Gaining Network Visibility and Understanding

A critical capability in effectively managing information risks for an enterprise is the ability to see and understand normal vs. nefarious activity. Information Security practitioners typically call this "Network Visibility". Without this visibility, organizations simply do not have the information they need to understand their information risks. In addition, in the event the firm learns of a major compromise, this lack of visibility negatively impacts their ability to make business decisions and take action, especially when those actions need to be taken in the midst of managing an incident.

Information security practitioners can use many tools and security technologies to help them see network activity. These technologies serve as critical element of understanding normal vs. nefarious activity. Tools such as network monitoring, SIEM, IDS, and DLP are just a few that come to mind. These should be viewed as basic blocking and tackling tools for most large organizations that have sensitive or high value data.

Gaining this visibility and understanding it is often a monumental undertaking for organizations, especially for large enterprises than span geographies and leverage the use of 3rd parties to conduct business. The heavy lifting lands almost squarely in the “understanding” of what is seen and captured by a firm’s security technology. This is particularly true as it relates to Advanced Persistent Threats (APTs), as often these attacks make use of authorized credentials of the target firm to covertly extract a firm's sensitive or high value data (e.g. product designs, industrial designs, intellectual property or other trade secrets).  Unfortunately, truly understanding network activity and being able to glean from large amounts of network activity what is nefarious, is where most network visibility efforts fall short.

I assist large enterprises in developing security strategies and programs, and often assist companies and organizations that are dealing with known compromises or expect they have been compromised. For organizations that are compromised there are three common themes I see:

Theme #1) There is no comprehensive information security strategy or their security strategy was not adequately funded, and thus the basic blocking and tackling leveraging security technologies for visibility has not been implemented.

Theme #2) IT Infrastructure has been managed in a decentralized and inconsistent manner and lacks maturity.

Theme #3) Business Intelligence and Analytics are non-existent or are not applied to information risks.

An IT Infrastructure that is managed inconsistently and lacks maturity typically results in a weak and unclear understanding of a firm’s information assets.  This coupled with a lack of business intelligence to effectively analyze and provide business context to the data that is collected by security technologies, commonly results in firms merely gaining “visibility to activity”, but not fully understanding what the activity means.

Do keep in mind, many industry leading security technologies do provide sound analytics for the data those tools capture.  However, if not complemented by both mature IT Infrastructure management practices and Business Intelligence, the understanding of network activity will often not be at the level necessary to minimize more sophisticated Advanced Persistent Threats (APTs).

I’ll outline some of the key elements of IT Infrastructure Management practices and Business Intelligence in an upcoming post and further explain why these three areas are necessary to be move to “Information Risk Visibility”.

Your comments are welcome...

 

Mark Brooks

Fake Apple Stores Found In China

First off, thanks to BirdAbroad for what appears to be, single-handedly breaking this story and enabling it to go viral!

Chinese officials are investigating five fake Apple stores in the southwestern city of Kunming.  The investigation follows a blog post with pictures last week by BirdAbraod who lives in Kunming in the Yunnan province.  The blatant and flagrate use of Apple's designs, branding, and products, demonstrates the complete disregard intellectual property rights and how far suspected thieves will go.

Here's one of the photos of the stores under suspicion:

 

This of course is an illustration of what most American companies have come to accept now about China - intellectual property and product designs are at high risk of being stolen or counterfeited.  This is quite frankly the case, whether a company is outsourcing operations to China or not.  In fact, many of the recent attacks of US companies are suspected to have originated in China.  However, extending a company's footprint abroad by establishing business operations on the ground in China, certainly further increases the risks.

For most large companies and smaller companies that are growing, it's not a matter of if your moving into China with your business operations or product, it's a matter of when.  This elevates the importance of implementing effective information risk strategies, both for operations that will be on the ground in China, as well as outside of China.

 

I've blogged about Intellectual Property Theft Alleged in China in the past here > CYBERsitter Theft, as well as the importance of targeting High Value Data for Information Governance here > Information Governance.  A company's intellectual property clearly should be viewed as High Value.

Most importantly, companies need to ensure that they have effective strategies and governance in place for layered defense.  They need to know how, where, and who will be accessing their intellectual property here and aboard, and through their strategies and governance, make informed risk based decisions for their business.  Protections will come in the form of people, process, and technology.

There's no silver bullet.

Mark Brooks

---------------------------

Here are some key links on this story:

BirdAbroad Blog

Washington Post

BBC News

News of the World - Mobile Phone Hacking Allegations

Recently reported by the BBC News of the World - Hacking of mobile phones. 

It is shame to see such allegations.  Let's hope we don't see a wave of other "investigative" type news outlets exposed in the coming months, that have employed similiar hacking techniques.

The editor of the News of the World is quoted as saying "nothing should diminish everything this great newspaper has achieved".  Mmmm, I'm thinking that something just has...

Targeting High Value Data for Information Governance

Targeting High Value Data for Information Governance

High Value Data comes in variety of shapes, sizes and forms in industry.  Often it’s intellectual property like designs or research information, it can be data that requires extra attention and control because of its sensitivity, it can be data that is specifically regulated by law or statute, or it might be information that is critical in cases of litigation.  Despite their different purposes and uses, all this High Value Data can benefit from applying common and integrated Information Governance.

 

The life cycle of High Value Data domains is very consistent and the decision making and controls around the data are very common.   If you look at the life cycle of information, it’s easy to identify some key steps in the life cycle.  See below:

 
 

For High Value Data like I have described above, often companies will miss an opportunity to align and integrate efforts, and will end up initiating more costly individual investments to govern their High Value Data.  Often you will see these investments referred to as e-Discovery, Records Management, Security, Privacy, or other compliance specific agendas.  Let’s look at a couple of examples of why it makes sense to govern High Value Data in a common and integrated fashion.   Once you see these, I think you will gain an appreciation for how viewing Information Governance from an integrated standpoint can make your efforts more effective and less costly.

1. PLANNING data governance for compliance oriented data, e-Discovery, Records Management or Privacy often require the same subject matter experts (SMEs) in laws, regulations, and policy.   Having these SMEs look at planning holistically for High Value Data, can help eliminate redundant decision making efforts and help them identify complimentary controls that can help address needs across multiple domains.  In addition, these High Value Data domains often require enterprise wide interventions in order to create change (or in this case, drive new Information Governance).   Enterprise initiatives are often difficult to move forward due their breadth and stakeholders that span multiple areas.   By bringing these enterprise needs and initiatives together during planning, you are more likely to have success in mobilizing sponsorship of investments vs. having each High Value Data area make its own individual investment case.
2. Governance for what you CREATE and ACQUIRE can be critically important to the overall life cycle of High Value Data and can help minimize risks.  As an example, both Privacy and Security are interwoven when it comes to this step.  If an organization chooses to ACQUIRE and make use of personal data then there will be a resulting set of risks and costs associated with securing that data.  
3. Most High Value Data requires limiting how it is USED and ACCESSED, specifying who can use it, determining where it can reside, and making use of audit trails to substantiate who did what, to what data.  The decision making processes and how you limit access are often common across these different High Value Data domains.  In addition, the types of technology solutions one can deploy to enable the right access controls, such as Identity and Access Management, Encryption, or Data Loss Prevention are very similar and often are the same solution.
4. DISPOSITION is a step that has an extreme amount of interdependence across decisions, controls and approaches for each of these High Value Data domains.  As an example, the disposition of records and adherence to a retention schedule can have direct impact, good or bad, on e-Discovery efforts.  Often, companies end up storing unnecessary volumes of data because of their lack of governance/compliance to record retention procedures.  This results in sky rocketing storage costs and greater exposure to companies having to process data for legal requests that they weren’t legally bound to keep in the first place. 

------------------------------

Here's a quick summary of the common themes and benefits of integrating High Value Data Governance:

• Decision makers are often common across High Value Data Governance.  In particular, in the area of Legal and Compliance.
• By bringing the enterprise needs and initiatives for each High Value Data domain together during planning, you are more likely to have success in mobilizing sponsorship of investments vs. have each High Value Data area make its case on its own.
• Decisions made on High Value Data type in a step in the information life cycle, can have significant impact on the risks and costs of managing High Value Data elsewhere in the life cycle.
• The technologies available that help enable limited access, appropriate use, and Security are often the same across the High Value Data domains.

Here are some additional resources for you to assist with High Value Data Governance:

ARMA International Maturity Model for Information Governance

Association of Information and Image Management

 

Mark Brooks

Privacy Compliance

I recently attended an IAPP Practical Privacy Series.  If you are interested in or work in the Privacy Compliance arena, I would encourage you to attend one of these and/or join IAPP.  They have a variety of programs, conferences, and professional certifications available.

The series was held in Washington DC and was focused on the recent guidance issued by the FTC on privacy compliance, as well as the creation of the CFPB (Consumer Financial Protection Bureau) and its expected plans for oversight of the financial industry.

I've summarized some of the key themes and take aways that I noted from the conference.  Please post any questions or comments.

_______________________

FTC Commissioner Brill was the keynote speaker and took Q&A.  I was pretty impressed with the FTC's knowledge and understanding of industry practices and challenges.  Commissioner Brill also actively participated throughout the day conference, along with several of her colleagues from the FTC.

The FTC recently issued a proposed privacy framework, Privacy Report, for public comment that includes these themes:

a) DO NOT TRACK EXPECTATION. Consumers should have the ability to easily know what information is being tracked on them when using the internet.  They should also have the choice to easily turn off tracking, when and where they want.  There is an increasing expectation among consumers that they fully understand and have the option to control what information is tracked about them when they are making use of the internet.  The big internet browser platforms are being eyed as key piece of the solution to enable choice for consumers.  Microsoft, Apple, Google are all taking a look at what changes they can make in their solutions to enable more capability and choices for consumer to control and understand what is being tracked when they surf the internet.  Individual websites will also likely have to make changes to ensure they are adhering to changes in FTC guidance, once they are finalized.

b) ACCESS.  Consumers should have the ability to request and receive timely information about what personal information a company has on them and how it is being used.  Safe Harbor already includes this provision, but it is not considered a clear and consistent mandate across US Privacy Regulations.  This is an acute challenge for US banks, as they are not well positioned to respond to such requests today.  Most banks are not Safe Harbor certified.  Some even see the potential of consumers leveraging this like law firms do with over burdensome e-discovery requests.

c) SHIFT TO “General Sensitive Data Protection” from just protection of PII (Personally Identifiable Information).  INFOSEC standards being viewed as helpful with this shift.  This makes sense.  From my perspective companies should look to common INFOSEC controls to help enable compliance.  Then regulatory bodies should take a risk based approach to enforcement by focusing their enforcement efforts on the most sensitive information of consumers and the data that create the greatest impact/damages from breach or inappropriate exposure.

d) There were a number of active discussions regarding concerns with the CFPB (Consumer Financial Protection Bureau) having too much power.  The CFPB was recently created by the Dodd-Frank Act, as an outcome of predatory lending “causing the housing market collapse.”  The CFPB has the ability to make rules, oversee, and enforce consumer lending practices.  Big banks will be impacted heavily as this bureau solidifies its role.  Of course, those following the bank bailout and the housing market, shouldn't be surprised with the creation of even more regulation.  Ironically, this legislation and the new bureau was created by two of the key legislators that oversaw the old regulations prior to collaspe...

By the way, the deadline for public comment for the proposed privacy framework is January 31st, 2011. Here is the link for public comments Privacy Framework Comments.

Again, let me know if you have questions or comments.

 

Mark Brooks

Benefits of Data Classification

 

Data Classification has been around for many years.  As companies increasingly open their information networks to external collaborators, move to collaborative environments like SharePoint, and face increased legal exposure, Data Classification is increasingly being deployed as an effective means to help address risks and enable compliance.

  Quite often when the subject of Data Classification comes up, what comes to mind to most practitioners in information management is “You must classify all your information so that each piece of data that you use in the company is labeled – (e.g.  Red, Yellow, Green) based upon the sensitivity of the data.”  This of course feels like an overwhelming amount of effort and Data Classification falters due to fear of failure or because it becomes too difficult to gain approval for the business case. 

In most cases, this isn’t how Data Classification is implemented and often it isn’t how an organization gains the most benefit to Data Classification.  I believe that one of the greatest business benefits of having Data Classification implemented are realized when organization understands and focuses on Data Classification at a strategic level.  By strategic level, I mean at the Policy, People, and Governance level vs. the technology/tool level.

Here are what I see as the Top 5 Benefits of Implementing Data Classification at a strategic level:

· #5    The ability to make more effective management decisions on the level of controls necessary for data protection.  Having a Data Classification program in place that includes the appropriate levels of controls for the various classification levels, helps leadership make more effective investment decisions to meet internal and external control expectations.

· #4    The ability for the rationalization of controls by mapping control requirements to grouped “classes” of information vs. data element by data element.

· #3    The ability to use Data Classification as commonly accepted guidance across the enterprise for the controls that should be implemented to protect data, thus aligning resources and energy of the organization.

· #2    It can be used to reduce efforts and costs associated with controls of less sensitive data.  Often when Data Classification is developed, organizations come to the realization that they are not only UNDER controlling their most sensitive data, but they are wasting money and resources OVER controlling less sensitive data. (CISOs – Here is a great way to gain traction with your business partners by articulating cost savings and productivity gains via your Information Security initiatives!)

· #1  And the # 1 Strategic Benefit for Data Classification, is the Socialization of Data Governance concepts with the business enterprise.

 

Socialization of Data Governance?  If embarked upon from a truly enterprise and cross-functional perspective, Data Classification is also a great way to socialize data governance with senior leadership because the process and experience of defining the data classes and their expected controls is Data Governance.  Once this socialization process begins to gain traction, then organizations begin to realize a number of other strategic benefits.  These can range from:  stronger business sponsorship on specific IT investments to protect the information, better risk based decisions made by the organization, stronger ties of security requirements to business objectives, as well as decreased legal risks by being able to demonstrate due diligence through active leadership engagement in data governance.

Ironically, it is actually when these strategic benefits begin to be realized, that organizations can more effectively drive data classification into processes, procedures, and deploy technology solutions.  I say ironically, because most organization jump to finding a tool to classify data and then they find that once implemented, the organization resists adoption and data classification fails.  The resistance occurs because of lack of understanding, alignment, and buy-in to the need across the business.   Then organizations find themselves right back where they should have started – focusing on Data Classification at a strategic level or unfortunately altogether abandoning Data Classification.

Your comments and thoughts are welcome.

 

Mark Brooks