Cyber security professionals at Daily FT-CICRA Cyber Security Summit 2018 insist board room discussions need to closely evaluate the crux of data leakages and its implications

By Hiyal Biyagamage

According to the Global Data Leakage Report 2017 prepared by InfoWatch, the global information security watchdog, the number of compromised data records worldwide, including social security numbers, bank card details, and other critical information, grew more than four-fold year-over-year, from 3.1 billion to 13.3 billion. A total of 2,131 data leaks from enterprises were reported by mass media, which is 37% more than in 2016.

Interestingly, the share of insider-driven mega leaks grew from 2016’s 13% to 54% in 2017, with internal offenders being responsible for some 60% of all leak incidents. The majority (53%) of cases were caused by rank-and-file employees, higher than in 2016, while some 3% were triggered by privileged users such as top managers, heads of business units, and system administrators.

During the third session of Daily FT-CICRA Cyber Security Summit 2018, which was titled ‘Prevention of Data Leakage’, cybersecurity experts discussed how the global data leakage image has changed drastically over the last few years, mainly due to the digitalisation of economic, political, social, and other sectors of life. They touched upon the importance of data loss prevention (DLP) frameworks and tools that help organisations to detect critical data breaches and prevent them from dire financial and reputational outcomes.

What, why and how of data breaches

Delivering his speech, InfoWatch Russia Senior Manager Nikita Zaychikov offered his perspective on data breaches. Drawing on real-world examples, he said organisations need to approach the mitigation of data breaches by asking three questions: what are data breaches, why should I care about them, and how am I going to protect my organisation from them.

“Why should an organisation care about data breaches? Awareness levels are still not as high, in my opinion, as they should be among organisations, and less awareness about it will be problematic because you might have to face a number of risks if you do not possess the knowledge.”

For example, to mitigate the consequences of a huge data breach compromising the personal data of over 145 million people, Equifax, a credit reporting agency, had to pay $ 87.5 million in Q3 2017. Of that total, the company spent $ 55.5 million in direct costs, $ 17.1 million in incident response and professional fees, and $ 14.9 million more in customer compensation.

“When a leakage happens, regulators will come down on you and conduct investigations. These investigations will be long drawn processes; sometimes the regulator would come and take out the email server, for instance, take it out of the company and analyse it somewhere else. This will be a huge process problem. And think about all the financial and reputational risks you have to overcome; no company would like the public to know that their organisation had a data leakage,” said Nikita.

“It is sad to see that a majority of organisations across the globe do not understand the gravity of data leakages. Executives need to sit down and calculate exactly how much money they would lose if a leakage occurs. I implore organisations to do that because it is of utmost importance.”

He also explained insider and external threats, and the difference between accidental (negligent) and intentional (criminal) activity in the case of insider threats.

“Insider threats can have a profound impact on an organisation. Beyond the lost value of the asset that was removed, disclosed or destroyed, organisations can suffer immediate losses of intrinsic value as well as lost revenue. Negligent threats happen often but they have fewer frights. However criminal threats are the real issue. People who want to steal your data know exactly where your data is, how protective they are and who will pay a big chunk of money for it.”

“Beyond the lost value of the asset that was removed, disclosed or destroyed, organisations can suffer immediate losses of intrinsic value as well as lost revenue from data leakages by insiders. An insider event may impact the culture of an organisation which can lead to increased turnover and distrust, further exacerbating the effects of the breach and increase security vulnerabilities,” explained Nikita.

How do you solve this issue? Nikita said the approach is straightforward. “To protect something you need to know what you are protecting. You need to determine the data, understand what the protection layers around those data are and set rules and regulations if you feel they are not protective enough. Organisations need to monitor every minute detail when it comes to protecting data.”

As the first step, Nikita said organisations need to understand the data flow and where the information is going and who and what devices are connected to these data streams.

“Secondly, you need to be able to work inside those data flows to understand every minute detail. When you talk about insider threats, one of the biggest issues is that you are working with people. On one hand, if people know that they are being monitored in one way or the other, that will help. But on the other hand, there will always be a focus group – a risk group – inside the organisation. They need to be controlled in more detail.”

Discussing data loss prevention tools and how organisations should approach them, Nikita said, “When it comes to leaks, one of the main concerns has always been that nobody could accurately quantify the damage and thus measure the effectiveness of protection tools. Today, we can see many cases when damage is assessed in terms of money, which means that enterprises can evaluate their financial losses caused by data leaks. Therefore, cybersecurity specialists can justify the return on investment in enterprise information security measures.”

“When talking about internal threats, the best thing you can do is employ a tool which actually understands what is inside your data,” he opined.

What DLP solutions are really designed for is to protect companies from data theft and industrial espionage. The solutions DLP providers offer can be either software or hardware based. Since data security has become a serious necessity for companies, there is a lot of demand for these solutions, which combine a miscellany of different IT security techniques and measures.

DLP suites can technically secure a company against all scenarios of data theft: reading and writing on all common storage media (USB sticks, HDDs, SSDs, etc.), as well as data transfer via email, file uploads or the internal network, can be enabled or disabled.

“Every step that you take with a DLP system in place is unique from organisation to organisation. The channels and infrastructure used by organisations are different and the analysis will also vary. In the same industry, people use different terms for the exact same thing, so organisations have to configure their system to suit their business ecosystem,” he said.

Nikita explained in detail content analysis, an important characteristic of DLP.

“Content analysis is a three-part process. First, you need to capture data and then you identify the file format or reconstruct the traffic. Lastly, you perform analysis using one or more of a variety of techniques to identify policy violations.”

Discussing a few content analysis techniques, he provided the following details:

  • Regular expressions – Uses textual analysis to find matching patterns, such as the structure of a credit card or Social Security number. Some of these rules and regular expressions can be quite complex in order to minimise false positives. We see this technique most commonly in lite DLP solutions.
  • Database fingerprinting – Pulls data from a database and looks only for matches of specified data. Database fingerprinting dramatically reduces false positives but works only when you have a good data source. Due to system requirements, it usually cannot run on endpoints, depending on the size of the data set.
  • Partial document matching – Takes a source file, parses out the text and then looks for subsets of that text. It usually creates a series of overlapping hashes that allow you to do things like identify a single paragraph cut out of a protected document and pasted into a webmail session.
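As an added illustration of the three techniques listed above (example code written for this page, not code from the original article or from InfoWatch), the following Python sketch implements each in miniature: a card-number regex tightened with a Luhn checksum to cut false positives, a fingerprint set built from hashed database values so the records themselves never reach the scanner, and overlapping word-window hashes that recognise a paragraph pasted out of a protected document into a webmail message. The card pattern, the window size, the threshold, the sample records, the protected document text and the scanned message are all constructed assumptions for the example, not any vendor's defaults.

```python
import hashlib
import re

# ---- Technique 1: regular expressions, tightened with a checksum ----------
# Constructed pattern (an assumption for this example): 16 digits, optionally
# separated by single spaces or hyphens, bounded by word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the kind of extra rule that cuts regex false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidates that both match the pattern and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# ---- Technique 2: database fingerprinting ---------------------------------
def _normalise(value: str) -> str:
    return re.sub(r"\s+", "", value).lower()


def fingerprint_records(records) -> set:
    """Hash exact values exported from the protected database.

    Only these hashes need to reach the DLP scanner, not the records.
    """
    return {hashlib.sha256(_normalise(r).encode()).hexdigest() for r in records}


def find_fingerprinted(text: str, fingerprints: set) -> list:
    """Flag tokens in the text whose hash equals a fingerprinted record."""
    hits = []
    for tok in re.findall(r"[\w.@+-]+", text):
        tok = tok.strip(".,;:")
        if hashlib.sha256(_normalise(tok).encode()).hexdigest() in fingerprints:
            hits.append(tok)
    return hits


# ---- Technique 3: partial document matching -------------------------------
def shingles(text: str, n: int = 8) -> set:
    """Overlapping hashes of every n-word window of the text."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
        for i in range(len(words) - n + 1)
    }


def partial_match_ratio(candidate: str, protected: set, n: int = 8) -> float:
    """Fraction of the candidate's windows that also occur in the protected text."""
    cand = shingles(candidate, n)
    if not cand:
        return 0.0
    return len(cand & protected) / len(cand)


# ---- The three techniques combined into one policy check -------------------
def scan(text: str, fingerprints: set, protected: set, threshold: float = 0.25) -> dict:
    """Return the policy violations found in one captured message body."""
    findings = {}
    cards = find_card_numbers(text)
    if cards:
        findings["card_numbers"] = cards
    records = find_fingerprinted(text, fingerprints)
    if records:
        findings["database_records"] = records
    ratio = partial_match_ratio(text, protected)
    if ratio >= threshold:  # a pasted paragraph inside a longer mail scores low, so keep this small
        findings["protected_document_excerpt"] = ratio
    return findings


# Constructed sample data for the demonstration (not real records or documents).
PROTECTED_DOC = (
    "Project Falcon quarterly report. Revenue from the new subscription tier grew "
    "faster than forecast while churn in the enterprise segment remained flat. The "
    "board approved the acquisition of a regional competitor pending regulatory "
    "review in the third quarter."
)
DB_RECORDS = ["ACC-00042", "alice@example.com"]

if __name__ == "__main__":
    fps = fingerprint_records(DB_RECORDS)
    prot = shingles(PROTECTED_DOC)
    webmail_body = (
        "FYI: The board approved the acquisition of a regional competitor pending "
        "regulatory review. Bill it to 4111 1111 1111 1111, ref ACC-00042."
    )
    print(scan(webmail_body, fps, prot))
```

The Luhn step is what the first bullet means by rules "complex enough to minimise false positives": a random 16-digit string such as 1234 5678 9012 3456 matches the pattern but fails the checksum. The fingerprint set is why the second technique needs a good data source and is heavy on endpoints: its size grows with the database. The window hashes give the third technique its strength, since even a short excerpt keeps every one of its windows, while unrelated text shares none.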

Summing up his speech, Nikita said that DLP solutions are not the typical software that you tend to forget after installing. “If you really want to protect your data, I think it is very important to have all the services in order to understand the workflow. It needs to fit into your infrastructure and data streams and it is important to fit into your regulations as well to understand the level of protection your data needs.”

“Modern infrastructure, especially enterprise infrastructure, is very complex. That is why it is important to have a dedicated team and an extremely simple solution to be installed within your system seamlessly.”

Security in the cloud

Vishak Raman, Director, Cyber Security, India and SAARC for Cisco, discussed cloud security and what is happening in the cloud market.

“We have been traditionally looking at on-premise and we have built layers of security around it. However, there is a big wave of cloud adoption happening out there. How do you look at your data, user accounts and other elements when you move from on-premise to the cloud?”

“The big shift that is happening out there is the change of perimeters. They are moving away from businesses. Today, perimeter security is still there but your apps and data have actually moved out. It is said that 9% of data traffic will come from the cloud. The way we looked at security 15 years back, where on-premise solutions had layers of defence; all of that is going out of the window today because we have a different nature of data traffic,” said Vishak.

The traditional corporate data centre is still the hub for most enterprises, but increasingly organisations are leveraging the benefits of the multi-cloud world to drive operational efficiencies, scale and expand growth. While the benefits are clear, Vishak said that securing multi-cloud environments like SaaS apps, public cloud infrastructure and hybrid cloud environments is complex. Users are increasingly self-selecting which apps to use anytime and anywhere. DevOps teams have more options than ever to deploy new services on Google Cloud, AWS and Azure.

He also mentioned that the nature of attacks has changed rapidly. “Today, we are talking about attacks which are self-propagating. There is no user intervention and the functions are reusable. Attackers are not interested in specifically targeting your coding. They want to distribute these attacks on a mass scale. The nature of implanting malware and other harmful viruses has changed significantly.”

According to him, cloud computing challenges can be grouped into three pillars – how do you secure your users, your data and your apps in a cloud environment. If you put a structure around these pillars, it becomes easier to consolidate your strategy. He also talked about the missing fourth pillar.

“The fourth pillar which is missing in the cloud is the emergence of new devices. With IoT coming and more and more devices getting interconnected, you have to figure out your device strategy alongside your cloud strategy. That is where you see the rise of endpoints.”

“When you shift into the cloud, the responsibility cycle becomes completely different. On-premise, organisations had full control over what they are going to do in their data site, but when you move into the cloud, the level of control will be different and ownership will be different. It will be important to draw a matrix around your application and setup and look at how you want to put out your control points,” Vishak explained to the audience.

“Companies are blind to most of the malicious traffic because the number of cloud applications is quite large. To top it all, there is nothing called user binding towards a specific geography. At CISCO, we use close to 150,000 cloud applications as a large enterprise. This is a complexity that any large enterprise would go through.”

How do you ensure the user security part of it? How do you think about user anomalies in a cloud environment? How do you find malicious activities happening in your cloud workflow?

Vishak was of the opinion that when an organisation migrates into the cloud, it needs to have a clear cloud security strategy. “It is not just Office365 which is going in there but it is your data and user behaviour. You need to triage all these anomalies to find the actual truth. A document which gets violated and a DLP solution captures it on-premise; does that reflect in your cloud footprint? That detail will be very crucial.”

Concluding his speech, Vishak said, “Your users, your data and your apps and the fourth pillar, which CISCO firmly believes, your devices; when you migrate to the cloud, keep these four pillars intact. At CISCO, we think there is a better way to look at it. It is not the complete panacea but it will be a method to the madness in terms of where you want to start. The first place to start would be your email security and then it is the Domain Name System (DNS). Thirdly, organisations need to get more visibility, look at user behaviour analysis, look at your DLP policies and how would you build application-level firewalls in the cloud.”

Insights from panel members on DLP frameworks

Damith Pallewatta, Deputy General Manager – Risk/CRO/CISO of Hatton National Bank and Ashane Jayasekara, Partner – Risk, Forensic and IT Advisory Service of BDO Sri Lanka and the Maldives attended as panellists of the first session’s panel discussion.

Speaking about his experiences when it comes to implementing DLP solutions and frameworks, Damith Pallewatta said that it is not always a walk in the park.

“It is indeed a very difficult task. Technology will help to mitigate data loss, but if you really go and see on implementing a data governance framework or DLP framework, the people factor matters a lot. In the banking sector, we hold a lot of data. But do we know what type of data we hold or the severity of it? Companies rush to implement DLP solutions but many do not classify data properly before the implementation. Who has access to data is also critical.”

He mentioned that one of the challenges he faces most of the time is limited awareness of the type of data users hold. “You can have systems in place, but for systems to read the severity of data, people need to go and tell these systems that this is the type of data that I hold.”

Organisations need to be aware of different endpoints where data could be lost, said Damith. “If you go to work tomorrow, do you know how would your data get lost? We are hearing about ransomware, malware and cyber attacks but there can be simple ways. The culture of the organisation matters here. Data could be leaked not only in electronic form but in hard form as well. That is why organisations need to put correct people and processes along with proper technologies.”

Speaking about the feedback that board members give on data loss prevention, Ashane Jayasekara said, “Boards of directors of companies in different industries – especially banking and finance, telecommunication and healthcare – have seriously begun to talk about data loss prevention. Given the legal and reputational risks and in certain cases financial risks, data loss has become an important point on the agenda of many high-level boards and it is being taken very seriously.”

He further said, “The biggest problem I see is that directors are not sure of what questions need to be asked of their senior management when it comes to DLP. Questions such as what critical data do we hold, where is it stored, who has access to it, do we need to invest in DLP tools and so forth need to be asked. They also feel that the amount of information that they get is sufficient to effectively discharge their governance role. Directors today need to discuss and approve DLP strategies for their companies.”

Board members also need to discuss DLP policies in depth and get periodic feedback from their senior managers with regard to any breaches, fulfilment of goals and specifying strategies, Ashane added.

Pix by – Upul Abayasekara and Ruwan Walpola