Defending Your Castle from the Inside: Data Breaches and How to Minimise Their Impact

Author: James Billingsley, Senior Solutions Consultant, Nuix

Every business holds at least some sensitive data. This may be sensitive personal information belonging to clients or employees, or confidential data relating to business operations. Keeping this secret information secret should be a concern to every business, no matter what industry or size.

Verizon's 2013 Data Breach Investigations Report shows that hackers target businesses from every sector and of any size. This report, which combined the expertise of 19 global organisations that study and combat data breaches, found that attackers used many different methods to compromise business systems. As the technology evolves, hackers change their targets and attack methods - becoming more and more tailored to the type of business or even the individual organisation.

Expect Attacks from Every Angle

The majority of attacks originate from outside the business, often from overseas, the report found. Against these attacks, companies try to build higher and more impenetrable walls around their networks and data. This is a never-ending arms race, as even the most advanced systems may, before long, present weaknesses that malicious technology can exploit.

However, this is not the only risk that keeps information security professionals awake at night. Attacks originating from inside the business are typically harder to detect and prevent, and have more potential to significantly damage the business. In other words, it is not the outsiders charging at the walls but the people with the keys to the castle who present the greatest threats.

The Ponemon Institute's 2012 Cost of Cyber Crime Study found 'malicious insider' attacks were one of the most costly cybercrimes to a business. Other studies have reported a spike in the number of cases involving the theft of confidential information over recent years. A major catalyst for this increase is the availability of cloud-based storage services such as Dropbox. Bodies such as Wikileaks and recent, high-profile instances of whistleblowing are also making disclosures seem acceptable.

Of course, not all leaks are malicious. Flexible working arrangements that necessitate remote access also contribute to this rise, as does the increasing use of 'bring your own device' policies. In some cases, lax or unclear human resources policies result in some employees not realising it's unacceptable to take intellectual property with them when they leave a business.

Whatever the underlying cause, it has never been easier for a worker to transfer huge amounts of data very rapidly outside the business.

Make Sure Your Castle is Tidy


As a community, information security professionals have started to accept that data breaches are a clear and continual risk. We are instead working to minimise the potential damage if a breach were to occur.

The basic rules for defending your business still apply, and are repeated year after year by security professionals: Confidentiality, Integrity and Availability. CIA means all data should be kept confidential and protected via encryption; the integrity of the data should be maintained through auditing of access; and finally, there must be availability in the form of backup and disaster recovery plans in case data is lost. This translates into a handful of practical action points such as:

  • Eliminating any copies of sensitive data that your business holds unnecessarily.
  • Maintaining a good level of logging which allows for regular review and audit of your business systems.

The key to eliminating unnecessarily held sensitive data is understanding where this data resides in your systems. However, this is not as simple as it sounds. Businesses produce huge volumes of unstructured data, which are stored in unstructured repositories such as email, file shares, collaboration systems and individual hard drives. Understanding which data presents risk and where it is stored requires powerful indexing software that can automatically identify sensitive information based on pre-defined parameters such as credit card numbers, references to companies, social security numbers and monetary values.
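One way the discovery step described above can be implemented, as an added example that is not part of the original article or of any Nuix product: a small scanner that walks a set of documents, flags card numbers (validated with the Luhn check so order and invoice numbers are not reported) and US-format social security numbers, and reports which repository paths hold them. The paths and document contents are constructed sample data.

```python
import re

# Loose candidate pattern for 13-19 digit card numbers with optional space/dash separators;
# the Luhn check below removes most look-alikes (order ids, invoice numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US-format SSN; leading-group rules (no 000, 666 or 9xx) cut further false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample content standing in for an indexed repository (paths are hypothetical).
SAMPLE_DOCS = {
    "fileshare/finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved. Order 1234567890123.",
    "mail/hr/onboarding.eml": "New hire SSN 123-45-6789, start date 2013-06-01.",
    "mail/ops/changelog.txt": "Ticket 000-12-3456 closed; invoice 4111-1111-1111-1112 voided.",
}

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)

def scan_repository(documents: dict) -> dict:
    """Map path -> text; return {path: {"card": n, "ssn": n}} only for documents holding hits."""
    report = {}
    for path, text in documents.items():
        counts = {"card": len(find_card_numbers(text)), "ssn": len(find_ssns(text))}
        if any(counts.values()):
            report[path] = counts
    return report

if __name__ == "__main__":
    for path, counts in scan_repository(SAMPLE_DOCS).items():
        print(f"{path}: {counts}")
```

The changelog document is reported clean because its card-like number fails the Luhn check and its SSN-like number has an invalid leading group; that is the kind of culling that keeps a data inventory reviewable.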

Fast Response is Enabled by a High-Level View

The Verizon survey found the majority of breaches in large businesses were detected by someone outside the company. The proposed EU General Data Protection Regulation (GDPR), if adopted in 2014, would give businesses in Europe only a single day after a data breach to figure out what went wrong, who could be hurt by it, and how to prevent it from happening again. This stands in stark contrast to current practices, which often involve months-long investigations before admitting fault.

I would argue that your incident response plan is the most important element of your defence. Clearly, a practical way to minimise the business impact of a breach is to detect and contain the incident as soon as possible. Yet in this area there is considerable room for improvement.

An attacker will rarely leave an obvious trail to follow. Following a system compromise, investigators need a broad window into the organisation's data, following a trail through potential evidence sources including email, documents, mobile phone images, server logs and cloud-based data. Techniques such as searching, date filtering, entity extraction and clustering similar documents can help investigators quickly identify the relevant compromised data.

After the Breach

Post-event autopsies are difficult because companies don’t know where their data is, and because hackers or rogue employees will cover their trail through a wide variety of data formats, repositories and devices. Most tools simply can't handle such large volumes of data and provide a big-picture overview.

Data quantities and sources are growing so rapidly that traditional data forensic tools and methodologies simply can't keep up. Security professionals must evolve and consider new techniques to manage the data effectively. The only effective solution is a toolset that can take vast data sets and quickly reduce them to a small, more relevant set of evidence by casting a wide net and culling with powerful, repeatable search technology backed by a full audit trail.

This crucial ability allows you to effectively respond to any incidents. It provides a robust first response for your security team, who can then focus their tools and analysis efforts on the most likely sources.
