[BreachExchange] A Prioritized Risk Approach to Data Security

Destry Winant destry at riskbasedsecurity.com
Tue Mar 5 04:46:18 EST 2019


A new approach to security strategy is required – one that is based
more on resilience than on prevention. It’s become more important for
a security team to quickly identify and respond to an attack to
minimize the impact of risks to the business rather than trying to
prevent attacks from occurring. The old castle-and-moat strategy
simply cannot survive the new threat landscape.

No organization can prevent every cyberattack. And none has the
resources to protect all of its data assets, devices and
infrastructure uniformly. Highly virtualized distributed computing
architectures, cloud-based applications and increasingly mobile users
have opened new attack surfaces and vectors for cybercriminals and
malicious insiders by erasing the traditional network perimeter. These
bad actors exploit vulnerabilities with more sophisticated and
innovative attacks that target privileged users who have access to
valuable data assets.

The growth of containers and microservices and the emerging Internet
of Things (IoT) usher in a new wave of apps and connected devices,
exponentially increasing the amount of data at risk. These trends
marginalize the effectiveness of traditional network and perimeter
security solutions, which were designed to prevent earlier generations
of malware.

Advanced persistent attacks (APTs) succeed because many organizations
lack a cohesive security approach that might prevent or rapidly detect
an attack. Legacy stateful firewalls, intrusion prevention systems,
Web gateways, antivirus software and email anti-spam solutions have
proven to be no match for the current threat environment.

So as APTs expand targeted threat surfaces, why do organizations still
invest most of their security budget in yesterday's preventive
technologies? Security strategy needs to focus on finding and rooting
out these modern threats.

A “Contain and Respond” Strategy

In this environment, security teams need to shift their focus – and
resources – from prevention to resilience. This entails accepting that
their organization is already compromised. This perspective better
prepares them to quickly identify an attack, contain it from
spreading, and recover from any losses – minimizing risk exposure for
the business.

A “contain and respond” security strategy starts with a holistic
approach to prioritizing risks across the organization. These risks
include business interruption, intellectual property loss, private
data theft, regulatory noncompliance, physical plant and personal
injury and reputational damage.

Instead of trying to prevent every threat, security teams target
defenses against the highest priority risks – those that can most
negatively impact operations and finances. Once risks are prioritized,
a multilayered data-centric approach establishes a secure perimeter
around the data associated with risks, locks down the data, removes
risk from privileged users and provides the information that
identifies malicious insiders and possibly compromised accounts.

Just as risks have different priorities, it follows that the different
data assets associated with those risks also have different protection
and privacy requirements. The data of highest value to attackers –
personal identifiable information, intellectual property,
customer-specific data and confidential financial information – are
also the most valuable “crown jewels” for the security team to

As opposed to conventional security layering by infrastructure,
application, device and user, a prioritized risk approach allows the
security team to dedicate more resources and attention to the assets
that are most important to the organization. This strategy is more
proactive and intelligence-based, enabling the security team to better
secure the organization’s most valuable data assets, respond to and
remediate incidents in a timely fashion and meet GRC (governance,
regulatory, compliance) requirements.

It also helps manage escalating security and compliance costs,
including team skills. As more functionality is automated, more of the
skill set should be skewed towards intelligence – threat analytics,
forensics and incident response.

The Need for Greater Intelligence

Traditional signature-based defenses remain a core component of
security strategy, protecting against non-targeted malware. But to
protect the organization’s most valuable data assets in virtualized,
cloud and big data environments, security teams need greater
visibility and intelligence. Specifically, they need to know what data
is going into these environments, who is authorized to work with this
data, when data is attempting to leave and how this data and its users
can be monitored while adhering to GRC mandates.

Not surprisingly, the databases and data warehouses that contain the
most valuable data – and the servers they reside on – are the primary
source of breaches. As organizations increasingly integrate big data
with traditional data in their quest to gain deeper insights and
improve decision outcomes, threats to these repositories will continue
to increase, exposing the organization to more risk. Much of this
data also drives decision-making – by both people and machines. If
that data were to be tampered with, the resulting decision outcomes
could be disastrous.

Since big data represents less than 15% of most organizations’
decision-making inputs today, it's recommended that big data be part
of broader data management and data governance initiatives. As such,
security governance should be linked with data quality and integration
components of these programs. Similarly, securing big data should be
part of a broader security strategy rather than having a separate big
data security strategy that potentially creates yet another data silo.

Automated continuous monitoring of network traffic, application-level
awareness and user-specific rules provide granularity into activity in
the IT environment. Monitoring that is more pervasive, automated and
intelligent allows security teams to better understand risks and
prioritize threats.

Correlations, machine learning engines and advanced behavioral
analytics and data visualization create context based on granularity
about users, applications and endpoint characteristics. These allow
security teams to establish baselines of normal vs. abnormal activity.
Key performance indicators (KPIs) provide real-time visibility into
anomalous behavior patterns, driving faster and more accurate incident
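
The two paragraphs above describe continuous, user-specific monitoring
that establishes a baseline of normal activity and surfaces anomalies.
The following Python script is an added illustration and is not part
of the original post or of any product it describes. It builds a
per-user baseline from a constructed database-access audit log (field
layout, business-hours window and z-score threshold are all
assumptions), then scores a later window of events against that
baseline and reports which events deviate in volume, source host or
time of day.

```python
"""Per-user behavioral baseline and anomaly scoring (added example).

Not from the original post. The audit-log format, field names,
business-hours window and threshold below are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit log: timestamp, user, source host, table, rows returned.
SAMPLE_LOG = """\
2019-02-04T09:12:03 alice app-srv-01 customers 120
2019-02-05T10:40:11 alice app-srv-01 customers 95
2019-02-06T11:02:45 alice app-srv-01 customers 130
2019-02-07T09:55:20 alice app-srv-01 customers 110
2019-02-08T14:20:09 alice app-srv-01 customers 105
2019-02-11T02:17:33 alice vpn-pool-17 customers 48000
2019-02-04T09:00:00 bob app-srv-02 orders 10
2019-02-05T09:05:00 bob app-srv-02 orders 12
2019-02-06T09:10:00 bob app-srv-02 orders 9
2019-02-07T09:12:00 bob app-srv-02 orders 11
2019-02-08T09:20:00 bob app-srv-02 orders 10
2019-02-11T09:15:00 bob app-srv-02 orders 12
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 treated as normal working time (assumption)
Z_THRESHOLD = 3.0              # flag volume more than 3 std devs above baseline (assumption)


def parse_events(text):
    """Parse the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "table": table, "rows": int(rows)})
    return events


def build_baselines(events, cutoff):
    """Per-user baseline from events strictly before the cutoff.

    Keeps mean/stddev of rows returned plus the hosts and tables seen,
    so the scoring window never contaminates its own baseline.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            per_user[e["user"]].append(e)
    baselines = {}
    for user, evs in per_user.items():
        rows = [e["rows"] for e in evs]
        baselines[user] = {
            "mean": mean(rows),
            "std": pstdev(rows),
            "hosts": {e["host"] for e in evs},
            "tables": {e["table"] for e in evs},
        }
    return baselines


def score_event(event, baseline):
    """Return the list of reasons an event deviates from the user's baseline."""
    reasons = []
    std = baseline["std"] or 1.0  # constant-volume users would otherwise divide by zero
    z = (event["rows"] - baseline["mean"]) / std
    if z > Z_THRESHOLD:
        reasons.append(f"volume z={z:.1f}")
    if event["host"] not in baseline["hosts"]:
        reasons.append(f"new source host {event['host']}")
    if event["table"] not in baseline["tables"]:
        reasons.append(f"new table {event['table']}")
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append(f"off-hours {event['ts'].strftime('%H:%M')}")
    return reasons


def detect(events, cutoff):
    """Score events on/after the cutoff; return {user: [flagged events]}."""
    baselines = build_baselines(events, cutoff)
    alerts = defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            continue
        base = baselines.get(e["user"])
        reasons = score_event(e, base) if base else ["no baseline for user"]
        if reasons:
            alerts[e["user"]].append({"ts": e["ts"].isoformat(), "reasons": reasons})
    return dict(alerts)


if __name__ == "__main__":
    for user, hits in detect(parse_events(SAMPLE_LOG), datetime(2019, 2, 11)).items():
        for hit in hits:
            print(user, hit["ts"], "; ".join(hit["reasons"]))
```

With the constructed log, only alice's 02:17 pull of 48,000 customer
rows from an unseen host is reported (three independent reasons), while
bob's slightly-above-average day stays under the threshold. In practice
the baseline window would be longer and the thresholds tuned per data
class, but the structure is the same: train on the user's own history,
score new activity against it, and let the reasons drive triage.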

Software-defined perimeter (SDP) is a relatively new protocol that
creates a next-generation access control system for the
software-defined network (SDN). A cloud-based SDP controller creates a
logical boundary around network and application resources, and only
grants access to this virtual perimeter after first authenticating
user identity by their device and permissions. Infrastructure and apps
remain concealed from potential intruders. Separating the control
plane from the data plane allows security teams to build more
automated and sophisticated security configurations and dynamically
provision standardized security services in the cloud.

The better these tools are integrated, the more of the kill chain can
be automated. Unifying disparate data points provides security teams
with more actionable intelligence to speed incident response and
contain risk. It also facilitates consolidating internal threat
intelligence and external services from the cloud and mobile networks.

Automation provides speed and scale to keep up with new architectures
and traffic growth. It improves agility and governance, reduces costs
and helps security teams mitigate human error and remediate more

People are Integral to Security Governance

Finally, because people are usually the common denominator in risks,
they should be included in security strategy – as they are in
effective data governance and disaster recovery and business
continuity initiatives. They can be made aware of their
vulnerabilities, trained to be more vigilant and incentivized to
adhere to policies or penalized for transgressions.

It’s believed that a company’s ability to demonstrate stronger
security governance relative to peers will become viewed as a
competitive advantage. This includes how it responds to a breach. How
a company informs customers, regulators and investors that an attack
has occurred and what they are doing/have done to contain it is
critical to maintaining security governance and preserving company

Security is everyone’s business; yet, responsibility still rests with
the security team. Security governance should be considered as much a
business initiative as data governance or disaster recovery and
business continuity. But to be truly effective, it must be endorsed
and practiced by senior management and board members. That is the only
way common business objectives can be achieved more securely.