1 10527 Tripwire Data Protection 2 0 WP
WHITE PAPER
Introduction
CISOs and their security programs face nearly overwhelming pressure to take a renewed focus on data protection. The external forces of advanced threats and a multitude of compliance obligations, combined with the internal forces of new business initiatives, lead to a complex set of data protection requirements. These requirements are then overlaid on an explosion in the volume of data generated and a variety of locations where that data may reside. And if that’s not enough, the scope of data to be protected includes not only customer data, but internal data and system data as well.

A vigorous focus on data protection by the information security industry and a migration of organizational CISOs toward an information-centric approach can be traced back to early 2007. At the February 2007 RSA Conference, leaders of two of the largest security vendors began to bang the drum for a data protection mandate in their keynote presentations. Both speakers highlighted the need for a deliberate focus on protecting data—as opposed to a focus on protecting systems—to address a rapidly disappearing perimeter. Their views reverberated then, and can still be felt today.

Driven by expanding compliance obligations, increasingly sophisticated external threats and ever-changing business requirements, organizations are rediscovering the foundational concepts of information security—objectives that focus on the protection of data. By its most literal definition “information security” means the protection of data. But today both the volume and scope of the data to be protected are much greater.

In terms of the sheer volumes of data to be protected, from 2009 to 2020 the amount of data in the ‘Digital Universe’ is expected to grow by a factor of 44 times to 35 trillion gigabytes.[1] And although identity, financial account and credit card data are the most sought after—even surpassing illicit drugs as organized crime’s most desirable commodity—the compromise of system data (configurations, settings and log files) can be the gateway for access to this data. In terms of data scope, clearly system data needs to be on the radar for protection.

From the beginning of the modern era of information security in the late 1960s, information security has evolved to include protection of computing platforms, applications and networks, with the focus on data protection becoming somewhat diluted. Certainly computer, application and network security are key contributors to information security, but businesses should not lose sight of the fact that one of the main reasons computers, applications and networks are protected is to safeguard the data that is being stored and processed.

Corporate security teams who build a security program around a clear objective such as data protection will tend to have better focus, clearer direction and a faster path to identifying threats and vulnerabilities before data is compromised. Just as in problem solving, where root-cause analysis provides better focus, a root objective such as data protection can be useful in driving security initiatives and providing improved focus for a security program.

Even if a particular security initiative is specific to one particular aspect of information security, such as protecting a network, the justification and objectives for that initiative can always be traced back to data protection. Recognizing data protection as the underlying objective for information security programs and initiatives allows IT Security, Compliance and Operations teams to better align with a bridge-building end goal—protecting the business and its customers.

The remainder of this paper provides an overview of the data protection challenges CISOs face and suggests a sequence of five actions to take to address these challenges.
2 | WHITE PAPER | Data Protection 2.0: It’s Not Just Names and Numbers Anymore
The Evolution of Information Security
The Pervasiveness of Data
Compliance Obligations, External Threats and Internal Change—A Data Protection Mandate

Protecting data has always been the right thing to do. But various government and industry entities, prompted by instances of large data breaches and growing user privacy concerns, have decided to further motivate business and government in this area via laws, regulations and industry standards. The majority of these compliance obligations focus on protecting data related to individuals (maintaining privacy, protecting identities) and businesses (preventing industrial espionage, maintaining continuity of critical services). In some cases the compliance obligations are directed at the computing systems themselves, placing emphasis on maintaining system availability and protecting system data.

Another facet of compliance is the body of laws related to breach notification. The first breach notification law was passed in 2003 (California SB 1386) in response to concerns about the rise in identity theft. Following California’s lead, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information (as of April 12, 2010).[6] A US federal law is also being considered.

Breach notification is indirectly focused on data protection by requiring disclosure of data breaches—or in some cases, simply the suspicion of a data breach—to those impacted individuals. Trying to avoid the potential impact on brand and reputation provides additional motivation for a business to prevent the breaches from happening in the first place by utilizing various data protection techniques.

Two additional elements of the mandate for data protection are external threats and internal change. External threats continue to evolve into increasingly sophisticated
Examples of compliance obligations
forms including advanced persistent threats, new forms of phishing and social engineering via new messaging channels, and targeted, adaptive malware. Internally, business needs that include the continued demands for sharing data with partners and leveraging the financial benefits of cloud computing drive the further erosion of the organization’s network perimeter. The combination of compliance, external threats and internal change creates an extremely challenging environment for data protection.

More Than a Mandate—Data Protection as a Business Enabler

Compliance with laws and regulations forces businesses and their information security programs to implement specific aspects of data protection following some level of prescribed guidance. As the number of compliance obligations grows, security programs find themselves being driven into a reactive mode by a nearly continuous stream of internal and external audits related to compliance and the corresponding audit findings. This compliance-driven approach to security is typically a piecemeal, bottom-up approach that is rarely efficient or effective.

What if data protection was used as an overall objective for a security program and driven top down in a proactive manner? The first effect might actually be improved compliance with less pain. A security program driven by maintaining the confidentiality, integrity and availability of data at the appropriate levels will meet most of its compliance obligations, leaving only occasional exceptions to address.

It is intriguing to also consider that improved data protection can add value as a business enabler, unlike compliance-related activities that generally add no value to the business. From a customer-facing perspective, improved data protection can lead to the development of new products and services. A great example is online banking, a service that many banking customers use and greatly appreciate, but that is only feasible with the appropriate levels of data protection.

Improved data protection can also enable better and faster internal decision making when data such as process metrics, internal trends and external trends is shared with confidence across an organization. Competitive positioning can also be enhanced via improved trust relationships with customers, employees, partners and suppliers.

Finally, improved data protection as it applies to system data can improve the overall security and operational posture of an organization. As noted in Visible Ops Security[7], by protecting configuration data and settings via restricted system access and more rigorous change control, systems become more secure and more stable.

Tripwire VIA Applied to Data Protection

Although people and process are critical elements of any security solution, technology is often the key to making a solution more timely, more accurate and scalable. How can technology help? While some technologies aim to protect customer and internal data (encryption-based tools and data loss prevention systems) and many protect systems (firewalls, IDS, IPS, anti-virus), fewer address the problems specifically associated with protecting system data. And in a world with a rapidly disappearing perimeter, a focus on protecting system data provides a needed, critical layer of defense.

A good example of technology to deal with protection of system data is the Tripwire® VIA™ suite. The emphasis of this suite is to provide the visibility, intelligence and automation that IT security and IT operations need to detect and analyze system changes—both malicious and accidental—that could ultimately impact data protection objectives. The Tripwire VIA suite combines information from Tripwire® Enterprise and Tripwire® Log Center in a way that rapidly identifies vulnerabilities from non-secure or non-compliant configurations as well as any resulting data breaches. By automatically correlating change and configuration data from Tripwire Enterprise with the log and event data from Tripwire Log Center, the Tripwire VIA suite provides visibility across these silos of system data.
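The correlation idea the paper describes here, change and configuration records from one source lined up against log and event data from another to surface "events of interest", can be sketched in a few dozen lines. What follows is an added example written for this edition of the paper; it is not Tripwire code and uses no Tripwire API. The hosts, file paths, timestamps and log lines are constructed, and the single policy rule (a listening FTP port fails a PCI DSS policy, modelled on the accidental-change scenario the paper uses later) is an assumption, not a real Tripwire policy definition. It also goes slightly beyond the text by showing how the correlation window must be widened for the paper's "low and slow" case.

```python
"""Added example: correlate change records with log events to surface events of interest.

Not Tripwire code; every record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeRecord:
    """One detected change, as a file-integrity / configuration monitor would report it."""
    host: str
    ts: datetime
    kind: str     # "file_added", "file_modified" or "config_changed"
    detail: str   # file path, or "setting=value" for configuration changes


@dataclass(frozen=True)
class LogEvent:
    """One line from a log or event source (firewall, auth, system)."""
    host: str
    ts: datetime
    source: str
    message: str


# Assumed policy rule, modelled on the paper's PCI DSS example: a listening FTP port fails policy.
PROHIBITED_LISTEN_PORTS = {21: "FTP listener prohibited by PCI DSS policy (assumed rule)"}
DEFAULT_WINDOW = timedelta(hours=1)        # tight window: change followed quickly by an event
LOW_AND_SLOW_WINDOW = timedelta(days=30)   # wide window for attacks that pause between steps

# Constructed sample data: a stray file in a web root, a database host opening FTP weeks later,
# then a second web-root file that is immediately followed by an outbound connection.
CHANGES = [
    ChangeRecord("web01", datetime(2010, 3, 1, 2, 15), "file_added", "/var/www/html/.tmp/x.txt"),
    ChangeRecord("db01", datetime(2010, 3, 20, 1, 40), "config_changed", "listen_port=21"),
    ChangeRecord("web01", datetime(2010, 3, 22, 3, 5), "file_added", "/var/www/html/upload.php"),
]
EVENTS = [
    LogEvent("web01", datetime(2010, 3, 1, 9, 0), "system", "cron: logrotate completed"),
    LogEvent("db01", datetime(2010, 3, 20, 1, 41), "auth", "session opened for user ftp"),
    LogEvent("web01", datetime(2010, 3, 22, 3, 7), "firewall",
             "ALLOW OUT src=10.0.0.5 dst=203.0.113.9 dport=443"),
]


def policy_failures(changes):
    """Assess configuration changes against the policy; returns (change, reason) pairs."""
    failures = []
    for change in changes:
        if change.kind == "config_changed" and change.detail.startswith("listen_port="):
            port = int(change.detail.split("=", 1)[1])
            if port in PROHIBITED_LISTEN_PORTS:
                failures.append((change, PROHIBITED_LISTEN_PORTS[port]))
    return failures


def correlate(changes, events, window=DEFAULT_WINDOW):
    """Pair each change with the log events seen on the same host within `window` after it."""
    findings = []
    for change in sorted(changes, key=lambda c: c.ts):
        related = [e for e in events
                   if e.host == change.host and change.ts <= e.ts <= change.ts + window]
        if related:
            findings.append((change, related))
    return findings


def events_of_interest(changes, events, window=DEFAULT_WINDOW):
    """Combine both views: policy failures, plus new files followed by outbound traffic."""
    interesting = []
    for change, reason in policy_failures(changes):
        interesting.append({"host": change.host, "change": change.detail, "why": reason})
    for change, related in correlate(changes, events, window):
        for event in related:
            if (change.kind == "file_added" and event.source == "firewall"
                    and "ALLOW OUT" in event.message):
                interesting.append({"host": change.host, "change": change.detail,
                                    "why": "new file followed by outbound connection: "
                                           + event.message})
    return interesting


if __name__ == "__main__":
    for finding in events_of_interest(CHANGES, EVENTS):
        print(f"{finding['host']}: {finding['change']} -> {finding['why']}")
```

With the one-hour default window the run reports two findings: the FTP listener on `db01` (a policy failure regardless of any log line) and `upload.php` on `web01` followed two minutes later by an outbound connection. The earlier `.tmp/x.txt` file is silent at that window because the matching firewall event is three weeks later; passing `LOW_AND_SLOW_WINDOW` instead surfaces it as a third finding, which is the trade-off a team tuning this kind of correlation has to make: a wide window catches paced attacks but raises the number of benign pairings an investigator must look through.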
Specifically, the Tripwire VIA suite:
• Assures system integrity at all times;
• Assesses configurations against policies, best practices and regulatory mandates;
• Remediates any configuration errors, patch vulnerabilities, and security policy shortfalls on demand;
• Combines log and event data with real-time change data to immediately reveal events of interest that impact policy or threaten data protection;
• Supports data breach investigation by providing access from a Tripwire console to log and event data related to a file or configuration change;
• Offers global search capabilities to identify patterns of activity and threats to data that might relate to specific system changes;
• Provides visibility to downstream impacts of a given change, such as all changes or events associated with the addition of unauthorized users; and
• Enables instant audit logging across Tripwire Enterprise-monitored infrastructure without installing additional code on individual systems.

The Tripwire VIA Suite in Action

Noted here are two examples of how the Tripwire VIA suite contributes to the protection of data in a complex IT environment.
• Accidental configuration change—If an alert is generated that a server has failed a PCI DSS compliance policy test due to an FTP port being opened, the following actions can be taken. First, Tripwire Enterprise is used to test the failure against the policy. Then using Tripwire Log Center, the investigator can toggle back and forth between a complete history of versions and changes in Tripwire Log Center, revealing potential attack footprints and aligning them with any actual permission changes in the system. If the investigator sees something that resembles an attack or a configuration error that puts data at risk, he or she can immediately remediate the problem using the Tripwire Remediation Manager module.
• Advanced persistent threat—One of the characteristics of an advanced persistent threat is the use of a “low and slow” technique to breach a system. A typical example of an attempt to access a database of sensitive data might be as follows. First, the attacker scans the system looking for a vulnerability related to an unpatched system. Finding an opening, the attacker uploads a small text file to see if this is detected. If not, a tool to assist in the upload of software is installed. Following this, a database upload tool is installed and a small amount of data is extracted and transferred to an external server controlled by the attacker. Finally, the entire targeted data set is copied to the external server. All of this occurs over a period of several months with gaps of a few weeks between steps. Using the combination of Tripwire Enterprise to detect the upload of the text file, with firewall log and system event data from Tripwire Log Center, the organization detects the attack early, before any sensitive data is compromised.

This ability to correlate change and configuration data with log and event data ensures data protection by identifying and helping to remediate vulnerabilities before they are exploited. And by detecting breaches much sooner, organizations are able to minimize the time from detection of a vulnerability to exploitation, potentially eliminating compromises of sensitive data.

The Future of Data Protection

So far the past and present of data protection have been discussed with just a glimpse into the future by acknowledging the exponential increase in the volume and types of data. What might the future of data protection look like? Here are a few thoughts:
• It is clear that the future will include more customer, internal and system data, in more locations, with more replication (as noted in the previously referenced IDC report). Having visibility of the current status, locations and change activity related to data will help make the Digital Universe more manageable and secure.
• Protecting data irrespective of its location will enable the distribution of data while maintaining the required level of protection. In other words, intelligent controls for data protection should follow the data instead of being dependent upon the data’s current environment to provide the controls. This approach becomes even more important as data is transferred through and stored in clouds that may have inadequate security controls relative to a particular type of data.
• More emphasis on recognizing patterns of acceptable and unacceptable user and system behavior will be necessary. Instead of implementing exponentially increasing volumes of specific signatures, a behavioral-based approach can make monitoring, detection and response more scalable, further enhancing data protection. Some behavioral-based solutions are in place already, but expanding this approach to data protection will become increasingly important.
• With security professionals and hackers in a constantly escalating battle, it seems that development of data protection controls that can automatically adapt to new situations would make systems self-healing and more resilient. This is an area of research that deserves more attention.

In other words, pushing the concepts of the Tripwire VIA suite—visibility, intelligence and automation—even further could lead to some very interesting and effective improvements in data protection.

As a takeaway, the following five elements, or “Data Protection 101,” should be applied with new vigor to the “data protection 2.0” world. Although these are fairly simple and intuitive actions to take, the Verizon report noted that only 4 percent of the breaches in their caseload required preventative measures that were “difficult and expensive.”[8] So even as some attacks become more complex, the basics of data protection are still relevant.
• Integrated requirements—Identify and consolidate all relevant obligations for data protection compliance.
• Situational awareness—Establish a situational awareness process for monitoring external threats and internal changes to the business that could have an impact on data protection.
• Critical data inventory—Inventory and track the locations of critical data, how it is being used and by whom.
• Risk assessment—Assess data protection controls (people, process and technology) against compliance obligations, external threats and internal business needs.
• Mitigation and measurement—Update controls as needed and use metrics to determine the efficiency and effectiveness of data protection controls. Treat system data with the same care as customer and internal data.

If data protection is once again used as a primary objective for information security programs, IT organizations will increase their ability to reduce compliance burdens, improve customer relationships, and introduce new products and services.

[1] 2010 Digital Universe Study, Version: 4-26-2010, page 1, IDC. http://gigaom.files.wordpress.com/2010/05/2010-digital-universe-iview_5-4-10.pdf
[2] Computer Security Basics, Deborah Russell and G. T. Gangemi Sr., page 28 (Sebastopol, CA: O’Reilly & Associates) 1992.
[8] 2010 Data Breach Investigations Report, page 56. http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
ABOUT TRIPWIRE
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and
government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated
solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive
suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way
organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through
Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.
©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPDP1a