Data theft, including personal data, affects more and more companies. To name just a few: Capital One, LifeLabs, Equifax, Uber, … you will find that no industry is spared. But beware, it’s not just personal information that can seek interest: your intellectual property and your billing or bank transfer procedures are also targets of a potential leak.
Data breach: a plague with no apparent symptoms
What is a data breach? A data breach is a security incident in which sensitive information is made, intentionally or not, public and / or accessible to unauthorized persons.
There are two types of data leaks: there are some from external attacks, ie from people who do not have (or should not have access to) your data and others from internal attacks, ie from people you trust and have authorized to access the data.
External attacks often come from criminal organizations who are developing techniques to infiltrate targeted organizations in order to take advantage of them. The techniques can vary form very simple to very complex. For example, the attacks can take place through phishing campaigns containing a Trojan horse like Emotet, or by compromising your supply chain. The final objective and the means used depend on the value of your data, the attacker’s abilities and his motivation.
In the last months of 2019, we saw a combination of attacks appearing used by certain groups behind ransomware attacks. In fact, since the objective of such an attack is to obtain a ransom, the new variants of this malware go as far as to exfiltrate large amounts of data before encrypting it. In this way, if you are able to restore your systems without paying, the criminals then threaten to disclose everything publicly. (see article on Maze).
The other threat, often underestimated, is the data leak committed by someone you trust. It can be voluntary or accidental. There are many cases and testimonies in the matter: an (ex) employee, manager or partner, or even a trusted individual of one of your suppliers are all people who can be the source of leaks. This threat is all the more facilitated since they have (or already had) access to your resources and that it is related to their work.
This said, these people can copy data using external devices such as USB keys, external hard drives or even memory cards.
Amongst other ways to extract information: cloud-based email, printing sensitive documents, as well as instant messaging …
The basic problem is that the balance between access to data, fluidity of data and the means to control what is happening is fragile. Ultimately, your organization’s performance hinges heavily on your ability to share your data, to the right people and at the right time, be able to protect it, not to mention the compliance rules imposed.
Finally, one of the biggest difficulties in protecting an organization against leaks is that unlike monetary theft, data theft does not remain very apparent, because the data does not disappear. Signs of a data breach are therefore barely visible, and symptoms are often not felt until months or even years later.
How can we protect ourselves ?
First, it is illusory to want to protect all of your data for every conceivable scenario. You need to know how to pick your fights.
For this, you must have a strategy that will focus on the value of your data, but also taking into account how you use it, the different scenarios of the most significant risk of leaks, the impacts and your regulatory obligations. Clearly: the beginning of your strategy will be based on a good understanding of your situation and your risks.
From a technological point of view, the solutions are diverse and you will therefore have to approach everything by a combination of approaches and control measures. For example, there are “Loss Prevention” solutions called Data Loss Prevention (DLP), but despite their name, these technologies should not be seen as a quick fix. These technologies must be used and deployed taking into account the global context of other technologies and basic safety or health measures, such as administrator access control (PAM), the configuration of your systems, the implementation of patches, code security, data anonymization, monitoring, etc.
A data leak prevention strategy will therefore be structured around data considered to be sensitive and of high value, and to apply a set of rules to it throughout its life cycle. The objective? Control the data flow in accordance with previously defined policies. These rules can apply at the terminal (workstation, server, etc.), internal or cloud application (Microsoft 365 for example), network (firewall, etc.) and your monitoring tools SIEM, for example.
- The first step is to define the priority scope of the data to be protected and the functional use cases to be processed.
- To avoid accidental leaks, you must classify your information. Besides, if you use Microsoft Azure, do you know its solution Microsoft Azure Information Protection (AIP)? Once your data has been classified, it will be easy to define policies for accessing and exchanging data with authorized people according to the classification of the document in question.
- It is important to identify the regulatory and legal constraints concerning sensitive data, such as personal data, its processing, storage location and transfer channels. For organizations operating in an international context, they will have to face local regulations, often creating a gap as to the rules they must respect regarding data processing. Therefore, companies will have to rely on the skills of their legal and compliance departments to validate the protection rules applied to data.
- The implementation of DLP solutions must absolutely:
– take into account the business needs that potentially involve the exchange of sensitive information with the outside
– preserve the experience of users who should not have their activities disrupted by protection mechanisms.
- It is then necessary to define the technological means and processes to be put in place for the detection of a data leak. Since a leak leaves few signs and symptoms, it is important to frame the abnormal situations that you wish to detect. In addition, we must make sure to integrate these scenarios into our incident management plan, these will have to adapt to the processes already planned:
– Who will receive alerts related to potential data leaks?
– What means should be put in place in the event of an investigation into the area affected? Is there a level of confidentiality that an investigation must respect?
– According to the degree of criticality, which hierarchical and operational level to contact?
- The implementation of technical solutions should:
– Take into account the diversity of your IT systems and your collaboration processes;
– Adapt to business environments (collaborative platforms, file servers, etc.);
– Integrate with SOC tools (SIEM, etc.) and other enterprise security solutions (PAM, access review, UEBA, firewall, encryption tools, MDR, etc.)
- In conclusion, raising awareness amongst your employees through internal campaigns, but also providing them with the right tools and the right training on them, remains one of the important points in the context of preventing data leaks. Special care must be taken if a user has access to privileged information.
However, deploying data leak prevention and detection tools is not an end in itself. The detection scenarios implemented must be reviewed regularly on the basis of the evolution of your organization, its systems, false-positives and escalations of alerts in order to improve the detection capacity of real data leaks.
This is why going through the “inventory” stage regularly will allow you to adjust your strategies and the means implemented according to the new risks and techniques used and new technologies available on the market.
In Fidem has experts who can assist you in implementing strategies, tools and methods to protect you against data leaks, whether from external or internal attacks. Please do not hesitate to contact us so that we can assess your situation.