Its a sunny day somewhere thousands of miles away from your data center. A savvy hacker sits in front of his monitor. He checks the current black market rates for U.S. Social Security and credit card numbers then runs down his list of potential targets — a major university, a financial services company, two retail chains and an energy company.
The energy company is of particular interest, since he was able to buy some access credentials from a former employee, but would they still be good? Probably, as it can take forever for some companies to de-provision user accounts.
A DBA of a large financial services company is working late. Earlier today he heard about upcoming merger. People would be let go — his name was on the list. He's given 20 years to this organization and can't believe that they would do this to him while his kids are still in college. He accesses the customer database and starts downloading information, covers his tracks, then emails the file to his home address.
Midnight in a New York hotel room, an employee of a major retail chain can't sleep. Might as well get some work done. She loaded all of the employee data that she would need onto her laptop before she left for the human resources conference. She searches her suitcase and looks around the room. The laptop is gone.
These scenarios describe three categories of data theft:
Database/data center breach – Someone accessed or hacked into a data server (database or file server) that stores sensitive data.
Data leakage -- email, thumb drive - Someone sends sensitive data from the enterprise to another location in an unauthorized way.
Physical loss - Atape or laptop is lost or stolen.
The real questions are: what percentage of data loss incidents fall into each category and which type of data loss causes the most damage to an enterprise?
Privacy Rights Clearinghouse, a consumer rights group that is tracking data breaches, estimates that more than 153,800,715 records containing sensitive personal information have been involved in data security breaches since 2005. To put this into perspective, on May 10, 2007, the entire population of the U.S. weighed in at 301, 809, 994 people.
According to this group, the number of data breach incidents from 2004 to 2007 (where the category of data theft was known) was approximately 318. Of these incidents, laptops came in first (frequency of 47 percent, 149 incidents), next were databases (40 percent, 126 incidents), tapes were third (11 percent) and email last (at only two percent). When we quantify data breaches by exposure, it's a different picture. Out of roughly 127 million data losses, databases are the number one point of exposure (64 percent - 84 million), laptops are number two (25 percent - 32 million), tapes take third place (10 percent) and email remains in last place (one percent). Even though the numbers are approximate (since incidents of data exposure are not always detected or reported) the statistics are very revealing — data breaches are not all equal. The source of data breaches matters.
Based on this data, let's look at the most damaging form of breach, theft of data from data centers/databases by users with credentials. These insider thieves, disgruntled workers or outsiders masquerading as insiders, typically have specific goals and objectives to wreak havoc on systems or steal sensitive data for profit.
So let's get back to our hacker with insider credentials. First he reaches the VPN, no problem gaining access, he's an insider. There is no way to determine that he is anything but what his credentials identify him as. The IPS or IDS system gives him the once over. Nothing unusual is detected. The IAM waves him on - because IAM, IPS, IDS are essentially badge readers. Once inside the data center, he begins to access data. He'll grab some data to test the waters, a small amount, to see if the download works, then he will go after his main target — the SS numbers of the company's five million customers.
What are the SIM systems doing at this point? Since the IDS or other edge security systems didn't find anything amiss the SIM doesn't have anything to analyze. It is possible that the Social Security numbers are encrypted. However, if this intruder has the right credentials encryption will not protect the data.
This is a scary scenario. Possibly even more frightening is the real insider who has intimate knowledge of your data center and your business or worse, is a database administrator – a privileged user — who can not only make changes to applications but cover his tracks. Even inadvertent mistakes, non-malicious behavior with data, can violate state or federal law and cause costly legal issues for an enterprise.
When it comes to database breaches, the real issue is lack of real-time insight into what is actually happening to the data. Most data security is about policing the edges; they are not close enough to nor do they have any meaningful insight into what is happening to data. Except for some edge solutions, which deal with data as it's leaving the building, most lack the ability to analyze data activity in a meaningful way.
To thwart the insider database breach, enterprises must have the ability to "see" what's going on with data and recognize the difference between:
Critical data assets and other data;
A "genuine" authorized user and a masquerader;
An employee accessing data in the normal course of business and a malicious insider;
This is a new way of thinking about security called Inside Out Security. It comes from the realization that visibility into data centers; databases file servers and mainframes; is required to protect data and achieve data compliance. It requires technologies referred to as data auditing and protection and database activity monitoring solutions. These policy-based solutions sit in front of data centers and watch user activity, including privileged user behavior and, using advanced analytics, they recognize suspicious activity and alert in real-time.
Let's review our database theft scenario in the context of a data auditing system. The thief comes into the VPN, slides by the IDS and past the IAM. Once in the data center, a policy triggers in the data auditing system — an employee is accessing data that he doesn't typically access from an new IP address and at a time when he is typically not on the system (or is downloading large amounts of data that he normally accesses in small amounts). A real-time alert is sent to appropriate personnel or other security device, like a SIM/SEM, and the breach is nipped in the bud. The enterprise knows exactly which data is being accessed and from where as it is happening. A detailed report is automatically sent to appropriate stakeholders.
This is in stark contrast to the way that many recent data/database breaches have been detected – which is by log analysis, a manual effort that typically happens well after the breach and damage has been done. This after-the-fact discovery and analysis is no longer acceptable to enterprises that want to avoid the costly aftermath of a data security breach
In the past the accepted method of protecting valuable data assets was to focus on the perimeter with technologies that were the equivalent of locks, badge readers and security guards. Inside Out Security requires enterprises to move security closer to the data, watch what is actually happening, analyze what user activity with data means in relation to compliance and security policies and take action based on this immediate assessment of potential risk. It is like adding a super smart surveillance camera to your data center, one that is monitored by security devices and personnel round the clock. A critical new layer that addresses damaging database and data center breaches by credentialed users as they are happening — breaches that have been hard, if not impossible, to detect from the outside in.
- Prat Moghe is founder and CTO of Tizor Systems