In this blog post, we identify where today’s data security programs often fail and look at six steps to effective data security. These cover everything from product definition, minimally viable discovery, and services, to telemetry and metrics, as well as threat detection and response capabilities. If you have ever asked, ‘How can my company reduce insider threats?’, read on.
You have probably heard something like this before: to implement any kind of meaningful data security, you must first:
- Discover your data
- Find out where it lives
- Catalog who uses it and who owns it
- Map its flows and lifecycle
- Determine which regulatory / compliance rules apply to it
These platitudes have existed for so long that they are accepted as truth. Be honest – how long would it take your organization to complete each step? Can you plausibly estimate this? Even if you did complete your data discovery effort, why would anyone in your organization care?
In this blog, we explore the shortfalls of discovery-first data security approaches and describe key principles to help organizations shift to value-centric data security.
The Limitations of Discovery-First Data Security
Imagine a manufacturing company that spends its first 6-12 months buying inventory and warehousing it. No concrete product plans, no capital investment in manufacturing – that would simply work itself out once the inventory has been bought, stored, and meticulously catalogued.
Sound like an appealing business plan?
This is the approach taken by discovery-first data security. Begin with a long (and comprehensive!) data discovery cycle. Once data is discovered and cataloged, then perform a risk analysis, and only then begin to implement controls to address data vulnerabilities.
In theory, discovery enables a targeted control approach that protects the most sensitive data and results in less business disruption. In practice, data discovery is complex, expensive, and slow. Common challenges include:
- Inaccurate milestone dates: there is no good way to estimate how much data exists to be discovered or how responsive the business will be. Further, a milestone plan implies a definite “end date” for data discovery; in reality, as the business creates new data, more discovery is needed.
- Long duration: many organizations start building an inventory with a top-down interview process. They reach out to senior leaders from across the company, intending to discover what data their organization handles and who “owns” the data. They soon discover that most leaders ignore them. Leaders who engage are irritated by the ambiguity of the interview or unequipped to answer these questions, leading to unending delegation cycles.
- High costs: discovery tools can run hundreds of thousands of dollars, with costs increasing for additional scope (structured vs. unstructured, cloud vs. on-premises). Resources must be dedicated from the discovery team and business units. Finally, organizations need to allot resources to maintain their discovered body of knowledge as new data is created and business units change.
What’s the Alternative? Six Principles of Value-Centric Data Security
Prioritizing the discovery element of data security results in misuse of time and resources. Instead, organizations should focus on the end goal – practical controls addressing data vulnerabilities and threats. Read on to learn the essential principles to start your journey to value-centric data security.
1. To produce value, first define the product
Agile and its cousins, lean / just-in-time manufacturing, were born out of the inefficiency of long planning processes and excessive inventory gathering. Both begin by identifying a goal or product, identifying how the product is delivered, and then optimizing the value chain to produce the product quickly and well.
In software development, the product is code that fixes a problem or provides a service. In manufacturing, the product is the widget produced on the factory floor. This realization subordinates specific elements of the value chain (planning, inventory gathering, testing) to the end goal of delivering a usable product.
Data security’s products are not:
- A list of sensitive data and where it lives
- A list of data owners
- Data classification definitions
- Data flow diagrams
These are all fine things, but by themselves do next to nothing to protect data. They only become valuable when mobilized through data security controls and user training. Therefore, data security controls and user training, which either directly protect data or help users do the same, are the product.
2. Practice Minimally Viable Discovery
Discovery data, while not bad, should not be the focus of a data security program since it does not create direct value.
Instead, start by addressing obvious security risks with broad controls suitable for all data. Examples include:
- Alerting on or blocking data moving to personal cloud storage or email accounts
- Removable media control
- Automatic remediation of folders accessible to everyone in the organization
- Quarantining or purging severely aged data (e.g., 2+ years since last viewed)
Organizations should start conservatively with conditions that are unlikely to disrupt legitimate business activity. Even a cautious approach will address glaring vulnerabilities and generate success stories to fuel further growth.
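The following is an added example, not code from the original post, showing what two of the broad controls above look like when scripted against a file share with no data inventory at all: it flags files not accessed in more than a conservative threshold (two years by default) and directories that are world-writable, which is used here as the POSIX analogue of a share open to the organization's "Everyone" group. Remediation defaults to dry-run, so the scan itself cannot disrupt the business. The sample tree built by `build_sample_tree()` and the threshold constants are constructed for the demo.

```python
"""Minimally viable discovery: broad hygiene checks that need no data inventory.

Added example, not code from the original post. Walks a directory tree and
(1) flags files whose last access is older than a conservative threshold and
(2) flags directories that are world-writable (POSIX analogue of a share open
to 'Everyone'). Remediation is dry-run by default.
"""
import os
import shutil
import stat
import tempfile
import time

DAY = 86_400
DEFAULT_STALE_DAYS = 730  # "2+ years since last viewed": deliberately conservative


def find_stale_files(root, stale_days=DEFAULT_STALE_DAYS, now=None):
    """Return sorted paths of files not accessed for more than stale_days."""
    now = time.time() if now is None else now
    cutoff = now - stale_days * DAY
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than guess
            if st.st_atime < cutoff:
                stale.append(path)
    return sorted(stale)


def find_world_writable_dirs(root):
    """Return sorted directories that any user on the host can write to (o+w)."""
    found = []
    for dirpath, dirs, _files in os.walk(root):
        for name in dirs:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def quarantine(paths, quarantine_dir, dry_run=True):
    """Plan (or, with dry_run=False, perform) moves into quarantine_dir."""
    os.makedirs(quarantine_dir, exist_ok=True)
    plan = []
    for path in paths:
        dest = os.path.join(quarantine_dir, os.path.basename(path))
        if not dry_run:
            shutil.move(path, dest)
        plan.append((path, dest))
    return plan


def remediate_world_writable(dirs, dry_run=True):
    """Strip the other-write bit; returns (path, old_mode, new_mode) per directory."""
    changes = []
    for path in dirs:
        old = stat.S_IMODE(os.stat(path).st_mode)
        new = old & ~stat.S_IWOTH
        if not dry_run:
            os.chmod(path, new)
        changes.append((path, old, new))
    return changes


def build_sample_tree(base, now=None):
    """Constructed demo tree: one stale file inside one open directory, one fresh file."""
    now = time.time() if now is None else now
    open_dir = os.path.join(base, "shared_everyone")
    os.makedirs(open_dir)
    os.chmod(open_dir, 0o777)
    stale = os.path.join(open_dir, "old_export.csv")
    fresh = os.path.join(base, "current_plan.docx")
    for p in (stale, fresh):
        with open(p, "w") as fh:
            fh.write("sample\n")
    three_years_ago = now - 3 * 365 * DAY
    os.utime(stale, (three_years_ago, three_years_ago))
    os.utime(fresh, (now, now))
    return {"stale": stale, "fresh": fresh, "open_dir": open_dir}


def run_demo(now=None):
    """Build the constructed tree in a temp dir, scan it in dry-run mode, clean up."""
    base = tempfile.mkdtemp(prefix="mvd_")
    try:
        build_sample_tree(base, now)
        stale = find_stale_files(base, now=now)
        open_dirs = find_world_writable_dirs(base)
        plan = quarantine(stale, os.path.join(base, "_quarantine"))  # dry run
        rel = lambda p: os.path.relpath(p, base).replace(os.sep, "/")
        return {
            "stale": [rel(p) for p in stale],
            "open_dirs": [rel(p) for p in open_dirs],
            "quarantine_plan": len(plan),
            "dry_run_left_files": all(os.path.exists(p) for p in stale),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it reports only findings; nothing is moved or re-permissioned until `dry_run=False` is passed explicitly, which is the conservative posture the section recommends. On Windows shares the equivalent of the `S_IWOTH` check is an ACE granting the `Everyone` group write access; the POSIX mode bit is used here so the example runs anywhere.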
3. Build Services First and the Controls Will Follow
Successful data security controls are supported by layers of governance and infrastructure to ensure they align with business objectives. These layers comprise a service and include:
- User experience considerations
- Communications and knowledge articles
- Exception processes
- Metrics
- Telemetry (e.g., ingress or egress APIs)
For example, a control to alert on uploads to personal webmail accounts should:
- Provide a pop-up educating the user and linking them to secure collaboration guidance
- Link to exception processes for legitimate use cases
- Include metrics to signal user behavior improvements to leadership
Each service can create multiple, unique controls and serve as a landing place for data that is discovered.
4. Use Discovery to Enable Telemetry
Well-designed data security services (data access governance, insider risk management, etc.) can consume inputs from data discovery or classification efforts. While discovery on its own is of little value, the service can operationalize discovery-driven insights. These insights could stem from discussions with data owners or from tagging done with labeling technology such as Microsoft Information Protection.
For instance, an existing control within a DLP service may alert on uploads to personal webmail. After discovering a trade secret and confirming it with the data owner, the existing control could be copied and enhanced with a regular expression identifying the trade secret, triggering a complete block instead of a simple alert.
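As an added example (not the original post's or any DLP vendor's code), the copy-and-enhance step above can be modelled as a tiny rule engine: the broad rule alerts on any upload to personal webmail, and a cloned rule scoped to a regex for the confirmed trade secret escalates the action to block. When both rules match, the most severe action wins, so the broad alert remains a safety net. The destination catalogue, the `PROJECT-ORION` marker, the hypothetical `sharepoint.example.com` tenant and the sample events are all constructed for the demo.

```python
"""Copy-and-enhance a DLP control (added example, not the post's own code).

Broad control: alert on any upload to personal webmail.
Enhanced clone: block when a confirmed trade-secret marker is present.
Destination catalogue, regex and events are constructed for the demo.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

# Severity order used to pick the winning action when several rules match.
ACTION_RANK = {"allow": 0, "alert": 1, "block": 2}

# Constructed destination catalogue (a real one comes from the CASB/DLP product).
DESTINATION_CATEGORY = {
    "gmail.com": "personal_webmail",
    "outlook.com": "personal_webmail",
    "yahoo.com": "personal_webmail",
    "sharepoint.example.com": "sanctioned_collaboration",  # hypothetical corporate tenant
}


@dataclass(frozen=True)
class Rule:
    name: str
    destination_category: str
    action: str                                   # "alert" or "block"
    content_pattern: Optional[re.Pattern] = None  # None means any content matches

    def matches(self, event) -> bool:
        category = DESTINATION_CATEGORY.get(event["destination"], "unknown")
        if category != self.destination_category:
            return False
        if self.content_pattern is None:
            return True
        return self.content_pattern.search(event["content"]) is not None


def enhance(base: Rule, name: str, pattern: str, action: str = "block") -> Rule:
    """Clone an existing control, scope it to a regex and escalate its action."""
    return replace(base, name=name, content_pattern=re.compile(pattern), action=action)


def evaluate(event, rules):
    """Return (decision, names of matching rules); most severe matched action wins."""
    hits = [r for r in rules if r.matches(event)]
    if not hits:
        return "allow", []
    winner = max(hits, key=lambda r: ACTION_RANK[r.action])
    return winner.action, [r.name for r in hits]


# The broad control the DLP service already runs.
WEBMAIL_ALERT = Rule("webmail-upload-alert", "personal_webmail", "alert")

# Constructed trade-secret marker, assumed confirmed with the data owner.
TRADE_SECRET_PATTERN = r"\bPROJECT[- ]ORION[- ]\d{4}\b"
WEBMAIL_BLOCK_SECRET = enhance(WEBMAIL_ALERT, "webmail-upload-block-orion", TRADE_SECRET_PATTERN)

RULES = [WEBMAIL_ALERT, WEBMAIL_BLOCK_SECRET]

# Constructed sample upload events as a DLP agent might report them.
SAMPLE_EVENTS = [
    {"user": "alice", "destination": "gmail.com",
     "content": "Here is the team lunch menu"},
    {"user": "bob", "destination": "gmail.com",
     "content": "Attached: PROJECT-ORION-2024 formula sheet"},
    {"user": "carol", "destination": "sharepoint.example.com",
     "content": "PROJECT-ORION-2024 formula sheet"},
]


def run_sample():
    """Evaluate every sample event; returns {user: (decision, matched rule names)}."""
    return {e["user"]: evaluate(e, RULES) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for user, (decision, names) in run_sample().items():
        print(f"{user}: {decision} via {names or '-'}")
```

Note that the regex only catches the marker you already know about; the cloned rule is a precision upgrade for one confirmed item, not a replacement for the broad alert, which is why both rules stay active and the broad one still fires on every webmail upload.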
5. Use Metrics Intentionally
Security organizations often struggle to demonstrate value from their controls. Metrics can be used not only to improve controls but to demonstrate the value the products are creating. This is especially important for board communications on cyber risk. Each data security service should entertain the following metric types:
Improve – internally facing metrics to ensure the service is producing intended results. Examples include:
- Exception request growth (shows how precisely controls were configured)
- Time to close (for detective controls)
Impress – upward metrics designed to show the success of your program and obtain more buy-in. Examples include:
- Volume-based (amount of aged data purged, number of overly permissive ACLs remediated, number of unsanctioned cloud service uploads blocked)
- Success stories (egregious incidents contained or organizational processes improved due to insights from the service)
Invoke – upward metrics showing service weakness to garner additional funding or support. Examples include:
- % of environment visible (could be used to support buying additional software)
- Escalation response time (may highlight unresponsiveness from leadership, requiring re-assignment of responsibilities or additional support from program sponsors)
6. Enhance Insider Risk Management capabilities
Data detection and response capabilities (best manifested in Insider Risk Management) are quickly becoming the predominant data security service. There are a few reasons for this:
- Follow the leader: for close to a decade, the security industry has shifted from a prevention-centric to a detect-and-respond paradigm. This is evidenced by the growth of threat hunting and the literal inclusion of “detection and response” in new product and service names (EDR, MDR, etc.). While discovery and prevention have their place, they struggle to keep up with large, complex, and hybrid operating environments.
- Boundary–spanning improvements: security services that demonstrate the broadest value statements get the most support. More than any other security service, Insider Risk Management (IRM) is holistic and seeks to understand why employees violate policy instead of just addressing incidents. Insights gleaned from asking “why” can improve not only security controls, but user training, employee retention and satisfaction, and the alignment of technology offerings with business needs (shadow IT).
- Scalability: the core of IRM is people and process, meaning that technology is rarely a barrier to entry. No CASB, DLP, UEBA, or SIEM? No problem. Start by assigning responsibilities and building repeatable investigation and escalation processes. Stretch current technology to provide as much incident visibility as possible. As the IRM service matures and gains political capital, invest in technology to increase visibility and integrate it into existing processes.
Want to learn more about maturing your insider risk management program? Download our latest ModernCISO Guide, A Four-Step Framework for Managing Insider Risk, for a deeper dive into the topic. Or contact a member of Kudelski Security’s team of data security experts today at [email protected]