Preparing for the new norm: 2013 Guarding against a data breach survey


Targeted attacks, like those that hit some organizations last month, are more frequently the cause of breaches and so are becoming the norm, agree experts. As a result, it's crucial that organizations understand how they happen and when.

“Attacks, at least the sophisticated ones, aren't a single-stage process,” says Charles Kolodgy, analyst with IDC, a provider of market intelligence and advisory services with corporate headquarters in Framingham, Mass. “They generally involve multiple steps.”

First, there may be a targeted spear phishing email that entices an unsuspecting user to visit a website that infects them with custom malware that includes a backdoor. From there, attackers are inside the network where they can search out data and start removing it. And, though understanding whether any anomalous behavior is happening on the network is critical, so too is preventing the download of the custom malware in the first place. Companies, as a result, are taking multiple steps to deal with these kinds of attacks, says Kolodgy, including bolstering information security awareness training to help staff spot phishing emails. As well, organizations are looking to deploy “better network-based advanced malware detection” to catch malicious payloads.

“At the endpoint, companies are looking at whitelisting and application control to prevent unknown executables from running,” Kolodgy says. “They are using network forensics and improved SIEM [security information and event management] to see communications from the network to a location that is suspicious,” he adds. “One solution isn't going to do it.”

Vormetric's Stewart agrees, noting that traditional data protection models that enlisted network-focused security methods, using solutions such as firewalls, intrusion detection systems and more, are no longer sufficient on their own.

“Any data-centric approach must incorporate encryption, key management, strong access controls, and file monitoring to protect data in physical data centers, virtual and public clouds, and provide the requisite level of security,” she says. “Today, it is table stakes to ‘firewall the data’. By implementing a layered approach that includes these critical elements, organizations can improve their security posture more effectively and efficiently than by focusing exclusively on traditional network-centric security methods.”

Unsurprisingly, respondents across all the regions queried through this year's SC Magazine survey already have deployed such solutions as email management and content filtering, network monitoring solutions, database security, and file and email encryption. As well, to a lesser degree, some have implemented vulnerability management solutions and web application security. Regarding plans for future deployments this year, many of these solutions make the lists for both respondents from the U.S. and U.K./Australia, with other technologies, such as mobile security, two-factor authentication, cloud security services and data loss prevention getting some attention.

Consultant Bayuk adds that some organizations that often find themselves the targets of APTs, such as government contractors or public agencies, are enlisting attack “kill chain monitoring” techniques. In undertaking these more advanced monitoring methods, organizations avoid mistaking a series of malicious activities for stand-alone happenings, which enables them to suss out the patterns behind attacks and therefore better prepare for them in the future. “That's the state of the art now – knowing enough about the individual steps of attacks.”
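The correlation idea behind kill chain monitoring, sketched as an added example (not from the article or any product it mentions): constructed alerts are grouped per host and matched in order against the attack steps outlined earlier in this piece. The stage labels, host names, seven-day window and three-stage threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Attack steps in the order the article describes them (labels are this example's own).
STAGES = ["phish_email", "web_visit", "malware_backdoor", "internal_search", "data_removal"]

# Constructed alerts (timestamp, host, stage); not real log data.
ALERTS = [
    ("2013-03-04T09:12", "ws-17", "phish_email"),
    ("2013-03-04T09:15", "ws-17", "web_visit"),
    ("2013-03-04T09:16", "ws-17", "malware_backdoor"),
    ("2013-03-04T11:02", "ws-22", "web_visit"),
    ("2013-03-05T02:40", "ws-17", "internal_search"),
    ("2013-03-06T03:05", "ws-17", "data_removal"),
    ("2013-03-20T10:00", "ws-22", "data_removal"),
]

def correlate(alerts, window=timedelta(days=7), min_stages=3):
    """Return {host: [stages]} for hosts whose alerts form an in-order chain
    of at least min_stages stages, all within `window` of the chain's start."""
    by_host = defaultdict(list)
    for ts, host, stage in alerts:
        by_host[host].append((datetime.fromisoformat(ts), STAGES.index(stage)))

    findings = {}
    for host, events in by_host.items():
        events.sort()
        best = []
        # Try each alert as a chain start; extend greedily with later stages.
        for i, (start, first) in enumerate(events):
            chain = [first]
            for ts, idx in events[i + 1:]:
                if ts - start > window:
                    break  # too far apart to treat as one campaign
                if idx > chain[-1]:
                    chain.append(idx)
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_stages:
            findings[host] = [STAGES[i] for i in best]
    return findings

if __name__ == "__main__":
    for host, chain in correlate(ALERTS).items():
        print(host, "->", " > ".join(chain))
```

Viewed one at a time, each alert on ws-17 is a low-priority event; correlated, they form the full sequence, while the two unrelated alerts on ws-22 stay below the threshold.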

Working with others

Information security departments also are becoming more adept at connecting data protection efforts with other departments beyond IT, such as human resources, public relations, legal, boards of directors and others, Bayuk says.

Indeed, compared to the results of past data breach surveys, this year a higher number of respondents across the regions queried say they are meeting with various departments more frequently than in previous years – usually monthly or quarterly. As well, business continuity and recovery plans are reviewed much more frequently than in the past.

“Security is not a department. It's an architecture,” says Bayuk. “These links are part of your security program – an evolving part of your ability to respond. It's observe, orient, decide, act. It's a living thing.”

This is especially true in bolstering an organization's business continuity and response efforts in times of both IT-based attacks and physical disruptions, such as those experienced by many companies in New York, New Jersey and other northeastern states during Hurricane Sandy.
