As practitioners across all industries expand their business operation protection programs in the continuing onslaught of global cyberattacks, a common concern is data exfiltration defense. In today's complex technology environments, a single process, technology or policy won't provide an adequate operational preventative capability to prevent exfiltration and identify and respond to negative impact events. A tiered approach of critical network hygiene basics, advanced prevention techniques, better technology and security intelligence capabilities may be the difference between knowing you have a potential issue in time to respond versus finding out too late.
Knowing thyself is the first step in any operational cyberdefense program. Have a clear understanding of the entirety of your network and internet flows, IP address schemas, ranges, net blocks and architecture. Although exfiltration can happen in almost any form, I'm focusing on mass data exfiltration through internet edges, the mechanism of some of the largest attacks recently.
Generalized edge management and controls are your first concern. I've heard the edge is dead, but defining your edge and what traverses it isn't. Use whatever routing and security technologies you prefer driving bi-directional port and protocol management, leveraging authenticated proxy capabilities, where applicable, and generalized dedicated port management for the remainder. Once you've established a baseline, work with your IT and operations groups to enforce infrastructure assurance processes – like change management/detection and vulnerability management services – to maintain that baseline and record required changes. Rounding out the baseline objectives will be simplistic platform and systems management, like AAA, and forced blogging objectives into centralized monitoring platforms, OS and application patching, and IDM access insurance for data storage.
Work with your IT groups to enforce infrastructure assurance processes...”
As you're geared up to begin deploying advanced detection monitoring capabilities, set yourself up for data exfiltration prevention through anchoring techniques, such as segmentation and funneling. Create network containment techniques to define areas containing the most critical data, use techniques within your information lifecycle and data storage technologies to migrate data to these locations and force the movement of data to/from that environment through specific tunneling routes.
Next, implement technologies, like data leakage prevention, using multiple interrogation techniques beyond simple data matching in a tiered fashion at the host, network and edge. Each layer implemented has a specific control requirement, feature set and policy with an integrated overlapping framework of preventative, detective and defensive control purpose. Through the use of security intelligence and analytics technologies, extend the use of in-place controls through advanced analytics or correlation efforts – all correlated to signify a potential data exfiltration event.
Further, implement inflow decrypt capabilities where legally permissible, handoff to your existing data inspection capabilities and employ application level encryption techniques to extend the most use of the encryption of your critical data across all parts of your stack. Use good encryption hygiene to ensure segregation of duties.
The key to it all is establishing your data exfiltration defense program on top of good fundamental control hygiene and leveraging as much of your existing technology control infrastructure as possible to limit access, protect and monitor the data itself. By doing this, adding in advanced monitoring and focusing on only those business assets necessary to defend, you have a very good chance of advancing your business operations protection data defense capabilities.
Roland Cloutier is global CSO at ADP.