Defending Your Castle from the Inside: Data Breaches and How to Minimise Their Impact

Author: James Billingsley, Senior Solutions Consultant, Nuix

Every business holds at least some sensitive data. This may be sensitive personal information belonging to clients or employees, or confidential data relating to business operations. Keeping this secret information secret should be a concern to every business, no matter what industry or size.

Verizon's 2013 Data Breach Investigations Report shows that hackers target businesses from every sector and of any size. This report, which combined the expertise of 19 global organisations that study and combat data breaches, found that attackers used many different methods to compromise business systems. As the technology evolves, hackers change their targets and attack methods - becoming more and more tailored to the type of business or even the individual organisation.

Expect Attacks from Every Angle

The majority of attacks originate from outside the business, often from overseas, the report found. Against these attacks, companies try to build higher and more impenetrable walls around their networks and data. This is a never-ending arms race, as even the most advanced systems may, before long, present weaknesses that malicious technology can exploit.

However, this is not the only risk that keeps information security professionals awake at night. Attacks originating from inside the business are typically harder to detect and prevent, and have more potential to significantly damage the business. In other words, it is not the outsiders charging at the walls but the people with the keys to the castle who present the greatest threats.

The Ponemon Institute's 2012 Cost of Cyber Crime Study found 'malicious insider' attacks were one of the most costly cybercrimes to a business. Other studies have reported a spike in the number of cases involving the theft of confidential information over recent years. A major catalyst for this increase is the availability of cloud-based storage services such as Dropbox. Bodies such as Wikileaks and recent, high-profile instances of whistleblowing are also making disclosures seem acceptable.

Of course, not all leaks are malicious. Flexible working arrangements that necessitate remote access also contribute to this rise, as does the increasing use of 'bring your own device' policies. In some cases, lax or unclear human resources policies result in some employees not realising it's unacceptable to take intellectual property with them when they leave a business.

Whatever the underlying cause, it has never been easier for a worker to transfer huge amounts of data very rapidly outside the business.

Make Sure Your Castle is Tidy

As a community, information security professionals have started to accept that data breaches are a clear and continual risk. We are instead working to minimise the potential damage if a breach were to occur.

The basic rules for defending your business still apply, and are repeated year after year by security professionals: Confidentiality, Integrity and Availability. CIA means all data should be kept confidential and protected through encryption; the integrity of the data should be maintained through auditing of access; and finally, backup and disaster recovery plans must be available if data is lost. This translates into a handful of practical action points such as:

  • Eliminating any copies of sensitive data that your business holds unnecessarily.
  • Maintaining a good level of logging which allows for regular review and audit of your business systems.

The key to eliminating unnecessarily held sensitive data is understanding where this data resides in your systems. However, this is not as simple as it sounds. Businesses produce huge volumes of unstructured data which are stored in unstructured repositories such as email, file shares, collaboration systems and individual hard drives. Understanding which data presents risk and where it is stored requires powerful indexing software that can automatically identify sensitive information based on pre-defined parameters such as credit card numbers, references to companies, social security numbers and monetary values.

Fast Response is Enabled by a High-Level View

The Verizon survey found the majority of breaches in large businesses were detected by someone outside the company. The proposed EU General Data Protection Regulation (GDPR), if adopted in 2014, would give businesses in Europe only a single day after a data breach to figure out what went wrong, who could be hurt by it, and how to prevent it from happening again. This stands in stark contrast to current practices, which often involve months-long investigations before admitting fault.

I would argue that your incident response plan is the most important element of your defence. Clearly a practical way to minimise the business impact of a breach is to detect and contain the incident as soon as possible. Yet in this area there is considerable room for improvement.

An attacker will rarely leave an obvious trail to follow. Following a system compromise, investigators need a broad window into the organisation's data, following a trail through potential evidence sources including email, documents, mobile phone images, server logs and cloud-based data. Techniques such as searching, date filtering, entity extraction and clustering similar documents can help investigators quickly identify the relevant compromised data.

After the Breach

Post-event autopsies are difficult because companies don’t know where their data is, and because hackers or rogue employees will cover their trail through a wide variety of data formats, repositories and devices. Most tools simply can't handle such large volumes of data and provide a big-picture overview.

Data quantities and sources are growing so rapidly that traditional data forensic tools and methodologies simply can't keep up. Security professionals must evolve and consider new techniques to effectively manage the data. The only effective solution is a toolset that can take vast data sets and quickly reduce them to a small, more relevant set of evidence by casting a wide net and culling with powerful and repeatable search technology backed by a full audit trail.

This crucial ability allows you to effectively respond to any incidents. It provides a robust first response for your security team, who can then focus their tools and analysis efforts on the most likely sources.