Audits, by nature, are rear-view facing. In many cases that is fine (e.g., an income tax audit or a process audit), but in cybersecurity and data security, relying on an external audit as the measure of protection poses a significant business risk.
Data security and data governance, risk and compliance (GRC) goals did not align until GDPR. Data GRC focuses on demonstrating (reporting) the controls over who accessed in-scope data, what they accessed and when; it is not primarily about securing the data. Organizations needed to demonstrate compliance and pass an audit, not prevent data breaches. Before GDPR, fines for breaches were minor, so finding a way to pass the audit and keep operating the business mattered more than reducing the risk of a breach.
GDPR shifted this paradigm by imposing substantial fines for infringements, including inadequate security that leads to a breach. As a result, organizations now focus on minimizing data loss rather than on passing an audit. There is no mandatory GDPR certification audit comparable to ISO certification; the regulation's references to audits concern a controller's right to audit its data processors and the supervisory authorities' own investigative powers, not a certificate an organization passes. Compliance is self-imposed, driven by the threat of a stiff fine, and that pushes organizations to treat compliance and security as a single goal: protecting data.
Earlier compliance standards and regulations such as ISO/IEC 27001, PCI DSS, Sarbanes-Oxley (SOX) and SOC 2, to list a few, are built around the audit.
For these, organizations put in place the minimum processes and controls needed to pass the audit. Those controls may have little or no effect on data protection and privacy; the organization is simply obtaining compliance through a passing audit, and the certificate acts as a get-out-of-jail card. If anything goes wrong, the organization says, "But we passed our audit. It's not our fault."
The New York law firm Grubman Shire Meiselas and Sacks, which represents well-known celebrities such as Lady Gaga, Madonna, Mariah Carey and U2, appears to have suffered a REvil ransomware attack. The REvil operators are threatening to publish documents stolen from the firm's clients in nine staggered releases unless their demand for $42 million in ransom is met.
The attack has been linked to an unpatched Pulse Secure VPN server on a domain the law firm used. Vulnerability scan data indicated that the server had been exposed in a vulnerable state for almost two months, a period during which many threat actors were actively scanning the internet for unpatched VPN servers.
A scan that finds an exposed, vulnerable VPN server cannot by itself confirm that REvil used it to plant ransomware and encrypt files. But REvil is known to target unpatched VPN servers, using them to gain a foothold on the network, steal credentials, plant malware and launch the attack, and that pattern may well be how they reached Grubman.
Ransomware takes two main approaches. The first encrypts the data in place at the victim's site and demands a ransom for the decryption key. The second exfiltrates the data to a location the attacker controls and demands a ransom for not releasing it to the public. Groups such as REvil now combine the two, as the Grubman extortion demand shows.
SecureCircle Data Access Security Broker (DASB) customers who face similar attacks, or malicious insiders, only need to worry about the first approach. Exfiltrated SecureCircle-protected data is AES-256 ciphertext, and each file is encrypted under its own key, so publishing the stolen files exposes nothing readable. Brute force is not an option either: even a 100 petaFLOPS supercomputer trying one key per operation would need about 3.67 × 10^52 years to exhaust a single 256-bit keyspace. The caveat is that this protection is only as strong as the key management around it: the keys must stay out of the attacker's reach.
The first type of attack, encrypting data in place, is still possible with SecureCircle: the attacker simply encrypts an already encrypted file, and the result is unreadable to everyone. Recovery from an encrypt-in-place attack comes from a proper backup solution that isolates the backup data from the production network and keeps multiple revisions of each file, so that a copy from before the attack can be restored.
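As an added illustration, not SecureCircle's code or file format and not part of the original article, the following Go program shows the envelope-encryption pattern behind the two claims above: each file gets its own random 256-bit data key, that key is wrapped under a key-encryption key (KEK) the organization keeps, and the file body is sealed with AES-256-GCM, so exfiltrated files are useless without the KEK. It also models the encrypt-in-place attack, which turns the live copy into bytes nobody can read, and shows why an earlier backup revision is the recovery path. The ProtectedFile layout, the all-zero demo KEK and the attacker key are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ProtectedFile is the constructed layout used in this example (not SecureCircle's
// format): a random 256-bit data key per file, wrapped under an organization-held
// key-encryption key (KEK), and the file body sealed under that data key.
type ProtectedFile struct {
	WrappedKey []byte // nonce || AES-256-GCM(KEK, dataKey)
	Body       []byte // nonce || AES-256-GCM(dataKey, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext+tag under key, using a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or a single modified byte fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Protect encrypts one file under a fresh data key and wraps that key with kek.
func Protect(kek, plaintext []byte) (ProtectedFile, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return ProtectedFile{}, err
	}
	body, err := seal(dataKey, plaintext)
	if err != nil {
		return ProtectedFile{}, err
	}
	wrapped, err := seal(kek, dataKey)
	if err != nil {
		return ProtectedFile{}, err
	}
	return ProtectedFile{WrappedKey: wrapped, Body: body}, nil
}

// Unprotect recovers the plaintext. It needs the KEK to unwrap the data key,
// which is exactly what an attacker who only exfiltrates files does not have.
func Unprotect(kek []byte, f ProtectedFile) ([]byte, error) {
	dataKey, err := open(kek, f.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, f.Body)
}

// RansomwareEncryptInPlace models the text's first approach: the attacker re-encrypts
// the bytes on disk under a key only they hold. Ciphertext is just bytes to them, so
// the live copy is lost either way; only an isolated, earlier backup revision brings it back.
func RansomwareEncryptInPlace(attackerKey []byte, f ProtectedFile) (ProtectedFile, error) {
	body, err := seal(attackerKey, f.Body)
	if err != nil {
		return ProtectedFile{}, err
	}
	return ProtectedFile{WrappedKey: f.WrappedKey, Body: body}, nil
}

func main() {
	kek := make([]byte, 32) // constructed all-zero KEK for the demo; keep a real one in a KMS or HSM
	f, err := Protect(kek, []byte("client contract (constructed sample)"))
	if err != nil {
		panic(err)
	}
	held, _ := RansomwareEncryptInPlace([]byte("attacker-key-32-bytes-long-00000"), f)
	_, liveErr := Unprotect(kek, held)
	restored, _ := Unprotect(kek, f) // f stands in for an isolated backup revision taken earlier
	fmt.Printf("live copy readable: %v; restored from backup: %q\n", liveErr == nil, restored)
}
```

The attacker does not need to know that the file is already encrypted; re-encrypting ciphertext succeeds exactly as it does on plaintext, which is why backups, not encryption, are the control against the first ransomware approach. In a real deployment the KEK would live in a KMS or HSM and per-file access decisions would be made by the broker, neither of which the example models.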
With SecureCircle and sound backups, ransomware is reduced to an annoyance on the order of spam: irritating and unproductive, but not the stuff of CNN and TMZ headlines.
Security that follows the data is the only durable answer. Companies need their teams to work from anywhere in the world, including from home. Remote, distributed workforces have grown 44% over the last five years, giving access to specialized talent, lower office overhead, flexible freelance staffing and, of course, a greater ability to adapt to unforeseen world events.
Enabling remote work requires security diligence. The risk of a data breach within an enterprise is already high; add the potential for data to leak onto remote workers' personal devices, cloud applications and public shares, and the risk multiplies. Supporting remote work also adds compliance requirements, typically to show that data is protected by default and tracked and audited at all times.
Search "securing remote workforce" on Google and you will find plenty of articles preaching traditional best practices: have remote workers connect over a virtual private network (VPN), ship hardened devices to remote workers, classify all your data and set up data loss prevention (DLP) to monitor and block sharing, deploy a cloud access security broker (CASB) to restrict access to non-sanctioned cloud applications, and so on. Some of these measures are important, some offer partial protection, and some are a significant impediment to worker productivity.
Why are remote workforce security measures insufficient?
Most data protection tools focus on putting up walls around the data rather than protecting the data itself. Each wall, a DLP deployment for example, is complex and error-prone: there are too many places where the security team can misconfigure some aspect of the technology and leave a gap, especially when the collaboration and sharing tools built for productivity evolve far faster than legacy security tools. And there are too many ways for data to be misclassified, in which case the DLP simply lets it pass unfettered.
Traditional measures can also fall short because they don't scale. During a significant weather event or a pandemic, a suddenly remote workforce may put too much strain on the corporate VPN.
Why does remote security reduce productivity?
Given all these gaps in data protection, risk grows as the remote workforce grows. The security team responds with more heavy-handed DLP rules, forcing staff into a narrow set of applications and workflows and slowing them with false positives. Many try to lock down the remote worker's experience entirely with virtual desktop infrastructure (VDI). VDI can be very secure, but at considerable cost in usability and productivity. As staff feel increasingly pressured to get their jobs done despite these blockers, they find workarounds, undoing the security team's work. The result is a vicious cycle: a downward spiral of security gaps and productivity drains.
The solution is data-centric protection.
The only way to break the vicious cycle of insufficient security and hampered productivity is to shift the data protection strategy from trying to secure every possible endpoint to securing the data itself, by default.
The Data Access Security Broker (DASB) platform provides data-centric protection. With DASB, data is protected by default, and the protection persists no matter where the data goes or how it is accessed. Once DASB is deployed in the enterprise, it also protects similar data it comes into contact with, extending protection to new and existing data across the enterprise automatically.
Most importantly, DASB requires no change to the user experience. Employees, wherever they work, use the applications they want, the way they want, with no plug-ins, pop-ups or special viewers. Unlike other approaches to remote security such as VDI, DLP or digital rights management (DRM), which force constrained workflows and put limits on file types, applications and versions, DASB is invisible to end users unless they attempt to violate business policy.
The organization keeps persistent access control even if data leaks onto an unauthorized device or cloud, or into the wrong hands. DASB records every action taken on protected data and reports it to your Security Information and Event Management (SIEM) system, turning every action into an auditable event.
When data is protected by default and stays protected and audited wherever it goes, even in the wrong hands, the vicious cycle of insufficient security and reduced productivity stops. Companies can get off the hamster wheel of constantly discovering and classifying new data and constantly finding and plugging holes in their remote security infrastructure. Only then, with thousands of remote workers accessing data daily from personal devices and cloud applications, can the CISO remain confident that the data is protected.
The future holds endless possibilities; the next great moment, widget or experience is always just around the corner. In cybersecurity, we have heard promises of a better future for decades. Product categories have come and, in some cases, gone. Many products were merely features, not solutions to a fundamental problem.
Marketing campaigns paint a picture of one solution fixing all your problems. The reality is that there is no magic solution. No single product protects against phishing, malware, ransomware, lost or stolen devices, accidental sharing, malicious insiders and misconfigured permissions while also delivering secure collaboration.
What the industry has been aiming for is zero trust. Implementing zero trust requires control over four things: authentication, network, device and data. Today you can achieve control over authentication, device and network; control over data has lagged behind.
Once a user has authenticated and their device and network have been verified, how does the organization protect the data that user downloads from SaaS applications, whether finance, human resources, sales or even software source code? Organizations need to add control over their data to achieve zero trust.
Authentication runs over many protocols, and one of the most popular today is Security Assertion Markup Language (SAML), which federates identity so that access to cloud and endpoint applications is governed by one central identity provider. Identity must be managed centrally for access control to be coherent: running many separate authentication systems invites misconfiguration, such as a cloud application left with weak or unfederated authentication, which is a common path to a data breach.
Device control comes from mobile device management (MDM) and endpoint detection and response (EDR). MDM enforces a proper security posture on endpoints, including that EDR and DASB are installed, and that posture should be verified before the device is allowed to reach cloud applications such as Salesforce, Workday, GitHub or QuickBooks. Without a baseline security posture, a computer that downloads sensitive data may be at risk or already compromised. EDR maintains security on the device, protecting against malware, keyloggers and suspicious insider behavior, and can automatically flag and isolate a device and block the device and user from accessing sensitive data when activity departs from historical usage profiles. Rather than matching specific threat signatures, as antivirus does, EDR looks for suspicious or unexpected behavior.
Transport Layer Security (TLS), which has replaced the deprecated Secure Sockets Layer (SSL), protects data in transit: it authenticates the server and gives the connection confidentiality and integrity. TLS alone says nothing about where a device is connecting from, however; that network control comes from combining MDM posture data with SAML-based conditional access, so that a device must be compliant and on an approved network before it can reach sensitive cloud data.