Nowadays, it seems like barely a day goes by before another company announces a big data breach or leak involving a large number of users. Over the last couple of months alone, companies like Oracle, DropBox and Yahoo! admitted data breaches involving millions of accounts and, in the case of Oracle, a hundred thousand cash registers that were compromised.
Corporate data is constantly under threat – from hacking attacks, malware, corporate spies and malicious insiders. Companies both small and large are scrambling to get their defenses going using the resources at hand, but the reality of the situation is that proper enterprise data protection is a complex, time-consuming, and expensive endeavor.
Rather than a single answer to all troubles, the so-called data protection stack should be covered by several enterprise data protection solutions, deployed in combination with one another as part of a unified layered strategy designed specifically to address the particular risks that the company faces.
Data protection stack or what we need to protect
The first step to solving any problem is to identify it. Sadly, not many companies realize just how much valuable data they have and how exposed it is to both insider and outsider attacks. It is not only your enterprise management solution database or your intellectual property that is at risk – your financial information, marketing documents, information about future products and plans for future marketing campaigns are all very valuable, and if they end up in the hands of your competition or out in the wild on the internet, your company can sustain a lot of damage. Even simple enterprise documents, such as tests for new applicants, have some value, because if they are lost the company will need to invest in reproducing them.
All of the data mentioned above needs to be adequately protected. But identifying all the valuable data in your company is only part of ‘identifying the problem’. The other part is to conduct a thorough risk assessment in order to understand how vulnerable the data is, what the most likely attack vectors are, and how you should go about protecting it.
Many companies, especially smaller ones that work with sensitive information, like small hospitals or banks, often use a compliance-based approach to data protection. That is, they take the list of compliance requirements and simply check all the boxes. While it is necessary to follow compliance requirements, it is worth noting that they are not the end goal in themselves. Instead, enterprise cybersecurity compliance serves as a guideline, helping companies better protect their data. Rather than only looking for compliance, companies should conduct a risk assessment and implement enterprise IT compliance in the context of the unique risks they are facing.
In a modern connected environment, sensitive data is vulnerable on many levels. It is vulnerable to malware, hacking attacks and theft by malicious insiders. Another big risk factor is human error. Data can be uploaded to personal storage accounts of employees that do not have a sufficient level of security, or it can be mistakenly shared via e-mail or an instant messaging system. All of these risks make up the data protection stack – a stack of levels on which data should be protected:
- Storage protection – data should be protected while at rest on the device or in cloud storage.
- Data separation – sensitive data should be identified and separated. Work-related data should be separated from the personal data of employees.
- Leak protection – measures should be taken to prevent or eliminate enterprise data leaks, which can be caused by malicious and inadvertent insiders as well as by security breaches.
- Sharing protection – data should be protected while being shared, both from man-in-the-middle attacks and from being sent accidentally, e.g. by email.
In order to truly protect your data, it is not enough to simply install an anti-virus or encrypt it. Data needs to be protected via a set of complementary measures, integrated together to form one seamless security system. There are many solutions out there addressing each part of the stack, and by using a combination of them you will be able to thoroughly secure your data even in the face of the growing frequency of leaks and breaches.
Protection of your perimeter
The first step in data protection may seem obvious to anyone, but it is still worth mentioning. It is important to protect enterprise apps and data from malware and hacking attacks. This includes two steps – first, ensuring physical data protection by securing your data center and using employee tracking software in order to track who worked with the hardware and when, and, secondly, creating a secure digital perimeter around your sensitive data.
A secure perimeter starts with the right network architecture, involving several isolated zones separated by firewalls. It is also important to protect your workstations with anti-virus software that is kept up to date. It is also paramount to protect the enterprise network with passwords, which is especially true for publicly available network access on site, such as Wi-Fi.
Another important aspect is to educate your employees on basic security practices. For example, an outsider may leave an infected USB stick in the hallway, where employees would find it and plug it in to determine its origin and contents. As soon as such a USB stick is used, your network will be infected with malware. Raising the awareness of your employees of security issues like that and many others, such as the danger of physically writing down passwords and sharing passwords with each other, is a great step in protecting your data from breaches.
Another great data protection tool is backup software. Regular backups are an effective way of ensuring that even if data at rest is compromised, it can be easily restored. The importance of regular backups becomes painfully apparent when looking back at the rise of ransomware earlier this year and the damage it caused to many affected organizations.
However, even when it comes to backups, it is necessary to remember the danger that insider threats pose. The enterprise admin in charge of backups can easily compromise your sensitive data. One way to avoid this, apart from monitoring the process, is to separate backup duties between two or more people. It is much harder to carry out malicious actions when working in a group, and by simply having one person perform the backup while another restores the data, you greatly reduce the risk of data being compromised during the backup process.
A great way to protect data at rest is to use encryption solutions. By encrypting the data, you ensure that it is inaccessible to anyone without proper authorization. However, there are two problems with simple encryption – separation of data, which becomes a concern when a person uses their personal device for work, and the fact that encrypted data cannot be easily shared without compromising the security of the encryption.
Many modern enterprise encryption solutions strive to solve the second problem by using a public and private key infrastructure together with an agent architecture. Such solutions make it easy to share encrypted data as long as the agent is present, securing data within the enterprise. However, such solutions have their own limitations, as data cannot be securely shared outside the organization. Moreover, such solutions still do not protect against insider threats, as a malicious insider will be able to easily decrypt the data and copy it to external storage or upload it online.
DLP solutions are a step above simple encryption and an attempt to stop any sharing of enterprise data without authorization, or any misuse of it. DLP solutions are configured to automatically identify sensitive data that should not be shared, such as financial and healthcare information. They then use a set of rules describing data misuse and check every instance of data usage on the network for a match against those rules. If data misuse is identified, the DLP system will try to prevent it, usually by simply blocking the action.
DLP systems sound great in theory, but in practice they have many limitations. In order for DLP to be effective, it should be integrated at the company level and encompass all ways of sharing data, including e-mail, cloud storage, file transfer over the internet, copying data to external storage, etc. Such integration is very long and costly, and results in a very complex system. One of the major disadvantages of DLP is that it tends to produce false positives, often interrupting people who are doing legitimate work. In certain cases, DLP systems can even interrupt the workflow of a whole department or even the whole company. Therefore, while this may be a good solution for a large company that can afford to invest the necessary time and money, it is obviously not a panacea. For many companies, the pains of integration, the costs of maintenance and dealing with false positives simply make a DLP solution not worth using.
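As an added illustration of the rule matching and the false-positive problem described above (example code written for this article, not part of any DLP product or of Ekran System), the following constructed Python scanner applies one content rule for payment card numbers: the bare pattern blocks a legitimate order export that merely looks like a card number, while adding a Luhn checksum validation lets it through.

```python
import re

# Constructed sample messages (not real data) that a DLP content rule would scan.
# "expense-report" carries a Luhn-valid test card number, "order-export" carries an
# order id that merely looks like a card number, "weekly-notes" is ordinary text.
SAMPLE_MESSAGES = {
    "expense-report": "Paid with card 4111 1111 1111 1111, receipt attached.",
    "order-export": "Order 1234 5678 9012 3456 shipped to warehouse B.",
    "weekly-notes": "Finished the quarterly marketing plan draft.",
}

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which genuine card numbers pass and random digit runs rarely do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, validate: bool) -> list:
    """Return card-number candidates in text; with validate=True keep only Luhn-valid ones."""
    hits = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if validate and not luhn_valid(digits):
            continue            # drop the false positive instead of blocking the user
        hits.append(digits)
    return hits


def scan(messages: dict, validate: bool) -> dict:
    """Apply the rule to every message and return the DLP decision per message."""
    return {
        name: ("block" if find_card_numbers(text, validate) else "allow")
        for name, text in messages.items()
    }


if __name__ == "__main__":
    print("pattern only:   ", scan(SAMPLE_MESSAGES, validate=False))
    print("pattern + Luhn: ", scan(SAMPLE_MESSAGES, validate=True))
```

Even with the checksum, a rule like this still sees only what it is pointed at, which is why the text above stresses that DLP must cover every sharing channel to be effective.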
User monitoring solutions
Another layer of data protection is user monitoring solutions, which in many ways serve as a counterpart to a thoroughly protected perimeter. While firewalls and antiviruses protect your data from threats coming from outside the organization, user monitoring solutions protect against threats from within, such as malicious and inadvertent insiders.
Modern user monitoring solutions record every user action, and many of them provide additional authentication options in order to distinguish between users. This gives the security department clear insight into the actions of any particular user, making it possible to determine whether they are malicious or not.
One of the biggest problems with malicious insiders is that their malicious actions are almost indistinguishable from the regular work routine. It is very easy for a privileged user to decrypt and copy data without authorization and then cover their tracks, or to infect the system with malware, or to create a backdoor. User monitoring provides a way to easily detect such actions.
User monitoring solutions differ widely from one another. They use different technical approaches and record various types of data. However, one characteristic common to almost all user monitoring solutions is their high price. While such solutions would undoubtedly be useful for an organization of any size, only large companies will be able to easily afford the steep entry fees. However, there are also a few affordable solutions on the market. One of them, Ekran System, boasts a great price together with a nice set of features, providing insider threat protection and prevention for projects of any size.
Ekran System – user monitoring solution for protection and audit
Ekran System is a user monitoring solution aimed at insider threat prevention and protection. Ekran System features a flexible pricing model that makes deployment very cost-effective for small and medium businesses, and provides a special enterprise version that delivers extended functionality to large companies.
Ekran System can record terminal server sessions, as well as desktop and Linux SSH/Telnet sessions, providing a full audit of user activity. It records everything that users see on their screens, including mouse movement, and couples it with relevant metadata, such as the names of active windows and launched applications, visited URLs, keystrokes, etc. All records are indexed and easily searchable, allowing any incident to be quickly located and reviewed. Ekran System is completely agnostic to the network protocols or applications used and can record the actions of any user regardless of their level of privilege, allowing for effective privileged user monitoring and third-party monitoring. An additional authentication system makes it possible to clearly distinguish between several users sharing the same account.
Ekran System also provides a heavily customizable alerting feature with a built-in list of predefined alerts, and allows security personnel to watch sessions live and block them if malicious actions are detected. This makes it possible to proactively protect company data from damage, changes, or leaks.
The enterprise version of Ekran System provides additional features such as high availability, the ability to initiate a session by requesting a one-time password from a system administrator, database maintenance features, and extensive integration with SIEM systems.
Overall, Ekran System is a powerful and affordable tool for monitoring employees that allows companies to detect and react in time to any malicious activity, while also serving as a powerful deterrent to insider threats.
While Ekran System is a great solution for protecting company data from insider threats and a powerful tool for preventing enterprise data from leaking, it is not enough on its own to provide full protection. It is most effective when combined with other measures, such as using firewalls, antiviruses and a smart network architecture to secure the perimeter and protect data at rest, and encrypting and making timely backups of your data. When all of these measures are integrated into a single systematic approach, you will be able to build a truly holistic and reliable threat protection infrastructure for your enterprise data.