New Internet Explorer Zero-Day Exploited in Watering Hole Attack Campaign

May 7, 2013

Attackers are targeting a zero-day vulnerability in Microsoft Internet Explorer in a campaign that has hit as many as 10 different websites, including the U.S. Department of Labor site.

Originally thought to be exploiting CVE-2012-4792, the attackers are now known to be targeting a previously unknown vulnerability in certain versions of IE. According to Microsoft, the vulnerability affects Internet Explorer 8, and IE 6, 7, 9 and 10 are not impacted.

“This is a remote code execution vulnerability,” Microsoft explained in an advisory. “The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,” according to the advisory.

According to AlienVault, the list of affected sites spans from the Department of Labor site to sites belonging to several non-profit groups and institutes as well as a European company involved in the aerospace, defense and security industries.

Researchers from CrowdStrike said the attack campaign may have begun in mid-March. Their analysis of logs from the malicious infrastructure used in this campaign showed the IP addresses of the visitors to the compromised sites belonged to 37 different countries.

“The legitimate sites compromised to deliver malicious code in this campaign give an indication into targets of interest,” blogged Matt Dahl, senior threat researcher at CrowdStrike. “The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium. Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector.”

“Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector,” he blogged.

Microsoft urged anyone worried about the attack to upgrade to the most current versions of the browser, which are not vulnerable to the attack.

“We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders,” blogged Dustin Childs, group manager for response communications for trustworthy computing at Microsoft.


Personally Identifiable Information Hides in Dark Data

May 3, 2013

To my mind, HIPAA has the most sophisticated view of PII of all the US laws on the books. Its working definition encompasses vanilla identifiers: social security and credit card numbers, and all the other usual suspects. With the additional words “reasonable basis to believe that the information can be used to identify the individual”, HIPAA’s definition takes in digital handles such as emails, IP addresses and even facial imagery. But there’s a little more to HIPAA’s PII definition, and it applies specifically to free-form text (commonly found in word processing documents, spreadsheets, presentations, etc.).

The complete list of HIPAA’s PIIs is enumerated in the law’s Safe Harbor guidelines. In plain-speak, these guidelines tell health IT administrators what information is considered private, requiring special authorization to view or process. It includes the aforementioned identifiers, as well as medical record numbers, health insurance IDs, and some others. By the way, we’ve conveniently put this PII list in our omnibus data protection compliance whitepaper.

An unstated assumption made by many is that PII only lives in structured formats—in other words, fields in a database. Readers of this blog of course know that PII is just as likely to be harvested from the massive amounts of human-generated dark data found on corporate file servers.

The HIPAA regulators have understood this as well. In clarifying the rules for removing PII—“de-identifying”—data for publication and general usage, they explicitly cover the possibility that PII can also reside in free-form text. I’ve excerpted the key paragraph from their de-identification best practices below:

PHI [protected health information] may exist in different types of data in a multitude of forms and formats in a covered entity. This data may reside in highly structured database tables, such as billing records. Yet, it may also be stored in a wide range of documents with less structure and written in natural language, such as discharge summaries, progress notes, and laboratory test interpretations … The de-identification standard makes no distinction between data entered into standardized fields and information entered as free text (i.e., structured and unstructured text)—an identifier listed in the Safe Harbor standard must be removed regardless of its location.

Got that? PHI, which is essentially PII along with other sensitive medical information, embedded in spreadsheets, docs, and presentations is just as worthy of HIPAA privacy protections as fields in databases.

So if we follow these ideas—PIIs can be anything that reasonably links to an individual, and this data can exist in text—to their logical conclusion, then we need to consider a new possibility. Suppose this sentence from a doctor’s notes were uploaded to a file server:

The patient, a technical content specialist at Varonis, a software company, has been complaining about tennis elbow.

The natural question to ask is whether “technical content specialist at Varonis” is PII.

It’s not a PII in the sense of a uniquely coded key such as social security number or health insurance ID that links back to a person. But in another sense, it acts very much like PII. Don’t believe me? Try typing that phrase into Google and see what comes up.

We’re really talking more about the meaning of the text—or as experts would say, the semantic value—rather than actual letters, numbers, and other syntax. But HIPAA’s Safe Harbor rule even takes this into account: it specifically notes that the “knowledge” in free text can also be used to point back to a person.

As a practical matter, the HIPAA rules mean that any reference to a patient’s job title and company is a violation of the law’s privacy protections.

This leads to a broader discussion on what’s called the “semantic web”. In brief, Google and a few others are already doing leading edge work on extracting meaning and knowledge from web content. You can see for yourself how well Google does this by entering the keywords “height of the empire state building” in a search. You’ll get back an actual answer, 1454’, in addition to all the docs with that exact phrase.

The larger point is that along with stealing PIIs, hackers and cyber thieves are also getting better at mining and interpreting human generated text for personal details, and then building more convincing fake identities to be used in social attacks, such as phishing and pretexting.

Bottom line: these bits and pieces of personal information that are scattered across file servers in clear-text documents can be used to identify an individual with very high likelihood.

That’s important to keep in mind when someone in your company asks, “do we know what’s in our files and the risks involved if our servers are breached?”
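As an added illustration, not part of the original post: a small Python scanner that looks through free-form notes for the Safe Harbor identifiers that have a recognisable syntax (SSN, email, IP address, phone, date, medical record number, insurance ID) and redacts them. The sample notes and every value in them are constructed. It makes the post’s point in code: the job-title sentence carries no identifier a syntax-only scanner can match, so that line comes back clean.

```python
import re

# Constructed sample clinical notes (all values made up): PHI living in free text,
# as the post describes, rather than in database fields.
SAMPLE_NOTES = """\
Patient SSN 123-45-6789, MRN 00873321, seen 2013-04-30 for tennis elbow.
Follow-up sent to jane.doe@example.com from workstation 10.20.30.44.
The patient, a technical content specialist at Varonis, a software company, has been complaining about tennis elbow.
Insurance ID: ABC123456789. Phone (212) 555-0142.
"""

# Regexes for Safe Harbor identifiers that have a recognisable syntax. Group 1, where
# present, isolates the value from its label ("MRN", "Insurance ID"). Job title and
# employer have no syntax to match, which is exactly the gap the post points at.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*(\d{6,10})\b", re.IGNORECASE),
    "insurance_id": re.compile(r"\bInsurance ID\s*[:#]?\s*([A-Z0-9]{8,14})\b", re.IGNORECASE),
}


def scan(text):
    """Return [(line_no, kind, value)] for every syntactic identifier found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                hits.append((line_no, kind, value))
    return hits


def _redact_match(m, kind):
    """Replace the identifier value with a [KIND] token, keeping any label text."""
    token = f"[{kind.upper()}]"
    if not m.groups():
        return token
    start, end = m.span(1)
    return m.string[m.start():start] + token + m.string[end:m.end()]


def redact(text):
    """Apply every pattern to every line; lines with no syntactic hit pass through unchanged."""
    out = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            line = pattern.sub(lambda m, k=kind: _redact_match(m, k), line)
        out.append(line)
    return "\n".join(out)


def undetected_lines(text):
    """Line numbers a syntax-only scanner considers clean (the semantic gap)."""
    flagged = {line_no for line_no, _, _ in scan(text)}
    return [n for n in range(1, len(text.splitlines()) + 1) if n not in flagged]


if __name__ == "__main__":
    for hit in scan(SAMPLE_NOTES):
        print(hit)
    print("lines with no syntactic identifier:", undetected_lines(SAMPLE_NOTES))
    print(redact(SAMPLE_NOTES))
```

Line 3, the Varonis sentence, is the one the scanner never flags, even though a web search on that phrase identifies the person.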


Kinsa launches a smartphone-connected thermometer to create a real-time health map

April 29, 2013

SUMMARY: New York-based Kinsa is trying to create a real-time picture of the country’s health with a smartphone and a simplified digital thermometer.

If you want a real-time picture of the country’s health, you can check out Google Flu Trends or insights from social media. And if you want a more official perspective, you can turn to the Centers for Disease Control. But getting information that is both real-time and accurate is tricky business.

That’s where Kinsa comes in. Launched Wednesday at the Demo Mobile and TEDMED conferences, the New York-based startup wants to create a real-time picture of the country’s health by using smartphones and simplified digital thermometers.

“Today, I can know what my friend’s dog ate for breakfast, but I have so little insight into the health situation around me,” said founder and CEO Inder Singh. “We’re creating… a real-time map of human health [to] keep families and neighborhoods healthy.”

Building on technology developed by entrepreneur and investor Edo Segal and others, Kinsa developed a thermometer that plugs directly into a smartphone’s earphone jack. (Singh said they focused on the thermometer because a fever is often the first sign of illness.) Because it connects with a smartphone, it doesn’t include batteries, processors or an LCD, which means the device is cheaper and lighter than other digital thermometers.

After downloading the Kinsa app, users can see their temperature on the smartphone screen, as well as log other symptoms and share the information with a doctor, family or a private group.

Over time, as the thermometer gains traction, the company’s hope is that it can provide individuals, doctors, public health officials and health companies with better data on where and when illnesses are spreading, as well as inform next steps. For example, it could let individuals and doctors know about possible illnesses in the area. Or, it could enable pharmaceutical companies to understand where and when their products might be most in demand.

But even before the company amasses a critical volume of data, early adopters will already be able to use the app to track a child’s symptoms and then share them with the doctor or create a private group to share information and check the health status of others in the group. For example, Singh said, parents could create a group for a child’s class and anonymously view illnesses among classmates.

Users who don’t want to join a private group can consult a map to view the “health weather” in their area, which is a report that combines data from Kinsa with public health data from other sources. The app also includes features for calling a nurse with one tap and forecasting when you’re likely to be contagious and when you’ll likely recover.

The startup, which has raised $2 million, expects the thermometer to become available later this year, after receiving FDA clearance. Initially, the company plans to sell the thermometer at a price comparable to other digital thermometers ($15 – $20) but, as penetration grows, they plan to drop the price.

To build buzz around the product, Kinsa also launched an Indiegogo campaign on Wednesday, with a goal of raising $75,000.


TRUST, Can You Put a Price On It?

April 29, 2013

The Ponemon Institute recently published the first-ever research on the cost of losing control of trust—that is, losing control of the cryptographic keys and digital certificates that underlie trust for all transactions in our digital age. How intertwined are these encryption assets and trust? Consider two major exploits of this year alone: the Bit9 certificate theft and the DigiCert compromise. In both cases, hackers managed to obtain legitimate certificates to sign their malware. Their malware perfectly masqueraded as legitimate software because to users’ systems, which rely on certificates to determine whether to throw up system warnings or automatically install software, the malware was legitimate. The financial impact of such an exploit can hardly be exaggerated.

The cyber-criminals behind these exploits understand that each cryptographic key and certificate deployed in an organization is a valuable asset ripe for exploitation. Yet according to the findings, 51 percent of organizations don’t know the most fundamental facts about their own keys and certificates: they don’t know how many keys and certificates the organization has, where they are deployed, what they are protecting, or who has access to them.

It’s not that IT security professionals are simply falling down on the job. In many organizations, policies quite properly require the deployment of keys and certificates for just about every service. As a result, the average enterprise has more than 17,000 of them. No IT staff can manage such a large volume of keys and certificates manually without errors and oversights that completely undermine the supposed value of these mission-critical security and authentication instruments. Yet more than 60 percent of Global 2000 organizations do manage their encryption assets manually; we’re talking about spreadsheets that list whatever keys and certificates application admins happen to report, and not much more. IT security professionals know things can’t go on like this. Like coal miners listening to the timbers creak and watching the ceilings bulge, they know disaster looms, but their reports to the surface often go unheeded by management.

Too many business executives, locked in yesterday’s security constructs of armed guards, gates and cameras, think of this issue—if they think of it at all—as an annoying management problem for IT security teams to handle. They think the organization is simply losing track of assets that remain intrinsically valuable. They fail to understand that the assets’ value is trust. Lose track of the certificates and keys, and you can no longer trust them. Their value—and the trust that makes all other IT assets valuable—simply evaporates. Worse, compromised assets become liabilities, weapons to be used against the organization.

McAfee recently learned this lesson the hard way. One of their digital certificates was revoked, trust broke down, and Mac users could no longer determine when an application could be trusted or not–to the detriment of the McAfee brand.

The average organization can expect to learn the hard way too:

• The threats are likely—One in five organizations expects failures in key and certificate management to lead to exploits and infiltrations.

• The costs will be high—The average Global 2000 organization can expect an estimated US$124 million in cost exposure from a server cryptographic theft incident. And such an incident is just one of the many that could occur.

• It’s already happening—In the last 24 months, organizations have experienced at least one of these trust exploits due to their key and certificate management failures:

• IT security will continue to fall behind, especially in the cloud—The risks of manual key and certificate management will only multiply as businesses continue to seek the benefits of cloud computing.

Most cloud systems, including Amazon’s and Microsoft’s solutions, rely on SSH to establish secure channels through untrusted networks. SSH provides managers with remote root access to a server and its shell services. It also provides servers with such access to each other. This level of access lets the cloud solution do powerful things, but the more power you give admins and computer systems, the more you must trust them.

Yet SSH has no equivalent to a CA to tell systems which SSH keys to trust. IT staff must manage these trust relationships on their own. To ensure the integrity of the system, the staff should rotate keys often; Amazon Web Services recommends a 90-day period.

Already overburdened IT staff must rotate thousands of keys every 90 days. Is that going to happen? Not manually.

Trust is the foundation of all relationships: trust between admins and servers, between servers and users, between servers and other servers—and between enterprises and the markets they serve. As our world becomes more connected and more dependent on cloud and mobile technologies, CEOs, CIOs, CISOs and IT security managers must make it their top priority to maintain control over trust by managing keys and certificates. When trust is compromised, business stops.

Our hope is that the Ponemon Institute Cost of Failed Trust Report validates the many IT security professionals who already suspect the risks of losing control of trust and that the report better quantifies the costs for them. We also hope that the report motivates business and IT executives to look beyond the problem toward solutions. You can take action to guarantee the hundreds of millions of dollars at risk: make sure your organization has control over trust by implementing a full key and certificate lifecycle management solution.

Via SecurityWeek


IT Account Monitoring Control with C24

April 29, 2013

By coincidence, Verizon’s Data Breach Investigations Report (DBIR) for 2012 was released this week along with the results of our Privacy Survey. So it’s a good time for a quick tour of the state of the breach. In reviewing this latest DBIR, much has stayed the same. However, Verizon’s report emphasizes two key points that caught my attention: 80% of breaches could be easily prevented with two-factor authentication; and it still takes months for most breaches to be discovered.

As in past DBIRs, hacking and malware again make it into the top threat categories, and the difficulty level of the hack-craft employed is still very primitive. This is a polite way of saying that vanilla password cracking—guessing or re-using credentials—is by far the most popular way to pass through the security gate. According to Verizon, this particular type of attack accounted for four out of five breaches involving hacked data.

The solution is, in Verizon’s words, “to overthrow single-factor passwords” with a new king, two-factor authentication. Varonis is also hoping that TFA will gain the throne.

There are some encouraging signs, however. In our just-published Privacy Survey, over 47% told us they use multi-factor authentication for their personal email accounts. If this trend can carry over to corporate email and intranet access, then we may finally see a dip in these low-skill, but still very effective, password-based hacks. It’s a stat we’ll check again next year.

Another critical point made by Verizon is that companies must think beyond prevention, and come up with a second line of defense involving rapid discovery and response. Prevention is still important, but no security barrier is hack-proof.

They note that for most breaches the lag between the initial hack and the first action is far too long: 67% of incidents take several months to be discovered. And perhaps even more dispiriting is that companies more often than not—about 70% of the time—find out about breaches through their customers and third parties (law enforcement, government agencies) instead of their own IT departments.

The obvious (and depressing) brick-and-mortar analogy? A jewelry store owner puts a toy lock on the door, fails to install an alarm system, and then waits for a customer to say that the diamond ring she was interested in is not in its case anymore.

I’ll end this post with a link to the SANS Institute’s security controls, which were mentioned in the DBIR and which we also recommend. The Account Monitoring Control is a good starting point in any breach mitigation program.

The principle in account tracking and auditing is simple to state, but practically impossible to implement efficiently with standard techniques: monitor who is accessing file data and alert administrators as soon as unusual patterns of behavior are detected, likely indicating a breach-in-progress.

And by the way, I just happen to know of software that efficiently handles this problem.

Image credit: Paligari
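An added example, not part of the original post and not any product’s code: the Account Monitoring principle above, as detection logic in Python over constructed file-server audit lines. A baseline of who touches which share, at what hours, and how many files per hour is learned from a quiet week; a later day is then checked for an account outside the baseline, a share a user has never touched, off-hours access, and a burst of reads well above that user’s usual rate. The log format, accounts, server name and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed audit lines (made up for this example; not a real product's format).
# One file access per line: timestamp, account, UNC path of the file touched.
BASELINE_LOG = r"""
2013-04-22T09:05:11 user=alice path=\\fs1\finance\budget.xlsx
2013-04-22T09:40:02 user=alice path=\\fs1\finance\q1_forecast.xlsx
2013-04-22T14:10:45 user=alice path=\\fs1\finance\vendors.docx
2013-04-22T10:22:09 user=bob path=\\fs1\engineering\specs\api.md
2013-04-22T16:03:51 user=bob path=\\fs1\engineering\build.log
2013-04-23T09:15:30 user=alice path=\\fs1\finance\budget.xlsx
2013-04-23T11:48:12 user=alice path=\\fs1\finance\payroll_summary.xlsx
2013-04-23T13:02:00 user=bob path=\\fs1\engineering\specs\schema.sql
2013-04-24T10:30:27 user=alice path=\\fs1\finance\q1_forecast.xlsx
2013-04-24T15:55:41 user=bob path=\\fs1\engineering\specs\api.md
"""

# The day under review: alice bulk-reads finance, bob touches HR at 2 a.m.,
# and an account never seen before reads finance data.
NEW_LOG = r"""
2013-04-26T10:01:05 user=alice path=\\fs1\finance\budget.xlsx
2013-04-26T10:01:09 user=alice path=\\fs1\finance\q1_forecast.xlsx
2013-04-26T10:01:14 user=alice path=\\fs1\finance\vendors.docx
2013-04-26T10:01:20 user=alice path=\\fs1\finance\payroll_summary.xlsx
2013-04-26T10:01:26 user=alice path=\\fs1\finance\payroll_2012.xlsx
2013-04-26T10:01:31 user=alice path=\\fs1\finance\bank_details.xlsx
2013-04-26T10:01:37 user=alice path=\\fs1\finance\audit_2012.pdf
2013-04-26T02:14:08 user=bob path=\\fs1\hr\salaries.xlsx
2013-04-26T11:20:00 user=mallory path=\\fs1\finance\budget.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\\\\(?P<server>[^\\]+)\\(?P<share>[^\\]+)\\.+)$"
)

MIN_BURST = 5       # never alert on fewer files than this in one hour
BURST_FACTOR = 3    # alert when an hour exceeds 3x the user's baseline peak


def parse(log):
    """Turn audit lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": m["ts"], "user": m["user"], "share": m["share"].lower(),
                       "hour": int(m["ts"][11:13]), "path": m["path"]})
    return events


def build_baseline(events):
    """Per user: shares touched, active hours, and peak files-per-hour."""
    shares, hours, per_hour = defaultdict(set), defaultdict(set), Counter()
    for e in events:
        shares[e["user"]].add(e["share"])
        hours[e["user"]].add(e["hour"])
        per_hour[(e["user"], e["ts"][:13])] += 1
    max_rate = defaultdict(int)
    for (user, _), n in per_hour.items():
        max_rate[user] = max(max_rate[user], n)
    return {"shares": shares, "hours": hours, "max_rate": max_rate}


def detect(baseline, events):
    """Return (user, reason, detail) alerts for activity outside the baseline."""
    alerts, per_hour, bursts_reported = [], Counter(), set()
    for e in events:
        user = e["user"]
        if user not in baseline["shares"]:
            alerts.append((user, "unknown_account", e["path"]))
            continue
        if e["share"] not in baseline["shares"][user]:
            alerts.append((user, "new_share", e["share"]))
        if not any(abs(e["hour"] - h) <= 1 for h in baseline["hours"][user]):
            alerts.append((user, "off_hours", e["ts"]))
        key = (user, e["ts"][:13])
        per_hour[key] += 1
        limit = max(MIN_BURST, BURST_FACTOR * baseline["max_rate"][user])
        if per_hour[key] > limit and key not in bursts_reported:
            bursts_reported.add(key)
            alerts.append((user, "burst", f"{per_hour[key]} files in hour {key[1]}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for alert in detect(baseline, parse(NEW_LOG)):
        print(alert)
```

Replaying the baseline week through `detect` produces no alerts, which is the sanity check to run before trusting the thresholds on real data.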


Customer Decision & Big Data: A possible Journey

April 26, 2013

The customer is king, always, whether in B2B or B2C settings. Much has been written this week on the importance of a customer-centric approach, in which B2B organizations need to develop a much deeper understanding of the modern Customer Decision Journey.

Questions have been raised as to whether multichannel marketing-mix approaches have been based on the right models and research to measure results.

There is also anticipation around a report to be issued by the Council for Research, which is currently investigating measurement issues related to digital video advertising; that report will in turn form the basis of an Advertising Research Foundation inquiry into the quality of the models.

“We believe it’s important to bring a combination of modeling, information and expertise to decisions,” a P&G spokesman said in a statement to AdAge. “We have clear evidence that marketing-mix modeling, combined with other information and expertise, has helped to improve return on investment of our marketing spending and media buying.”

Besides measurement, what remains key is reaching the customer with a message that limits the risk of ad avoidance, a phenomenon that has lately been noticed to be on the increase.

Can big data really improve the customer experience with personalized ads, products and service offerings?

Certainly, big data can say a lot about preferences and even location. But with constantly increasing terabytes of data in structured, semi-structured and unstructured formats, making sense of it all is, to say the least, challenging.

The more so for businesses that have neither their own platform from which to gather this data, nor the technical tools or analyst expertise to navigate and make sense of data gathered from their websites, blogs and external social platforms.

Some even ask the question whether Big Data is in reality an opportunity only for big players of the likes of Google.

What do you think?

Thanks to http://moniagalardi.com/2013/04/25/customer-decision-big-data-a-possible-journey/



The State of the Breach

April 26, 2013



Varonis Privacy and Trust Report

April 26, 2013

Even in an age of social media and voracious over-sharing, there are still times we need privacy online. When we engage in old-fashioned point-to-point communication, we expect the person or business at the other end to ensure that our interactions remain private. But it’s complicated.

In a new study conducted by Varonis, 91% of respondents say they trust businesses to keep their data safe despite a rise in breaches that now affects nine out of ten companies. In addition to expecting absolute security from service providers, the survey shows that 53% of consumers would be willing to pay a premium for organizations that reliably protect their data.

At the same time, consumer online habits have room for improvement. Though almost three out of four password protect their mobile phones, an alarmingly high 67% say they send unencrypted personal information in their emails.

Download the full report to learn how consumers deal with security and privacy challenges in their digital lives.



EU to Google: We Really Mean it About Data Retention Limits

April 22, 2013

“Are these data and privacy protection regulations serious or are they just for show?” I’ve been hearing that question lately from the tech reporters and journalists who’ve been contacting me. Even after pointing out extensive case files and other documented incidents on government and legal sites, I’m still left with the feeling that it’s just not proof enough.

Fate has finally intervened.

With the EU Commission’s complaint against Google’s privacy policies reaching a conclusion, I now have a teachable moment to convince the naysayers that this stuff is serious business.

When Google changed its privacy terms in early 2012, the fine print was also being looked at by EU regulators. Google may have thought it was making it easier for consumers with a single policy covering all its web services, but others felt a bit differently. The Article 29 Working Party is in charge of advising the EU Commission on their data security and privacy rules, which are contained in the Data Protection Directive or DPD. In late 2012, they filed a complaint against Google, and addressed a letter to Mr. Page.

In so many words, the Article 29 folks said the search engine company had not done enough to follow DPD rules on consumer privacy.

Security experts, compliance gurus, CIOs, and other interested players would normally have to get the real story about this intersection of legal and tech in niche publications or in the back pages of certain business sections, or perhaps in a blog of a major data governance player. Since this is Google, and it appears that the EU is willing to go to the mat on this one—in other words, there will be fines—the story is now moving up in importance and appearing more prominently in business sections of main-stream publications.

You can read from the regulator’s report to learn about the long list of Google’s privacy shortcomings, which are conveniently bold-faced. I offer a few of their choice phrases: “no valid consent”, “incomplete or approximate information”, and “retention periods must be appropriate in regards to the purpose.”

Whoa! The EU—technically the individual national data protection authorities led by France’s CNIL—will fine a major American online service provider over their … data retention policy?

Of course, having data retention policies and procedures —what to keep, what to archive—in place is just IT common sense. But you’re probably thinking that just because an organization doesn’t have explicit data retention or migration plans doesn’t mean it has broken the law.

Actually, it’s not only the EU that takes this IT procedure seriously. Data retention limits also show up in the US’s HIPAA rules for personal health data and in some financial data security regulations. But usually the limits—measured in years—are the amount of time an electronic document must be kept.

The EU, though, views data collection and retention with a goal of “data minimization” in mind: companies should store the minimum amount of personal data and limit the duration to what “must be appropriate in regards to the purpose”. That’s essentially the language of the DPD law. In other words, you just can’t keep personal consumer data unless there’s a legitimate business reason, you have to say what that reason is, and you have to say how long you’re going to keep it.

According to France’s CNIL, Google has to this date refused to provide any information about its data retention policies after being requested to do so.

And the EU Commission has been very clear that there will be consequences for not following its rules. How bad could the fines be for violating, either willfully or negligently, the DPD? The head of the Commission is suggesting they could run as high as 2% of global sales.

Last year Google earned revenues of over $45 billion. You do the math on what it means for not taking data compliance regulations seriously.


