The data sits at the endpoint, waiting to be "captured" and analyzed whenever new tagging rules arrive. Right now you can tag only data already known to be sensitive. Team members aren't aware of the new rules or fully engaged, and as a result abnormal activity starts to occur while the data is in motion. Outsiders now have the data and are staying "low and slow" to avoid detection. They are mapping our organization's defenses from the inside, drawing up a battle plan and running multiple kill chains to make sure they win. What's the best defense? How can we safeguard the reputation of our organization? How can we train our employees to take action?
Audience members were able to answer these questions after our online training, "Cover Your Bases, Track Your Data," in which the old-school but classic game of capture the flag was brought back to life. Expert panelists Gary R. Galloway, Data Loss Prevention Program Manager at the U.S. Department of State, and Ken Durbin, Continuous Monitoring and Cyber Security Practice Manager at Symantec Public Sector, stressed the importance of better educating the user community in order to arrive at a better security policy, both within an agency and across agencies.
Galloway first discussed the history of the Data Loss Prevention (DLP) Program. After the 2006 theft of a Department of Veterans Affairs laptop, the State Department moved to raise its security posture around its most valuable asset, information, so that it could operate more securely day to day. The program itself is a department-wide capability to identify and minimize the inappropriate transmittal of sensitive information, but the State Department needed a tool, and that is where the cyber task force came together. The Symantec DLP tool consists of systems and products that identify, monitor and protect potentially sensitive data, at rest, in motion and in use, so that sensitive information does not leave the department inappropriately.
- Data at Rest – data contained in storage and content repositories (servers)
- Data in Motion – data traffic on the network (emails, instant messaging, web traffic)
- Data in Use – data located where a user can manipulate it (copy to a USB drive, send to a printer, paste into a document)
The DLP tool will find the data and capture what needs to be captured, but human interaction is still required. When employees begin thinking of the tool as a business tool rather than an IT security tool, they will be fully engaged at every stage of its rollout, creating a holistic, secured community, Galloway noted.
Durbin later walked audience members through the anatomy of a breach. Incursion is the point at which attackers break into a network, delivering targeted malware to vulnerable systems or to people. Discovery follows: attackers map the environment, find valuable information and access unprotected systems. During capture they collect that information over an extended period of time. Ultimately, exfiltration occurs, when the captured information is sent back to the attack team's home base for analysis, further exploitation or fraud.
By actively monitoring data, agencies can interrupt this cycle and begin to recognize abnormal activity (flagging outbound activity for investigation), but that is hard to do by manually reading through logs. With a DLP strategy laid out in ten steps, employees can protect data across endpoints, network and storage. The ten steps are:
- Identify the appropriate data owners
- Locate all of the places where sensitive data resides
- Tag your sensitive data
- Monitor/Learn how sensitive data is typically used by your workforce
- Determine where sensitive data goes
- Implement automatic “real-time” methods to enforce your CISO approved data security policies
- Educate your sys admins as well as your end users about sensitive data security
- Reduce excessive sys admin privileges to the minimum each role needs
- Wrap additional security around sensitive data
- Halt data leaks before spillage occurs
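Steps 3, 4, 6 and 10 above (tag sensitive data, watch how it moves, enforce automatically, halt leaks before spillage) are what a content-inspection DLP policy actually does. The following is an added illustration written for this page, not Symantec DLP code and not the State Department's rules: a toy policy engine that classifies content by SSN pattern, classification marking, or a hypothetical `[DLP:<label>]` tag that data owners have applied, decides allow/alert/block from where the data is headed, and then counts per-user blocked sends so that a "low and slow" pattern shows up even when each individual event looks small. The internal domain `agency.example`, the user names and the sample events are all constructed for the example.

```python
"""Toy content-inspection DLP policy engine (added illustration, not Symantec DLP)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Detection rules. SSN pattern excludes area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MARKING_RE = re.compile(r"\b(SBU|SENSITIVE BUT UNCLASSIFIED|CONFIDENTIAL)\b", re.IGNORECASE)
# Hypothetical marker a data owner applies when tagging a document (step 3).
TAG_RE = re.compile(r"\[DLP:(\w+)\]")

INTERNAL_DOMAIN = "agency.example"   # hypothetical agency domain


@dataclass
class Event:
    """One observed movement of data: who, over which channel, to where, what."""
    user: str
    channel: str        # "email", "web" or "usb"
    destination: str    # mail address, host name, or drive letter
    content: str


@dataclass
class Verdict:
    action: str                              # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)


def classify(content):
    """Return the set of sensitivity findings in a piece of content."""
    findings = set()
    if SSN_RE.search(content):
        findings.add("ssn")
    if MARKING_RE.search(content):
        findings.add("marking")
    for m in TAG_RE.finditer(content):
        findings.add("tag:" + m.group(1).lower())
    return findings


def is_external(event):
    """Does this event move data outside the agency boundary?"""
    if event.channel == "usb":
        return True                          # removable media always counts as leaving
    if event.channel == "email":
        domain = event.destination.rsplit("@", 1)[-1].lower()
        return domain != INTERNAL_DOMAIN
    host = event.destination.lower()
    return not (host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN))


def evaluate(event):
    """Apply the policy: sensitive + external -> block, sensitive + internal -> alert."""
    findings = classify(event.content)
    if not findings:
        return Verdict("allow")
    if is_external(event):
        return Verdict("block", sorted(findings))
    return Verdict("alert", sorted(findings))


def review_stream(events, threshold=3):
    """Evaluate every event and flag users whose blocked external sends reach threshold.

    This is the "low and slow" check: each send may carry one record, but the
    per-user count over the whole stream is what exposes the pattern.
    """
    verdicts = [evaluate(e) for e in events]
    blocked_per_user = defaultdict(int)
    for e, v in zip(events, verdicts):
        if v.action == "block":
            blocked_per_user[e.user] += 1
    flagged = sorted(u for u, n in blocked_per_user.items() if n >= threshold)
    return verdicts, flagged


# Constructed sample events for the example.
SAMPLE_EVENTS = [
    Event("alice", "email", "bob@agency.example", "Bob, here is the case file. [DLP:PII] SSN 123-45-6789"),
    Event("alice", "email", "partner@contractor.example", "Quarterly newsletter draft"),
    Event("mallory", "email", "drop@mail.example.org", "SBU: travel roster attached"),
    Event("mallory", "usb", "E:\\", "123-45-6789 234-56-7890"),
    Event("mallory", "web", "paste.example.org", "[DLP:pii] batch 3"),
    Event("carol", "web", "share.agency.example", "CONFIDENTIAL project notes"),
]

if __name__ == "__main__":
    verdicts, flagged = review_stream(SAMPLE_EVENTS)
    for e, v in zip(SAMPLE_EVENTS, verdicts):
        print(f"{v.action:5s} {e.user:8s} {e.channel:5s} -> {e.destination:28s} {v.reasons}")
    print("users flagged for repeated blocked sends:", flagged)
```

Two design points worth noting. The verdict depends on destination as much as on content: the same tagged case file is only an alert when alice sends it to a colleague but a block when mallory pastes it to an outside host, which is what "monitor how your workforce typically uses sensitive data" buys you in step 4. And `review_stream` is deliberately separate from `evaluate`, because the per-event decision is what the endpoint or mail gateway enforces in real time, while the per-user aggregate is what the security operations team reviews to catch the attacker who never trips a single large threshold.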
Learn more about how you can align your agency’s policies to Symantec’s DLP Tool to protect your data by viewing the on-demand version of the online training here.