organizations have a list of people who can handle that regulated sensitive information and have defined acceptable use of that information. The Information Security team can set up rules to enforce those documented policies easily. It’s black and white.
IP protection, in contrast, is messy. It isn’t black and white. It’s one big squishy gray area. Although a few rules govern how IP cases can be brought to court, no external entity dictates what constitutes Intellectual Property or how an organization must protect it.
IP is difficult to define even for the organizations it belongs to. To properly protect IP, the Information Security team must engage the business leaders who create and profit from it. They need to know what drives revenue for the organization, what role the IP plays in that revenue, and whether the information would be valuable to an outside entity. And they need to understand who plays a role in the creation, storage, usage, and transmission of the data.
After that, they need to speak with the legal team to see what portions of the Intellectual Property are legally protected and therefore not sensitive—and what portions of the IP are considered Trade Secrets or Know-How and have few legal protections.
Even when IP is defined, quantifying the risk of its loss is a challenge. The ability to quantify risk is a measure of a company’s overall health. Publicly traded companies must produce an annual report known as a 10-K report. In that report, section 1A is a detailed list of the risk factors affecting their business.
In that evaluation, regulatory fines are risks that are easy to understand. If you don’t comply with a specific regulation, the regulating body will fine your company for non-compliance with data security regulations. The company can look at the legal precedent to see what organizations were held accountable and what the actual costs were in the event of a breach. It’s black and white. And it’s easy to quantify the value of mitigating that risk too: I am going to invest X dollars to reduce my exposure to a risk of a fine that will cost Y dollars.
In my experience, effectively protecting IP will also mitigate 25%-40% of those easily quantifiable risks. However, organizations struggle to quantify risks associated with not protecting the IP itself, even though those risks are very real. It’s a gray area.
Organizations often maintain lists of users who can interact with regulated information. Data security regulations also typically define the allowed activities related to that information. For example, the Health Insurance Portability and Accountability Act (HIPAA) states that a health record being transmitted via email must be encrypted. That rule is black and white—easy to implement and enforce.
For Information Security teams asking whether a user can interact with IP inside an organization, the answer is almost never “yes” or “no.” In nearly all cases, “it depends.”
That answer is governed by a variety of factors related to the person’s job role and normal pattern of behavior. How that information should be used often changes quickly, and the changes are typically not well defined. The entire rule set for IP is a gray area.
These are conversations that many organizations’ Information Security teams are unwilling or unable to engage in.
In many organizations, data protection programs are categorized under the same umbrella as information security tools. This makes sense from an outside perspective; after all, data protection programs do fall under Information Security and are often operated under the same budgets as traditional security technologies such as Security Information and Event Management (SIEM), Endpoint Protection Platforms, and Intrusion Detection and Prevention Systems (IDS/IPS).
Data protection programs, though, are fundamentally different from those technology tools because they require business engagement in order to be effective. And that can be a challenge.
Even in organizations that attempt to force that communication to happen, most Information Security teams do not use the same language (or jargon) to communicate security concepts that business leaders use. Business leaders are becoming more technically savvy, but many Information Security teams struggle to provide information in ways that make sense to their executive teams.
As a result, the IT Security teams default to the areas where they are most comfortable: protecting regulated data with black-and-white security tools. A firewall checks a list of senders, destinations, and ports and allows or denies each piece of traffic that attempts to traverse its network segment. A web gateway puts websites into categories and allows or denies users access to that category. A traditional antivirus program scans a file against a list of known bad files and if a match is identified, the program blocks or quarantines the file.
This is all very straightforward and not nuanced. The decision is black and white.
There is good news for companies that recognize the value of their IP. Managed data protection solutions are enabling companies to access highly specific protections for structured and unstructured data while dramatically reducing the complexity of security management for their staffs.
In addition, emerging and newly available technologies are helping companies overcome the difficulty of working in the gray areas of data protection. Machine learning is an area showing tremendous promise. Although automated technologies aren’t capable of supporting nuanced decision patterns, they can help streamline responses, improve reporting, and allow for dynamic actions.
In my next post, I will walk through a concept called Dynamic Data Protection, a solution based on the idea that if you combine analysis of the riskiness of human behavior with what is happening with respect to data, you can program machines to make nuanced, automated decisions in those gray areas.
This is an exciting concept and a major leap forward. It is also not a silver bullet. Organizations still must engage with the business to define what sensitive IP is, and they should start doing that now. Capabilities exist to protect sensitive Intellectual Property, and the stakes are higher than they’ve ever been.
The question is not whether you can afford to protect your intellectual property. The question is quickly becoming whether you can afford not to.
InteliSecure offers consulting services to help organizations navigate the gray areas of critical asset protection. Connect with us to start working through your complex conversations.
July 24, 2019
Future-Proofing Your Information Security Strategy
This blog post doesn’t focus on data loss prevention (DLP); it is about security in general. I don’t often write about the broader topic of Information Security because there are large portions of the security space that I am not involved in. However, after much thought, I feel obligated to share some ideas with the larger Information Security community, and specifically Information Security leaders inside of organizations, about what I believe the future will hold.
My responsibilities require me to travel the world and talk to a lot of people. I hear business leaders expressing growing concern at their ability to protect their information and their businesses in the face of seemingly overwhelming security threats. My response is to offer a take on the message that Gary Ryan Blair expresses in the quote above: Don’t look to past paradigms to protect your business. Instead, focus on what’s ultimately important—and within your control—as you move into the future.
Information Security professionals I talk to readily admit that the “perimeter”—that imaginary protective wall around a business and its data—is dissolving. One major driver of this dissolution is the fact that we already live in a hybrid world today. Very few organizations store and use their data 100% on premises and very few are 100% in the cloud. As a result, on-premises security and cloud security are equally important today.
However, digital transformation has progressed to the point where the key question about data has changed. Instead of asking what data will go to the cloud and what will stay on premises, we should ask how long it will be before the majority of organizations don’t operate data centers at all.
Despite the wide recognition of this shift, organizations still try to apply perimeter concepts to a world without boundaries. For example, some organizations are deploying firewalls inside of Amazon Web Services. Why?
It’s my job to look into the future—and the future holds some revolutionary innovations. Consider quantum computing, which offers orders-of-magnitude more processing power than any binary system ever could because a single qubit can operate in 256 distinct states, whereas a traditional bit has only 2. The potential power of this type of computing is staggering.
However, most organizations will never own a quantum computer; the operating environments for this type of technology will be prohibitively expensive for most data centers, so it’s likely that the primary model for quantum computing will be Quantum Computing as a Service (QCaaS). Pair that with the rapid growth of Infrastructure as a Service (IaaS) that we’re already seeing, and it’s not hard to envision a world where all workloads are elastic and rented rather than static and purchased—and where the only organizations that own data centers are global governments and cloud services providers.
Many paradigms will change if such a world comes to fruition, but it is the most efficient way to operate and distribute resources. The shift will restructure many capital markets—and it will also challenge many security models.
The Cyber Security Hub published this graphic detailing the disciplines of security and describing the products that fall into each bucket.
This model is helpful for understanding how we have navigated a crowded and confusing information security landscape. However, it is also useful for examining the future of security—and weeding out the sections we can no longer control.
What are you left with? Outside of policy management and limited operations, you are left with control over your data. If you look inside the teal bubble, you also have control over who you allow to access that data and the resources you rent.
Therefore, in this world, all that matters are people and data.
For those of us who are passionate about the importance of Information Security, the scary part of this new model is that most security strategies focus on the purple, blue, gold, and red sections—the sections that I don’t think organizations will control in the future I am describing.
I firmly believe we are moving at an accelerated pace towards the future I have described. I can’t realistically predict exactly when we will get there. When skeptics express doubts about the pace of the digital transformation, I ask them a simple question: “What trends are you seeing that suggest a massive move back on premises for services that have gone to the cloud?”
I just don’t see that trend going backwards. The elasticity, flexibility, and reduced barriers to entry into markets offered by cloud services are too appealing to ignore, especially for smaller and mid-market businesses, which still form the majority of the economy. I cannot imagine a new business starting today and borrowing capital to build out a data center. It would be difficult to imagine not utilizing SaaS and IaaS when those options allow you to be up and running in days instead of months or years.
Information Security leaders should start pivoting now to emphasize the two elements of security that are not likely to be diminished: people and data.
Most important, begin re-skilling your workforce to address the problems of the future. It’s fine to maintain your legacy systems like Security Information and Event Management (SIEM), firewalls, intrusion detection and prevention services (IDS/IPS), and endpoint protection, but don’t make those the center of your strategy. If you do, you’re likely to see diminishing security efficacy over time.
If there’s one thing digital transformation should have taught us so far, it is that business is going to move towards innovation, efficiency, and mobility as quickly as possible. The advantages the future offers to business are essential to retaining a competitive advantage, and security leaders will not be able to slow or prevent the evolution.
We must prepare now so we can be ready to protect the business as it continues to innovate, rather than being dragged through digital transformation kicking and screaming. It’s time to challenge our thinking and finally accept there is no perimeter and we cannot build a castle. The future of Information Security is asymmetrical, dynamic—and already a reality.
When it’s time to future-proof your DLP strategy, you may still need to convince your leadership of the value of that change. Download the case study Making the Case for Critical Asset Protection and learn how a major cancer center implemented a Critical Asset Protection Program™ (CAPP) with InteliSecure and gained control of the flow of information inside and outside the organization.
July 17, 2019