1 10527 Tripwire Data Protection 2 0 WP

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9
At a glance
Powered by AI
The key takeaways are that organizations need to renew their focus on data protection given increasing data volumes, scope and threats. A focus on data protection should be the root objective for security programs.

The external forces of advanced threats and compliance obligations combined with internal forces of new business initiatives lead to complex data protection requirements. An explosion in data volume and locations adds to the challenge.

Organizations must protect increasing data volumes across various locations including customer, internal and system data. They must also address evolving compliance obligations and threats.

Jim Maloney

President and CEO, CyberRisk Securities, and


Mark Evertz
Security Solutions Manager, Tripwire

Data Protection 2.0: It’s Not Just


Names and Numbers Anymore

WHITE PAPER
Introduction

CISOs and their security programs face nearly overwhelm- somewhat diluted. Certainly computer, application and net-
ing pressure to take a renewed focus on data protection. work security are key contributors to information security,
The external forces of advanced threats and a multitude of but businesses should not lose sight of the fact that one of
compliance obligations, combined with the internal forces of the main reasons computers, applications and networks are
new business initiatives, lead to a complex set of data protec- protected is to safeguard the data that is being stored and
tion requirements. These requirements are then overlaid on processed.
an explosion in the volume of data generated and a variety Corporate security teams who build a security program
of locations where that data may reside. And if that’s not around a clear objective such as data protection will tend
enough, the scope of data to be protected includes not only to have better focus, clearer direction and a faster path
customer data, but internal data and system data as well. to identifying threats and vulnerabilities before data is
A vigorous focus on data protection by the information compromised. Just as in problem solving, where root-cause
security industry and a migration of organizational CISOs analysis provides better focus, a root objective such as data
toward an information-centric approach can be traced back protection can be useful in driving security initiatives and
to early 2007. At the February 2007 RSA Conference, lead- providing improved focus for a security program.
ers of two of the largest security vendors began to bang Even if a particular security initiative is specific to one
the drum for a data protection mandate in their keynote particular aspect of information security, such as protecting
presentations. Both speakers highlighted the need for a a network, the justification and objectives for that initiative
deliberate focus on protecting data—as opposed to a focus can always be traced back to data protection. Recognizing
on protecting systems—to address a rapidly disappearing data protection as the underlying objective for informa-
perimeter. Their views reverberated then, and can still be tion security programs and initiatives allows IT Security,
felt today. Compliance and Operations teams to better align with a
Driven by expanding compliance obligations, increasingly bridge-building end goal—protecting the business and its
sophisticated external threats and ever-changing business customers.
requirements, organizations are rediscovering the founda- The remainder of this paper provides an overview of the
tional concepts of information security—objectives that many data protection challenges CISOs face and suggests a
focus on the protection of data. By its most literal defini- sequence of five actions to take to address these challenges.
tion “information security” means the protection of data.
But today both the volume and scope of the data to be pro-
tected is much greater.
In terms of the sheer volumes of data to be protected,
from 2009 to 2020 the amount of data in the ‘Digital
Universe’ is expected to grow by a factor of 44 times to 35
trillion gigabytes.1 And although identity, financial account
and credit card data are the most sought after—even sur-
passing illicit drugs as organized crime’s most desirable
commodity—the compromise of system data (configura-
tions, settings and log files) can be the gateway for access
to this data. In terms of data scope, clearly system data
needs to be on the radar for protection.
From the beginning of the modern era of information
security in the late 1960s, information security has evolved
to include protection of computing platforms, applications
and networks, with the focus on data protection becoming

2 | WHITE PAPER | Data Protection 2.0: It’s Not Just Names and Numbers Anymore
The Evolution of Information Security

The first comprehensive information security presentation


was part of a session chaired by Willis H. Ware of RAND
Data Protection Objectives
Corporation at the Spring Joint Computer Conference of A useful working definition and set of objectives for infor-
1967.2 It could therefore be said that the modern era of mation security is provided in the ISO/IEC 27001 standard:
information security is about four decades old. Information the preservation of confidentiality, integrity and availability
security rapidly evolved as both a discipline and an industry of information. This is sometimes referred to as the CIA
in parallel with the broad-based adoption of computers for Triad. Although debate about including other information
government, business and then personal use. protection attributes such as accountability, authenticity,
In the early days of information security, when there was non-repudiation and reliability has been almost continuous,
limited networking and no Internet, there was some reason- the security community generally agrees on the original
able correlation between the more established concepts of three attributes as key objectives.
physical security and the emerging ideas around information Information security is a moving target; declaring victory
security. Early implementations of information security put after meeting these CIA objectives a single time is inad-
controls around data and systems in a manner similar to equate. Data and the systems that store and process it live
protecting a physical perimeter. in an ever-changing environment. Threats and threat agents
Within two years of the first information security pre- constantly try to exploit new vulnerabilities, surfacing when
sentation, the first ARPANET link (the predecessor to the changes in both technology and business operations intro-
Internet) was established. The link connected the University duce potential new vulnerabilities. As thought leaders in the
of California, Los Angeles, and the Stanford Research security industry have said many times, information secu-
Institute and occurred at 22:30 hours on October 29, 1969.3 rity is a journey, not a destination.
The omnipresence of data and data processing, along with
the notion of a disappearing perimeter as demands for
data sharing increased, marked the beginning of the end
for perimeter-centric security models for information secu-
rity. In some sense, the level of protection that might be
directed at the data itself can be thought of as the new
“micro-perimeter,” in contrast to a traditional perimeter
focused on protecting the data’s environment.
As time went on, the scope of information security pro-
gressed through the core elements of a computing system,
beginning with mainframes and internal networks, and
eventually encompassing external networks, servers, desk-
tops, system services, applications, and even the end user.
Along the way, the focus shifted more toward protecting
systems and farther away from the original objective of pro-
tecting data.

Data Protection 2.0: It’s Not Just Names and Numbers Anymore | WHITE PAPER | 3
The Pervasiveness of Data

How much data is out there? Lots. How fast is it growing?


Very fast. Where is it coming from? Everywhere. Here are
Increased Scope of Data
some eye-opening statistics and projections recently pub- Not only is the volume of data increasing, the scope in
lished in the Digital Universe report by IDC.4 terms of types of data that need to be protected is increas-
ing as well. Customer data and sensitive internal data are
• In 2009 the amount of data in the “Digital Universe” grew
the first to come to mind, but system data, comprised of
by 62% to nearly 800,000 petabytes (a petabyte is a mil-
system configuration, settings, and log files, must also be in
lion gigabytes).
scope for data protection. The importance of system data,
• By 2020, the Digital Universe will be 35 trillion giga- and the impact on security is driving the development of
bytes—44 times larger than it was in 2009. “The Common Configuration Scoring System (CCSS): Metrics
• Nearly 75% of the Digital Universe is a copy—only 25% is for Software Security Configuration Vulnerabilities” by NIST.
unique. In the introduction of the document, this sobering comment
• While enterprise-generated data accounts for 20% of the is made:
Digital Universe, enterprises are liable for 80% of the data “Because of the number of vulnerabilities inherent in
that is created (the majority created by end-users). security configuration settings and software feature misuse
possibilities, plus the number of software flaw vulnerabili-
• By 2020, more than one third of all the information in
ties on a system at any given time, there may be dozens or
the Digital Universe will either live in or pass through the
hundreds of vulnerabilities on a single system.”
“cloud.”
The 2010 Verizon Data Breach Investigations Report also
From this research, clearly an extremely large and growing
noted that hackers are increasingly exploiting configuration
body of data resides in many locations, making the achieve-
weaknesses and programming errors rather than software
ment of data protection objectives even more challenging
vulnerabilities in order to steal information from computer
tomorrow than it already is today.
systems. This same report noted a trend towards “anti-
forensics” with respect to log files, consists of the criminal
tampering with or deleting logs to hamper detection and
investigations.5
Some examples of data within the categories of customer,
internal and system data include:
Customer Data Internal Data System Data
Firewall
Personal data Business plans configurations
Intellectual Router
Financial data property configurations
Platform
Health records Customer lists configurations
Accounts &
Cardholder details Employee lists Permissions
Criminal records Contracts Event logs

4 | WHITE PAPER | Data Protection 2.0: It’s Not Just Names and Numbers Anymore
Compliance Obligations, Another facet of compliance is the body of laws related
to breach notification. The first breach notification law was
External Threats and Internal passed in 2003 (California SB 1386) in response to con-
Change—A Data Protection cerns about the rise in identity theft. Following California’s
lead, forty-six states, the District of Columbia, Puerto Rico
Mandate and the Virgin Islands have enacted legislation requiring
Protecting data has always been the right thing to do. But notification of security breaches involving personal informa-
various government and industry entities, prompted by tion (as of April 12, 2010).6 A US federal law is also being
instances of large data breaches and growing user privacy considered.
concerns, have decided to further motivate business and Breach notification is indirectly focused on data protec-
government in this area via laws, regulations and industry tion by requiring disclosure of data breaches—or in some
standards. The majority of these compliance obligations cases, simply the suspicion of a data breach—to those
focus on protecting data related to individuals (maintaining impacted individuals. Trying to avoid the potential impact
privacy, protecting identities) and businesses (prevent- on brand and reputation provides additional motivation for
ing industrial espionage, maintaining continuity of critical a business to prevent the breaches from happening in the
services). In some cases the compliance obligations are first place by utilizing various data protection techniques.
directed at the computing systems themselves, placing Two additional elements of the mandate for data protec-
emphasis on maintaining system availability and protecting tion are external threats and internal change. External
system data. threats continue to evolve into increasingly sophisticated
Examples of compliance obligations

Compliance Item Primary Locale Industry Data Focus


UK Data Protection Act United Kingdom All Customer Data
Data Protection Directive European Union All Customer Data
Privacy and Electronic
Communications European Union All Customer Data
Federal Information
Security Management Act United States US Federal Agencies System Data
Privacy Act of 1974 United States US Federal Agencies Customer Data
Health Insurance
Portability Act United States Health Customer data (Health Care)
HITECH Act United States Health Customer Data (Health Care)
Customer Data (Identity
Identity Theft Red Flags Rule United States Financial Information)
Customer Data (Financial
Gramm-Leach-Bliley Act United States Financial Information)
Customer Data
Payment Card Industry Firms that are part of the (Cardholder and Sensitive
Data Security Standard All credit card processing cycle Authentication Data)

Data Protection 2.0: It’s Not Just Names and Numbers Anymore | WHITE PAPER | 5
forms including advanced persistent threats, new forms of Improved data protection can also enable better and
phishing and social engineering via new messaging chan- faster internal decision making when data such as process
nels, and targeted, adaptive malware. Internally, business metrics, internal trends and external trends is shared with
needs that include the continued demands for sharing data confidence across an organization. Competitive positioning
with partners and leveraging the financial benefits of cloud can also be enhanced via improved trust relationships with
computing drive the further erosion of the organization’s customers, employees, partners and suppliers.
network perimeter. The combination of compliance, external Finally, improved data protection as it applies to system
threats and internal change create an extremely challenging data can improve the overall security and operational pos-
environment for data protection. ture of an organization. As noted in Visible Ops Security7,
by protecting configuration data and settings via restricted

More Than a Mandate—Data system access and more rigorous change control, systems
become more secure and more stable.
Protection as a Business
Enabler Tripwire VIA Applied to Data
Compliance with laws and regulations forces businesses and
Protection
their information security programs to implement specific
Although people and process are critical elements of any
aspects of data protection following some level of prescribed
security solution, technology is often the key to making a
guidance. As the number of compliance obligations grows,
solution more timely, more accurate and scalable. How can
security programs find themselves being driven into a reac-
technology help? While some technologies aim to protect
tive mode by a nearly continuous stream of internal and
customer and internal data (encryption-based tools and
external audits related to compliance and the corresponding
data loss prevention systems) and many protect systems
audit findings. This compliance-driven approach to security
(firewalls, IDS, IPS, anti-virus), fewer address the problems
is typically a piecemeal, bottom-up approach that is rarely
specifically associated with protecting system data. And in
efficient or effective.
a world with a rapidly disappearing perimeter, a focus on
What if data protection was used as an overall objective
protecting system data provides a needed, critical layer of
for a security program and driven top down in a proac-
defense.
tive manner? The first effect might actually be improved
A good example of technology to deal with protection
compliance with less pain. A security program driven by
of system data is the Tripwire® VIA™ suite. The emphasis
maintaining the confidentiality, integrity and availability
of this suite is to provide the visibility, intelligence and
of data at the appropriate levels will meet most of its com-
automation that IT security and IT operations need to
pliance obligations, leaving only occasional exceptions to
detect and analyze system changes—both malicious and
address.
accidental—that could ultimately impact data protection
It is intriguing to also consider that improved data
objectives. The Tripwire VIA suite combines information
protection can add value as a business enabler, unlike com-
from Tripwire® Enterprise and Tripwire® Log Center in a way
pliance-related activities that generally add no value to the
that rapidly identifies vulnerabilities from non-secure or
business. From a customer-facing perspective, improved data
non-compliant configurations as well as any resulting data
protection can lead to the development of new products
breaches. By automatically correlating change and configu-
and services. A great example is online banking, a service
ration data from Tripwire Enterprise with the log and event
that many banking customers use and greatly appreciate,
data from Tripwire Log Center, the Tripwire VIA suite pro-
but that is only feasible with the appropriate levels of data
vides visibility across these silos of system data.
protection.

6 | WHITE PAPER | Data Protection 2.0: It’s Not Just Names and Numbers Anymore
Specifically, the Tripwire VIA suite: or she can immediately remediate the problem using the
• Assures system integrity at all times; Tripwire Remediation Manager module.

• Assesses configurations against policies, best practices • Advanced persistent threat—One of the characteristics
and regulatory mandates; of an advanced persistent threat is the use of a “low and
slow” technique to breach a system. A typical example of
• Remediates any configuration errors, patch vulnerabilities,
an attempt to access a database of sensitive data might
and security policy shortfalls on demand;
be as follows. First, the attacker scans the system look-
• Combines log and event data with real-time change data
ing for a vulnerability related to an unpatched system.
to immediately reveal events of interest that impact poli-
Finding an opening, the attacker uploads a small text
cy or threaten data protection;
file to see if this is detected. If not, a tool to assist in
• Supports data breach investigation by providing access the upload of software is installed. Following this, a
from a Tripwire console to log and event data related to a database upload tool is installed and a small amount of
file or configuration change; data is extracted and transferred to an external server
• Offers global search capabilities to identify patterns of controlled by the attacker. Finally, the entire targeted
activity and threats to data that might relate to specific data set is copied to the external server. All of this
system changes; occurs over a period of several months with gaps of a few
• Provides visibility to downstream impacts of a given weeks between steps. Using the combination of Tripwire
change, such as all changes or events associated with the Enterprise to detect the upload of the text file, with fire-
addition of unauthorized users; and wall log and system event data from Tripwire Log Center,
the organization detects the attack early, before any sen-
• Enables instant audit logging across Tripwire Enterprise-
sitive data is compromised.
monitored infrastructure without installing additional
code on individual systems. This ability to correlate change and configuration data with
log and event data ensures data protection by identifying
and helping to remediate vulnerabilities before they are
The Tripwire VIA Suite in exploited. And by detecting breaches much sooner, organi-
Action zations are able to minimize the time from detection of a
vulnerability to exploitation, potentially eliminating com-
Noted here are two examples of how the Tripwire VIA
promises of sensitive data.
suite contributes to the protection of data in a complex IT
environment.
• Accidental configuration change—If an alert is generated The Future of Data Protection
that a server has failed a PCI DSS compliance policy test So far the past and present of data protection have been
due to an FTP port being opened, the following actions discussed with just a glimpse into the future by acknowl-
can be taken. First, Tripwire Enterprise is used to test the edging the exponential increase in the volume and types of
failure against the policy. Then using Tripwire Log Center, data. What might the future of data protection look like?
the investigator can toggle back and forth between a Here are a few thoughts:
complete history of versions and changes in Tripwire Log • It is clear that the future will include more customer,
Center, revealing potential attack footprints and aligning internal and system data, in more locations, with more
them with any actual permission changes in the system. replication (as noted in the previously referenced IDC
If the investigator sees something that resembles an report.) Having visibility of the current status, locations
attack or a configuration error that puts data at risk, he and change activity related to data will help make the
Digital Universe more manageable and secure.

Data Protection 2.0: It’s Not Just Names and Numbers Anymore | WHITE PAPER | 7
• Protecting data irrespective of its location will enable the noted that only 4 percent of the breaches in their caseload
distribution of data while maintaining the required level required preventative measures that were “difficult and
of protection. In other words, intelligent controls for data expensive.”8 So even as some attacks become more complex,
protection should follow the data instead of being depen- the basics of data protection are still relevant.
dent upon the data’s current environment to provide the • Integrated requirements—Identify and consolidate all
controls. This approach becomes even more important as relevant obligations for data protection compliance.
data is transferred through and stored in clouds that may
• Situational awareness—Establish a situational aware-
have inadequate security controls relative to a particular
ness process for monitoring external threats and internal
type of data.
changes to the business that could have an impact on
• More emphasis on recognizing patterns of acceptable and data protection.
unacceptable user and system behavior will be necessary.
• Critical data inventory—Inventory and track the locations
Instead of implementing exponentially increasing volumes
of critical data, how it is being used and by whom.
of specific signatures, a behavioral-based approach can
• Risk assessment—Assess data protection controls (peo-
make monitoring, detection and response more scalable,
ple, process and technology) against compliance obliga-
further enhancing data protection. Some behavioral-
tions, external threats and internal business needs.
based solutions are in place already, but expanding this
approach to data protection will become increasingly • Mitigation and measurement—Update controls as needed
important. and use metrics to determine the efficiency and effective-
ness of data protection controls. Treat system data with
• With security professionals and hackers in a constantly
the same care as customer and internal data.
escalating battle, it seems that development of data
protection controls that can automatically adapt to new If data protection is once again used as a primary objec-
situations would make systems self-healing and more tive for information security programs, IT organizations will
resilient. This is an area of research that deserves more increase their ability to reduce compliance burdens, improve
attention. customer relationships, and introduce new products and
services.
In other words, pushing the concepts of the Tripwire VIA
suite—visibility, intelligence and automation—even further 1 2010 Digital Universe Study, Version: 4-26-2010, page 1, IDC
could lead to some very interesting and effective improve- http://gigaom.files.wordpress.com/2010/05/2010-
ments in data protection. digital-universe-iview_5-4-10.pdf
2 Computer Security Basics, Deborah Russell and G. T. Gangemi
Sr., page 28 (Sebastopol, CA: O’Reilly & Associates) 1992.

Final thoughts 3 http://en.wikipedia.org/wiki/History_of_the_Internet


4 2010 Digital Universe Study, Version: 4-26-2010, pages 1, 4, 10, 11, IDC
A renewed focus on data protection is really a trip back to
http://gigaom.files.wordpress.com/2010/05/2010-
the roots of information security and a reasonable approach digital-universe-iview_5-4-10.pdf
for the future. This statement is especially true for a 5 2010 Data Breach Investigations Report, pages 29 and 52.

future that includes clouds of storage and processing where http://www.verizonbusiness.com/resources/reports/


rp_2010-data-breach-report_en_xg.pdf
networks, platforms and applications are combined into
6 <http://www.ncsl.org/Default.aspx?TabId=13489>
remote services that may not be owned or controlled by the 7 Visible Ops Security, Gene Kim, et al, pages 26-38,
enterprise. (Eugene, OR, IT Process Institute 2008.

As a takeaway, the following five elements, or “Data 8 2010 Data Breach Investigations Report, page 56.
http://www.verizonbusiness.com/resources/reports/
Protection 101,” should be applied with new vigor to the
rp_2010-data-breach-report_en_xg.pdf
“data protection 2.0” world. Although these are fairly
simple and intuitive actions to take, the Verizon report

8 | WHITE PAPER | Data Protection 2.0: It’s Not Just Names and Numbers Anymore
ABOUT TRIPWIRE
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and
government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated
solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive
suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way
organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through
Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.

©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPDP1a

You might also like