Just like all things security, yet another new concept has taken the market by storm, being repeated over and over again. The perimeter is dead. We are living in a world without walls where criminals, employees and devices exist on the inside and outside. Firewalls may or may not stop external bad actors from breaking in, yet in many cases, those bad actors are already inside using stolen credentials to masquerade as legitimate employees. Then there are malicious and non-malicious employees and third-party vendors, people who either want to steal data for financial gain, hurt their employer or simply do not understand nor practice good cyber hygiene. Threats are everywhere - in, out, behind, in front, above and below.
I recently had an interesting discussion about this topic with Symantec Senior Vice President of Information Protection, Nico Popp. Being on the front lines with enterprises, Nico sees firsthand the challenges they are facing navigating this new world. Enterprises want to support collaboration, cloud adoption, remote connectivity, and mobile computing. However, they also want to make sure they are secure and compliant at all times. I captured my conversation with Nico in a Q&A.
Steven: Nico, thanks for taking the time to chat with me. As we are hearing time and time again, the perimeter has vanished. Is this what you are seeing across the enterprises you meet with?
Nico: Not exactly, Steven. The perimeter is not dead, it just needs to evolve. When data is in the cloud, in unmanaged/BYOD devices and shared with external users, the network as the perimeter is no longer enough. So, ask yourself the question, “In a world where you no longer control the application (SaaS), the data-center (iaaS), the device (BYOD) and the user (external collaboration), where is the perimeter? The answer is simple. The only thing you control in that brave new world, the only thing that really belongs to you is…the data. So, the data MUST become the perimeter because there is NOTHING else.
Steven: In the past when data was primarily on premise, within the confines of the four walls of the organization, it was much easier to make sure bad actors didn’t get in and valuable data didn’t get out. In this new world, how can enterprises take the reins and regain that control?
Nico: To regain control of their data, cyber leaders should focus on three controls, although each one has their shortcomings. Data loss prevention is the brain of protection. It understands which data is personally identifiable information, source code and other types that make it valuable. However, while data loss prevention is intelligent, it does not actually protect the data. It simply blocks the user. Don’t send that email. Don’t share that file. Data loss prevention is Captain “No.” Encryption is good at protecting the data, however it’s far from intelligent. It cannot decipher what kind of data needs and does not need to be encrypted. So, we encrypt everything, whether it’s a picture of our kids or a highly confidential document. Identity and access management is the third control. It protects access to the data by only allowing certain users to gain access, however once it grants access, it steps out of the way. It doesn’t protect anything anymore. These three controls – data loss prevention, encryption and identity and access management – need to come together. Data loss prevention should be the brain of encryption. It should tell the tool which documents must be encrypted. Encryption should be identity aware. It would only unencrypt data after the user authenticated.
Steven: What about user and entity behavior analytics (UEBA)? We are seeing a transformation in the UEBA space where the technology is being integrated into existing security tools, like data loss prevention, to optimize their effectiveness. Where does UEBA come into the picture with the scenario you described?
Nico: UEBA is the “eye in the sky” monitoring the telemetry aspect that’s missing today in the enterprise environment. Here’s an example. Let’s say “Tom” who works at Symantec, sent an email to “Amy” who works at a public relations agency, a set of press releases that have not been made public yet. Data loss prevention drives encryption so since the file was confidential, its contents would be encrypted automatically. When Amy receives the email, she is required to authenticate, which she does, and the file is unencrypted. The UEBA technology is consuming all of the telemetry data so that it understands what’s normal behavior for Tom and Amy, what’s abnormal but okay (i.e Tom sending the file to Amy, which may not be something Tom would typically do), and what’s abnormal but dangerous (i.e. Tom sent not only the press release file but also documents containing sensitive customer information which is not something he would typically send outside Symantec). If the UEBA tool detected abnormal but dangerous activity, it would prioritize the alert and send it to analysts for immediate investigation.
The best way for enterprises to embrace BYOD, the cloud and collaboration while also remaining compliant and secure is to enable data to be the perimeter. By automating controls that follow the data, security leaders will have visibility into the security posture of that data no matter where it resides or who’s accessing it. And what’s even more exciting is that they no longer need to be a “CIS-no.”
Steven: Nico, thank you for your time today. These are certainly exciting times that also come with added responsibility to protect our employer’s and client’s data. I look forward to speaking in the future about topics in information protection.