
Solving the hardest problems in enterprise data security

Verdasys believes global enterprises will most likely face the following data security challenges in 2012, listed from most to least difficult to manage:
  1. Targeted cyber attacks
  2. Insider threats
  3. Intellectual property containment

As this list refers to data threats with a proven potential to severely impact a business's bottom line if left unaddressed, the relatively benign “threat” of failing a compliance audit did not make the cut.

These potentially existential threats are not only prioritized by how hard they are to solve, but are also in order of their urgency to be solved. This is based on the “top down” theory of data security that says the most difficult threat requires a solution that will, by definition, mitigate all other risks of lesser complexity. For instance, to prevent insider threats one must have found a practical solution for auditing and controlling enterprise uses of intellectual property (presuming that is the primary data target of a malicious insider). Likewise, to protect intellectual property, one must have found a practical solution to audit and control all data types, and so on. A “bottom up” model does little good if it requires implementing layers of disparate technology to solve progressively harder problems, as this simply incurs greater costs without making you any safer.

If you agree with the logic of top-down defense, then you must defeat the apex predator of corporate data. In 2012, this is undoubtedly targeted cyber threats – aka the advanced persistent threat (APT).

It used to be that stopping a malicious insider from stealing trade secrets was the hardest data security challenge to solve, but APT trumps that threat by being, in effect, an invisible malicious insider. So, if you haven't found a way to identify and track how IP is used, then you wouldn't be able to monitor or enforce how a trusted employee uses that IP, which means you wouldn't be able to detect when a trusted “user” account controlled by APT is stealing it, and so on.

What are APT threats and why are they so dangerous to companies? To start, if your organization has intellectual property (IP) that can be exploited by a global competitor, there's a good chance a purpose-built APT mission to steal it is already under way. Perpetrators of APT attacks are hackers and programmers with world-class skills who are backed by “investors” with essentially unlimited resources (i.e., nation-states) that will not stop until they gain an economic or political edge with your proprietary data.

But what makes APT so challenging to solve is that a successful attack requires it to operate freely within a network indefinitely, so it must be highly customized (at great expense) to be undetectable by typical signature-based security technologies. Unfortunately, this means that virtually all traditional signature-based anti-virus and firewall products, along with most web/email security, intrusion prevention and disk encryption technologies that companies have implemented over the last 20 years, are effectively useless at stopping an APT attack. Companies targeted by APT will need to upgrade their defense strategy to include multiple, integrated layers of extremely sensitive anomaly detection and mitigation.

How do you stop an APT attack? First, you must be able to continuously track any intellectual property over its entire lifecycle. This means tagging files in such a way that the tag cannot be tampered with or lost, no matter how the content may be manipulated, shared or transformed. Then, you must be able to identify your privileged users and categorize them by their right to handle data of a given sensitivity (e.g., IT administrator). This means having a policy management system that is enforced independently of a user's other network privileges. Next, your data protection technology must be able to recognize IP by policy, and control it based on each user's data handling privileges.

At that point, you can be assured of mitigating two key APT risks, even if the attack has not been previously detected. The first is that tagged IP will remain protected if APT attempts to access it with a hijacked account that has insufficient data usage rights, regardless of that account's system privileges. The second is that even IP accessed by an account with sufficient rights can still be contained by policy (e.g., encryption or blocking) if an attempt is made to export the data to an unauthorized destination. In either case, a reporting system which continuously audits all user account activities lets you know exactly when and how anyone – or anything – attempts to handle IP, and can serve as an effective tripwire if your network has been compromised.
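To make the enforcement model described in the two paragraphs above concrete, here is an added Python sketch (illustration only, not Verdasys product code) of a policy decision point: data clearance is checked independently of system privilege, trade-secret exports to destinations outside a constructed approved list are encrypted rather than allowed, and every decision lands in an audit log that a simple tripwire function inspects. All names, sensitivity levels and destinations are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    TRADE_SECRET = 2


@dataclass(frozen=True)
class TaggedFile:
    name: str
    sensitivity: Sensitivity      # classification tag that travels with the content


@dataclass(frozen=True)
class Account:
    name: str
    is_sysadmin: bool             # OS/network privilege: deliberately ignored below
    data_clearance: Sensitivity   # data-handling right granted by the policy system


# Constructed: the only export destinations approved for trade secrets
APPROVED_DESTINATIONS = {"corp-fileshare", "encrypted-vault"}

AUDIT_LOG = []                    # every decision is recorded, allowed or not


def decide(account, file, action, destination=None):
    """Return 'allow', 'block' or 'encrypt' for one data-handling attempt."""
    if account.data_clearance < file.sensitivity:
        verdict = "block"         # account lacks data rights, sysadmin or not
    elif (action == "export" and file.sensitivity == Sensitivity.TRADE_SECRET
          and destination not in APPROVED_DESTINATIONS):
        verdict = "encrypt"       # rights suffice, but contain the unauthorized export
    else:
        verdict = "allow"
    AUDIT_LOG.append((account.name, action, file.name, destination, verdict))
    return verdict


def tripwire(min_blocks=2):
    """Accounts with repeated blocked attempts: a cheap compromise indicator."""
    counts = {}
    for name, _, _, _, verdict in AUDIT_LOG:
        if verdict == "block":
            counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c >= min_blocks)
```

Note that the sysadmin flag never enters the decision: an account that owns the machine but lacks data clearance is still blocked, which is the point the article makes about hijacked privileged accounts.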

Finally, you must be able to merge enterprise anomaly detection on workstations, servers and network traffic using policy rules created to identify specific and subtle APT tactics. This trove of enterprise event telemetry should ideally feed into an integrated policy management/data mining system that can sift through legitimate “noise” to isolate and manage multiple anomalous or threatening events (either connected or separate) simultaneously. The key to an APT security strategy is that you only need to stop one stage of an APT attack to thwart the entire mission. If a particular security layer fails to detect something, you'll still be OK as long as another layer sees it.

Nobody said tackling these issues was going to be easy, but the threats are only getting worse (search “cyber attack” to see why). The good news is that the technical pieces exist from which to create a security mesh woven tightly enough to trap APT before it can complete its mission, and thus also solve insider threats and IP protection challenges without affecting the business process. Will the best defense be 100 percent effective? No, but it prevents you from being a constant victim. Besides, it is 100 percent certain that doing nothing will cause one or more of these security challenges to inflict serious – maybe permanent – harm to your business.
