I promised myself I would post more often to the site…but it looks like that didn’t work out so well. Since I have some time while I’m rebuilding my test lab at home, I thought I’d quickly write something about the state of information security. I’ve had some time recently to attend conferences and CISO roundtables where various topics were discussed. Between those discussions and some recent strategy project work, I’ve noticed the same emerging theme…IT IS ALL ABOUT THE DATA.
Starting with the most recent event, I attended the local FBI InfraGard meeting in Chicago, where one of the presentations discussed a new Senate bill (SB 1490) being introduced that would preempt the state laws around security controls and breach notification. While the bill apparently needs some work, I found the requirements around the “minimum” security controls that need to be in place most interesting. While I think the requirements are quite vague, and wording such as “A business entity shall implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards” doesn’t exactly tell us anything we didn’t already know, the bill heads in the right direction. Paraphrasing, it states that we as a business must design a system to protect the DATA based on risk.
The reason I bring this topic up is that we, as information security professionals, often get caught up in protecting the network layer as opposed to the data layer. Why? Because the data layer is messy, hard to control, and contains both structured data (pulled from applications) and unstructured data (think random file shares). Who owns it may be a mystery, and even if we identify an owner, sometimes we don’t know how sensitive or critical the data may be (i.e., a lack of data classification).
So if I posed the question, “What are the most mature controls of your information security program?”, what would you say? I almost can’t stop myself from answering firewalls, AV, IPS, and vulnerability management. Very rarely can an organization answer data loss prevention, data classification, encryption controls around sensitive data, or even incident response or forensics. Why? Because it is messy.
Going back to meetings, the meeting prior was a CISO round table event at Washington University in St. Louis. The topic was unstructured data and how various organizations were dealing with the issue. The overriding theme, of course…it is messy. Unstructured data lives in file shares, both ones you know about and those you do not, and contains everything from benign information to your organization’s most critical information assets. One of the presentations was from a vendor, Varonis, which has a tool to identify and detail who has access to unstructured data. While I can’t speak for the tool, the concept is interesting and shows that some organizations get it, but need some technology to assist with their data classification and access control needs. Again, the topic of data is messy. We’d like to talk about the cool new SIEM appliance we just put in, or how our IPS is blocking the advances of organized cybercrime…not so much when it comes to the actual data we are charged with protecting.
Please don’t read too much into my statements and think I’m against the commodity security controls at the network layer. It would be foolish to ignore these controls, as they do serve a purpose in protecting our systems and networks. However, if you haven’t started, then I’d urge you to examine the data you’re attempting to protect and see if you could answer these simple questions: Where is your most sensitive data? Who has what level of access to that data? And the last time it was accessed, what did the person do with it?