Hackers and cyber criminals are after “the data.” CISOs and CIOs are charged with protecting “the data.” “The data” is always assumed to be important business data—subject to compliance regulations or absolutely essential to a company’s competitive survival. We all assume that we know what “data” means and that our security measures are protecting it. In our experience, it turns out that almost no one realizes the full extent of what protecting data looks like in today’s organizations.
What exactly is “the data?”
When we ask customers which data they must protect, answers usually include “credit card numbers,” “healthcare records,” “intellectual property,” and similar categories. Well, yes, but there’s more. Different departments interact with—and are responsible for—different kinds of data. HR cares about employee PII, health insurance, and compensation data. DevOps teams rely on proprietary code, testing, and monitoring data. Sales lives and dies with CRM and order status metrics. Supervisory control and data acquisition (SCADA) and PLC data is the lifeblood of industrial environments. Retailers run on credit card numbers, tech companies innovate through IP, and healthcare organizations depend on medical records. When any of this data is compromised, the business feels the impact.
“The data” is complex. Its components are often generated in multiple places, aggregated into one or more repositories, accessed by different people for different purposes, and then proliferated across multiple groups in multiple forms. Healthcare records are one example. Patient intake data is often collected on paper forms, which might be scanned into a PDF; the PDF then goes through optical character recognition to be turned into text, and the alphanumeric information is entered into a database. Handwritten comments might be added. Diagnostic images might be captured at a third-party imaging facility, prescription data is sent to a local pharmacy, and insurance information is accessed through an external portal. A specialist now needs notes from the doctor and the images. The pieces needed by the specialist are fed into that office’s systems. All uses are legitimate. But now this compliance-regulated data can be anywhere and everywhere at the same time.
“The data” is also often overlooked. Think of data captured in chat apps or customer support bots; project communications, voicemails, backups, and the company’s social accounts; biometrics, images, video, and audio. Organizations generate terabytes of data every day—and to threat actors, it’s all valuable. Although it’s easy to assume that we know the status of our data, it’s also easy to see that maybe we don’t.
Let’s Go There
Those are the more obvious forms of data that companies need to protect. What happens when bad actors intervene higher up in the food chain to compromise IT, cloud, and security infrastructures? The growing number of supply-chain and third-party breaches is showing us. This year, an employee of 3CX, maker of a popular voice-over-IP (VoIP) system, used his credentials to download and install a financial trading application. The downloaded trading application was infected with backdoor malware that North Korean-affiliated attackers used to access 3CX’s software build environment and replace a DLL file in the 3CX app with a trojanized version. When customers load the 3CX VoIP app on their systems, they’re actually loading full-blown malware. The impact is global, affecting hundreds of large businesses, governments, and service providers. So far, according to Symantec Threat Hunters, two financial trading companies and two critical energy infrastructure companies in the U.S. and Europe were breached. Few, if any, of these 3CX customers scrutinized their updated VoIP software down to the binary level.
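What “scrutinizing an update down to the binary level” can look like in practice, as an added example that is not from the article or from any vendor: a baseline-and-diff integrity check that hashes every file in an install tree and flags any binary whose bytes changed after an update. The directory layout and file names (`app/client.exe`, `app/libvoip.dll`) are constructed for the demo.

```python
"""Baseline-and-diff integrity check for an installed application tree.
Added example (not from the article or any vendor). It shows how a defender
can notice that an update silently swapped one binary, the kind of change the
article describes. All file names and contents below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries never sit fully in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify changes between a trusted baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a known-good install, then an 'update'
    replaces one DLL in place (same name, same path, different bytes)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "client.exe").write_bytes(b"MZ original client")
        (root / "app" / "libvoip.dll").write_bytes(b"MZ original library")
        baseline = build_manifest(root)          # captured from the trusted install
        (root / "app" / "libvoip.dll").write_bytes(b"MZ replaced library")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())  # {'added': [], 'removed': [], 'modified': ['app/libvoip.dll']}
```

The check is only as good as the baseline: it has to be captured from an install you already trust, because diffing an update against itself finds nothing.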
Uh, now what?
What does this mean for IT teams? Protecting “the data” means much more than building access controls around systems containing protected classes of data. They also need eyes on the binary data running their applications and networks. They need to know where it is, how it changes, and who’s accessing it:
- Which data is important to which teams?
- What is the specific data that needs protection in every area?
- How is it being created?
- How is it consumed?
- What happens to the data—how is it enhanced, edited, or otherwise transformed?
- Where does it go after that? Who else sees it?
- What about data that comes into your network?
Data is actually characterized as bits, bytes, and BLOBs. These binary bits are involved in thousands of organic processes that are specific to each company. IT teams need to be able to see, track, control, and defend this data. They need an organic data surveillance solution that delivers visibility into data at the binary level and tracks all of the unique ways that your organization uses it. At the end of the day, the security team is responsible for all of the data—not just the pieces that they think they know—and must be able to account for it within the specific context of their organizations.
By Brian Christian, CEO, Flying Cloud
Brian is Chief Executive Officer of Flying Cloud, a data surveillance company. With more than 20 years of experience in the information technology industry, his roles have focused on enterprise security software development and security products. He founded Zettaset and served as Chief Technology Officer. Zettaset pioneered game-changing, large-scale data security products and platforms, based on big data. Prior to Zettaset, Brian co-founded SPI Dynamics, the leading expert and industry thought leader in Web application security assessment and testing. SPI was purchased by Hewlett-Packard.