Data security is a constant topic of conversation in the ARM space. At this point, most people are familiar with the threats and with common countermeasures such as firewalls, anti-virus and malware detection, encryption, phishing awareness and training programs, and incident response plans. But what about more complex elements? There are numerous explanatory articles out there, but it is important to consider the source of the information and how data security elements need to be implemented within an organization to be effective.
For example, though ChatGPT can be a good source of basic information, after feeding it several different prompts related to data security, I was taken aback by this single statement in the results it returned: “After a breach, closely monitor systems and accounts for unusual activities. Implement fraud detection systems that can alert you to irregular transactions or access attempts.” After a breach do these things? “After a breach” is too late. The damage is done. Consumers have been harmed, clients lost, and the business may well be in jeopardy. Before a breach is the time to monitor and implement.
Prevention, early detection, and lightning-quick remediation are key, and time is of the essence. With that in mind, this brief article moves beyond the basics listed above and introduces several key elements and concepts organizations should consider when building out a truly proactive data security program. It draws on continued research into what is available to make pre-breach efforts more effective and, heaven forbid, to help determine the impact and scope of a breach should one occur. Seasoned CISOs may not find much new here, but for the rest of us, the tools presented here go beyond the usual discussions of firewalls, anti-virus, malware detection, phishing training, and the like.
Elements of a Proactive Data Security Strategy
Utilizing at least some of the following elements is key to implementing an effective and proactive data security plan. In combination, these elements protect against current threats and provide a framework for defending against future threats.
- Security Operations Center (SOC): A SOC provides continuous, real-time defense against threats by monitoring an organization’s network traffic, endpoints, servers, and systems. Leveraging up-to-date threat intelligence, SOC teams detect issues and suspicious activity and coordinate rapidly across departments to respond to events as they occur instead of after the fact. In turn, affected systems may be isolated and remediations implemented quickly. SOCs also play an important role in regulatory compliance through the reporting they maintain, which may be shared interdepartmentally, with stakeholders, and with auditors and regulators.
- Security Information and Event Management (SIEM): A SIEM provides the foundation for analyzing security data and detecting threats in near real time. It is utilized within a SOC and gathers log and event data from all types of devices and applications for centralized analysis. Correlation rules (see below) and machine learning algorithms assist in detecting potentially malicious patterns. Correlation is key in that patterns may become apparent that could not be found by looking at individual sources in isolation. SIEM systems may also consume threat intelligence feeds, matching observed indicators such as IP addresses, domains, and file hashes against known malicious ones. Reporting and forensic analysis are also components of a SIEM, providing status information, incident review, and trend analysis.
- Extended Detection and Response (XDR): XDR integrates security layers into a combined solution, and can leverage SIEM, endpoint detection and response (EDR) (see below), and network traffic analysis (NTA) tools. XDR leverages security data from this integration, applying advanced analytics, behavioral analysis, and machine learning to build increased threat visibility and robust threat detection. Responses to threats may be automated, allowing for immediate remediation steps to be taken such as isolating affected endpoints or blocking malicious traffic. Since XDR combines tools into one combined solution, security teams become more efficient and are better enabled to address threats effectively and are better able to assess incident scope and effects across systems.
- Endpoint Detection and Response (EDR): EDR tools continuously monitor and analyze activity on endpoints (computers, mobile devices, and servers) in real time. Activities monitored may include process execution, network connections, file changes, and logins. EDR tools are able to identify suspicious activities including unauthorized access, lateral movement between systems, and command-and-control communications. Monitoring and identification in real time enables real-time response, which may be automated.
- User and Entity Behavior Analytics (UEBA): Like EDR and XDR, UEBA utilizes machine learning, statistical analysis, and advanced analytics, in this case to detect unusual or risky behavior by users, devices, and applications within a network. UEBA is useful for identifying possible insider threats, compromised accounts, malware, data exfiltration, and other advanced threats, and is able to detect harder-to-find threats that may be missed by rule-based solutions. Rather than following fixed rule sets, UEBA learns baseline behaviors within systems and then looks for deviations and anomalies from those baselines. Actions which do not follow the established baselines can be flagged as security risks. UEBA can consider context such as roles, usage, and other patterns to reduce the occurrence of false positives. Risk scores are applied to findings, enabling SOC teams to respond appropriately and efficiently to the highest-scoring threats first. UEBA solutions may be integrated with SIEM solutions.
- Data Loss Prevention (DLP) Tools: DLP tools prevent the unauthorized access, transfer, or sharing of data, and are used to identify, monitor, and protect data in use, in transit, and at rest. They may also be used to determine what data may have been affected by a security incident. Data is scanned and classified by type, for example personally identifiable information (PII), intellectual property, and financial information. Policies within the DLP tools define data handling, sharing, and access based on sensitivity, and immediate action may be taken when a policy is violated. Similar to UEBA, behavior analytics may be leveraged to detect anomalous activity. Types of DLP include network, endpoint, cloud, and storage.
- Data correlation techniques: In the SIEM description above, data correlation analysis is mentioned as a tool in detecting security incidents. These techniques may be used to connect apparently unrelated events and to compare event logs across multiple devices in order to detect anomalous behavior and threats. Statistics reviewed in correlation analyses can include failed logins, network access, file transfers, CPU usage, memory consumption, and network traffic. These analyses enable quicker detection, improved prioritization and decision making, and more effective response and remediation. High-quality data is a must for these techniques to be effective, including synchronized clocks across sources, since temporal and cross-system correlation depend on comparable timestamps. Below are brief descriptions of various data correlation techniques that may be used as part of an effective data security strategy.
- Statistical Correlation measures relationships between variables. Types of statistical correlation include Pearson Correlation, which measures the linear relationship between two continuous variables; Spearman Rank Correlation, which measures whether two variables move together monotonically (one consistently increases or decreases as the other does, not necessarily linearly); and Kendall Tau Correlation, which measures the agreement in ordering between pairs of observations.
- Cross-Correlation measures the similarity of two time series as one is shifted in time relative to the other, for example revealing that traffic spikes on one network consistently precede spikes on another by a fixed lag.
- Temporal Correlation analyzes the relationship between data points over time to detect patterns and trends, and is useful in log analysis and in reconstructing the sequence of actions a threat actor carried out.
- Pattern Matching and Signature-Based Correlation searches data streams for known patterns or signatures, which can then be compared against known malicious patterns such as indicators of compromise.
- Event-Based Correlation correlates events across systems, which can be used to chain actions across them into the footprint of a breach. This correlation method is a core function of a SIEM.
- Machine Learning-Based Correlation utilizes machine learning models to identify unknown patterns and relationships within datasets to detect anomalies.
- Contextual Correlation analyzes data alongside other relevant information to detect anomalies and can leverage information to reduce false positives.
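The following is an added example, not code from the article, of the baseline-and-deviation approach described in the UEBA entry above: it learns each user's usual login hours, countries, and outbound data volume from constructed history, scores new events by how far they deviate, and uses the user's role as context to temper the score. The event fields, users, roles, thresholds, and score weights are all assumptions made for the illustration.

```python
"""UEBA-style baseline learning and deviation scoring.

Added illustration, not code from the article. Users, roles, history, thresholds
and score weights are all constructed assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    role: str        # contextual attribute used to temper the score
    hour: int        # local hour of the login, 0-23
    country: str     # country the login came from
    mb_out: float    # megabytes sent outbound during the session


def learn_baseline(history):
    """Build a per-user profile: usual hours, known countries, outbound volume stats."""
    by_user = defaultdict(list)
    for ev in history:
        by_user[ev.user].append(ev)
    baseline = {}
    for user, evs in by_user.items():
        volumes = [e.mb_out for e in evs]
        baseline[user] = {
            "hours": {e.hour for e in evs},
            "countries": {e.country for e in evs},
            "mean_mb": mean(volumes),
            "std_mb": pstdev(volumes) or 1.0,  # a flat history would otherwise divide by zero
        }
    return baseline


def score_event(ev, baseline):
    """Return (risk score, reasons); higher means further from learned behaviour."""
    prof = baseline.get(ev.user)
    if prof is None:
        return 50, ["no baseline for user"]
    score, reasons = 0, []
    if ev.hour not in prof["hours"]:
        score += 20
        reasons.append(f"login at hour {ev.hour} outside usual hours")
    if ev.country not in prof["countries"]:
        score += 30
        reasons.append(f"login from new country {ev.country}")
    z = (ev.mb_out - prof["mean_mb"]) / prof["std_mb"]
    if z > 3:
        score += min(50, int(10 * z))
        reasons.append(f"outbound {ev.mb_out:.0f} MB is {z:.1f} sigma above baseline")
        # Context: a backup operator is expected to move large volumes, so the
        # same deviation is less suspicious for that role.
        if ev.role == "backup-operator":
            score -= 20
            reasons.append("role expects large transfers; score reduced")
    return max(score, 0), reasons


# Constructed history: an analyst with office-hours logins and small transfers,
# and a backup operator with late-night logins and large transfers.
HISTORY = [
    Event("alice", "analyst", 9, "US", 5),
    Event("alice", "analyst", 11, "US", 12),
    Event("alice", "analyst", 14, "US", 8),
    Event("alice", "analyst", 16, "US", 30),
    Event("alice", "analyst", 17, "US", 10),
    Event("bob", "backup-operator", 22, "US", 500),
    Event("bob", "backup-operator", 23, "US", 650),
    Event("bob", "backup-operator", 22, "US", 800),
    Event("bob", "backup-operator", 23, "US", 700),
]
BASELINE = learn_baseline(HISTORY)

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    Event("alice", "analyst", 3, "RO", 2000),         # 03:00, new country, huge upload
    Event("bob", "backup-operator", 23, "US", 900),   # normal for this role
    Event("bob", "backup-operator", 23, "US", 1500),  # large even for bob; role tempers it
]

if __name__ == "__main__":
    for ev in NEW_EVENTS:
        score, reasons = score_event(ev, BASELINE)
        print(f"{ev.user:6s} score={score:3d} {'; '.join(reasons) or 'within baseline'}")
```

Running the block scores alice's 03:00 login from a new country with a 2000 MB upload at 100, bob's routine 900 MB transfer at 0, and bob's unusually large 1500 MB transfer at 30, because the role context subtracts from an otherwise high deviation score. A real UEBA product learns far richer profiles and weights, but the shape is the same: profile, deviation, context, score.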
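As an added example (not the article's own code) of the event-based and temporal correlation described in the list above, the following Python reads a handful of constructed log lines, tracks failed logins per source address inside a sliding five-minute window, and raises an alert only when a burst of failures is followed by a successful login and then a large outbound transfer by that user within ten minutes. Each event on its own is unremarkable; the chain across the VPN and file-server logs is what marks a breach. The log format, hosts, users, addresses, and thresholds are all constructed for the illustration.

```python
"""Event-based and temporal correlation over constructed log lines.

Added illustration, not the article's code. The log format, hosts, users,
addresses and thresholds are constructed; a production SIEM rule would run
over normalized events from many sources, but the logic is the same.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one VPN brute force that succeeds and is followed by a
# large transfer (jsmith), and one ordinary typo-then-success login (agarcia).
SAMPLE_LOG = """\
2024-05-02T09:00:01Z auth host=vpn1 src=203.0.113.7 user=jsmith result=FAIL
2024-05-02T09:00:19Z auth host=vpn1 src=203.0.113.7 user=jsmith result=FAIL
2024-05-02T09:00:41Z auth host=vpn1 src=203.0.113.7 user=jsmith result=FAIL
2024-05-02T09:01:05Z auth host=vpn1 src=203.0.113.7 user=jsmith result=FAIL
2024-05-02T09:01:30Z auth host=vpn1 src=203.0.113.7 user=jsmith result=FAIL
2024-05-02T09:01:45Z auth host=vpn1 src=203.0.113.7 user=jsmith result=OK
2024-05-02T09:06:10Z xfer host=fs1 user=jsmith dst=198.51.100.9 bytes=734003200
2024-05-02T09:30:00Z auth host=vpn1 src=192.0.2.44 user=agarcia result=FAIL
2024-05-02T09:30:20Z auth host=vpn1 src=192.0.2.44 user=agarcia result=OK
2024-05-02T09:40:00Z xfer host=fs1 user=agarcia dst=198.51.100.9 bytes=2048000
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|xfer) (?P<fields>.+)$")


def parse(line):
    """Turn one log line into a dict; unknown lines are dropped rather than guessed at."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["kind"] = m.group("kind")
    return fields


def correlate(lines, fail_threshold=4, brute_window=timedelta(minutes=5),
              xfer_window=timedelta(minutes=10), big_bytes=100_000_000):
    """Chain brute force -> login success -> large outbound transfer into one alert."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent_fails = defaultdict(list)  # source address -> failure timestamps in window
    suspect_logins = {}               # user -> (source address, time of the success)
    alerts = []
    for e in events:
        if e["kind"] == "auth":
            src = e["src"]
            # Temporal step: only failures inside the sliding window count.
            recent_fails[src] = [t for t in recent_fails[src] if e["ts"] - t <= brute_window]
            if e["result"] == "FAIL":
                recent_fails[src].append(e["ts"])
            elif e["result"] == "OK":
                if len(recent_fails[src]) >= fail_threshold:
                    suspect_logins[e["user"]] = (src, e["ts"])
                recent_fails[src].clear()
        elif e["kind"] == "xfer":
            # Event step: tie the transfer back to a suspect login for the same user.
            hit = suspect_logins.get(e["user"])
            if hit and e["ts"] - hit[1] <= xfer_window and int(e["bytes"]) >= big_bytes:
                alerts.append({
                    "user": e["user"],
                    "src": hit[0],
                    "dst": e["dst"],
                    "bytes": int(e["bytes"]),
                    "chain": "brute force -> successful login -> large outbound transfer",
                    "when": e["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the sample, only jsmith produces an alert: five failures from 203.0.113.7 inside five minutes, a success, and a 734 MB transfer to 198.51.100.9 a few minutes later. agarcia's single failed attempt and small transfer never cross the thresholds. The same three-stage structure (windowed counting, a state transition on success, and a lookup from a later event in a different log source) is how a SIEM correlation rule turns individually benign records into a single incident.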
Wrapping Up
The data security elements described above are not intended to replace existing measures organizations already take to prevent, mitigate, and remediate security incidents. Nor should organizations look to implement all of them. There is a lot here, and there is even more out there that this article does not touch. Not every organization has the resources to implement the more complex solutions, but drawing on this and other sources to shift the specter of a breach away from post-breach cleanup and remediation and toward earlier detection and, perhaps, more effective prevention is certainly worth some investment, and definitely less expensive than the cost of an incident.
By the time many organizations become aware of a breach, the threat actors have already been in their systems for weeks, perhaps months, poking around and wreaking havoc. Reducing that timeframe to days or hours, or eliminating the breach altogether through the adoption and implementation of advanced techniques, could save countless hours, alleviate heartache beyond measure, allow companies to focus on their core business, and may well prove to be priceless.