Thursday, July 30, 2009

Persistent, information-centric protection, PCI and the Network Solutions breach

The more news I see regarding various breaches, the more I am convinced of the superiority of persistent and information-centric security. For example, take the latest breach at Network Solutions - a PCI compliant organization. Over half a million cards stolen.

Comments galore:
Here is what they say: "The company determined that the unauthorized code may have been used by cybercriminals to capture transaction data, including customer names, addresses, and credit card numbers, and transfer it to servers outside of the company...."

Now look at the statements below from industry experts:

"...many enterprises are behind in security protection efforts such as anti-virus updates due to shrinking IT budgets, which results in unpatched vulnerabilities that are easily exploited"

Seems like anti-virus and unpatched systems are the main culprit - long live infrastructure protection!

"...the incident illustrates the risks of cloud computing."
A broad general statement - not clear what the implication is :)

The point:
My point is that the industry is so wrapped around protecting the infrastructure - i.e. protecting data by proxy - that they forget what it is they are really trying to protect. With an information-centric security solution, the credit card data would be protected persistently. Even if the data were to be "..transferred over to servers outside the company..", it would still remain encrypted, thus making it much harder for criminal organizations to obtain any value from the data.

The last and best line of defense is the data - this is how layered security should be.

Friday, July 24, 2009

Where does a £3M fine hurt?

Not sure, but we will know. Regulatory bodies are becoming increasingly tough on lax organizations for not protecting sensitive data - HSBC was recently fined £3M for not adequately protecting customer records.

The interesting part to notice is that the fine was applied even though no customer had an unfortunate incident after the breach - I presume something like a lost identity, money stolen from their bank account, etc.

And even more interesting was that HSBC got a 30% discount for cooperating :). Good boy!

Thursday, July 23, 2009

It's the Vision Thing, Stupid!

Let's face it: "It's the software, stupid!" gets almost a million hits
on Google.

And I don't want to belittle software. Software is important.
Software is what processes your data, and unfortunately, software
is horribly badly designed and rushed to market long before it is
ready. Your data is at risk? Blame software. It's easy, and you
can be 99% sure you are right. Those are pretty good odds.

But think about where you were when "ILOVEYOU" hit. When
I wrote "JustBeFriends", we assumed that Microsoft would blame
the victim, as they had every previous time. Instead, Microsoft
changed direction and started caring about security. Bad news for
me, good news for Microsoft.

This is a blog post. It will not answer all your questions. But it
will make the following points:

(1) virtualization is important,
(2) your data is what matters,
(3) the world is changing,
(4) there are no time machines or magic wands.

We now return you to your regularly scheduled blog.

-Tim

Wednesday, July 22, 2009

Virtualization security - presentation at the OpenGroup Security Conference

Just presented on virtualization security and some of my thoughts on how an information-centric security approach will be absolutely essential - this is at the OpenGroup Security Conference in Toronto. I am putting up the slides I presented in this post.

This is my first attempt at sharing slides via Slideshare - let's see how it works:

The new Missouri breach law

Looks like we have state number 45 - Missouri passed a new breach law recently and will be applicable by the end of August. Nothing earth shattering in the new law - follows pretty much the standard ones.

The interesting part is they decided not to go the Nevada and Massachusetts way and prescribe a solution - i.e. encryption. Does this mean there is less perceived value in what the MA law does? Or are legislators unwilling to go the extra step to enforce protection for fear of pushback?

Monday, July 20, 2009

The UCSD and Kaiser breaches

Have not talked much about any specific breach in a while, but this one caught my eye. Apparently the hotline for a hospital that had a breach was swamped with folks trying to understand what happened and whether they were at risk. UCSD had a breach of about 30,000 records, when an external attacker was able to pry through the defenses.

I was beginning to get concerned that folks were not in the least (concerned that is)! Apparently they still do care when their personal information gets out there - but, as is the case all the time, it has to get personal. In fact they were concerned enough to swamp the hospital with calls!

Which brings me to the benefits of small amounts of money, spent judiciously on the right security programs. Even if the cost of losing 30K records was a minimum of $30 per record (including the costs of notification, credit monitoring, legal fees etc), it's still nearly a whopping million dollars! A lot of moolah to be sure..

Which brings me to the Kaiser breach - the judge saw it prudent to smack the hospital on its wrists with a fine of $187K. Not a large fine in the context of a hospital, but something to say it is serious about preventing lax management of records.

Wednesday, July 15, 2009

New Ponemon report - little change

It is interesting to note that the more things change, the more they remain the same! The new Ponemon report is out and the numbers are interesting (but no shocking new revelations). Check out the article from Dark Reading.

  • 74% of organizations had a breach in the last 12 months (the PGP release says 85%)
  • 22% had five or more breaches (and they did not have any encryption)
  • Compliance is a big driver (64% say this is why they do what they do)

One interesting nugget is the idea that encryption is becoming more strategic and folks are moving away from point solutions. I am not sure how people view the difference between point solutions and a suite of solutions :) (the latter is just a bunch of point products slapped together into an interface).

I strongly believe that this device-centric approach will not get us out of this funk. Every year we have more breaches, even though adoption of encryption is getting better. Why? Poor strategies, poor management of encryption and multiple device centric solutions not really doing the job.

The only way to truly protect data is with an information-centric security approach - and not focus on multiple devices, apps, file shares and now mobile devices as seen in this article.

Tuesday, July 14, 2009

The Soprano breach

I guess this is the trend we have been seeing - breaches and hacking are not for brownie points and bragging rights. Real, solid criminal enterprises are behind it, as seen by this story about the mafia being busted for hacking into Lexis Nexis databases.

Staggering, the amount of money out there from breaches - else why would enterprises leave the opportunity costs and gross margins of other endeavors (drugs, etc) and flock to this? Or maybe it is the "white-collar"ness of the crime? And maybe less violence?

Friday, July 10, 2009

Enhancing DLP

What exactly is DLP? The general consensus is that DLP technologies worth their salt should include some form of content awareness. Was recently at the Gartner Security Summit and Eric Ouellet made a strong case for it - if you get a chance to see the presentation, it is very well worth it and provides a great overview.

Also, just read a good article in CSO Magazine by Bill Brenner on technologies that can extend the value of DLP. Am glad that folks are seeing the value of encryption within a data leakage context and am encouraged by the comment by William Pfeifer about the requirement to protect the data at all times and not just at rest. This, I believe, is the right information-centric approach.

One point I think Bill might have missed is the value of Identity technologies (IAM) to enhance DLP as well. I strongly believe that the combination of IAM + content-aware DLP + persistent encryption can solve (from a technology perspective) many of the challenges we face. This gives control over roles and the content itself, and completes the action of protecting the data by enforcing specific access control triggers within the data itself.

Aha - true "discover once, protect forever" :)
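To make the "discover once, protect forever" idea concrete (and the earlier point that exfiltrated card data should stay encrypted wherever it lands), here is a small added example of my own, not code from any product or article mentioned above. It finds real card numbers in a record with a Luhn check (the content-aware part), wraps each one in an envelope that carries its own role policy, and only releases the number if the envelope is intact and the caller's role is on the policy. The key, the roles and the HMAC-based keystream are constructed for the demo; a real deployment would use a proper AEAD cipher and a key service.

```python
import hashlib, hmac, json, os, re

# Constructed demo key. In a real deployment the key lives in a key service the
# data store never holds, so a copied database is ciphertext without it.
KEY = hashlib.sha256(b"constructed-demo-key").digest()
PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    """Content awareness: a digit run is a card number only if it passes Luhn."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def _keystream(nonce, n):
    # Toy HMAC-SHA256 counter-mode keystream; stand-in for a real AEAD cipher.
    blocks = [hmac.new(KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def protect(pan, policy):
    """Wrap one PAN in an envelope that carries its own access policy."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(nonce, len(pan))))
    hdr = json.dumps(policy, sort_keys=True).encode()
    tag = hmac.new(KEY, hdr + nonce + ct, hashlib.sha256).digest()  # binds policy to data
    return {"policy": policy, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unprotect(env, caller_role):
    """Return the PAN only if the envelope is intact and the role is allowed."""
    hdr = json.dumps(env["policy"], sort_keys=True).encode()
    nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])
    expect = hmac.new(KEY, hdr + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, bytes.fromhex(env["tag"])):
        raise ValueError("envelope tampered: policy or ciphertext altered")
    if caller_role not in env["policy"]["roles"]:
        return None  # IAM trigger enforced by the data itself, not by the host
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

def redact(text, policy):
    """Discover once: replace every real PAN in a record with an envelope reference."""
    envs = {}
    for pan in find_pans(text):
        envs[pan] = protect(pan, policy)
        text = text.replace(pan, "{ENC:" + envs[pan]["ct"][:8] + "}")
    return text, envs
```

Because the policy is covered by the tag, an attacker who copies the envelope cannot simply add their own role to it; and because the host holding the record never holds the key, the "transferred to servers outside the company" scenario yields only ciphertext.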

Monday, July 6, 2009

The Sharepoint security conundrum

Sometimes going to security conferences is not all that useful. However, I just got back from the Gartner Security Summit - some very interesting presentations and conversations. I like the in-depth analysis that they do - and this time I was intrigued by the Sharepoint security presentation by Neil MacDonald.

A few points I learnt:

  • Sharepoint is the fastest growing product in Microsoft's history! Taking over and replacing many file shares and other collaboration products.
  • Security is a big concern due to the rapid growth - especially when collaborating with external parties.
  • Data is usually not encrypted within Sharepoint - makes it hard to search and index.

Sharepoint is an example of an information-centric approach in an organization - and I think it is most suited to a similar information-centric approach for data security. You cannot protect the data by protecting the boxes, encrypting hard drives etc. The protection policies should travel with the data and/or be enforced by authentication and the right authorization within Sharepoint.

Will be interesting to see how this shakes out - I am excited about the information-centric security approach that Sharepoint will force organizations and vendors to adopt!