Help Irongeek.com pay for bandwidth and research equipment:
Network Security? What about the Data? - Jack Hatwick BSides Detroit 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)
Network Security? What about the Data? Jack Hatwick
When working with customers, many times you find yourself being reduced to talking about the better attributes of one firewall vendor over another. Which IPS should we go with? Will this appliance protect us from ransomware? What sandbox is gonna stop all the malware? 0Days?
All of these conversations usually surround and involve a network-centric approach to security, but what about the data? Usually a consultant has to ask the question that has never been asked. “What data do you have?” “Where is your data stored?” “Are you sure?” “How do you control access to that data?” The data is the ultimate prize for threat actors. Bypassing the firewall is not their goal, but is rather a mere necessity. I am going to propose a possible different approach that better addresses data security than the network-centric model that is common place.
I. Data is the goal
A Data is worth something, firewalls are not
i. When is the last time you turned on the news and the headline read “hackers bypass firewall!”
ii. Firewalls represent a cost from day 1.
iii. Data represents a value from day 1
iv. Losing that Data represents an even greater cost!
B Resources can be worth something.
i. We also have to realize that resources (cpu, ram, storage) also represents a value to various threats. Botnets ,etc.
ii. for the purposes of this talk we will stick to talking about the data.
II. Data is an institutional asset, not an IT asset.
A. Companies generally dont deal with firewalls, IPS, WAFs, or other appliances on a daily basis. Their IT departments do.
B. All levels of a company come into contact with data on a daily basis.
i. Gathering, Storing, Editing, Processing, Transmitting, Accessing, and Destroying.
a. Many of these may not even involve technology (paper forms, word of mouth)
C. Some data is irreplaceable
i. Intellectual Property, Trade Secrets
a. This data is valuable because it is unique to the organization. If others had it, the org would no longer have competitive advantage or differentiation.
D. Some data is not about your organizations
i. Employee personal details, customer data, PII, HPII,
a. Once this information is taken, it cannot be untaken. Once it is released, it cannot be returned!
b. Vehicles, Equipment, furniture are all assets that can be replaced.
E. Organizations tend to only value the data AFTER a breach
i. When they finally have to pay for the data and it becomes a cost, rather than a value.
ii. This is generally what risk managers care about. But rarely does someone consider the value the data has to the company rather than the cost it could bring if lost or stolen. Those are not necessarily the same values.
iii. If you truly value the data, protect the data, not the network.
a. If you knew your bank as an operation required or allowed bank tellers to take cash to their homes and count it and bring it back, would that bother you a little?
b. So why do we not view unencrypted laptops, usb drives, and shadow Cloud in the same manner?
III.Where is the data?
A. The network is no longer the place where the data soley resides.
i. Laptops, BYOD, Tables, USB, Cloud, etc.
B. These new places cannot always be controlled via a firewall or IPS.
i. Even when the data is ‘on prem’ these are hardly the best defense against attacks and breaches!
ii. Malware gets through firewalls to endpoints because the users still need to browse, check email, download files, and stick USB drives in.
a. all of these bypass the IPS and firewalls.
iii. Data that is in the cloud can be accessed anyware. Firewalls and SEIMs cannot stop those attacks.
C. Where your data is is not an IT question. It is an institutional question.
I. The business is what needs to gather, store, and handle data. Not the IT dept.
a.The IT Dept cannot query what is in a filing cabinet!
II. InfoSec HAS to get intimate with the business operations heads and figure out the who, what, where, when, why, and how of data for the organization.
a. We call this data discovery and classification.
IV. Who has (should have) access to this data?
A. Not something a Firewall is going to be able to tell you.
i. However a firewall may be able to identify traffic sources by who is logged in through a directory services integration and thereby restrict or define NETWORK access to various destinations based on WHO it thinks the user is.
a. This is good, but not the end all. You still haven’t touched true access to the data. Just possibly the resources it resides on.
b. Also consider that microsegmentation is not on most people’s radar, an intrabroadcast-domain access attempt will never be seen by a network firewall!
B. Once again, we have to ask business operations who needs access
i. From here we can begin defining role based access requirements in policy as well as separation of duties as far as separating the ability to create data from the ability to change data or delete it.
C. Auditing this will require technology, but not network technology. It will require software and systems that audit and check for accesses to file systems, databases, network shares, USB transfers, etc.
i. It has been noted that 80% DLP goals can be accomplished with Endpoint only solutions. Network based solutions don’t come close to covering that.
V. Change business operations first, not technology
A. Look at ways you can simplify and consolidate the amount of methods data is handled
i. Data that is easier to manage, is easier to secure
B. It cannot be a cultural change
i. If security doesn’t look like work, security doesn’t happen.
ii. When work looks like work, work gets done.
Iii. Remember it is the same for the threat actor. If they can make their work look like organizational work, it is likely to get done.
a. Making your business processes more resilient to being easily reproduced maliciously or injected into will do more wonders than any expensive technology can.
C. Once policy is designed, operations changes are agreed upon, start looking at where to start on technologically supporting those goals.
i. Start first where the data is
ii. Then move on to where the data is handled
iii. Then move to the permiter
VII. Do as much as you can with what you have
A. Terminal server based access to critical data
i. This means the endpoint even it not accessing nor storing the data the user is working on.
VIII. Non Network Technologies to look into
A. Data Classification Solutions
i. Some times a part of DLP solutions. Sometimes best to be a thing of its own ii. Look for something that allows for custom identitcation of IP and other institutional data types.
iii. Look for a solution that allows for classification of data at creation both automatically and manually
iv. Should be highly auditable with actionable reporting
B. Endpoint DLP
i. Look for cloud app recognition
a. such as uploads to Box, Drive, etc
ii. Look for perhipheral controls
iii. Look for terminal services features as well
iv. Encrypted traffic becomes a non issue as this control exists and acts before encryption of traffic happens!
C. Mobile
i. Look for containerized data controls
ii. look for application control features
iii. Look for limiting email and corporate data transfers inside container
D. Database
i. Many databases can be audited for accesses by various accounts and can control and stop anything that is not allowed by policy via separate software.
E. Endpoint and Peripheral Encryption
i. Many unencrypted laptops are still being stolen or lost with important data on it.
IX. This isn’t perfect
A This isn’t the end all be all. You still need network based security.
B the point of this talk wasnt to entice you to throw away your firewalls or tell your VAR sales rep to rescind your recent IPS PO.
C. This talk merely wished to explore the great expanse that exists beyond the permiter and how InfoSec could better secure data by focusing on data rather than the network.
Q&A
I haven’t thought of everything! I am interested in your thoughts, opinions, and contributions.
True Neutral, Security Engineer, Literal Sartorialist, Whovian. Superbly Sexable. 0ddJ0bb likes to keep his profession and hacker scenes separate for the most part. 0ddJ0bb helps run CircleCityCon. 0ddJ0bb has an associates degree and several years experience in IT and Security. 0ddJ0bb is an expert, but not THE expert. 0ddJ0bb also likes talking in the third person.
