Tizor Systems, Inc. - Data Protection and Compliance Auditing Solutions

A New Approach to Data Breach Protection

Remember when data breaches at major corporations and government agencies were front-page news? Today, breaches of sensitive personal and financial information are becoming so common, most barely rate a mention in the mainstream media. In fact, while everyone heard of the more than 45 million credit card and debit card records stolen by “unauthorized intrusion” into the computer systems of TJX Corporation in January of 2007, this was just one of the dozens of data breaches reported in the first few months of 2007 alone, impacting millions of personal records. According to the informal Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization, the number of reported compromised data records exceeded the 100 million mark way back in February, 2005 (for an up-to-date list, visit the Privacy Rights Clearinghouse at www.privacyrights.org ).

These are just the data breaches that are reported. Unfortunately, they may only be the tip of the iceberg. Because data leaks are almost certainly under-detected and under-reported, the actual figure is likely far higher. In fact, despite the tireless efforts of data managers, leaky data stores and data breaches have become so common, they have spawned an entire community of leak reporters, researchers, trackers, and bloggers.

The Data Breach Challenge

In general, a data breach, or unauthorized disclosure, occurs when private or restricted data entrusted to a private or public entity escapes to an unintended audience—either intentionally or by accident. Some regulations, guidelines, and best practice standards may include more specific definitions of what constitutes a data breach and what is required in the way of breach notification.

In virtually all cases, data theft is a multi-victim crime. The company or organization entrusted with the exposed data suffers in a variety of ways: through eroded trust, damage to its brand, loss of business, and in some cases, civil and criminal penalties. Privacy compliance standards and regulations—such as SOX, PCI, CA 1386, HIPAA, Basel II, and PDPSA—often call for penalties ranging from contract termination to fines or even jail terms for senior executives.

In some cases, the unauthorized disclosure is confined to the storing entity's intellectual property. But more often, the lost data also "belongs to" other entities, including customers, employees, or business partners—from personal banking and health records to credit card and social security numbers to sensitive corporate information. And the damage is not limited to those whose data was stolen. Each and every breach chips away at the faith and trust in the institutions and organizations entrusted with sensitive data. More and more consumers recognize the value of their data assets and their data property rights. The public is rapidly losing patience with any entity that appears to treat these rights lightly.

Data breaches can occur in countless ways—from accidental email exposure, computer glitches and stolen laptops to compromised passwords, insider theft and global hackers. No matter how the data leaves the premises, the greatest vulnerability lies at the source: in the data center, where data is stored and accessed.

As long as information is valuable, it will be targeted by data thieves, who are getting more sophisticated all the time. Organizations can erect barriers to help protect from external attack, but internal breaches present a far more thorny challenge. The most effective strategy to address that challenge is to detect unauthorized activity—whether intentional or inadvertent, by authorized users or by "masqueraders"—as soon as it occurs, understand its potential severity, and act quickly to minimize its magnitude and mitigate the effects.

Rapid action is crucial to contain a breach and prevent damage, but you must know exactly who did what and how. This information is also critical for compliance with a growing number of privacy regulations, which require notification to all parties who might be affected by the breach.

Data Breach Examples

To better understand the threat and the challenge posed by data breaches, consider the following three real-life examples:

  • A former employee was charged with stealing one Internet provider's entire subscriber list—more than 30 million consumers and their 90 million screen names—and selling it to a spammer. The accused did not have access to the data warehouse, but he impersonated another employee who did.
  • A hacker broke into a database at a credit card processor and gained access to 10 million credit card numbers. The processor was fined and placed on probation.
  • In separate incidents, one company exposed nearly 300,000 records due to compromised passwords. Four institutions combined coughed up close to 700,000 records to dishonest insiders, and one government office lost 465,000 records to rogue users.

These breaches all share some common themes:

  • The attack was directly on the data source—the databases or file servers containing sensitive information.
  • The breach was not discovered at the source, or in real time, making it impossible to contain the magnitude of the disclosure, or to quickly assess its scope.
  • Damage to the data handler’s reputation and brand equity was significant, even though the actual damage caused by the theft itself was not readily quantifiable.

Traditional Data Defenses

Many organizations have attempted to address their data protection needs by strengthening perimeter defenses, tightening access controls, and adding encryption. Layered defenses commonly deployed to protect sensitive data include:

  • Firewalls
  • Identity and access management (IAM) systems
  • Vulnerability assessment tools
  • Network behavior anomaly detection (NBAD) utilities
  • Intrusion detection and prevention systems
  • Log aggregation and management tools (SIM/SEM)

Content filtering tools can help stop mischievous outbound email, IM and web traffic. Host activity monitoring products offer some localized host-specific defenses—USB drive protection, for example.

Perimeter protection and network anomaly detection systems can be effective against worms, viruses, and programmed application attacks. However, while providing visibility into network-level issues, network-level traffic anomaly systems remain blind to application-level traffic against critical data stores.

Identity and Access Management (IAM) solutions provide basic user account management, authentication, access control (to servers, network resources, and applications), and identity logging. Like network-level anomaly detection systems, however, IAM subsystems have zero visibility into an authenticated user's application-level data activity.

Security Information Management (SIM) products can be deployed to aggregate security-related event logs generated by various external security tools—firewall, VPN, IPS, and so on. However, these products cannot track internal data server access, and when applied against core data servers, they rely on notoriously incomplete server logs.

There are shortcomings associated with all of these tools, including: lack of intelligence at the application and business process levels; little or no protection for core, server-resident data assets; and the inability to address authenticated user access to critical data servers. This is a critical gap that can leave valuable data assets vulnerable.

Filling the Gap: Data Auditing

To fill the gap left by these traditional approaches to data protection, a new approach called data auditing has emerged. Historically, auditing data access behavior by authenticated users was considered impossible, due to the magnitude of the resulting logs and audit trail data. This view is now obsolete due to the rise of data protection regulations that require auditing of "who looked at this?" information—as well as the introduction of data auditing and protection appliances designed to address this need.

To effectively meet today's data protection challenge, particularly the challenge of privileged user monitoring (PUM), a data auditing system must provide all of the following:

  • Passive, non-intrusive network deployment
  • Centralized monitoring of multiple data servers and server types (DB server, file server—structured and unstructured data)
  • Built-in behavioral analytics and forensic tools
  • Built-in policy definition tools to focus attention on specific anomalous or non-compliant activities
  • Content scanning that allows for identification, tracking and reporting on specific data—such as credit card and social security numbers, etc.
  • Comprehensive record keeping and reporting options

Because of their passive position in the network, data auditing and protection systems co-exist with other security-related policies, tools and controls. Auditing systems presume, but do not require, the conscientious deployment of firewalls, anti-virus products, VPNs, access controls, and intrusion prevention systems—systems implemented by most data-reliant entities as part of their standard security practices.

In each of the breach examples described earlier, an intelligent data auditing system could have detected anomalous access activity as it happened and alerted security officers, empowering them to act quickly to contain the breach. Furthermore, appropriate audit trail granularity could have provided timely and irrefutable proof of the breach's scope and severity.

Traditionally, the processes of monitoring, investigating and confirming a breach and then building a case against a perpetrator have been manual and performed long after the fact. In contrast, by enabling automatic detection and notification, followed by quick action to understand the breach and contain its effects, data auditing provides true "risk mitigation."

When a data auditing system encounters an apparent case of unauthorized access—an attempt to download 300,000 social security numbers from a previously un-encountered IP address at 4:00 a.m., for example—automated risk mitigation strategies can include connection termination, TCP reset operations, user deactivation, or other access control adjustments. In order to correctly raise alerts and apply appropriate risk mitigation measures, the data auditing system must be able to identify an unexpected IP address, a suspicious time of day, or an excessive download size with statistical certainty.

Confirming breaches and preparing informed notification is nearly impossible without first-rate forensic tools. The ability to summarize and "drill down" through a variety of access dimensions—time, user, location, data asset—for one or multiple data servers and server types is essential. Content scanning capabilities to detect and monitor specific critical data content types—such as Social Security, account and credit card numbers—is also important. Knowing this information is crucial for compliance with PCI and other standards and regulations that require notification of what has occurred and what information may have been compromised. As with all risk mitigation strategies, a key goal of forensic tools is to minimize liability, which includes minimizing the required audience for informed notification in the event of a breach.
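The content scanning capability described above, and in the requirements list earlier, is illustrated by the following added example. It is not Tizor's code or a description of any product's implementation; it is a minimal, self-contained scanner that a practitioner might write to recognize card numbers and social security numbers in captured result-set text. The sample payload is constructed (the card number is a widely published test number), and the validation rules are the standard ones: a Luhn checksum for card numbers and the structurally impossible SSN area/group/serial values. Validating candidates this way is what keeps a scanner from alerting on every 16-digit ticket number it sees.

```python
import re

# Constructed sample of a result set as a passive monitor might capture it.
# All values are synthetic; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_PAYLOAD = """\
id,name,card,ssn,notes
1,J. Doe,4111 1111 1111 1111,123-45-6789,order 20070305
2,A. Roe,4111-1111-1111-1112,000-12-3456,refund
3,B. Poe,n/a,321-54-0987,ticket 1234-5678-9012-3456
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject SSNs with structurally impossible parts:
    area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and not 900 <= a <= 999 and group != "00" and serial != "0000"


def scan(text):
    """Return card numbers that pass Luhn and plausibly formed SSNs found in text."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            cards.append(digits)
    ssns = [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if ssn_plausible(a, g, s)]
    return {"cards": cards, "ssns": ssns}


if __name__ == "__main__":
    hits = scan(SAMPLE_PAYLOAD)
    print(f"card numbers: {len(hits['cards'])}, SSNs: {len(hits['ssns'])}")
```

On the constructed payload the scanner reports one card number and two SSNs: the mistyped card on row 2 fails the Luhn check, the 000-area SSN is rejected, and the 16-digit ticket number on row 3 is never counted as a card. In a real deployment the matched values themselves would be masked or hashed before being written to an audit trail, so the audit store does not itself become a copy of the sensitive data.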

Data auditing and protection must not hinder normal business processes; it must be accomplished with the least possible impact on the business. This means a data auditing solution should be easy to deploy, cost-effective to manage, and have no impact on application or network performance. Change is a constant in business and in the data center, so the ability to modify policies quickly is critical. Obviously, it must be completely transparent to users—including privileged users.

A New Best Practice

To combat data theft, the traditional best practices are no longer enough. While the classic layered defenses built on rigorous user authentication, server-level access control, encryption, and content inspection for information in transit remain important, read-only activity is not logged or audited in any useful way. Furthermore, these tools cannot distinguish among authorized users conducting legitimate business, incompetent insiders bypassing corporate security policies, or intruders hijacking user identities to steal information. In short, none are well suited to the task of reliably detecting and containing breach events in real time.

Fortunately, there is a new best practice that complements traditional defenses and fills critical data protection gaps. The best defense against illegitimate access by authenticated users is a data auditing and protection system that statistically profiles each user's access behavior on a dynamic or "rolling" basis, automatically detects anomalous activity, records forensic details about each action, and raises real-time alerts. Realizing these capabilities with a transparent, passive and pervasive system that monitors data assets across the enterprise constitutes the new standard for data breach risk mitigation and informed notification.
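The rolling behavioral profile this paragraph calls for, and the "unexpected IP address, suspicious time of day, excessive download size" triad from the risk mitigation discussion above, are shown together in the following added example. It is not Tizor's code and does not describe any product's analytics; it is a small, self-contained illustration of the technique. The event lines are constructed, the field layout (timestamp, user, client IP, table, rows returned) is an assumption about what a passive monitor would record, and the thresholds (a window of the last 50 events, a z-score of 3 for row counts, two hours of slack around observed working hours, a weighted score of 2 to alert) are illustrative choices, not recommended settings.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of query-result events for one user, in the order a
# passive monitor on the database segment would see them (not real data).
# Fields: ISO timestamp, user, client IP, table, rows returned.
SAMPLE_EVENTS = """\
2007-03-05T09:12:00 alice 10.1.2.15 customers 120
2007-03-05T14:40:00 alice 10.1.2.15 customers 95
2007-03-06T09:05:00 alice 10.1.2.15 customers 140
2007-03-06T16:20:00 alice 10.1.2.16 customers 110
2007-03-07T11:00:00 alice 10.1.2.15 customers 130
2007-03-08T04:00:00 alice 203.0.113.9 customers 300000
"""

# Illustrative weights: a bulk read is a stronger signal than a new desk IP
# or an unusual hour on its own; two weak signals together also alert.
WEIGHTS = {"new_ip": 1, "unusual_hour": 1, "excessive_rows": 2}


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    table: str
    rows: int


def parse_events(text):
    """Parse whitespace-separated event lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, table, rows = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip, table, int(rows)))
    return events


class RollingProfile:
    """Per-user baseline built from the most recent `window` events.

    Each event is scored against the baseline *before* being added to it, so
    the profile rolls forward and an outlier does not instantly become normal.
    """

    def __init__(self, window=50, min_history=3, z_threshold=3.0, hour_slack=2):
        self.min_history = min_history
        self.z_threshold = z_threshold
        self.hour_slack = hour_slack
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, ev):
        """Return the anomaly reasons for `ev`, then fold it into the baseline."""
        hist = self.history[ev.user]
        reasons = []
        if len(hist) >= self.min_history:  # too little history: learn, do not judge
            if ev.ip not in {h.ip for h in hist}:
                reasons.append("new_ip")
            hours = [h.ts.hour for h in hist]
            if not (min(hours) - self.hour_slack <= ev.ts.hour <= max(hours) + self.hour_slack):
                reasons.append("unusual_hour")
            rows = [h.rows for h in hist]
            mu, sigma = mean(rows), pstdev(rows)
            sigma = max(sigma, 1.0)  # floor so a flat baseline still gives a finite z-score
            if (ev.rows - mu) / sigma > self.z_threshold:
                reasons.append("excessive_rows")
        hist.append(ev)
        return reasons


def detect(text, alert_score=2):
    """Replay events through a rolling profile; return (event, reasons) pairs
    whose weighted anomaly score reaches `alert_score`."""
    profile = RollingProfile()
    alerts = []
    for ev in parse_events(text):
        reasons = profile.observe(ev)
        if sum(WEIGHTS[r] for r in reasons) >= alert_score:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev.ts.isoformat()} user={ev.user} ip={ev.ip} "
              f"rows={ev.rows} reasons={reasons}")
```

Replaying the constructed events, the fourth one (a known user from a second desk IP during working hours) earns only a single weak indicator and stays quiet, while the final 4:00 a.m. bulk read from an unseen address trips all three checks and is the only alert raised. That is the behaviour the paragraph asks for: the baseline is learned from the user's own history rather than a fixed rule, and the alert carries the forensic detail (who, from where, when, how much) needed to act on it.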