Refocusing Our Efforts to Secure Data

It Starts With Data

This is the first post in a series on how organizations are addressing data defense in a dynamically changing environment. Each post will address one of seven pillars that belong in any strategy for securing data.

Over the years I have conducted reviews of multiple security programs at different organizations across a broad range of industries, and one of the most overlooked sets of controls I found was the tools that enable organizations to inventory and set protections around the data itself. It was eye-opening that network protection got so much attention while the basics surrounding who could modify, create, and even delete data were not considered, especially with the massive push to migrate most, or all, of an organization’s data to the cloud. Now, in some cases these tools were “considered” but passed by because they would take too much effort to implement; but with the proliferation of the cloud, the complexities associated with monitoring where data is stored and who has access to it, and the loss of simple visibility into the data, I believe a strong argument can be made that these tools are essential to the success of any program. So, let us break down the different controls and tool sets that are required for a good data protection program.

The Three Stages of “data” 

There are three areas we need to ensure we have hooks and visibility into: data-at-rest, data-in-use, and data-in-motion. All three stages of the cycle are pivotal when it comes to forming a complete picture of what we have, what is happening to it, and where it is going. 

Data Inventory 

It is impossible to protect data unless we know what data we have and where it is located, and with new data being created every minute, gaining visibility into what exists and where it is stored only gets harder. Ultimately, taking the time to deploy a tool that can investigate structured and unstructured data, classify it, and create an inventory log should be a requirement. There are solutions that can perform what is referred to as “auto-tagging.” This matters because it allows an organization that is established but late to the party to catch up relatively quickly. It also tags newly created data as it appears and cuts back on the time it would take to review data manually.

Data Loss Prevention 

The next step in the process is implementing tools that enable an organization to create policies governing whether data can be modified, shared, deleted, etc. To do this, we must first set a classification on each individual data set. This requires a tool that can evaluate the dataset and apply a proper classification based on different variables. Some DLP solutions come equipped with templates that can be applied, but ultimately you will want a tool that can be customized. While it is true that most healthcare organizations are going to store ePHI, it is also true that different healthcare organizations are going to use different medical equipment and different software for patient records. The DLP solution needs to be customizable to look for the identifiers within the datasets that precede the relevant information. A commonly used example would be a label such as “Social Security Number,” “SSN,” or “Social” followed by nine digits entered into a field, but it becomes challenging when the software is built in house and the identifiers are not the common ones. So, having a robust and mature DLP solution is pivotal to successfully creating in-depth policies.
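The label-plus-nine-digits rule above is the kind of classifier a DLP engine runs over a dataset. The following is an added illustration written for this post, not code from any DLP product: it matches the common SSN labels plus one hypothetical in-house label (“PT-SSN”), and it rejects digit sequences the Social Security Administration never issues so that a nine-digit order number or a malformed value does not trip the policy. The sample records are constructed, not real patient data.

```python
import re

# Labels that typically precede an SSN in forms and exports. "pt-ssn" is a
# hypothetical in-house label, included to show customisation for software
# whose field names are not the common ones. Longer labels come first so the
# alternation prefers "social security number" over the bare "social".
SSN_LABELS = ["social security number", "ssn", "social", "pt-ssn"]

# Label, optional separator (":", "#", "=", "-"), then nine digits that may be
# written as 3-2-4 with dashes or spaces, or run together.
SSN_PATTERN = re.compile(
    r"(?i)\b(?:" + "|".join(re.escape(label) for label in SSN_LABELS) +
    r")\b\s*[:#=\-]?\s*(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b"
)


def is_plausible_ssn(area, group, serial):
    """Reject sequences the SSA never issues, to cut false positives.

    Area 000, 666 and 900-999 are never assigned; group 00 and serial 0000
    are never assigned either.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def classify(text):
    """Return (classification, matched_strings) for one record.

    A record with at least one plausible, labelled SSN is 'Restricted';
    everything else falls back to 'Internal'.
    """
    hits = [
        m.group(0)
        for m in SSN_PATTERN.finditer(text)
        if is_plausible_ssn(*m.groups())
    ]
    return ("Restricted", hits) if hits else ("Internal", hits)


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    "Patient intake: SSN: 219-09-9999, DOB 1980-01-01",  # labelled, plausible
    "Social Security Number 000-12-3456 on file",        # area 000: never issued
    "Order #123456789 shipped",                          # nine digits, no label
    "PT-SSN=078051120 exported from in-house EHR",       # in-house label, no dashes
    "Support phone: 555-01-2345",                        # no label -> not an SSN
]


def classify_records(records):
    """Classify every record; returns a list of (classification, record)."""
    return [(classify(r)[0], r) for r in records]


if __name__ == "__main__":
    for classification, record in classify_records(SAMPLE_RECORDS):
        print(f"{classification:<10} {record}")
```

Adding an in-house label is a one-line change to `SSN_LABELS`; the plausibility check is what keeps a broad label list from flooding the SIEM with false positives.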

While we are talking about DLP, it is also important to keep in mind that it needs to be capable of running agent-based. The agent needs to be local to the computer, constantly monitor the creation of new data and attempts to modify data, and report logs to a SIEM whenever an event occurs. Network-based DLP solutions are great for monitoring data-in-motion as it leaves the network, and there will be a need for those in the security stack; however, we need to ensure that we have full visibility into data-in-use to be proactive.

Data Protection 

Having a solid DLP solution allows an organization to create a robust data protection policy. This is not just locally on a desktop or workstation; it also includes SaaS products where data is stored. There are products available with API integrations into platforms such as Microsoft 365/Azure and Google Workspace that can inventory the data, apply classifications, and then enforce DLP policies. This is important because it gives organizations granular control over things like sharing, modification, and deletion. It also sends logs back to the SIEM that provide much-needed visibility. The latter point matters because the greater the visibility, the better the chance of stopping an action before it becomes an incident, while at the same time recording the event or events in the SIEM. For example, if an individual in finance starts trying to share multiple files, or files with elevated classifications, outside of the organization, those events are logged and evaluated against a playbook. If a threshold is met, we can fire off an alert to someone in a SOC. This alert gives the SOC a head start on a potential issue. It also provides a wealth of information for building searches into what could be a bigger or more widespread issue.
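The finance example above is a threshold rule over a stream of sharing events. Below is an added example written for this post, not code from any SaaS DLP product or SIEM: it keeps a sliding window of external, high-classification shares per user and raises one alert, with the evidence attached, once the count in the window reaches the threshold. The event field names (`ts`, `user`, `dept`, `action`, `classification`, `target_domain`, `file`) and the sample events are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}                 # assumed: the organization's own domains
HIGH_CLASSES = {"Confidential", "Restricted"}
WINDOW = timedelta(minutes=10)                 # playbook window
THRESHOLD = 3                                  # external high-class shares per user per window

# Constructed sample events, shaped like what a SaaS DLP connector might forward
# to a SIEM. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T09:00:00", "user": "alice", "dept": "finance", "action": "share",
     "classification": "Restricted",   "target_domain": "gmail.com",   "file": "q2-forecast.xlsx"},
    {"ts": "2023-06-01T09:03:00", "user": "alice", "dept": "finance", "action": "share",
     "classification": "Confidential", "target_domain": "gmail.com",   "file": "payroll.csv"},
    {"ts": "2023-06-01T09:05:00", "user": "alice", "dept": "finance", "action": "share",
     "classification": "Restricted",   "target_domain": "example.com", "file": "budget.xlsx"},   # internal share
    {"ts": "2023-06-01T09:07:00", "user": "alice", "dept": "finance", "action": "share",
     "classification": "Restricted",   "target_domain": "gmail.com",   "file": "board-deck.pptx"},
    {"ts": "2023-06-01T09:10:00", "user": "bob",   "dept": "sales",   "action": "share",
     "classification": "Public",       "target_domain": "gmail.com",   "file": "brochure.pdf"},
    {"ts": "2023-06-01T09:11:00", "user": "bob",   "dept": "sales",   "action": "share",
     "classification": "Restricted",   "target_domain": "example.com", "file": "pipeline.xlsx"},
    # carol shares three Restricted files externally, but an hour apart: outside the window
    {"ts": "2023-06-01T08:00:00", "user": "carol", "dept": "hr",      "action": "share",
     "classification": "Restricted",   "target_domain": "outlook.com", "file": "hr-1.docx"},
    {"ts": "2023-06-01T09:00:00", "user": "carol", "dept": "hr",      "action": "share",
     "classification": "Restricted",   "target_domain": "outlook.com", "file": "hr-2.docx"},
    {"ts": "2023-06-01T10:00:00", "user": "carol", "dept": "hr",      "action": "share",
     "classification": "Restricted",   "target_domain": "outlook.com", "file": "hr-3.docx"},
]


def is_external_high_share(event):
    """True for a share of Confidential/Restricted data to a non-org domain."""
    return (event["action"] == "share"
            and event["target_domain"] not in ORG_DOMAINS
            and event["classification"] in HIGH_CLASSES)


def evaluate(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count per user; returns one alert per user who crosses the threshold.

    Each alert carries the files that made up the count, so the SOC analyst
    starts with evidence rather than a bare counter.
    """
    alerts = []
    recent = defaultdict(list)   # user -> [(timestamp, file), ...] within the window
    alerted = set()
    for event in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if not is_external_high_share(event):
            continue
        now = datetime.fromisoformat(event["ts"])
        history = recent[event["user"]]
        history.append((now, event["file"]))
        while history and now - history[0][0] > window:   # expire old evidence
            history.pop(0)
        if len(history) >= threshold and event["user"] not in alerted:
            alerted.add(event["user"])
            alerts.append({
                "user": event["user"],
                "dept": event["dept"],
                "count": len(history),
                "files": [f for _, f in history],
                "first": history[0][0].isoformat(),
                "last": now.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {alert['dept']}/{alert['user']}: {alert['count']} external shares "
              f"of high-classification files between {alert['first']} and {alert['last']}: "
              f"{', '.join(alert['files'])}")
```

The window and threshold are the tunable parts of the playbook; the internal share and the spread-out shares in the sample show why both the domain check and the time window are needed to keep the rule from paging the SOC on normal behaviour.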

Data Encryption 

A lot of organizations are moving away from the traditional “butts in seats” model to a more flexible work-from-anywhere model, and there are new risks associated with this shift. Perimeter-based practices no longer secure an asset that rarely sits on the corporate network, so tools that are automated in nature and protect the data itself are more essential today than they were five years ago. At this point, every organization should be encrypting the drives on mobile assets. If a device goes missing, you want to know that the information on it is encrypted and safe from being accessed once it is out of your control.

Threat actors are interested in your organization's data, and that does not mean only ePHI, PII, credit card numbers, and the like. It also includes emails, notes, IM messages, and more. There have been several incidents over the last few years where this type of data has been used as leverage to persuade executives to give in to demands. So, ensuring that all data is inventoried and protected is essential to the success of every organization. If you are interested in learning more about tools available to accomplish these tasks, let us know.
