Imagine you are watching a Western movie. The bad guy walks into a bank, pulls out a gun, approaches the teller and says, “This is a holdup! Give me all your money!” At that point, you know who is playing which role — and that one is being robbed blind. But in the modern world of anonymity, it’s difficult to distinguish the robber from the teller, confirm that the teller isn’t the robber or even know you are being robbed.
Most organizations are unaware when their most valuable asset — sensitive data — is stolen. They also don’t know if the robber was inside or outside the organization. In these days of the silent holdup, where businesses are left scratching their heads wondering whether something bad just happened, data security is a key part of rewriting the script.
Insider data breaches can come from an annoyed or malicious employee or business partner, or from someone whose credentials have been compromised. Despite the fact that insider data breaches are as frequent as — and probably more damaging than — external attacks, the majority of the limelight and budget is focused on securing the perimeter.
This clearly represents an imbalance that leaves organizations exposed to greater risk — and an area that leaves your company open to devastating data losses.
A Streamlined Approach to Stopping Insider Threats
Securing data against insiders requires a streamlined and thoughtful approach that includes several key capabilities:
- Entitlement reporting provides the ability to tie into systems that manage privileged users, discern who should have access to different types of data and set up rules about who can see, touch, change or delete sensitive data.
- Real-time monitoring of sensitive data should exist wherever that data resides — in files, databases, big data platforms and more.
- Actionable advanced analytics and machine learning, running in real time, alert you to risky or unusual user activities. These analytics should be able to trigger actions such as blocking data access, masking data or quarantining users.
- Deep data protection is applied to data at rest and in motion, including encryption, masking and redaction.
- Adaptability is needed because the data environment is constantly changing and growing. The architecture must be able to adjust to changes in the IT environment (e.g., to automatically support larger data volumes and new technologies) to keep costs low and ensure a manageable environment.
The bad guys continue to evolve, however, and as a result, the key capabilities above are no longer enough: You need to be able to spot and stop data breaches before they get fully underway.
Read the white paper: Get smart to shut down insider threats
Could You Spot Data Breaches Before They Start?
The robbers and bad guys just keep getting smarter and sneakier. What’s an organization to do?
Start by figuring out who is a teller and who is a robber. Intelligent data forensics and interactive dashboards can help give you a leg up, providing new visibility and insight into who is doing what with your data. New capabilities are emerging to take this next step.
Threat Diagnostic Centers
Recently, organizations have been inquiring about the availability of threat diagnostic centers. These intelligent centers include specialized threat detection analytics that can scan and analyze data. The goal is to detect symptoms, such as SQL injections and malicious stored procedures, that may indicate a data repository attack is underway. When it comes to insider threats, malicious stored procedures might, for example, be left by a disgruntled database administrator (aka your bank teller) who wants to disguise activities related to an important table (aka gold bars).
Don’t be fooled! Some data security solutions rely on comparisons against a dictionary of attack signatures, which can change endlessly. Look for a solution that can analyze data activity for specific patterns of events or behavior that could indicate an SQL injection attack or malicious stored procedure. This approach is flexible and does not require the constant updating of signatures.
Data Protection Dashboards
A data protection dashboard should allow you to see and track your data and data repository risk and compliance posture from a central dashboard. This dashboard will be very useful for your security team as they assess risk. It would also provide insight so that everyone, including executive stakeholders, can see and understand the sensitive data environment.
Dashboards that show dynamic graphical and statistical views can help you clearly visualize the business’s overall security heartbeat. From there, you can plan and take the appropriate action, whether the risk is coming from the inside or the outside.
Collective Intelligence, or the Data Security Neighborhood Watch
It’s important not to forget about the rest of the environment while you’re securing your sensitive data. To that end, an integrated environment in which security components work in harmony can create greater combined intelligence and data protection.
What you want is an intelligent neighborhood watch for data security. When it comes to safeguarding sensitive data, data security, privileged identity management and security intelligence need to support each other with intelligence and analytics that proactively protect the business. For example, by tightly integrating your data security and privileged identity solutions, you can prevent internal threats from rogue shared IDs and from other suspicious users.
With this integration, and by closely monitoring behavior and establishing normal data usage patterns from shared IDs, you should be able to spot abnormal behavior and stop data loss before it happens. For example, you need to be able to block and/or quarantine compromised or disabled shared IDs and identify who was using that ID at the time of an incident.
Implementing a Cohesive Security Solution
But there’s still more you can do to take integration and intelligence further to stop threats. By integrating data security with both product information management (PIM) and security information and event management (SIEM) solutions, you gain another layer of protection.
The 360-degree integration between data and SIEM solutions allows you to detect and prioritize threats in real time before they reach the data source. The two solutions should support each other, automatically correlate events and detect anomalies. They also need to share that information to zone in on high-priority threats.
In this age of the silent holdup, don’t be left wondering whether something bad just happened. With the right data security solution, you’ll be able to leverage more intelligence, insight and agility to spot robbers before they strike — all while eliminating silos, supporting new technologies and reducing costs.
IBM Security Guardium v10.1 supports all these capabilities and can help you start rewriting the script to safeguard sensitive data and spot the robbers regardless of whether they’re impersonating your tellers or walking through the front door.
Read the white paper: Get smart to shut down insider threats
Program Director, IBM Security
Leslie Wiggins is a Program Director leading the IBM Data Security Product Management team within the IBM Security business unit. Leslie and her team are res...