Knowing what data we have, where it is located, how it is being accessed, and by who, is crucial to ensure that we are able to adequately protect it.
We need as much transparency as possible into the security controls that are in place, and whether or not those security controls are effective. Having visibility into all areas of our system, enables us to be more proactive, rather than reactive. It allows us to analyse and correlate events from a variety of devices, platforms, security tools, sensors, and so on.
Organizations need a complete overview of their security posture. All relevant events should be presented to them via a single, intuitive dashboard, which can be effortlessly searched and filtered based on a wide range of criteria.
Naturally, event logs will need to be kept for a sufficient length of time, so that organizations are able to provide evidence of how data was collected, stored and accessed, in the event of a data breach. They will also need to provide evidence of the controls there were in place to protect the data.
Organizations must have complete visibility into the following areas:
Devices That Connect to the Company Network
Organizations will need a comprehensive list of all devices that are connecting to their network, and as much information as possible about the type of device, the operating system, the physical location where they are connecting from, and how the devices are configured.
There are a few network monitoring solutions available that can give security teams the visibility they need to identify suspicious devices on their network. Smaller organizations can gain this visibility by logging into their router and reviewing a list of devices.
They can setup white lists and enable Media Access Control (MAC) filtering to block any device (IP address) that is not listed in the router configuration. However, they should still consider adopting a more advanced solution that provides advanced analytics and real-time alerts.
Suspicious Network Traffic
Not only do you need visibility into who what devices are accessing your network, you need to be able to identify anomalies in the network traffic and receive meaningful alerts in real-time.
You will need a solution that is capable to deep packet inspection and record the IP address of both the sender and receiver of data, especially if the traffic includes data which is sensitive.
You will need to be able to troubleshoot bandwidth anomalies, and easily collect and correlate event logs generated by routers, switches and other types of hardware.
You need to record the applications and operating systems that are being used to generate the traffic, and the domains/URLs that are being accessed.
However, it should be noted that network monitoring, and other perimeter defense solutions, such as firewalls and intrusion prevention systems, are not as effective as they once were. Cloud computing, IoT, and an increasingly mobile workforce, have significantly increased the number of entry points which can hackers can use to gain a foothold in the company network.
As a consequence, companies have been shifting to a more data-centric approach to security, which focuses on events relating to files, folders, mailbox accounts, and so on.
Data-Centric Audit & Protection (DCAP)
Security teams will need a detailed overview of all changes effecting their sensitive data, and the changes must be presented in real-time. They will need information about who is accessing what resources, and when.
As above, they will need to know the physical location from which their users are logging in from, and where the data they are accessing is located.
They will need complete visibility into the types of actions that are performed. For example, any time a file or folder containing sensitive data is created, read, updated, deleted, copied, moved, or shared, the security team will need to know about it.
They will also want to correlate these events with the time when the user logged in.
Using Automation to Achieve Greater Transparency
Naturally, there’s only so much visibility security teams can achieve without the right tools.
They will need to make use of the latest and greatest tools and technologies that allows them to automatically detect, alert and respond to events, as and when they occur.
For example, most sophisticated auditing tools use machine learning techniques to learn typical patterns of behavior, which can be checked against in order to identify anomalies.
Such techniques can be applied to both network traffic patterns, and user behaviour. Events could also be correlated with threat intelligence feeds from both internal and external sources, to provide a more complete diagnosis of the system’s state.
Automated tools can also help with other tasks, such as inactive user account management, detecting failed login attempts, bulk file encryption, data discovery and classification, and more. Automation can also help to generate reports that are tailored to meet the demands of the data privacy laws that apply to your organization.
Inactive User Account Management
Organizations often fail to detect and manage inactive (or “ghost”) user accounts in a timely manner. This can lead to previous employees gaining access to the network using the same set of credentials they were using before they left.
Inactive use accounts are also sometimes exploited by hackers, as doing so can provide them with an opportunity to snoop around the company network undetected. There are a number or commercial auditing solutions which can automatically detect and manage inactive user accounts.
Data Discovery and Classification
Another very useful role that automation can play in giving visibility and control to security teams over their critical assets is with data discovery and classification (DDC).
Having the ability to automatically discover and classify sensitive data will make it much easier for security teams to know where their most value data resides, and the controls that are in place to protect it.
Most data classification solutions can discover and classify a widget range of data types, including PII, PCI, PHI, and any other types of data that are covered by the applicable data protection regulations.