The perimeter is gone: Protecting data without limits

Nov. 6, 2014
Establishing clear security policies and procedures will aid organizations to better track and spot threats

The business of data is changing. Data is on the move and in high demand; it’s no longer contained within your internal network. Nearly every organization has some form of network access for partners, suppliers, remote employees, support, cloud services and customers. Each of these is a potential gap in your perimeter security through which information can leak – poke enough holes and the entire system will collapse like a sinking ship.

In an age of advanced cyber attacks and insider threats, traditional perimeter-based or device-centric security is no longer enough. We see this through the daily stream of data breaches, hacking schemes and security threats making the headlines. No one company or industry is immune. Any companies that rely solely on perimeter-based security are putting everyone at risk—employees, customers, investors, partners, and the business itself.

In order to even the odds and give companies a fighting chance against the world’s most sophisticated hackers, companies need to adopt a data-centric security strategy that focuses on protecting the data itself, providing more effective security in a world without walls.

Recent Trends in Data Breaches

During the past 18 months, we have seen the largest and most complex data breaches on record. By analyzing some of the most high-profile incidents, several trends emerge that illustrate how criminals are breaking through the perimeter and the sensitive data they’re after.

Third party access -- The 2013 attack on Target exposed 40 million payment card accounts and leaked 70 million personal records. Third parties—such as the HVAC company in the case of Target’s massive breach—can be an open gateway for attackers. It is common for large retail operations to grant network access to contractors to monitor things like energy consumption, temperature, etc. in stores and to alert them if something goes wrong. Since Target’s network was reportedly improperly segmented, the credentials stolen from the HVAC company also could have provided access to Target’s payment system network.

Signed malware -- One of the major shifts represented in the recent breaches is the explosion of malware breaches – in particular, signed malware. According to a recent McAfee Labs Threat Report, signed malware continues to set records, increasing by more than 50 percent in Q4 2013 versus the previous quarter. Signed malware is sophisticated software that poses as approved legitimate software in order to avoid detection while it seeks and collects sensitive information. It can essentially render SIEM and other detection systems useless. Only the most sensitive filters are capable of catching it, but such high sensitivity produces massive amounts of “noise,” or otherwise normal activity that raises a similar alarm. This noise makes detection very difficult, as evidenced by the fewer than 14 percent of breaches detected by internal security tools, according to Verizon’s 2014 Data Breach Investigations Report (DBIR).

Privacy data -- The Target breach showed that attackers are focused on stealing not only payment card data, but also privacy and identity data. Nearly every organization stores some sort of privacy data, whether it’s employee, customer, healthcare or otherwise, and it’s often difficult to track where it goes or how it is used within large enterprises, making it much more difficult to protect with network or access controls. That issue is also compounded when you consider that a single breach can compromise the identities of millions of people.

Unprotected data -- All it takes is one or two employees with weak login credentials for an attacker to gain access to the company’s network and, through it, compromise multiple databases containing customer or employee names, passwords, social security numbers, email addresses, physical addresses, phone numbers and dates of birth. The recent eBay breach is thought to have revealed such information on the majority of the company’s 145 million members. Once the attackers are in, all of the data is at their disposal.

The New Reality of Data Theft

The new reality for businesses is this: attackers are outwitting and outsmarting even their outdated security systems. Verizon’s 2014 DBIR concluded that enterprises are losing ground in the fight against persistent cyber-attacks. What’s more, hackers are increasingly focused on stealing personally identifiable information (PII), resulting in an urgent need to secure the sensitive data with modern data-centric—rather than perimeter-based—approaches.

Verizon’s report also shows that data breaches caused by hacking continue to rise steeply. Breaches caused by malware and social “threat actions” are increasing at a steady pace as well. This tells us that companies have not done enough to deter criminals and keep data secure.

How Perimeter-Based Security is Failing Us

Perimeter-based security, once considered to be the keystone of enterprise protection, is unable to offer the support or protection companies need against hackers. Even with the most sophisticated perimeter security technologies in place, attackers continue to uncover new ways to penetrate networks and access sensitive data. There are many reasons for that, including the following:

Malware might already be inside your perimeter -- McAfee Labs researchers have seen steady growth in malware. Malware’s devilish advantage is its ability to go undetected by most SIEM security systems. For example, it may add itself to the registry and disable data monitoring so that it won’t be noticed, then send itself to all members of an internal email list to propagate throughout the organization. It’s still visible in the process list, but with so many processes running on a typical enterprise server, it hardly gets a second look.

Monitoring the perimeter is ineffective -- Simply put, perimeter monitoring will not help companies deter hackers. Current approaches as well as monitoring and intrusion detection products are unable to determine what normal looks like in your own systems, so it’s impossible to tell what abnormal looks like. Further, SIEM technology is simply not smart enough to be useful for security analytics. Advancements in Big Data security analytics may help to fill gaps over time, but companies cannot afford to sit back and wait.

Cloud concerns are warranted -- The rapid rise of cloud data storage and applications has led to unease among adopters over the security of their data. A recent report by the Ponemon Institute reveals that 66 percent of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information and 64 percent believe it makes it difficult to secure business-critical applications.

Physical and digital borders add complexity -- Companies that conduct business internationally—for example, via a third-party service provider or business process outsourcer (BPO)—face a separate set of data security-related challenges that perimeter-based approaches cannot protect. Data breach legislation is still in its infancy, and even if established, differs from country to country. This makes it more difficult for companies to protect against, identify and recover from breach events in compliance with both local and international standards.

What is the Future of Enterprise Security?

While companies cannot eliminate hackers and threats, steps can be taken to make it immensely more difficult for them to get what they want.

Avoid old school security thinking -- According to a recent survey by Ponemon Institute, 49 percent of IT professionals believe that database encryption is the best way to avoid mega data breaches. However, only 19 percent of their IT security budgets are allocated to database encryption, while 40 percent is allocated to network security. This is an unbalanced investment, and it reflects old school thinking about security best practices. The threat landscape is changing and new cost-effective technologies for data security are now available.

Protect the data at its core -- Criminals will find a way into your systems, and there is only one way to secure enterprise data at all points from creation to destruction: data-centric protection through encryption or tokenization. Criminals will not find a way to use your data in a meaningful way if you encrypt or tokenize it, and tokenization can also offer a means to maintain transparency and usability of the information.

Security must be balanced with usability -- Recent innovations in tokenization technology have made it faster and more user-friendly than ever before. Companies that dismissed it in the past should strongly reconsider, as implementing tokenization technology significantly reduces the corporate risk profile while keeping data useful for authorized users.

Secure the data before it goes to the cloud -- The recent report, “Data Breach: The Cloud Multiplier Effect” from Ponemon Institute, states: “There is a lack of confidence in the security practices of cloud providers. Respondents are critical of their cloud providers’ security practices. First, they do not believe they would be notified that the cloud provider lost their data in a timely manner. Second, they do not think the cloud provider has the necessary security technologies in place.” However, emerging gateway-based encryption and tokenization solutions secure the data before it goes to the cloud, providing internal control over external data and adding an essential layer of protection.

Develop a consistent enterprise data security policy -- In order to educate business users about data security and enforce a consistent message across the enterprise, it is essential that companies establish a strict data security policy. Such a policy needs to address several key factors, including: which information needs security, who can access it, where and when it can be accessed, how it’s protected, and keeping thorough logs on all access attempts. It is also essential to ensure that your data access policy is driven at the enterprise level, rather than through a traditional system-by-system silo approach.
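To make the tokenization and policy points above concrete, here is an added illustration (not code from the article or from Protegrity): a minimal vault-based, format-preserving tokenizer in which application systems store only tokens, clear values live in a single vault, detokenization is limited to a permitted role, and every detokenize attempt is logged. The sample value, the role name "payments-settlement" and the keep-last-four format are constructed assumptions for the example.

```python
import secrets
from datetime import datetime, timezone

# Constructed sample value (not a real card number), used only to exercise the code.
SAMPLE_PAN = "4111111111111111"

# Assumed policy: only this role may recover clear values; everyone else sees tokens.
DETOKENIZE_ROLES = {"payments-settlement"}


class TokenVault:
    """Vault-based tokenization with audited detokenization.

    The vault is the only place clear values live. Databases downstream hold
    tokens, so a dump of those databases yields nothing an attacker can use.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}
        self.access_log = []  # every detokenize attempt, allowed or denied

    def tokenize(self, value):
        # The same value always yields the same token, so joins and analytics
        # over tokenized columns still work without exposing the clear value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Format-preserving: digits only, same length, last four digits kept
            # so authorized users can still recognise the record.
            head = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
            token = head + value[-4:]
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token, role):
        # Log the attempt before deciding, so denials are recorded too.
        allowed = role in DETOKENIZE_ROLES
        self.access_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "role": role,
            "token": token,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"detokenize denied for role {role!r}")
        return self._token_to_value[token]
```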

If the latest headlines are any evidence, it’s clear that perimeter-based security has failed to keep up with the demands of modern enterprises. The traditional company “walls” have disappeared, and the techniques and technologies used by attackers have far outpaced the capabilities of network-based approaches alone.

As we look to the future, the only way to truly protect data today is to adopt security that moves with the data—whether inside or outside of the corporate network, across borders and enterprises, and throughout its lifecycle. New data-centric security technologies such as tokenization have been developed to protect data at a highly granular level, without limiting the data’s value potential in analytics and other business processes. Now is the time for companies to stop living in the past. Attackers have gained ground and are ten steps ahead of today’s typical enterprise. Companies must view security as a dynamic challenge and use the best technologies to protect their data if they hope to stand a fighting chance.

About the Author: Ulf Mattsson is the Chief Technology Officer at Protegrity.