Existing DLP most fails, ransomware detection can fail, but access is the holy grail.
In previous entries I've written about protection (defend in particular) and detection. It was mostly about detecting malware when defense in depth has failed, but access is the holy grail.
Lets face it, we want to keep threats out, if we can't do that with 100% success, then we want to detect their presence (via command and control or "phone home" activity) and if we can't do that then we want to detect the leakage or loss of data.
While there is an entire industry based upon DLP (Data Leakage Protection, Data Loss Prevention), it's a flawed approach. The term itself is misleading. It stands for data loss prevention, yet most of them attempt to detect loss already in progress via data in transit / motion. It makes as much sense as creating a no flight protection by trying to finding and stopping fugitives in flight (on planes, trains, boats, cars, busses, bicycles and walking). Yet, that is exactly how DLP works today. There are so many many that data be in transit, it's a losing proposition. Worse, encryption comes into play and while we can decrypt, that's also flawed as you can easily use a primitive technique like even ROT13 before data gets encrypted. It doesn't take much to defeat these systems.
The better way and frankly easier and less expensive is to detect on data access. Combine that along with noting things like where, by whom, when and how much and now we've got a good detection system in place. Leaps and bounds better than the state of the art DLP solutions that fail while slowing down IT systems and creating numerous alerts to chase down.
If we look at the largest data breaches (think Snowden) it's done using approved credentials by others. It could have been stopped or noticed earlier with so many techniques like: compartmentalization, multi-factor authentication and the exciting solutions now dealing with data science. I digress, lets get back to data access.
Before a file can be transmitted, it has to be accessed. Typically from a database, file server, WebDAV, document management, SharePoint, wiki or other kind of system (structured or unstructured data). It's important to tackle security breach detection at the initial access layer. Simultaneously, tackle the problem of credentials and then combine it with data science. If someone is accessing a document(s) from two separate places at the same time, it's a problem. If someone is suddenly accessing numerous documents beyond normal patterns, it's a problem. If someone is using approved credentials on an unknown or not registered device, it's a problem. The list goes on, but this is one of the easiest ways to detect a breach early on.
At the same time, wonderful solutions exist using data science with cloud based solutions too.
Bottom line, focus on:
- Source data access
- Credentials (authentication)
- Multi-factor authentication (clumsy, but I like device finger printing or digital DNA techniques)
- Continuous monitoring (another subject to discuss)
- Data science based solutions to find the things that look unusual and don't belong