Enterprise Data Security Breaches: Experts on How Companies Can Protect Themselves From Big Data Breaches
Most businesses today are well aware of the need to have a comprehensive data security strategy to protect themselves, their employees and their customers from various security threats. And fortunately for many small to medium sized businesses, due to their size and simpler business structures, a standard data security plan will be enough to accomplish their data security needs.
However, the same cannot necessarily be said about enterprise-level organizations, which tend to have much more complex business structures. Enterprise-level organizations often have structural challenges that other smaller businesses usually do not encounter, such as widely diverse clientele, multiple products and services offered across geographical locations, discrete internal departments or organizational units, and most importantly, significantly more business data.
Since Digital Guardian provides data security solutions for organizations with complex business needs, we wanted to focus this post on big data security for enterprise-level businesses. We wanted to hear what data security experts from across the industry consider to be the best big data security breach protection strategy for enterprise-level organizations. To do this, we asked 24 data security experts to answer this question:
"What's the #1 way an enterprise level-organization can protect itself from a big data security breach?"
We've collected and compiled their expert advice into this comprehensive guide on enterprise-level big data security protection. See what our experts said below:
Meet Our Panel of Data Security Experts:
Gunter Ollman is the CTO of NCC Group's Domain Services and has almost three decades of experience in information security. During that time, Gunter has worked for a number of companies including IBM Internet Security Systems and IOActive, in a variety of cyber security consultancy and research roles in areas such as semiconductor security, hardware reverse engineering and hacking devices in the Internet of Things.
Unfortunately there is no single thing an organization can do to protect themselves and their customers data from a breach. There are, however, a number of things that when combined, work together in limiting the value of the data that could be stolen:
- Trace each step and process within the organization that collects, views, and manipulates personal and confidential data, and ensure that it is encrypted at each point (preferably at the source).
- Any sensitive data that must be stored or is "at rest" needs to be encrypted and the keys can't be stored at the same location as the data.
- All access and manipulation of data must be logged. These logs must be audited regularly (on a weekly or less period), and ideally the logs should be automatically monitored by anomaly detection systems for inappropriate usage and unexpected patterns.
- Use automated scanning technology to constantly monitor the network and applications for vulnerabilities and malware.
- Monitor network egress for anomalies in traffic (in particular large files going to poor reputation or unverified IP addresses).
- Create a number of "false flag" data repositories or seed your data storage systems with records that will automatically alert your security team if they are accessed by anyone or any system within the organization, and utilize web search engines to frequently query the unique seed data to identify public leaks.
Russell Glass is the Head of Marketing Products for LinkedIn. A seasoned technology entrepreneur, Russ founded and then served as president and CEO of Bizo, a B2B audience marketing and data platform, which was acquired for $175 million by LinkedIn in 2014. Russ has also founded or held senior positions at four venture-backed technology companies. He is a big believer that great cultures equal great companies, and has integrated this philosophy into all of his roles.
Despite data security breaches potentially costing tens of millions of dollars - not to mention the public relations cost - far too many businesses are lackadaisical in their data security practices. The number one way that corporations can protect themselves from data security breaches is to...
Acknowledge the seriousness of the issue and to redouble their commitment to protecting the consumer information in their databases.
Corporations have sensitive data on consumers: credit card numbers, Social Security numbers, healthcare histories. There is a social contract between consumers and the companies they do business with that this personal data will be secure. Too often, this is not the case. A study by Verizon and the U.S. Secret Service Agency found that almost 90 percent of the companies that experienced a data breach in 2010 were not in compliance with the Payment Card Industry Data Security Standard.
Companies need to commit to mastering the basics to protect the data consumers have entrusted them with: businesses must patch and secure the databases, give only select employees access, and place the databases behind firewalls. They also need to encrypt and tokenize the individual data behind the firewall. Corporations must commit to constantly improving and refining security efforts, because the cybercriminals are constantly honing their skills in this computer security arms race.
As part of their elevated commitment to security, businesses should also join together to ask for legislation to help ensure improved data security. This legislation should make the penalties tougher for companies that don't meet data security standards. It should also raise the penalties for cybercriminals.
As Todd Davis, CEO of Lifelock, has pointed out, cybercriminals receive mild sentences compared with bank robbers, for committing essentially the same crime. "That's crazy," Davis said. "We don't have the right deterrents in place."
Steve Durbin is the Managing Director of the Information Security Forum. Mr. Durbin's main areas of focus include the emerging security threat landscape, cyber security, BYOD, big data, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
The massive volume of data that businesses are collecting, including financial transactions, location-based data and customer interactions, is growing exponentially. Problems addressed by big data analytics are those for which insights and answers arise from analysis of vast, complex or disparate data sources. This is my advice for how enterprise level organizations can protect themselves from a big data security breach...
Executives tasked with managing company data must find the delicate balance between everyday data management tasks and effectively leveraging data through both analytics and analysis.
The promise of actionable insight from data isn't new - business intelligence and other analysis capabilities have long been present in many organizations. What is new is the rate at which data is growing, the way the data is changing and the demands being placed upon it. With the capability to properly analyze threats, risks and incidents from a wide array of data sources, the insight from big data analytics helps executives and boards better manage the risk/reward balance in cyberspace.
As big data continues to be a game-changer for businesses, the security risks have become even greater. Users are becoming alarmed about how much data is being collected, with whom the data is being shared and how it is being used. There is a clear need for better engagement among key stakeholders and joined-up thinking throughout organizations with the adoption of clear guidelines and best practice on the usage, storage and transfer of data both inside and outside the business.
Executives and boards want to balance the risks and rewards of operating in cyberspace by ensuring that their investment in information security and cyber security is appropriate to manage and mitigate the risks. As the use of big data analytics increases, the range of data sources will spread. One of the key messages that I would like to get across is that big data analytics is not just about log analysis; it is about seeing a wider picture.
Organizations need to approach the data differently, looking for connections between different data sources and regularly questioning whether there is another data source that could add further value. This activity requires the intervention of skilled individuals who understand both the data available and the objectives of the analysis.
One of the major issues with big data is the volume of data that is being added to the data set each day. While organizations are benefiting from the reduced cost of storage the benefit may be outweighed by the rapid expansion in the volume of data. In order to balance the business benefits of big data analytics with the cost of storage, organizations need to regularly review the data that they are collecting, why and for how long they need it, and where and how they store it.
Mark Shelhart is the Senior Manager of Forensics and Incident Response on Sikich LLP's security and compliance team. Mark has more than 15 years of experience in consulting, information technology, e-discovery and incident response. He is a Core Forensic Investigator (CFI), Certified Information Systems Security Professional (CISSP) and a Payment Card Industry Qualified Security Assessor (QSA).
It's easy to get caught up in trying to purchase all of the best IT security technology solutions money can buy. However, what makes a bigger difference in big data security protection than purchasing the newest and best technology is...
Correctly implementing and protecting the technology you have.
Rather than purchasing the most expensive security incident and event management (SIEM) software, focus on attainable yet important goals, like deploying anti-virus software on devices, including those employees bring into your environment.
If it's not possible to implement your organizational security controls on all devices, your best bet is to deny or segment those devices from your network. By removing potentially insecure devices from the scope of your network, you limit your risk surface for a breach.
Recent breach reports illustrate what's long been known in the security industry (and most certainly by attackers) – the human element is often the weakest link in the security chain. Because of this, it's important to focus on providing thorough and periodic security awareness training for your entire staff, and not just those working in IT or handling sensitive data. Whether it's phishing emails or phone calls, unidentified individuals circumventing physical security or just the mishandling of sensitive data, employees can't know how to address security issues if they haven't received appropriate training on how to identify them. Investing in security awareness training can provide a greater return on investment than purchasing automated monitoring solutions, as you're focusing on strengthening the weakest link.
By focusing first on the lowest hanging fruit (e.g., anti-virus deployment), properly segmenting your network to reduce scope and enhancing security awareness training programs, you better position your organization to defend against potential attacks. If you have the budget to purchase bigger and better security solutions, your solid security foundation should augment the protection that properly implementing these solutions could bring.
Darren Guccione is the CEO and Co-Founder of Keeper Security, a secure, simple way to store and access passwords and private information. Keeper is a zero knowledge, security platform and is the most secure (256-bit AES, PBKDF2, SOC-2 certified), ease-to-use, password manager and digital vault that uses military-grade encryption technology to securely store your website logins, passwords, financial information, documents, photos and videos. Currently, Keeper has 6 million users in 80 countries, offering Keeper in 17 different languages and, 5,000 businesses use Keeper including Chipotle and Nike. Keeper is the only password management company selected to be preloaded onto all AT&T android and windows devices.
The #1 way for an enterprise-level organization to protect itself from a data breach is to...
Ensure that a data-protection strategy is in place to guarantee that all sensitive data is encrypted, proper controls are in place to permit access to that data, and that the policy is consistently tested and audited for effectiveness in preventing data-loss from both external and internal threats.
Centralized management of enterprise-wide access, threat-detection systems, external and internal security auditing systems, and the ability to securely share sensitive information and credentials are all key components of an effective data-protection strategy for the enterprise.
Rick Moy is the VP Sales & Marketing at PacketSled and is a seasoned information security executive and entrepreneurial business leader with a proven track record in building successful organizations. He has over 18 years experience in product management, business development, and sales & marketing spanning security technologies including vulnerability and risk management, intrusion prevention, anti-malware, content filtering and SIEM. Mr. Moy is a respected authority in the field and has spoken and appeared in hundreds of print, online and television media. As Co-Founder & CEO of NSS Labs, Mr. Moy created the industry's leading test-based security research and analyst firm, serving as a trusted advisor to large enterprises. Mr. Moy has served in key roles at Websense (Vista), ESET, Protego Networks (Cisco), Preventsys (McAfee), Lucid Security (Trustwave), and HighTower (netForensics).
The #1 way for an enterprise-level organization to protect itself from a data breach is to...
Maintain proper organization of large amounts of data, and give proper access to their security analysts.
Most large enterprises have dozens of point products generating security alerts and logs feeding into a SIEM. However, analysts are not able to process these alerts quickly with enough context to determine what to act on. Too much data, not enough intelligence and relevant context.
A great example of this is the analysts at Target passed over the FireEye alerts about the malware because they were inundated. Analysts need access to full-context network data for the past 3 months. This will help them better identify, scope and remediate a growing threat before it spreads.
Mark Bower is Vice President of Product Management & Solution Architecture for Voltage Security and is a noted expert in data protection solutions.
The #1 way enterprises can protect themselves from big data breaches is...
By neutralizing their enterprise data to mitigate the effects of an inevitable data breach.
Organizations need to assume they are going to be breached at some point and take a different approach to breach risk. Attackers can run automated scans for weaknesses and known vulnerable software, quickly establishing virtual blue-prints of systems to define where to focus to steal the most valuable sensitive data. Attackers will conduct virtual raids through botnets or command and control centers, and their partners-in-crime will look to monetize the stolen information through fraud. It's a lucrative criminal business, and unfortunately, firewalls and traditional data-at-rest encryption won't do anything once the attackers or malware is inside live systems like databases as in this case.
The only way to mitigate this threat is to neutralize the data in the first place. Enterprises today must have a complete data protection strategy, using proven data encryption, tokenization and data de-identification approaches that protect the data itself, not just the data containers and network perimeters.
Fatih Karatash is the Co-Founder & Co-Ceo of SAASPASS, the world's easiest to use 2FA (Two Factor Authentication), and the Managing Director of AIS Advisors.
The single biggest thing most enterprises are not doing yet, which they can to protect against Data Breaches (Big Data or otherwise), is to...
Move to stronger authentication for access to those resources.
Everyone knows and has heard that two-step verification is a best practice, yet it's shocking how few actually employ it. There are numerous reasons for it, ranging from complexity, to cost, to a lack of understanding.
Many organizations fail to grasp its importance. They don't realize that more than 80% of breaches originate from breaches of static user credentials, and that simply deploying stronger authentication for Identity Management and Access Control can make them the higher hanging fruit, and less likely to be breached, or at least more difficult, and possibly give time to realize an attack is underway, and allow for proactive protective measures.
Additionally, many think that because they've bought some sophisticated firewalls, and have SSL, that they're safe. This is a fallacy, security is ever changing and dynamic. A setup that is safe today, may be rendered unsafe tomorrow as a result of new attack vectors. As such, it's critical to either have IT departments that try to stay on top of everything and react to them, or to have vendors that are value additive and do so for you.
David Lewison is Co-Leader of the AmWINS Financial Services National Practice, which includes cyber liability and other types of management and professional liability.
As cybercrimes happen more frequently, it's important for businesses to work with their insurance companies and safeguard against cyber risks. The level of preparation before a breach will impact the size of a regulatory fine and potentially help an insured avoid a fine altogether. When an organization can show the proactive steps it's taken, regulators have not necessarily handed out large fines for large breaches. Without effective preparation and documentation, it can mean that a smaller breach may spark a bigger punishment. Here are 6 tips for how companies can work with their insurance companies to lower their risk:
- Conduct training sessions - These can highlight best practices for handling sensitive information and minimize the risk of data breaches. They can also show employees how to monitor and respond to any red flags.
- Share guidebooks - These can be customized for an organization's size and risk, but they help companies develop and install theft-prevention programs that comply with the Red Flags Rule.
- Unleash professional hackers - This can expose your vulnerabilities and help bolster your security.
- Provide access to immediate triage - This list should include pre-approved attorneys, IT security staffers and experts in topics ranging from computer forensics and credit monitoring to public relations and law enforcement.
- Share news and best practices - This helps companies stay current on risks, security and compliance.
- Establish a hotline - Giving organizations a way to speak to an attorney who specializes in data breaches can be invaluable in determining whether there's a breach and the level of concern it warrants. This helps companies focus on both incident response and business continuity.
Chris Rouland is the Founder of Bastille Networks, which he founded in 2014 after more than 25 years in the information security industry. Most recently, Chris founded Endgame Systems, which provides cyber security solutions to the defense, civilian and national security communities. As founder and CEO of Endgame, in just three years, he grew the company from his basement to nearly 100 employees with offices in Washington, Atlanta and San Antonio and from revenues of $0 to more than $10 million. His innovation and leadership combined with Endgame's rapid growth, earned Chris the Metro Atlanta Chamber's Business Person of the Year in 2011. Prior to founding Endgame, Chris served as chief technology officer at Internet Security Systems Inc. (ISS) where he was responsible for the overall technical direction of its product and services portfolio. In 2006, IBM Corp. purchased ISS, where Chris remained CTO and was appointed an IBM Distinguished Engineer. A noted information security expert, Chris is a sought after speaker and has been featured in national publications, including Forbes and Wall Street Journal.
The #1 way enterprises can protect themselves from big data breaches is through...
The development of an Internet of Things (IoT) policy that balances individual privacy with the right of corporations to guard themselves from the threats that are increasing in frequency and sophistication.
As the proliferation of IoT reaches critical mass, tens of thousands of connected devices will come in and out of corporate airspace each and every day, without the enterprise knowing the totality of vulnerabilities, corruptions and exposures that are capable of breaching their critical data and infrastructure.
And while most corporate WiFi is well protected, many new IoT devices connect on more vulnerable wireless protocols, such as Zigbee and Bluetooth, allowing persistent aggressors and deviant hackers to invade networks with minimal risk of being caught until its too late. Most enterprises can use their Bring Your Own Device (BYOD) policy as a baseline to create an IoT policy that will protect their data and the data of their employees from breach.
Michael Ricotta is the Head of Development at Blue Fountain Media. An alumnus of The College of The Holy Cross, Michael began his career in BioPharmaceutical software while a student. Nine years later, he manages more than 30 people across more than 5 countries.
Perhaps the #1 way that an enterprise level organization can protect its data is to...
Eliminate the notion that there can be a #1 way to do so.
From a technical standpoint, a well-managed firewall might be an effective measure towards reducing brute force exploits and aimless malware but that doesn't necessarily protect a system from intelligent reconnaissance. A targeted attack needs only to prod a system for one of the infinite number of potential vulnerabilities, to succeed. Unfortunately targeted attacks are our primary concern. Simplistically, I could protect the system just by taking it offline but that defeats the purpose. Realistically, we should have a reactive effort with intrusion detection and an arduous proactive effort to cover vulnerabilities.
Assume the #1 way to secure a house is to lock the front door. A thief targets your home for invasion, finds all your other doors and windows open, no alarm system present, and your front door key publicly visible. Said thief hosts a Darwin award robbery party in honor of your negligence. Assuming that there's a specific action to address a generalized need for security was your biggest flaw. Everything is contextual, especially in a high-profile environment, and maintenance is crucial.
Arguably the greatest contributor to innovation is the necessity to adapt an object in response to its subjects' needs. This is at the core of a merchant's ability to convert. So when exploring how we adapt security to its subjects, the lack of attention is alarming. In recent cases of large data breaches, active negligence in maintaining IT practices were a causal factor. So if merchants are able to rapidly adapt their sales and marketing processes, to keep up with trends, one would expect they would put forth a similar effort with their customers' data.
Patrick Oliver Graf
Patrick Oliver Graf is CEO of NCP Engineering, and an industry veteran with more than 19 years of experience in technology product management. His company sells its remote-access VPNs to government agencies and other organizations, providing technology for fast, secure access to their network resources and communication of sensitive data.
An enterprise's best bet for fending off big data security breaches is...
A defense-in-depth strategy.
With a wealth of personally identifiable information, ever-growing corporate data stores are becoming an incredibly valuable target for hackers, which incentivizes them to exploit every possible flaw in an enterprise's network security. Taking multi-layered precautionary measures to mitigate the risks associated with corporate data is a must, because as cyberthreats become increasingly sophisticated, organizations can't rely on one security control method alone. Breaches are an inevitability, and a defense-in-depth approach is essential to ensuring redundancy if a security control fails or a vulnerability is exploited. Though breaches are not always easily detectible, planning for redundancy, will likely lessen the negative impact of the breach on the overall information technology system.
Greg Kleiman is the Director of Business Strategy at Red Hat. With more than 25 years as a technology innovator, he is responsible for the overall direction of big data across Red Hat's open source product portfolio with a focus on storage, middleware, and clouds architectures for enterprises. With a broad technology background in hardware, software, and services, Greg has led key company initiatives across product management, product marketing, business development, and sales organizations. He is a frequent speaker at IT conferences worldwide and covers topics such as storage, big data, and cloud.
The cost of cyber crime across the globe has already grown to $100 billion annually, not counting the intangible damage to enterprise and government security. In addition to the data loss and security breach, there is immeasurable, and sometimes irrevocable, damage to the brand. The only defense for most institutions is...
Analyzing machine data from firewalls and perimeter devices in real time to frequency and thwart - and predict - threats.
However, the amount of data to be stored and analyzed results in prohibitive cost when near real time, highly constrained by the rigidity of proprietary storage platforms. In addition, the lack of granularity in the machine data analytics available to IT and security administrators results in too much data and not enough information. This puts enterprises at great risk especially considering the regulatory compliance mandates on security.
Relevant data from across IT systems - routers, switches, firewalls, IPS, web proxy – have a story to tell about the confidentiality, integrity and the availability of your environments and is critical to investigations and continuous monitoring for situation awareness. However, the real ROI for security solutions lies in making them work together to provide a comprehensive view of the enterprise security posture. This combined, chronological view of all security-relevant data enables the security team to prioritize events and responses and effectively engage with IT operations and other areas of the business.
Michael Fimin is the CEO and Co-Founder of Netwrix, the #1 provider of change and configuration auditing solutions. Netwrix delivers complete visibility into who did what, when and where across the entire IT infrastructure.
The first thing I would recommend as a preventive measure against data breaches is...
Deploying a change auditing solution, allowing to analyze who did what, when and where across your IT infrastructure.
It will provide you with complete visibility across the entire IT infrastructure and notify you of any malicious changes. This will not save you from security violations, but will ensure complete visibility into what is going on across the entire IT infrastructure, helping to detect a breach at early stages, assisting during root-cause analysis, and therefore indicating weaknesses that you can fix to strengthen security of your IT infrastructure.
Robert W. Twitchell, Jr.
Robert W. Twitchell, Jr. is the Inventor of Dispersive Virtual Networking (DVN), the President and CEO of Dispersive Technologies, and Chair of the Board of Directors of Dispersive Networks. Bob has an extensive background in the wireless industry. He holds 94 granted patents with numerous others pending in wireless, GPS, networking and location technology. Bob is also a subject matter expert for the Department of Defense on mobile phones and cyber warfare.
I think there are three major things that enterprises can do to protect their big data from security breaches:
- They need to begin to consider security as a service rather than a cost. What do I mean by this? Well, a recent ZDNet survey showed that over 30% of the respondents disabled some firewall features and removed security features because they couldn't get the network performance their users needed with these features turned on. That's a problem - organizations are just asking to be hacked when they do this - but it's also a problem that their users can't do business with the security features enabled. So, it's time to find a different way, one that defines security as a service that actually enables users to conduct business in the timelines today's hyper-connect world mandates.
- Secondly, enterprises need to recognize that protecting data-in-motion is paramount; encryption is easily broken today, so enterprises need to look to additional measures that go beyond this.
- This brings me to point #3. Namely, enterprises need to treat the cyber domain as one that coexists with the radio frequency domain in what experts call the electromagnetic spectrum. If one thinks of the Internet this way, it becomes fairly obvious that techniques that have traditionally secured military RF communications are directly relevant to securing big data. Some of these technologies are commercially available and can make a big difference in whether a company's big data can be hacked or not. I'd encourage anyone seriously interested in protecting their data to implement some of these solutions; they will radically alter the playing field in favor of the good guys and spare some of the angst enterprises are experiencing today.
Jeff Frankel is the Executive Vice President and Principal at docSTAR, a B2B software firm specializing in cloud document management solutions. He has more than two decades experience in corporate business development, working with industry-leading firms including Authentidate Holding Corp, Med-Flash, Health Focus of NY, and Ernst & Young. Jeff offers innovative perspectives on streamlining business for improved efficiency and productivity.
As we've seen in the past few years, any company is vulnerable to cyber attacks. The time to develop your security plan is before an attack occurs. Start by...
Developing an in-depth security strategy.
Identify your organization's unique security requirements, processes and technology standards. Part of your security strategy should be a careful study of your security vulnerabilities so you can work to eliminate them. Vulnerabilities could include: security updates on individual devices as well as line of business applications. Once you understand your vulnerabilities, work to mitigate any existing threats, such as those caused by Malware which are invisible and allow hackers to gain access to your business critical information.
Once you have your security policy in place, it's important to fully test your policies and technologies to ensure their effectiveness - and make adjustments as necessary. This is not only a good policy – it is essential for protecting your organization and corporate officers from legal and compliance nightmares.
Your policy is only as good as the people and technology that are responsible for implementing it. Accountability and ownership across multiple business units ensure that "everyone" is adhering to the same policies and procedures. Security intelligence and analytics tools help further identify weaknesses and warn off potential threats. They can also assist your technical team with time and cost savings.
Jeff Harvey, Of Counsel at Klemchuk Kubasta LLP, is a business attorney and counselor with broad expertise in developing and supporting client-specific strategies that balance business, technical, and legal concerns to the maximum benefit of the firm's clients. Jeff understands the role and purpose of legal services to clients and provides comprehensive advice and tailored technical services in a value-added manner. Today, Jeff serves as legal and strategic advisor to clients of all sizes across many industries. Jeff teaches Business Law and Professional Responsibility in Utah State University's Masters of Accounting Program, assists and advises start-up companies and business incubators, moderates panel discussions of business and intellectual property experts and lectures on business formation and planning, entrepreneurship, intellectual property strategy, privacy and data preservation, and emerging topics such as the "internet of things" and "wirelessly connected assets".
The #1 way enterprises can protect themselves from big data breaches is...
To have and implement a comprehensive data security plan that aligns IT, HR, legal and compliance, among other functional areas.
The plan should begin with clear and detailed policies and practices for internal personnel and external contractors and vendors, which are communicated regularly and supported by appropriate training, audit and enforcement procedures.
Policies should include password protected access, limited to only relevant personnel for the specific function or activity. On and off site storage facilities, whether first or third-party, should include tier-one security, redundancy, back-up and fail-over systems with regular audits for compliance with domestic and international standards. Data should be encrypted and accessed only by strong password protocols combining letters, numbers and symbols with regular requirements to materially change passwords. All personnel, as a condition to hiring or engagement, should be required to execute acknowledgements of data security policies and procedures that include non-disclosure, non-solicitation and, under appropriate circumstances, non-competition covenants, as well as work-for-hire provisions and assignments of IP rights in favor of the enterprise.
Also, take special care with mobile devices to provide secure, exclusive areas for maintaining enterprise data, encrypted and password secured, separate and apart from any personal data, that can be unilaterally and remotely wiped in the event the relationship terminates. Bring-you-own-device is becoming more popular, but presents additional data security concerns where control and access can be limited.
Dr. Engin Kirda
Engin Kirda, PhD is Co-Founder and Chief Architect at Lastline, a global breach detection platform provider. He is also a computer science professor at the Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute. He previously held faculty positions at Institute Eurecom and the Technical University of Vienna where he co-founded the Secure Systems Lab. Dr. Kirda has served as programming chair for several security conferences including RAID, Eurosec and USENIX. He has counseled the European Commission on emerging threats, and gave a Congressional Briefing in Washington D.C. on advanced malware attacks and cyber-security.
There are many important steps enterprises can take to prevent big data security breaches. Arguably, the most crucial step is to...
Develop and deploy security tools that effectively detect and defend against the targeted attacks and zero-day exploits that often lead to the most damaging breaches.
Traditional signature-based anti-virus technologies and first-generation sandboxing aren't effective in detecting evasive malware because the malware is purpose-built to circumvent them. Enterprises must evaluate and adopt new breach detection platforms that integrate with their existing security systems and IT architecture while surfacing the most critical threats among the often hundreds or thousands of potential security incidents they face each day. Only then can enterprises effectively protect their big data and that of their partners and customers.
William C. Klusovsky
William C. Klusovsky is the Manager of Pre-Sales North America for NTT Com Security, a global pure play information security & risk management firm. He is responsible for the training of Account Managers and Pre-Sales Consultants, management of the team, process, contracts and solution development for clients. This unique position requires him to master multiple skills across the breadth of the information security & risk landscape. Influencing nearly all engagements NTT Com Security conducts, he is able to provide an invaluable and unique perspective gained through experiences working with organizations of varying sizes, verticals and needs. William's success in this demanding environment is due to his detail oriented, analytical approach combined with more than 15 years of industry experience.
The truth of the matter is the #1 thing to do to protect an enterprise level-organization is to...
Create a "Risk Aware Organization", meaning train your people to understand risk and security, understand how they can be manipulated into giving away information, and understand that sometimes our best intentions are our biggest fault. Here's the issue, this is the hardest, longest and one of the most expensive endeavors.
The development of a full scale IA Program requires a lot of work. Starting with ensuring the executive team understands the risks, need and is in full support of the program, then committing… Investment will need to be made not just in assessing the current state, but also in identifying the right training for your own company culture. Everyone is quick to "buy a box" to solve a problem without understanding the business and personal ramifications. People, processes and *then *technology. As an example, you can't implement a DLP tool to stop leakage of SSN if you haven't first identified why those numbers are leaving and what process *should* be in place. You may find that you don't have the right HRIS system in place and that's why it's happening, yes you need to fix it, but it's not a simple as "turn on DLP" - you need new processes to keep doing business.
With that said, taking Training/IA Program off the table (if that's not what you want to hear, as many don't)… My other option would be to have a data protection program. This involves several key things that make up a "priority task" for an enterprise including Data Criticality, Data Classification, Data Ownership and overall Risk Management Frameworks need to be understood, defined, implemented and managed.
Many organizations assume IT owns the data, rather than the business lines owning the data. Organizations need to understand that defining what data is important, why and at what cost is a business decision. As risk leaders, our job is to say "you have told me "this" data is "this" important, here is what we are doing, here are the risks, here is what can be done to mitigate it… Mr/Mrs Business what do *you* want to do?"
Organizations need to recognize that risk management and information security is a business issue, and part of everyone's roles and responsibilities. Those roles and responsibilities should be defined, understood, accepted and managed. This goes so far to rethink how we test areas like DR/BCP/Incident Response. Does your company involve the business, PR, etc., do you tabletop a breach or just say "these systems are down, bring them up over hear." A solid data protection program will take those points I mentioned above, and put the company in position to understand their position around risk better and be able to manage with real reasoning and not just guessing. If you don't know what you are protecting, why, and the risks you are gambling with your budget.
Matt Carbonara is Investment Director at Comcast Ventures, where he focuses on investment opportunities in the IT infrastructure space. Specifically he's interested in opportunities that capture the remaking of the application infrastructure delivery stack - from compute, storage and networking to databases, management and orchestration. Previously, Matt worked in Corporate Development at Cisco Systems where he focused on strategy, acquisitions and investments in the data center segment. Prior to joining Cisco he was at another venture capital firm. His transaction experience includes Virident, Desktone, Whiptail, Jungo Software and Matrix Semiconductor. Early in his career, Matt was a ASIC design engineer and a product marketing manager at Terayon Communications Systems where as an early employee he architected and designed some of the world's first cable modem chips. Matt graduated Summa Cum Laude with his B.S. and M.S. in Electrical Engineering from The Ohio State University.
The key to protecting against big data security breaches for enterprise level organizations is to...
Design the big data infrastructure with security in mind from the beginning.
Big Data security presents extraordinary challenges as enterprises want to place as much of their customer facing and operational data in one location, a "data lake" if you will, in order to draw insights from a wide variety of data. This "data lake" will be accessed by folks from many parts of the organization with different roles and commensurate levels of access. Therefore, security must be designed in a very granular way - both by application (use case) and by role within the organization. It is difficult to bolt on such a security solution once the overall infrastructure is designed, thus granular security capabilities must be built in from the ground up with these needs in mind.
Adam Roth is the Security Expert at Dynamic Solutions International, a leading international provider of data storage solutions and comprehensive professional services for mid to large sized organizations. With more than 39 years of expertise and significant engineering resources, DSI is committed to expanding its family of solutions to provide the industry's most complete solution for protecting critical enterprise data and preserving our customers' technology investments.
The best thing an organization can do to protect itself from a large security breach is to...
Hire professional penetration testers to attack the network. It is rare to find an organization that is perfectly patched and impenetrable. Penetration testing identifies system weak points that an attacker will likely use to exploit systems. You must know your weaknesses before you can fix them.
Many companies purchase equipment and never know if it's working properly. Penetration tests can prove to be extremely valuable because it will show you exactly what an attacker does to get into your network, as well as give you real data to tune and verify the tools you may already have in place. No matter how strong or weak an organizations security protocol may be, a penetration test is a must. Hackers often times look for low hanging fruit that can be easily detected through penetration testing.
Benjamin Caudill is the Founder and Principle Consultant at Rhino Security Labs. An expert in cybersecurity and hacking, Benjamin has worked as a penetration testing (ethical hacker) and digital forensic examiner, with clients ranging from defense contractors and governments to financial institutions and more. He has presented research at conferences such as Defcon and has been featured on CNN, Wired, Washington Post, CNET, and others.
Enterprise organizations face a unique and difficult set of cybersecurity challenges, and those organizations who've invested heavily in big data, with stupendous amounts of information being kept on-hand and easily accessible, have more to lose than most. These enterprises must face the very real danger that if their security measures fail, these next-generation business intelligence assets and data warehouses will become a next-generation liability. You wouldn't think that there would be a single, easy answer to enterprise cybersecurity. Yet, as it turns out, there is...
A strategy termed "defense-in-depth" is perfectly suited to protecting enterprise organizations from the multitude of advanced persistent threats they face.
Defense-in-depth provides multiple layers of protection across the entire attack cycle, meaning that even if a few layers a defeated (such as a firewall or anti-virus), the remaining array of protective measures can halt or slow attackers long enough for the cybersecurity team to lock things down.
At the end of the day, because enterprises with big data stores are such high-value targets, they absolutely need to invest in a deep-layer defense-in-depth security. With the scale and nature of the threats such organizations must contend with, defense-in-depth is simply the only viable option.
John Ottman is Executive Chairman of Solix Technologies, Inc. and brings over 25 years of industry experience. Mr. Ottman is also Chairman and Co-Founder of Minds.com a leader in open source social media. Previously, Mr. Ottman was President and CEO of Application Security, Inc., President of Princeton Softech, Inc., and Executive Vice President, Worldwide Markets at Corio, Inc.. He also has held key senior management roles at Oracle and IBM. He is the author of the database security book, "Save the Database, Save the World!"
The #1 way enterprises can protect themselves from big data breaches is simple and it is...
Mask or encrypt sensitive data before it is loaded into Big Data.
Michael Pesochinsky is the VP and Co-Founder of GovernmentAuctions.org, a website that provides information about government auctions of seized and surplus merchandise from all over the country.
When it comes to protecting sensitive data from a data breach, there are several ways an enterprise level-organization can protect itself. One of the best practices would be to...
Change their passwords every 30-90 days. This would drastically lower password-based security breaches.
A common oversight that I'll see is that many enterprise level-organizations will have executables sitting bare instead of in Stored Procedures. Stored Procedures are very important to protect against SQL injection attacks, and many in fact do. But stored procedures do not by themselves necessarily protect against SQL injections. How useful a stored procedure is has everything to do with how it's written, so make sure you write it correctly by including an execution plan on any query which dictates what query will and will not be executed, and excluding Parameter values, thereby treating any inputs as user input and not as SQL code.
And finally, it's important for enterprise level-organization to use custom filters to immediately disable any access to their sites from the attacking IP address or range of addresses. Filters also prevent SQL injections and other forms of hacks and cyber attacks.