Cybersecurity Awareness Month: Time to Embrace Detection and Response

October is “Cybersecurity Awareness Month,” created in 2004 by the Department of Homeland Security and the National Cyber Security Alliance with the goal of promoting awareness of how to stay safe online. Each week of October focuses on a different cybersecurity theme. Week 1 is centered on keeping consumer devices in the home safe; Week 2 is dedicated to cybersecurity education and training; Week 3 is all about protecting businesses from cyber attacks; and Week 4 highlights the importance of protecting the nation’s critical infrastructure.

Each theme of Cybersecurity Awareness Month shines a light on the many different challenges we face from cyber threats, both at home and at work. But there is a common threat among all of them: adversaries are penetrating systems in search of valuable data that they can steal and exploit for various reasons.

For far too long, the security community has been focused on prevention: build a higher wall, a taller fence, a more robust firewall, encrypt all data, and hopefully someday you will keep the bad guys out. But year after year, we still read reports about how this particular year is the worst ever for data breaches. Prevention is still important, but it’s not enough. No matter how tall the fence, adversaries still find their way in. A strategy for detection of bad actors and a way to identify these leakers and hackers is needed if security practitioners are ever going to gain any ground on adversaries and flip the asymmetry in favor of the defender.

But where do we start? How do we weave a detection and response strategy into a current prevention-focused strategy? This is especially vexing for businesses that have spent considerable budget on prevention or data loss prevention (DLP), which still leaves significant gaps.

My suggestion is to start with the basics. What is it that all of these bad actors seek most of all? The answer, of course, is data. And in most cases, that data lives in enterprise documents. Documents—Word, Excel, PDFs—are the lifeblood of any business. Documents embody how we collaborate, communicate, and get things done. The way we share these documents has evolved over the years from email to cloud-based storage to text messages and so on, but the vulnerabilities of these documents haven’t changed. In fact, they have escalated.

Implementing a detection and response strategy to strengthen your organization’s security posture means asking some basic, but penetrating, questions. How do you track who last opened a document? Who has been reading your company’s secrets? Are there people in your organization or with a trusted third party who may have shared documents outside of policy - either legitimately or accidentally? And what’s at risk once a document leaves the control of the organization?

Your company may have invested heavily in endpoint security and/or data loss prevention (DLP) technology to monitor whether sensitive documents were inadvertently sent to an employee’s home email, or worse -- to some unknown domain. But what about sensitive documents that were legitimately provided to trusted partners? Examples of documents being shared beyond the safety of a DLP system include forwarding to a board member, a law firm, an accounting firm, or your intellectual property counsel’s inbox. Once that happens, your DLP solution cannot tell you where that document went or who else shared it.

Let’s suppose that the trusted third party hired temporary workers who, in their zeal to do a good job, read documents and emails at home or on vacation on laptops they brought with them. And there are those pesky local caches again; even if users deleted the documents, don’t forget that the cache went on vacation, too.

But it doesn’t have to be this way. Allure Decoy Documents can track and report on the integrity and security of third-party shares, and internal folders or directories that store your most valuable data. Allure Decoy Documents are strategically placed in third-party folders and file shares. The documents have alluring names that are enticing to would-be leakers and hackers. If opened, inside or outside of the originating folder or file share, they trigger real-time alerts that provide proprietary geofence and telemetry insights.

With Allure Decoy Documents, security teams can take immediate action to stop and limit data loss. The proprietary geofence and telemetry insights also give incident response teams actionable data that can help them identify and reveal hackers and leakers - for internal or law enforcement investigations.
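To make the detection-and-response idea above concrete, here is an added illustration (not Allure’s product code, which relies on proprietary telemetry) of the shape such detection logic takes: a small registry of decoy documents planted on file shares, a parser for file-access audit log lines, and an evaluator that raises an alert whenever a decoy is opened, rating it higher when the access comes from outside an expected network (a simple stand-in for a geofence). The decoy paths, allowed networks, log line format and sample log entries are all constructed assumptions for the example.

```python
# Added example: decoy-document access monitor run over constructed audit log lines.
# Not the Allure implementation; paths, networks and log format are assumptions.
import ipaddress
import re
import secrets
from dataclasses import dataclass

# Constructed file-share locations where decoys are planted (assumed paths).
DECOY_PATHS = [
    "/shares/legal/Board_Minutes_DRAFT.docx",
    "/shares/finance/Q3_Acquisition_Targets.xlsx",
    "/partners/acme-law/Patent_Strategy_CONFIDENTIAL.pdf",
]

# Networks from which access is expected (assumed; stands in for a geofence policy).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Assumed audit log line format: "<ts> user=<u> host=<ip> action=<a> path=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)

# Actions that count as someone actually looking at the document's contents.
TRIGGER_ACTIONS = {"open", "read", "copy"}


@dataclass
class Alert:
    ts: str
    user: str
    host: str
    path: str
    token: str
    severity: str
    reason: str


def build_decoy_registry(paths):
    """Map each decoy path to a random token so an alert can be tied back to the
    exact planted copy even if the file is later renamed or copied elsewhere."""
    return {p: secrets.token_hex(8) for p in paths}


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def in_allowed_network(host, allowed=ALLOWED_NETWORKS):
    """True when the host is an IP inside one of the expected networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or garbage never satisfy the geofence
    return any(addr in net for net in allowed)


def evaluate(event, registry, allowed=ALLOWED_NETWORKS):
    """Raise an Alert if the event is a content access of a registered decoy."""
    if event is None or event["path"] not in registry:
        return None
    if event["action"] not in TRIGGER_ACTIONS:
        return None  # directory listings, stat calls, backups are not "opened"
    inside = in_allowed_network(event["host"], allowed)
    return Alert(
        ts=event["ts"],
        user=event["user"],
        host=event["host"],
        path=event["path"],
        token=registry[event["path"]],
        severity="medium" if inside else "high",
        reason=("decoy opened from expected network" if inside
                else "decoy opened from outside geofence"),
    )


def scan_log(lines, registry, allowed=ALLOWED_NETWORKS):
    """Run every line through the evaluator and collect the alerts."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_line(line), registry, allowed)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample audit log: one internal decoy open, one ordinary document,
# one decoy open from an outside address, one backup stat, one malformed line.
SAMPLE_LOG = [
    "2018-10-09T13:10:23Z user=jdoe host=10.1.2.3 action=open path=/shares/legal/Board_Minutes_DRAFT.docx",
    "2018-10-09T13:11:05Z user=jdoe host=10.1.2.3 action=open path=/shares/legal/real_memo.docx",
    "2018-10-09T22:47:51Z user=temp_worker host=203.0.113.77 action=open path=/partners/acme-law/Patent_Strategy_CONFIDENTIAL.pdf",
    "2018-10-10T08:02:00Z user=svc_backup host=192.168.50.9 action=stat path=/shares/finance/Q3_Acquisition_Targets.xlsx",
    "this line is not an audit record",
]

if __name__ == "__main__":
    registry = build_decoy_registry(DECOY_PATHS)
    for alert in scan_log(SAMPLE_LOG, registry):
        print(f"[{alert.severity}] {alert.ts} {alert.user}@{alert.host} "
              f"{alert.path} token={alert.token}: {alert.reason}")
```

Run as a script it prints two alerts: a medium one for the internal open of the board-minutes decoy and a high one for the after-hours open of the partner-share decoy from an address outside the expected networks. The registry token is what lets a response team say which planted copy fired, which is the piece of information DLP alone does not give you once a document has left the share.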


Posted by Salvatore Stolfo on Oct 9, 2018 1:10:23 PM
Salvatore Stolfo

Salvatore Stolfo is a tenured Columbia University professor, teaching computer science since 1979. He is the co-founder and CTO of Allure Security. Dr. Stolfo has been granted over 47 patents and has published over 230 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, NIST, and DHS.

Topics: third-party risk, data breach, insider threat, detection and response
