In an excellent blog post, Gartner research director Anton Chuvakin poses the question: is an Excel spreadsheet full of credit card numbers on a poorly permissioned internal file share considered a data breach?
Many information security pros and even some DLP vendors would answer “no” because the risk of data loss is implied, not actual. But I think that is an overly optimistic stance. To me, this is equivalent to saying, “I know there’s a hole in my roof, but it hasn’t rained in a month, so it’s only an implied risk.”
Anton astutely points out that, in every large organization, you can bet your mortgage on there being unauthorized access to your environment, facilitated by any number of factors including, but not limited to: subpar authentication, BYOD, infected endpoints, or an Active Directory that looks like a rats nest.
”The phenomenon of “internally lost data” is way more pervasive than most people think. I’d bet if you think that it is pretty pervasive, then it is EVEN MORE pervasive. Confidential, regulated and “merely” sensitive data on “all access” internal file shares, SharePoint boxes, team web servers, internal blogs, etc is literally all over the place.”
We can confirm this phenomenon as it’s one of the main reasons organizations evaluate Varonis. We’ve written extensively on the Everyone Problem. Trust us, this is actual risk. So what do we do about it?
The Sniff → Scan Approach
Dr. Chuvakin talks about how well the Sniff → Scan approach has worked for some organizations: sniff the network to see what’s leaking and then scan your storage environment to figure out where that data lives:
“[Organizations] first saw *it* on the wire, got mad – and then got curious: just where exactly is it stored internally? “Oh, in 537 different places!” Next they fought the battle for reducing the internal exposure and then – surprise! – the occurrences of that piece of data being seen on the wire decreased as well…”
The trouble with most DLP solutions that help with data discovery is that, once the data of interest is found, you’re on your own. There’s no operator’s manual for reducing the exposure in a safe, methodical way without doing collateral damage to the business. Once you’ve pinpointed where leaky data lives, wouldn’t you love to know: Who can access it? Who’s using it? Who is responsible/is the data owner? How to reduce access down to a least privilege model without cutting off people who need the data to do their jobs?
The only way to answer these questions is to combine other metadata streams with the classification information. If you’re in the information security space, you’ll start to hear the term Context-Aware Data Loss Prevention, if you haven’t already. Analysts have begun putting a lot of weight on the ability to determine the context of data and its usage in order to make intelligent decisions about protecting it.
“So, if you got [sic] a DLP tool, plan for using its discovery capabilities. Hit those shares, SharePoints, team servers, intranet web sites, etc, etc. And, yes, you need a process, not just a tool!”
For an in-depth look at the Varonis process for preventing internal data loss, check out ouroperational plan blog series (which starts with data classification). And if you’re interested to see how the Varonis Data Governance Suite brings context to DLP, let us show you!