WHO IS BEHIND DATA BREACHES?
- 98% stemmed from external agents (+6%)
- 4% implicated internal employees (-13%)
- <1% committed by business partners (<>)
- 58% of all data theft tied to activist groups
HOW DO BREACHES OCCUR?
- 81% utilized some form of hacking (+31%)
- 69% incorporated malware (+20%)
- 10% involved physical attacks (-19%)
- 7% employed social tactics (-4%)
- 5% resulted from privilege misuse (-12%)
A good starting point for any Data Loss discussion is to assume that you have already been breached, and to plan your management and containment strategy accordingly.
Let's dispel a bit of fantasy here...
If that's what they're selling you, turn and run. The only way to stop all data leakage is to NEVER STORE ANYTHING, and certainly DO NOT TRANSMIT ANYTHING. You know...
The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one.—Dennis Hughes, FBI
All existing DLP solutions use one of two methods to identify sensitive data. The "Precise" method relies on some type of tagging of the data in question. This can be as simple as "anything coming from this database", "this column in this table", "this field in this record type", "this folder on this share", or "this LUN on the SAN".
Data at Rest:
Typically, data at rest (static data stored or archived on a file share, in a database table, or in an email system, for example) is protected from inappropriate access by operating system level access controls. This type of control relies on group or role memberships: you may be given the ability to read a file, to read and update it, or no access at all. Most files within a folder share the same permissions, so the permissions on the folders themselves dictate the level of access per role.
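Because folder permissions are what actually set the access level per role, a useful check on data at rest is to look for files whose own permission bits are broader than those of the folder holding them. The script below is an added example, not code from the original post; it walks a POSIX file share, reports any file granting group or other access that its parent folder does not, and flags world-writable files. The "hr" folder and its two sample files are constructed inside a temporary directory purely for demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed example: audit a share for files whose group/other permission
# bits exceed those of their containing folder (permission drift), plus any
# world-writable files. Owner bits are deliberately ignored.

GROUP_OTHER_MASK = 0o077      # rwx for group and rwx for other
WORLD_WRITE = stat.S_IWOTH


def excess_bits(file_mode, dir_mode):
    """Return the group/other bits set on the file but absent on its folder."""
    return file_mode & ~dir_mode & GROUP_OTHER_MASK


def audit_permissions(root):
    """Walk ``root`` and return a sorted list of (path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful on most systems
            file_mode = stat.S_IMODE(st.st_mode)
            extra = excess_bits(file_mode, dir_mode)
            if extra:
                findings.append((path, f"file mode {file_mode:04o} exceeds "
                                       f"folder mode {dir_mode:04o} by {extra:04o}"))
            if file_mode & WORLD_WRITE:
                findings.append((path, "world-writable"))
    return sorted(findings)


def build_demo_share(base):
    """Create a small constructed 'hr' share under ``base`` (assumed layout)."""
    hr = Path(base) / "hr"
    hr.mkdir()
    os.chmod(hr, 0o750)                 # group may traverse, others may not
    ok = hr / "salaries-ok.csv"
    ok.write_text("constructed sample\n")
    os.chmod(ok, 0o640)                 # consistent with the folder
    leaky = hr / "salaries-leaky.csv"
    leaky.write_text("constructed sample\n")
    os.chmod(leaky, 0o644)              # other-read set although the folder denies others
    return str(hr)


def demo_findings():
    """Build the constructed share, audit it and return findings with relative names."""
    with tempfile.TemporaryDirectory() as tmp:
        share = build_demo_share(tmp)
        return [(os.path.relpath(p, share), r) for p, r in audit_permissions(share)]


if __name__ == "__main__":
    for name, reason in demo_findings():
        print(f"{name}: {reason}")
```

Run it against a real share root instead of the constructed one by calling `audit_permissions("/path/to/share")`; on Windows shares the same idea applies to NTFS ACL inheritance, which this POSIX-mode version does not cover.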
Data in Use:
Data in use shares most of the characteristics of data at rest, except that it most commonly refers to dynamic data that changes frequently and that may reside on endpoint systems as well as on data center systems.
Data in use can be protected through End Point DLP solutions as well as the controls already in place for Data at Rest.
Data in Motion:
Once data has been accessed by a user and is "sent" somewhere via email, file transfer, or upload to a website (Cloud Storage), it is considered to be "in motion".
At this point we need to lean heavily on "Perimeter Data Loss Prevention". Your perimeter is typically considered the edge of your network, protected by a firewall which connects your network to the Internet. Here, you will typically see data leaving via email, Instant Messaging, FTP, and web transfer. A perimeter solution must account for these plus any other method by which data may leak outside of your network. There are many strong point solutions out there that tackle one or more of these Perimeter Data Loss vectors, from such reputable security providers as Symantec, WebSense, Cisco, Fortinet, McAfee, Sophos, etc...
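To make the perimeter decision concrete, the following added example (not code from the original post or from any vendor named above) models one outbound transfer and applies two checks: the "Precise" tagging method described earlier, where each attachment carries an origin tag naming the database, share or LUN it came from and the policy lists origins that may never leave the network; and a content check on the message body for card-number-like strings validated with the Luhn checksum, the kind of content filtering listed among the layered controls. The origin tags, the internal domain, and all transfers are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy data for the example: origin tags applied to data sources
# (the "precise" method) and the organisation's own domain.
SENSITIVE_ORIGINS = {"hr-db", "cardholder-share", "san-lun-07"}
TRUSTED_DESTINATIONS = {"example.com"}

# 13 to 16 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (lookarounds avoid matching a slice of a 20-digit reference).
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


@dataclass
class Attachment:
    name: str
    origin_tag: Optional[str] = None   # tag applied when the data was extracted


@dataclass
class Transfer:
    channel: str                       # email, ftp, http-upload, im ...
    sender: str
    destination_domain: str
    body: str = ""
    attachments: list = field(default_factory=list)


def luhn_valid(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid card-number-like strings found in ``text``."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def evaluate(t):
    """Return (decision, reasons) for one outbound transfer."""
    if t.destination_domain in TRUSTED_DESTINATIONS:
        return ("allow", [f"destination {t.destination_domain} is internal"])
    reasons = []
    for a in t.attachments:                       # precise method: tagged origin
        if a.origin_tag in SENSITIVE_ORIGINS:
            reasons.append(f"attachment {a.name!r} originates from tagged source {a.origin_tag!r}")
    cards = find_card_numbers(t.body)             # content method: Luhn-valid numbers
    if cards:
        reasons.append(f"body contains {len(cards)} Luhn-valid card number(s)")
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    # Constructed transfers, none of them real messages.
    samples = [
        Transfer("email", "alice@example.com", "partner.example.net",
                 attachments=[Attachment("salaries.xlsx", "hr-db")]),
        Transfer("http-upload", "bob@example.com", "cloud-storage.example.org",
                 body="Please charge card 4111 1111 1111 1111 for the invoice."),
        Transfer("ftp", "carol@example.com", "vendor.example.net",
                 body="Order ref 1234567890123"),
    ]
    for t in samples:
        decision, reasons = evaluate(t)
        print(f"{t.channel:12} -> {t.destination_domain:26} {decision:5} {'; '.join(reasons)}")
```

The tag check is what the post calls "precise": it needs no inspection of the bytes, only the label that followed the data out of its source. The Luhn check is there to show why a plain digit regex is not enough on a perimeter device; a 13-digit order reference passes the pattern but fails the checksum and is allowed through.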
So, to sum up quickly: to reduce your risk of data loss, you must tackle the problem in a layered approach, through Policy and Awareness, at the endpoint devices, in the data center, and on the perimeter.
- Updated Security Policies and Compliance programs
- Strong Awareness programs
- Laptop Encryption
- Removable Media Encryption
- EndPoint Data Loss Protection
- Network Access control
- File Integrity Monitoring
- Data Access Controls
- Storage Encryption
- Data Classification
- Data lifecycle
- Logging / Monitoring / Correlating / Reporting
- Web Filtering (URL Category filtering, blacklisting, AntiMalware, as well as Content filtering)
- Mail filtering (blacklisting, SPAM filtering, AntiMalware)
- Intrusion Prevention
- Network Traffic monitoring / logging / trending
- Botnet Detection and Prevention
Finally... Create a Breach Incident Plan.
Have the necessary tools, policies, training, contacts, and escalation in place, and test it regularly. Make sure that you have engaged Legal, Compliance, Brand, and your Corporate Communications teams and that they all know and can follow the plan.