Critical Capabilities for Detecting Insider Threats and Protecting Sensitive Data

Sensitive data is at the heart of all data breaches and protecting it is among most organizations’ top priorities. But why is protecting the data crown jewels so difficult? Firstly, regardless of controls on how data is exchanged among organizations and countries, data spread is unavoidable.

Having visibility into that spread is a first-order problem that must be solved before you can protect the data and detect potential threats. The big challenges that organizations must first solve to protect sensitive data are:

  • Lack of enterprise visibility to sensitive data
  • Not knowing where to start – what / where are the most critical data to protect?
  • Inadequate data protection
  • Inaccurate and slow detection of threats – insider activities are just as important as hackers – around 20% of data breaches are caused by insiders or 3rd

Solutions for detecting insider threats and protecting sensitive data need to address these problems.

Enterprise Visibility – Confirm What You Know and Learn What You Don’t Know

When asked whether they know where all their sensitive data are located, some information security professionals, data owners, and enterprise architects may believe that they have this information. But with the amount of data proliferation, shadow IT, and information sharing across individuals and organizations, is their confidence false or do they have true visibility? Regardless of the state of knowledge within your organization, it is always prudent to confirm what you know and learn what you may have missed. For this purpose, enterprise sensitive data discovery and classification is an essential first step.

Discovery and classification is usually a combination of an automated process that scans data stores across the enterprise to identify sensitive data and iterative human curation. A solution that scans data stores across the enterprise needs to scale from hundreds to thousands to tens of thousands of data stores, and it needs to provide both an offline and an interactive way to review the results so that data owners and security staff can act on them.

Classification policies also need to be flexible and support advanced rules and analytics so that the combinations of data elements that truly make up sensitive data can be identified. For example, a person’s name by itself is not sensitive data, but combined with the individual’s address, phone number, or email address it is. Rules rich enough to express the possible combinations of data elements that could constitute sensitive data are required, especially under regulations such as GDPR. Also, data that is sensitive now may not be in a month. An example is a public company’s quarterly results, which are confidential until the quarterly reporting announcement. Therefore, the ability to determine sensitivity based on time increases the accuracy of discovery.
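The two rule types described above, a combination rule (name plus at least one of address, phone or email) and a time-bounded rule (quarterly results confidential until the announcement date), as a small added example in Python. This is illustration code written for this page, not Informatica’s product; the rule format, field names and sample records are constructed assumptions.

```python
"""Added example (not the page's or Informatica's code): rule-based
sensitive-data classification with element combinations and time-bounded
sensitivity. Rule format, field names and records are constructed."""
from datetime import date


def combination_rule(label, anchor, companions, min_companions=1):
    """Fire `label` when the anchor field is present together with at least
    `min_companions` of the companion fields (e.g. name + address/phone/email)."""
    def rule(record, today):
        if not record.get(anchor):
            return None
        present = [c for c in companions if record.get(c)]
        return label if len(present) >= min_companions else None
    return rule


def time_bounded_rule(label, marker_field, until_field):
    """Fire `label` only while today is before the date stored in `until_field`
    (quarterly results stop being confidential once announced). A record that
    carries the marker but no end date is treated as still sensitive."""
    def rule(record, today):
        if not record.get(marker_field):
            return None
        until = record.get(until_field)
        return label if until is None or today < until else None
    return rule


# Assumed policy: which combinations and time windows count as sensitive.
RULES = [
    combination_rule("PII", "name", ["address", "phone", "email"]),
    time_bounded_rule("CONFIDENTIAL_FINANCIAL", "quarterly_results",
                      "announcement_date"),
]


def classify(record, rules, today):
    """Return the sorted list of labels that apply to one record on `today`."""
    labels = {lab for rule in rules if (lab := rule(record, today))}
    return sorted(labels)


def classify_store(records, rules, today):
    """Summarise a scanned data store: label -> number of records carrying it."""
    summary = {}
    for rec in records:
        for label in classify(rec, rules, today):
            summary[label] = summary.get(label, 0) + 1
    return summary


# Constructed sample rows as a discovery scan might extract them.
SAMPLE_STORE = [
    {"name": "Jane Doe"},                                    # name alone: not PII
    {"name": "Jane Doe", "email": "jane@example.com"},       # name + email: PII
    {"name": "J. Roe", "address": "1 Main St", "phone": "555-0100"},
    {"quarterly_results": "Q2 FY17 draft",
     "announcement_date": date(2017, 7, 20)},                # confidential until 20 Jul 2017
]

if __name__ == "__main__":
    print(classify_store(SAMPLE_STORE, RULES, date(2017, 5, 1)))   # before announcement
    print(classify_store(SAMPLE_STORE, RULES, date(2017, 8, 1)))   # after announcement
```

Re-running `classify_store` on a schedule is what turns the time-bounded rule into a practical control: the same row that is `CONFIDENTIAL_FINANCIAL` in May carries no label in August, so the stored classification, and any protection keyed on it, can be relaxed without a manual review.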

Visibility is not only about knowing what sensitive data you have and where it is, but also:

  • What is its level of sensitivity?
  • What is its value to the organization?
  • Where did it come from?
  • Where has it gone to?
    • Where has the data been copied, moved to, shared with?
    • What other data stores has it been propagated to?
    • Has it crossed regional boundaries governed by inter-country regulations?
  • Who has access to it?
  • Who accessed it?
  • How was it accessed? From where? How often?
  • What are the regulations governing it?
  • Is it protected?
  • How is it protected?

Risk Driven Approach to Prioritize Data Protection

All of the above information about sensitive data determines the risk associated with it, how you should prioritize its protection, and how it should be protected. Based on the risk assessment, which weighs the likelihood of the risk against its impact, you can determine whether to avoid, mitigate, transfer, or accept the risk.

If you decide to avoid or mitigate, you can determine the method. The following are among the possible methods depending on the types of threats to defend against:

  • Encrypt (device, file, database, field level)
  • Tokenize
  • Mask (persistent or dynamic)
  • Control access
  • Quarantine
  • Purge
  • Block
  • Archive (Manage retention)
  • Notify Owner

Policy-based Protection

Once you’ve determined the priority of protection and how a data set should be protected, the deployment and enforcement of protection needs to be automated and easy to apply to multiple data stores across the enterprise. A policy-based approach allows the definition, application, and enforcement to be standardized across the organization and easily managed and monitored.

Bridging the Gap between Policy and Enforcement

Usually, the staff who define what data should be protected and how are different from those who actually implement and enforce the protection. How do you ensure that the defined policies are actually enforced? An automated method to orchestrate the application of policies is required, so that there is an automated hand-off, audit, and resolution of the protection enforcement on target data stores.
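The risk-driven prioritization, the choice among avoid/mitigate/transfer/accept, and the policy-to-enforcement hand-off from the three sections above, worked through in one added Python example. This is not Informatica’s code; the visibility attributes, scoring weights, thresholds, policy table and asset inventory are all assumptions constructed for illustration.

```python
"""Added example (not the page's or Informatica's code): score each
discovered asset from its visibility attributes, choose a risk treatment,
and turn a policy table into auditable enforcement work items.
Field names, weights, thresholds and inventory are constructed."""

# Constructed inventory as a discovery scan might produce it: one entry per store.
ASSETS = [
    {"store": "crm-db-prod", "labels": ["PII"], "sensitivity": 3, "value": 3,
     "copies": 4, "crossed_region": True, "users_with_access": 250,
     "protected": False, "needed": True},
    {"store": "crm-export-2015", "labels": ["PII"], "sensitivity": 3, "value": 2,
     "copies": 1, "crossed_region": False, "users_with_access": 3,
     "protected": False, "needed": False},          # stale copy nobody uses
    {"store": "hr-share", "labels": ["PII"], "sensitivity": 3, "value": 2,
     "copies": 1, "crossed_region": False, "users_with_access": 12,
     "protected": True, "needed": True},
    {"store": "marketing-wiki", "labels": [], "sensitivity": 1, "value": 1,
     "copies": 2, "crossed_region": False, "users_with_access": 800,
     "protected": False, "needed": True},
]

# Assumed policy table: classification label -> ordered protection actions.
POLICY = {
    "PII": ["encrypt:field", "mask:dynamic", "control_access", "notify_owner"],
    "*":   ["control_access", "notify_owner"],
}


def likelihood(asset):
    """1..5: wider spread, broader access and missing protection raise the odds."""
    score = 1
    score += asset["copies"] > 1
    score += asset["crossed_region"]
    score += asset["users_with_access"] > 100
    score += not asset["protected"]
    return int(score)


def impact(asset):
    """1..5, scaled from sensitivity (1-3) and business value (1-3)."""
    return max(1, min(5, round(asset["sensitivity"] * asset["value"] * 5 / 9)))


def treatment(asset, risk):
    """Assumed decision rule. Data that is no longer needed is avoided (purged);
    otherwise thresholds on likelihood x impact pick the treatment."""
    if not asset["needed"]:
        return "avoid"
    if risk >= 10:
        return "mitigate"
    if risk >= 5:
        return "transfer"        # e.g. contractual or insurance; owner decides
    return "accept"


def plan(assets, policy=POLICY):
    """Return enforcement work items, highest risk first, each carrying the
    audit fields a hand-off between policy owners and enforcers needs."""
    work = []
    for a in assets:
        l, i = likelihood(a), impact(a)
        risk = l * i
        t = treatment(a, risk)
        if t == "avoid":
            actions = ["purge"]
        elif t == "mitigate":
            actions = []
            for label in a["labels"] or ["*"]:
                actions += policy.get(label, policy["*"])
        else:
            actions = ["notify_owner"]          # decision recorded, no enforcement
        work.append({"store": a["store"], "likelihood": l, "impact": i,
                     "risk": risk, "treatment": t, "actions": actions,
                     "status": "handed_off" if t in ("avoid", "mitigate") else "owner_review"})
    return sorted(work, key=lambda w: -w["risk"])


if __name__ == "__main__":
    for item in plan(ASSETS):
        print(item)
```

The work items are the bridge between policy and enforcement: each one names the target store, the policy actions to apply and a status that the enforcing team updates, so the policy owner can audit whether what was defined was actually applied rather than assuming it was.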

Timely Detection of Threats to Sensitive Data

The average time between a breach and its detection is over 100 days. Detection is even more difficult when it involves employees, contractors, administrators, business partners, customers, or compromised credentials. Detecting insider threats requires monitoring and logging of users’ activities, together with advanced analytics and machine learning to baseline the normal behavior of a user and of their peer group. With a baseline, you can then identify unusual or suspicious activities that deviate from the norm.
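A minimal version of the baselining described above, added here as an illustration (not Informatica’s analytics): each user’s daily activity is compared both with their own history and with their peer group, and only a deviation from both is escalated outright. The log format, peer groups, counts and the z-score threshold are constructed assumptions.

```python
"""Added example (not the page's or Informatica's code): per-user and
peer-group baselines over daily access counts, scored with z-scores.
Log format, groups, counts and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily access-log summaries: (user, peer_group, day, records_read).
LOG = (
    [("alice", "finance", d, n) for d, n in enumerate([40, 45, 38, 42, 44, 41, 39])]
    + [("bob", "finance", d, n) for d, n in enumerate([50, 48, 52, 47, 49, 51, 50])]
    + [("carol", "finance", d, n) for d, n in enumerate([30, 33, 29, 31, 32, 30, 34])]
)


def build_baselines(log):
    """Mean/stdev of daily counts per user and per peer group, plus user->group."""
    per_user, per_group, group_of = defaultdict(list), defaultdict(list), {}
    for user, group, _day, count in log:
        per_user[user].append(count)
        per_group[group].append(count)
        group_of[user] = group
    user_stats = {u: (mean(v), pstdev(v)) for u, v in per_user.items()}
    group_stats = {g: (mean(v), pstdev(v)) for g, v in per_group.items()}
    return user_stats, group_stats, group_of


def zscore(value, stats, floor=1.0):
    """Standard score; the floor stops a very regular user (stdev near 0)
    from turning a one-record change into a huge score."""
    mu, sigma = stats
    return (value - mu) / max(sigma, floor)


def score_activity(user, count, baselines, threshold=3.0):
    """Classify one day's count for a user against both baselines."""
    user_stats, group_stats, group_of = baselines
    if user not in user_stats:
        return {"user": user, "count": count, "verdict": "no_baseline"}
    z_self = zscore(count, user_stats[user])
    z_peer = zscore(count, group_stats[group_of[user]])
    if z_self > threshold and z_peer > threshold:
        verdict = "anomalous"          # unusual for the user and for their peers
    elif z_self > threshold or z_peer > threshold:
        verdict = "review"             # unusual on one axis only: lower priority
    else:
        verdict = "normal"
    return {"user": user, "count": count, "z_self": round(z_self, 2),
            "z_peer": round(z_peer, 2), "verdict": verdict}


if __name__ == "__main__":
    baselines = build_baselines(LOG)
    for user, count in [("alice", 43), ("alice", 55), ("alice", 420), ("dave", 20)]:
        print(score_activity(user, count, baselines))
```

The two-axis verdict is what keeps alert volume down: a user reading 55 records when they usually read about 41 is far outside their own baseline but ordinary for the finance group, so it lands in the lower-priority `review` bucket; 420 records is out of range on both axes and is the only case escalated as `anomalous`. A user with no history gets `no_baseline` rather than a guessed score.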

Real-time Closed Loop Remediation

When anomalous activities or violations are detected, remediation actions need to be taken to review and investigate the incidents and to resolve or remediate the problem. The detection system should trigger an automated workflow for review by the security team, with resolution or remediation activities carried out by downstream owners.

Discovery, detection, orchestration, remediation, and continuous risk monitoring and management are critical capabilities for a data security solution that provides enterprise-wide visibility and control of sensitive data. Timely detection of insider threats and prioritization of remediation are key challenges: few solutions do both with high accuracy while also reducing the alert fatigue experienced by security analysts.

To learn more ways to reduce the risk of data breach while improving compliance and governance, we invite you to join us at Informatica World 2017, May 15-18 in San Francisco.
