Determining the Root Cause of a Data Breach With “The 5 Whys”

February 5, 2013

The jarring sound of an iPhone vibrating against a mahogany nightstand at 3:15am.  This can’t be good.  Server down?  Much worse: 50,000 sensitive files have been stolen from a poorly permissioned file server.  First, damage control.  Next, investigation.

Problem: 50,000 files were stolen.

Why?  The files were accessible to everyone in the company, even guests.

Why?  The folder’s access control list was configured incorrectly.

Why?  Chuck the intern configured that file server in 2007 and it hasn’t been reviewed since.

Why?  We don’t have a process to review file system permissions.

Why?  Because manually reviewing every folder’s ACL for problems is like searching for a needle in a haystack…and THERE’S ONLY THREE OF US AND A THOUSAND FILE SERVERS! SHEESH!

This fun little question-asking technique is called The 5 Whys.  It was developed by Sakichi Toyoda at Toyota to determine the root cause—and solution—to any given problem in the manufacturing process.  The technique has been borrowed by coders, sysadmins, and startup founders alike.

See, behind every technical problem is usually a human problem.

On the surface, it seems like the above fictional security incident was technical in nature – the ACL was configured incorrectly.  Deep down, however, the problem was the company’s non-existent entitlement review policy.

The 5 Whys technique encourages us to address the problem on multiple levels: fix the ACL, stop letting interns configure important systems by themselves, and institute a system for performing periodic entitlement reviews.

Sometimes it’s not feasible to immediately address every single problem uncovered, but 5 Whys suggests that if you make a proportional investment in the solution every time an incident occurs, you’ll eventually get to a point where you have an optimal level of protection against a given problem.  In our example, maybe you’d start by piloting entitlement reviews with a small business unit, or review just the super sensitive data sets.

The 5 Whys is an excellent technique for determining root cause so you can take reactive steps to ensure a problem doesn’t happen twice.  In my next post I’m going to talk about a new model for holistically evaluating your company’s risk profile so you can make proactive improvements.


5 Step Guide to Reducing the #1 Data Security Risk

September 20, 2012

Last week I had the opportunity to attend an event on 3rd party data security and risk. Throughout the event, I talked with folks from many different industries and in many different roles. I spoke with auditors, general IT managers, storage administrators, CIOs, and of course, security professionals.

What is the Top Priority for Reducing Risk?

Everyone shared one common concern:

How can we reduce risk and protect our clients’ data?

One executive was asked, “Which area would you consider your number one priority for reducing risk?” His decisive answer was that, of all the areas of risk his massive enterprise faces, priority number one is unstructured data security.

This shocked me a bit at first, but when you think about it, it makes perfect sense. According to Gartner, unstructured data accounts for more than 80% of all organizational data, and it’s growing approximately 50% every year.

Even data that is normally stored in databases or apps is regularly being dumped into spreadsheets for analysis, PowerPoint slides for presentations, PDFs for reading, and email for sharing between teams.

When you think about it this way, it becomes very easy to see why unstructured data is the highest risk area for many IT departments.

Compliance and Regulations

In addition to the intrinsic motivation for securing unstructured data, external regulations such as SOX, HIPAA, and PCI are forcing organizations to put processes in place to ensure the protection of 3rd party data. Unfortunately, most organizations don’t have an efficient and affordable way to put these controls in place and prove that they’re being enforced.

An auditor I spoke with mentioned how difficult and time-consuming it is to perform attestations, and how, for most companies, entitlement reviews are manual and painful processes that don’t really accomplish the end goal of protecting data.

Where Do We Begin? A 5 Step Guide

If you are trying to start a risk management project in your organization, here are some actionable ideas on what to focus on:

1. Identify your most valuable assets

All 3rd Party data is valuable. Our clients trust us to manage and protect all of it. But it is critical to pick a starting point. To do this, talk with data owners and key stakeholders to find out which types of data are the most sensitive or most valuable.

2. Locate your most valuable assets

You can’t protect sensitive data if you don’t know where it resides. Is it in the CEO’s mailbox? Is it propagated across all your Windows file servers and NAS devices? In order to do this at scale, you’ll need a data classification framework that can scan files on your network for sensitive content indicators.

3. Identify where sensitive data is overexposed

You probably found a ton of high value data in step #2. Now you have to figure out who can access that data and prioritize data sets that are wide-open to everyone.

Many of us, when we move to a new home, change the locks. Why? Because we don’t know who has had a key in the past – previous owners, realtors, builders? That uncertainty is a big risk for us and our families.

The same principle applies with 3rd party data. We need to identify who can access it, and what type of access they have. Then we can identify which data is overexposed, and where permissions need to be tightened up and assigned owners.
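One way to do this step at scale, and to take the needle-in-a-haystack pain out of the ACL review the 5 Whys post above complains about: dump the ACEs of every shared folder, resolve which trustees amount to "everyone", and rank the folders by how much they hand out. The script below is an added example, not Varonis code. It assumes an ACE export with the columns that `Get-Acl | Select-Object -ExpandProperty Access | Export-Csv` produces on Windows and a directory group-membership map; every path, group and user name in it is constructed for the example.

```python
"""Rank shared folders by how widely their ACLs expose data.

Added example for this post (not Varonis code).  The input mimics an ACE
export of the kind `Get-Acl | Select-Object -ExpandProperty Access | Export-Csv`
produces on Windows, plus a directory group-membership map.  Every path,
group and user name below is constructed for the example.
"""
import csv
import io

# Constructed ACE export: one row per (folder, trustee) access-control entry.
ACE_CSV = """Path,IdentityReference,FileSystemRights,AccessControlType,IsInherited
D:\\Shares\\Finance,BUILTIN\\Administrators,"FullControl",Allow,False
D:\\Shares\\Finance,CORP\\Finance-Users,"Modify, Synchronize",Allow,False
D:\\Shares\\HR,BUILTIN\\Administrators,"FullControl",Allow,False
D:\\Shares\\HR,Everyone,"ReadAndExecute, Synchronize",Allow,False
D:\\Shares\\HR\\Payroll,Everyone,"ReadAndExecute, Synchronize",Allow,True
D:\\Shares\\Projects,CORP\\All-Staff,"Modify, Synchronize",Allow,False
D:\\Shares\\Projects,CORP\\Contractors,"Modify, Synchronize",Deny,False
D:\\Shares\\Legal,CORP\\Legal-Team,"Modify, Synchronize",Allow,False
"""

# Constructed directory group membership: group -> members (users or groups).
# "All-Staff" looks harmless but contains Domain Users, i.e. everybody.
GROUP_MEMBERS = {
    "CORP\\All-Staff": ["CORP\\Domain Users", "CORP\\Contractors"],
    "CORP\\Finance-Users": ["CORP\\alice", "CORP\\bob"],
    "CORP\\HR-Users": ["CORP\\carol"],
    "CORP\\Legal-Team": ["CORP\\dave", "CORP\\Finance-Users"],
}

# Identities that amount to "anyone with a login" or "anyone at all".
BROAD_IDENTITIES = {
    "everyone",
    "nt authority\\authenticated users",
    "builtin\\users",
    "builtin\\guests",
    "nt authority\\anonymous logon",
    "corp\\domain users",
}

# Crude severity order: anything that can write outranks read-only access.
RIGHT_WEIGHT = {"fullcontrol": 3, "modify": 2, "write": 2,
                "readandexecute": 1, "read": 1}


def expands_to_broad(identity, group_members, seen=None):
    """True if identity is a broad principal or a group that contains one,
    directly or through nesting.  `seen` guards against cyclic groups."""
    if seen is None:
        seen = set()
    if identity.lower() in BROAD_IDENTITIES:
        return True
    if identity in seen:
        return False
    seen.add(identity)
    return any(expands_to_broad(member, group_members, seen)
               for member in group_members.get(identity, []))


def right_weight(rights_field):
    """Map a FileSystemRights string such as 'Modify, Synchronize' to a weight;
    unknown or harmless rights (Synchronize) count as 0."""
    return max((RIGHT_WEIGHT.get(r.strip().lower(), 0)
                for r in rights_field.split(",")), default=0)


def find_overexposed(ace_csv, group_members):
    """Return [(path, identity, weight, inherited)] for Allow ACEs that reach a
    broad audience: highest weight first, explicit grants before inherited ones
    so the folder where the exposure was introduced sorts ahead of its children."""
    findings = []
    for row in csv.DictReader(io.StringIO(ace_csv)):
        if row["AccessControlType"] != "Allow":
            continue  # Deny ACEs restrict access; they do not expose data
        weight = right_weight(row["FileSystemRights"])
        if weight == 0:
            continue
        if expands_to_broad(row["IdentityReference"], group_members):
            inherited = row["IsInherited"].lower() == "true"
            findings.append((row["Path"], row["IdentityReference"], weight, inherited))
    findings.sort(key=lambda f: (-f[2], f[3], f[0]))
    return findings


if __name__ == "__main__":
    for path, who, weight, inherited in find_overexposed(ACE_CSV, GROUP_MEMBERS):
        origin = "inherited" if inherited else "explicit"
        print(f"severity={weight} {path:<24} via {who:<22} ({origin})")
```

The group expansion is the part worth copying: an ACE for `CORP\All-Staff` would pass a name-based review, yet it hands Modify on the Projects share to every domain user. Sorting explicit grants ahead of inherited ones keeps the list actionable, since fixing `D:\Shares\HR` also clears the inherited entry on `Payroll`.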

4. Monitor Data Access

As my good friend @rsobers says: Context is king. Part of reducing risk is monitoring who is actually accessing the data and what they are doing with it. If we’re constantly monitoring access, we can identify patterns in user behavior and alert when suspicious activity occurs. And if we store the audit data intelligently, we can use it for forensics, help desk, and stale data identification.
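A concrete form of the "identify patterns and alert" idea, added here as an example (it is not code from the post or from Varonis): a sliding-window rule that flags a user who reads an unusually large number of distinct files in a short time, the shape of the 50,000-file incident in the 5 Whys post. The event lines are constructed in a simple `timestamp|user|operation|path` layout; real sources (Windows object-access auditing, NAS audit logs) have their own formats, and only the windowing logic is the point.

```python
"""Flag bulk reads in file-access events: one user, many distinct files, short window.

Added example for this post (not Varonis code).  Event format, users, paths and
timestamps are all constructed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 10   # distinct files one user reads inside WINDOW before we alert


def build_sample_events():
    """Constructed audit trail: three users, three behaviours."""
    lines = []
    day = datetime(2013, 2, 5, 9, 0, 0)
    # alice: ordinary work, three files spread over forty minutes
    for i in range(3):
        t = day + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()}|CORP\\alice|read|D:\\Shares\\Finance\\report{i}.xlsx")
    # bob: opens the same file fifteen times (noisy, but only one distinct file)
    for i in range(15):
        t = day + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}|CORP\\bob|read|D:\\Shares\\HR\\handbook.pdf")
    # mallory: sweeps twelve contracts in under three minutes at 03:10
    night = datetime(2013, 2, 5, 3, 10, 0)
    for i in range(12):
        t = night + timedelta(seconds=15 * i)
        lines.append(f"{t.isoformat()}|CORP\\mallory|read|D:\\Shares\\Finance\\contracts\\c{i:03}.pdf")
    return "\n".join(lines)


SAMPLE_EVENTS = build_sample_events()


def parse_events(text):
    """Parse 'timestamp|user|operation|path' lines into tuples sorted by time,
    because audit exports are not guaranteed to arrive in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, op, path))
    events.sort(key=lambda e: e[0])
    return events


def detect_bulk_reads(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts [(user, first_ts, last_ts, distinct_files)].

    Keeps, per user, a deque of (time, path) for reads inside `window` and
    alerts when the distinct paths in it reach `threshold`.  The deque is
    cleared after an alert so a continuing sweep produces a new alert only
    after another `threshold` files, rather than one alert per event."""
    recent = defaultdict(deque)   # user -> deque of (ts, path), oldest first
    alerts = []
    for ts, user, op, path in events:
        if op != "read":
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop events that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            alerts.append((user, q[0][0], ts, len(distinct)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for user, first, last, count in detect_bulk_reads(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {user}: {count} distinct files read between {first} and {last}")
```

Counting distinct paths rather than raw events is what keeps bob's repeated opens of one handbook quiet while mallory's sweep fires. The same window logic applies unchanged to `delete` or `rename` operations, and storing the parsed events (rather than just the alerts) is what makes the later forensics and stale-data questions answerable.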

5. Use Automation

Are you ready to implement steps 1-4? Do you have an army of IT staff with nothing planned for the next 50 years? Luckily, that won’t be needed. You can use automation to identify the most critical data, understand who can access it, and monitor what they’re actually doing with it.

By leveraging automation to provide your security intelligence dashboard, you can spot problems and then use automation (again) to simulate changes and automatically execute the remediation.

There you have it! Go forth and protect your customers’ data! Oh, and by the way, there’s a 6th step that doesn’t require IT involvement at all. Ask us about it.

Are you curious to see how your company measures up? Get a free data protection assessment. We’ll scan your infrastructure for holes and help you plug them with automated data protection and management software from Varonis.


Great video for Varonis and DatAdvantage for Microsoft Exchange

May 16, 2011

The Challenge

Microsoft Exchange installations containing huge amounts of semi-structured data can present immense protection and management challenges:

  • Permissions: Determining who has access to Exchange mailboxes and public folders, including shared and delegated mailbox permissions.
  • Access Auditing: IT can’t answer pressing questions like, “Who accessed my email or calendar?” or “Who sent email on my behalf?”
  • Data Ownership: IT can’t reliably identify business owners of public folder data, and even some mailboxes.
  • Operational: Manual permissions and group changes are untested and unreliable.
  • High Risk: Stale, excess permissions are rarely revoked. Data open to the Anonymous group can be difficult to identify and remediate. Critical data is exposed.

The Varonis Solution

Varonis® DatAdvantage® addresses these challenges by aggregating Active Directory user and group details, ACL information and all data access events—without requiring native OS auditing—to build a complete picture of who can and who is accessing data, and who should have their access revoked. It also leads IT to rightful data owners, so the right people can ensure appropriate access and usage.

“With Varonis® DatAdvantage® for Exchange, we have significantly reduced our Exchange access and data management workload for tasks that we do many times every day. We now have a single console with a complete map to our ever-growing Exchange environment that has enabled our staff to identify and proactively manage and protect Exchange data.” – Bernard Besohe, Publications Office of the European Union
