Why Identifying and Protecting Critical Information Assets Should be a Foundational Element of your Security Program
The digital world has become a scary place, one which many people fear, and one in which few organizations feel they are adequately protected. Every day, there is more news about breaches, new threats, zero day attacks, adversarial groups, and a barrage of new technologies that claim to solve all of these problems. Some of the technologies are very good, logical extensions to the security platforms we already have in place. A good example is the Cloud Access Security Broker (CASB) market which helps to extend well-built data and threat protections to cloud applications and infrastructures. The fundamental problem with the efficacy of new technologies though is the fact that they assume you are building this new technology on top of a solid programmatic foundation, and many organizations are not. The problem is not a lack of desire for organizations to protect themselves, quite the opposite, organizations are spending ever increasing portions of their budgets on security initiatives, often with lackluster results. The problem is that organizations have failed to define a narrow enough scope to marshal their resources effectively to protect what’s most important.
Not all information is created equal. Some information is more important to the profitable operation of a business than other information. This is not my opinion, it is an undeniable fact for every organization, and one of the few universal truths in the information security world. Every organization likely has three distinct types of information: information that can be shared freely, often referred to as public information, information that can be shared with certain audiences in specific ways, often referred to as sensitive information, and information that should remain confidential to the company and should not be shared, often referred to as secret or internal information.
The first or second step in any effective information security program is defining these three categories and what information falls into each category. Why? Because doing so allows an organization to apply special controls to enforce the proper use and sharing of that information. Why is that important? The best analogy I can use is home security.
In your house, there are likely assets of average value, things like televisions, computers, and furniture. You would not be happy if people stole those things from you, but it would not be earth shattering if it were to happen. You could replace those items and life would go on for you with some minor inconvenience. You protect those items with things like locks on your doors and windows and some basic home protections. You also likely own things that hold extraordinary monetary, are of sentimental value, or that are difficult to replace. Many people have a fireproof safe for these items. Since space is limited in that safe, and buying a larger safe would be expensive, most people are judicious with what they choose to apply that extra protection to.
Your cyber-security program should be exactly the same. You absolutely should deploy perimeter technologies like firewalls and Intrusion Detection and Intrusion Prevention systems (IDS/IPS), and basic endpoint protections like antivirus and whole disk encryption to apply broad protection to your digital enterprise. However, much like your home, there are pieces of information that are worthy of an even higher level of protection. We call those critical information assets. Think of those assets as the items you would put in your proverbial safe. The larger your security budget, the larger that safe will be, but very few for-profit businesses can buy a safe large enough to fit all of their assets, just like it would be impractical for the average homeowner to turn their entire home into a bank vault.
These critical information assets should become the focus of your more resource intensive detection and response capabilities. Technologies like Data Loss Prevention and Security Information and Event Management systems. Those systems would form the foundation that allows an organization to deploy next-level technologies to protect their assets within a defined scope that is justifiable from a cost/benefit analysis perspective. This approach seems logical, but organizations truly leveraging this approach represent the minority of organizational security programs. In order to understand this dynamic, we must first understand the threats we face and the alternatives we have.
The Threat Landscape and Your Three Options
You do not have enough budget to protect everything in your environment from all threats that could possibly target you. This is not my opinion, it is a statement of fact. A recent presentation given to a group of security professionals by the Las Vegas Field Office of the United States Federal Bureau of Investigation (FBI) identified six groups, each with its own unique set of actors, capabilities, limitations, motivations, and tactics. They are:
- Hacktivists: Hacktivists use network exploitation to advance their political or social causes.
- Criminals: An individual or group who steals information and extorts victims for financial gain.
- Espionage: Nation-states who conduct operations to steal state secrets or other proprietary information from private companies.
- Insiders: Trusted personnel and employees who steal information for personal, financial or ideological reasons.
- Terrorism: Terrorist groups that target facilities such as water treatment plants that are the backbone of the country’s critical infrastructure.
- Warfare: Nation-states sabotaging military and critical infrastructure systems to gain advantages during conflicts.
The fact that you cannot protect everything and the corresponding fact that there are so many different threats you may face leaves you with three, and only three, macro-level options for your security program:
First, you can do nothing, stick your head in the sand and hope you don’t become a victim. If you do, you can blame circumstances outside of your control or proclaim the Information Security battle hopeless. This used to be a quite popular strategy, but this approach is quickly waning as most consumers, investors, board members and executives recognize this is not an acceptable approach.
Second, you can decide which threats you will protect yourself from, building your risk treatment plan on the threat level. This is a popular strategy as many people will tell me, “We aren’t likely to be attacked by XYZ actor group”. Most people take this approach whether they do so consciously or not. The problem with this approach is that it assumes you know all of the possible threats out there, what motivates them and that the information around the threats will never change. That is an unrealistic expectation because the threats do change, and often. The FBI has expanded their threat actor group from four to six since 2015. Symantec’s threat research team has been tracking a specific threat actor group they call Black Vine which has changed the information they are targeting from Aerospace, to manufacturing, to energy, to healthcare all since 2014. The research from Symantec suggests that the group is targeting different industries as they steal the information they need from a previous industry. The point is not to focus on a single threat actor group, but instead to show that groups are constantly changing and evolving. Trying to keep up with all the threat actor groups, their current targets, and current tactics would take as many personnel dedicated to that task alone as most Information Security teams have on staff. Given enough resources, this approach could be quite effective, but it is horribly inefficient.
Finally, you can fashion your programs to protect the most important pieces of information in your environment, therefore shrinking the attack surface you must protect and the scope of your programs. This is my recommended approach, and is, in my opinion, the only way to be effective at Information Security in the private sector.
The Concept of Focus
There is a saying that some of the most influential leaders in my life have championed in one form or another which essentially says that the essence of focus is that when we decide to do something, we consciously decide not to do something else. The idea is that spreading our limited resources too thin means that we cannot be effective in any of our initiatives. That does not mean that we don’t diversify our positions, because the same leaders also say that you can bet on both colors and stay in the game longer, but it does mean that we cannot do everything. We must properly set scope and choose not to do some things. This means in Information Security, there are risks we must accept, so we can focus our Risk Mitigation resources on the risks whose mitigation are likely to provide the greatest benefit to our business.
If you do not know which organizational assets fall into which category that I defined above, you have essentially limited yourself to a single option with respect to focus. You’re not realistically going to choose to do nothing, that’s simply enumerated because it is an option, albeit not a very good one. Further, if you don’t know which assets you have that are most critical to your business operations, your only method of achieving focus is through picking which threats you’re going to protect against, which is limited by your imagination and the amount of resources you can dedicate to threat research. Therefore, the identification of critical information assets, and by extension, the implementation of a good content analytics program to distinguish critical information from commodity information is paramount.
So, Is Content Analytics the Panacea?
In short, absolutely not. Nothing is the panacea for all of Information Security. There is no silver bullet and there will never be an “easy” button. This is a struggle between smart and adaptable human beings on both sides of the equation. There is not now, and will never be, a technology that will make you impervious to a well-funded, skilled and adaptable attacker. Protecting yourself from such adversaries will always require a program.
Therefore, content analytics is not a universal solution in and of itself, but tracking behavior, both authorized and unauthorized, with respect to critical information assets, is the foundational element that increases efficacy of several other solutions. I will discuss several solutions that are popular, or are likely to be popular in the near term, along with why content analytics helps to enable each:
- Rights Management: Many organizations would like to deploy Rights Management solutions, which allow them to exert control over information after it has left their environment. These controls could be removing the ability to copy and paste from a document or print it, removing the ability to forward and email, digital expiration which can destroy a document after a specific time period, or digital shredding, which can destroy all copies of a document on demand. The reason Rights Management is notoriously difficult to deploy though, is that applying these protections to all information is very resource intensive to the point where it is infeasible for many organizations. Effective content analytics programs allow organizations to only apply these controls to the information that needs them.
- File-Based Encryption: Closely related to Rights Management, encryption is generally deployed on files to ensure that only the designated recipient is able to access the file. In order for this to be effective in its intent, a separate key must be generated for each file and each intended recipient, as re-using keys means that there is a possibility that an intended recipient for one file can decrypt not only that file, but also other files they should not be able to decrypt. Therefore, key management can become a major burden and barrier to implementation. Reducing the number of files that are encrypted using content analytics makes this key management process much more feasible.
- Identity and Access Management (IAM): IAM in this context is not the traditional two-factor authentication, but instead IAM with respect to information. This generally would need to be paired with an encryption strategy, but it allows certain controls to be placed on the conditional decryption of information. For example, you could require two factor authentication to open a document, or put geo-fencing in place so information couldn’t be stolen from employees or they couldn’t be coerced into sharing it when traveling abroad. Similarly to encryption and rights management, the key to a successful implementation is limiting the scope to information that requires this level of protection.
- Cloud Access Security Brokers: Two of the four pillars of CASB are Data Protection and Compliance. You cannot be compliant without an effective content analytics engine to definitively determine what information is in scope for a specific regulation and what information is not. Similarly, Data Protection as an initiative obviously requires effective content analytics as they are essentially one in the same.
- User and Entity Behavioral Analytics: This is one of the few things on the list that could be effective without an effective Content Analytics capability, but it would make it very difficult to prioritize risky behaviors from a true business impact perspective. This means the scope of the program would have to be much wider and much more resource intensive. Effective content analytics can make UEBA far more efficient to implement.
- Security Information and Event Management: SIEM systems are unique because they give you a window into your entire environment and also incorporate your security devices and your perimeter devices. While SIEM should monitor your overall security apparatus, you can use an effective content analytics program to prioritize effectively. For a physical world example, if any motion sensors go off when there shouldn’t be any motion, you should investigate that. If the motion sensors right in front of the room that contains your crown jewels go off, that response should be much more swift and forceful. Effective security programs should be built exactly the same way.
- Counter-Recon and Lures: In order for proactive security measures to be effective, they must mirror the actual information bad guys want. In order to make the lure as effective as possible, you must first understand the information, where it’s stored, and how it behaves in your environment. To use an example from my childhood, some fish are hungry and they will bite a hook baited with only corn. More fish will bite a lure that mimics the look and movement of a real fish.
It is my firm belief that content analytics are the bedrock for an effective business-centric security program. As I have outlined, many of the capabilities that may be aspirational for your security program, or may be cutting edge, can be built on the foundation of an effective content analytics program. The good news is you can start now! You don’t have to wait. There are phenomenal content analytics engines in the form of Enterprise Data Loss Prevention solutions currently available now and will be extensible to these emerging platforms and capabilities. It all starts with defining critical information assets and building accurate policies to detect them, accompanied by building in exclusions for authorized business processes. Doing so is hard work, but doing so effectively will lay the foundation for a more secure future for your organization.