It's no secret that data breaches are on the rise; just look at the headlines that mention Target, eBay, JP Morgan Chase, Home Depot, and others. The 2014 Verizon PCI DSS report states that only 11% of companies were fully compliant. The JP Morgan breach was said to have been caused by an employee working from home; the VPN connection was then used to extract the data. We all know that for Target it was the HVAC vendor and a phishing email that started the extraction of millions of credit cards.
The ways to compromise any online business entity are endless. We as security and governance professionals must account for every possible way to breach a network, but the cyber-criminal only needs to find one. This is not an IT issue; it's a Governance issue. In her book "Alpha Males and Data Disasters", Gwen Thomas does an excellent job of describing Data Governance, which is the foundation for securing corporations. The Alpha Male part of the title refers to the typical middle-management style that emphasizes handling decisions yourself and only consulting peers or higher authority when there is no other alternative. This can lead to decisions about data that make perfect sense to the manager's immediate organization but are disastrous to the enterprise.
Just what is the difference between management and governance? Data Governance refers to the organizational bodies, rules, decision rights, and accountabilities of people and information systems as they perform information-related processes. Data Governance sets the rules of engagement that management will follow as the organization uses data. The three missions of Data Governance are: 1) Proactively define/align rules, 2) Reactively resolve issues arising from non-compliance with rules, 3) Implement rules while protecting and serving data stakeholders.
So back to data breaches: just how many of the above data breaches tie back to Data Governance? All of them! With this in mind, let's take a look at what's needed to secure enterprise systems today. What can we do now to stop or dramatically slow data breaches? First, we need to be 100% compliant. PCI DSS, FISMA, GLB, SOX: whatever your compliance model is, fully implement it. Next, train users in cyber security and cyber security awareness. The Verizon 2012 data breach investigations report stated that "end users are the most effective means of detecting a breach internally".
Next, continuously PEN test and scan daily, not weekly or yearly. Cyber criminals attack 24x7, not weekly or yearly. This is the new reality per Shore Break Security's CEO Mark Wolfgang. This paradigm shift is what's needed, and it is a game changer. We can no longer just sit back and keep doing what we have always done; we need to think long term and strategically rather than being purely reactive.
Finally, look at Gartner's 2014 Adaptive Security Architecture. It's summarized as follows:
- Existing blocking and prevention capabilities are insufficient to protect against motivated, advanced attackers.
- Most organizations continue to overly invest in prevention-only strategies.
- Detective, preventive, responsive and predictive capabilities from vendors have been delivered in nonintegrated silos, increasing costs and decreasing their effectiveness.
- Information security doesn't have the continuous visibility it needs to detect advanced attacks.
- Because enterprise systems are under continuous attack and are continuously compromised, an ad hoc approach to "incident response" is the wrong mindset.
Information security architects:
- Shift your security mindset from "incident response" to "continuous response," wherein systems are assumed to be compromised and require continuous monitoring and remediation.
- Adopt adaptive security architecture for protection from advanced threats using Gartner's 12 critical capabilities as the framework.
- Spend less on prevention; invest in detection, response and predictive capabilities.
- Favor context-aware network, endpoint and application security protection platforms from vendors that provide and integrate prediction, prevention, detection and response capabilities.
- Develop a security operations center that supports continuous monitoring and is responsible for the continuous threat protection process.
- Architect for comprehensive, continuous monitoring at all layers of the IT stack: network packets, flows, OS activities, content, user behaviors and application transactions.
Today's cyber criminals are professionals and are often state sponsored. They are well funded and organized. They are targeting intellectual property and financial assets 24x7 across the Internet-connected globe. Want to see them in action? Look at map.ipviking.com.
Companies can't just do a bit of compliance. They must be forward looking and proactive; this includes doing continuous PEN testing, educating users, and finally looking at the very latest methods that can detect IOCs (indicators of compromise) early.
Gartner says "you have malware in your network, deal with it." Always assume you have unwanted traffic in your network, but rather than just looking for bad stuff alone, know what good looks like, what's normal for your environment, and then detect what's new or different. If we all start doing these things, start communicating, and work together on a global basis, we can solve this problem. After all, our adversaries are well organized and mostly on the same page. Being reactive and clueless is simply not an option for us any longer.
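The "know what good looks like, then detect what's new" idea above, as an added example that is not part of the original article: a quiet-period baseline of which process talks to which destination on each host is learned from constructed sample log lines, and later events that were never seen for that host are flagged. The log format, host names, process names and destinations are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample outbound-connection logs (not real data).
# Format: "<timestamp> host=<name> proc=<image> dst=<destination>"
BASELINE_LOGS = """\
2014-10-01T08:00:01 host=ws-042 proc=outlook.exe dst=mail.example-corp.internal
2014-10-01T08:00:05 host=ws-042 proc=chrome.exe dst=updates.example-vendor.com
2014-10-01T08:01:10 host=ws-042 proc=svchost.exe dst=time.example-corp.internal
2014-10-01T08:02:00 host=ws-017 proc=outlook.exe dst=mail.example-corp.internal
2014-10-01T08:03:00 host=ws-017 proc=chrome.exe dst=updates.example-vendor.com
"""

# Constructed lines from a later period; two of them are "new or different".
NEW_LOGS = """\
2014-10-02T02:14:33 host=ws-042 proc=outlook.exe dst=mail.example-corp.internal
2014-10-02T02:15:01 host=ws-042 proc=unknown-tool.exe dst=203.0.113.9
2014-10-02T02:15:40 host=ws-017 proc=chrome.exe dst=updates.example-vendor.com
2014-10-02T02:16:02 host=ws-017 proc=chrome.exe dst=paste.example.net
"""

LINE_RE = re.compile(r"host=(\S+) proc=(\S+) dst=(\S+)")


def parse(lines):
    """Yield (host, process, destination) for every well-formed log line."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()


def build_baseline(lines):
    """Known-good (process, destination) pairs per host, learned from a quiet period."""
    baseline = defaultdict(set)
    for host, proc, dst in parse(lines):
        baseline[host].add((proc, dst))
    return baseline


def detect_new(baseline, lines):
    """Return events whose (process, destination) pair was never seen for that host."""
    alerts = []
    for host, proc, dst in parse(lines):
        if (proc, dst) not in baseline.get(host, set()):
            alerts.append((host, proc, dst))
    return alerts


if __name__ == "__main__":
    for host, proc, dst in detect_new(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(f"NEW for {host}: {proc} -> {dst}")
```

In a real environment the baseline would be rebuilt regularly and reviewed, because a compromise present during the learning period would otherwise be baked into "normal".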
George Grachis, CISA, CISSP, is the ISSM (Information Systems Security Manager) for Satcom Direct, a global leader in satellite communications for air, land and sea. He is also a board member of ISSA, ISACA, InfraGard and the Space Coast Technology Council. He can be contacted at GGrachis@hotmail.com.