Data Security grows increasingly complex, especially given the many types of information people collect and use today. This complexity means that organizations need a better, more data-first approach to security. But data security doesn’t have a one size fits all solution; rather, it requires organizations to take a contextual, multi-phase approach that places their data as the focus of their security.
Gartner ® recently mentioned Data Security Posture Management (DSPM) as a technology in its report Hype Cycle™ for Data Security, 2022. In this report Gartner defines DSPM as one that “provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data store or application is.”*
A data security program supports a robust data security posture, means a paradigm shift that identifies potential data risks, mitigates vulnerabilities in applications and data stores, and ensures data is protected, whether in use, transit, or at rest.
Securing data includes protecting against loss or theft of information; unauthorized disclosure of sensitive information; unauthorized use of information; and exposure of critical infrastructure components. A multi-phase data security approach includes identifying threats, proactively protecting structured and unstructured data, detecting potential attacks, and addressing incidents.
There are multiple ways to create a layered defense, including using the NIST Cybersecurity Framework (CSF) to guide your process. Regardless of whether you followed a framework or a specific methodology, the fact is that a layered defense is your best bet for building a robust data security posture. This article will review the crucial aspects of each layer needed for a well-rounded, holistic data security defense.
Layer 1: Identify Potential Threats
Identifying your data asset inventory, understanding your environment, and conducting vulnerability assessments, and the first layer in any well-designed data security program. Data asset inventories help organizations understand what data exists, where the data resides, and what type of access controls are required. A complete data asset inventory helps your organization determine whether confidential data is stored locally or remotely and whether sensitive data needs to be protected via encryption.
An understanding of your environment allows you to assess better how vulnerable you are to cyberattacks. As you perform your threat analysis, you’ll want to consider physical location, network architecture, and software applications used in your organization.
Layer 2: Be Proactive about Protection
Businesses are under constant pressure to protect data. Prevention is crucial to stopping bad things from happening and narrowing security gaps. Once you identify the risks and vulnerabilities in your environment and assess the current state, it’s vital to implement plans to prevent, detect and respond to potential threats.
The best prevention is proactive risk mitigation by implementing solutions and enforcing compliance. This is where the actual steps to prevent inappropriate access or utilization come into play. Having strong encryption controls and backup procedures are just parts of that plan. You can take some additional steps now to ensure you are prepared for the next breach because, as any security professional can tell you, it’s not if; it’s when.
- Plan ahead – Think about what could happen today. What information do you store that is sensitive? How much money does it represent? Are there people involved who might cause problems once the data becomes public? Make a list of everything.
- Implement access control policies – Once you know where the vulnerabilities lie, implement appropriate access control measures. For example, if you store credit card numbers, put up a firewall or password protection. Consider implementing a PIN on the file if you store personal information such as Social Security Numbers.
- Use encryption – Encrypting files prevents others from seeing the information unless they have the key. This makes it harder for hackers to gain access to the data. Consider encrypting backups and storing them offsite.
- Have a disaster recovery plan – Create a plan to recover from a natural disaster or cyber attack. Do you have enough storage space? Will you be able to restore data quickly? Can employees continue working without losing critical information?
- Test regularly – Testing your plans often helps identify potential issues early and allows you to correct mistakes.
- Train employees – Educate your employees on handling confidential information and ensure everyone knows what constitutes acceptable behavior.
The primary goal of cybersecurity is to ensure information availability and confidentiality while minimizing risk. You must constantly evaluate how well you protect your organization against cyberattacks, breaches, threats, and attacks. This helps you prioritize your resources where they’ll do the most good.
Layer 3: Detect Active Threats and Anomalies
Data security events are often difficult to detect because many data breaches occur without the attacker making them obvious. This is why businesses must be vigilant about detecting data security threats. Anomaly and threats detection solutions help identify when something inappropriate happens. For example, a breach might happen because an employee leaves the building and forgets his laptop or someone tries to login into a system they shouldn’t be allowed to use. In either case, monitoring or analytics should have detected the data security incident before it became a breach.
Detecting malware requires looking beyond traditional tools used to identify malicious software. As organizations increasingly rely on technology, behavior analytics, and threat detection solutions can help ensure that data isn’t being accessed inappropriately.
Identifying intrusions also requires knowing where to look in the organizational IT environment and understanding the business context of behaviors. The first step is knowing the “red flag” indicators of a potential breach. Then it’s vital to determine whether the activity or behavior is malicious within the organizational context. If so, the next step is to assess the extent and impact of the intruders’ activities. Finally, the security team will decide whether to notify the appropriate people or take immediate countermeasures.
In addition to detecting breaches, implementing some form of incident response capability is vital. Incident Response involves analyzing logs, monitoring alerts, and evaluating security policies. This type of analysis helps you understand the nature of the problem, evaluate options for remediation, and implement changes.
Layer 4: Know How to Respond to Incidents
Even the best proactive prevention isn’t 100% foolproof. For this reason, it’s essential to have a response process when you discover a breach or an incident during your detection process. That’s when organizations typically take more reactive steps in response to detected threats when dealing with cyberattacks. These include removing access, escalating alerts, and launching countermeasures.
Response controls focus on taking action against a threat once it is detected. These include actions taken by individuals, like changing passwords, and automated activities performed, such as blocking malicious URLs. An effective combination of manual and automatic controls can mitigate risks associated with a wide range of attacks, including spear phishing, malware infections, ransomware, distributed denial of service attacks, and more.
The goal is to respond to events, stop attacks, and reduce the damage.
Critical response actions often include:
- Removing access – If someone else is accessing sensitive information, the organization must figure out how to block them. This can involve removing access or restricting their ability to use the data.
- Escalating alerts – Organizations often rely on alerts to notify employees about potential threats. But alert fatigue makes people ignore them. To avoid alert fatigue, notifications must be targeted and timely.
- Launching countermeasures – Once you identify a threat, you must take action against it. You might change systems and processes to stop the attack. Or you could deploy tools like intrusion detection systems and firewalls.
Recovery functionality helps organizations return to normal operations after a threat has been mitigated. Using a multi-layered approach is never bulletproof, as ransomware is constantly evolving. There is always the possibility that advanced strains manage to slip past one or multiple layers and cause damage. Implementing recovery functionality accounts for this and allows data to be recovered after an incident.
Tools such as backups, forensic analysis, and audit log data help organizations determine the full scope of compromised resources, allowing for more accurate and efficient recovery. Other advanced recovery controls create temporary buffering, creating a window where data is prevented from destruction, allowing mitigation efforts time to kick in before information is damaged. Solutions like this reduce the need for traditional tape or disk backup strategies.
A Solution That Covers All the Bases
Sotero simplifies the process of creating layers of security and bundles it within its Data Security Platform, which includes controls spanning every aspect of the NIST CSF. Using Sotero, organizations can simplify their cybersecurity defense by utilizing a holistic data protection platform. Sotero’s encryption protects data no matter where it resides, at rest, in transit, and while in use. With Sotero, augments this with advanced anomaly detection to detect and stop threats in real-time, stopping cybercriminals and ransomware in your organization.
Contact Sotero today to learn more about how their Data Security Platform can bring all the necessary layers to defend your organization from ransomware.
*Gartner, “Hype Cycle for Data Security, 2022”, Brian Lowans, August 4, 2022.
GARTNER is registered trademark and service mark of Gartner, Inc. and HYPE CYCLE is a registered trademark of Gartner and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.