CSO Perspectives 8.24.20
Ep 19 | 8.24.20
Data loss protection: around the Hash Table.
Transcript

Rick Howard: George Washington is famous for maybe being the Founding Father who had the most impact in creating the new United States. He was the general that defeated the British. He was the first president. He held sway over the fighting John Adams, Alexander Hamilton and Thomas Jefferson. And he stepped down when he likely could have been king. But what many people forget is that when he was commanding the American forces against the British, he was a sly old fox. As the lyrics in the Broadway show "Hamilton" explains, he was up against it. He was indeed outgunned, outmanned, outnumbered and outplanned (ph). Here is Leslie Odom Jr., playing Aaron Burr, and the rest of the Hamilton cast introducing Washington, played by Christopher Jackson, in the Broadway show.

(SOUNDBITE OF SONG, "RIGHT HAND MAN") 

Leslie Odom Jr: (As Aaron Burr, singing) Ladies and gentlemen. 

Unidentified Actors: (As characters, singing) Here comes the general. 

Leslie Odom Jr: (As Aaron Burr, singing) The moment you've been waiting for. 

Unidentified Actors: (As characters, singing) Here comes the general. 

Leslie Odom Jr: (As Aaron Burr, singing) The pride of Mount Vernon. 

Unidentified Actors: (As characters, singing) Here comes the general. 

Leslie Odom Jr: (As Aaron Burr, singing) George Washington. 

Christopher Jackson: (As George Washington, singing) We are outgunned... 

Unidentified Actors: (As characters, singing) What? 

Christopher Jackson: (As George Washington, singing) ...Outmanned... 

Unidentified Actors: (As characters, singing) What? 

Christopher Jackson: (As George Washington, singing)...Outnumbered, outplanned. 

Unidentified Actors: (As characters, singing) Buck, buck, buck, buck, buck. 

Christopher Jackson: (As George Washington, singing) We got to make an all-out stand. Ayo (ph), I'm going to need a right-hand man. 

Rick Howard: How about that? A dusty, historic commanding general getting an ovation from the audience that is normally reserved for rock stars. You haven't seen the play yet - you are missing out. 

Rick Howard: But Washington knew if he was going to have any hope of fending off the British, he was going to have to use every trick in the book, and one of his go-to plays was deception. He did this on multiple occasions, but my favorite example was at the battle of New York, where Washington basically got his butt handed to him by the British and Hessian forces. The British generals thought, at the end of the day's fighting, that the next day would be the end of the war, that they were basically going to perform mop-up operations because Washington's forces were utterly defeated. 

Rick Howard: But according to the History website, in the evening of August 29, 1776, Washington told his units to light campfires across the front of his positions to set a small guard force to walk in front of the fires to get noticed. And then he proceeded to sneak 9,000 soldiers, their equipment and the supporting artillery in the middle of the night across the East River to safety. When the British generals woke up on the next morning, Washington had vanished - poof - and they were astonished at the audacity of the move. Outgunned, outmanned, outnumbered, but maybe not outplanned. And deception played a key part. The question we want to answer today is, should deception be part of our first principle strategy to reduce the probability of material impact due to a cyber event? 

Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. Today, we are talking to four cybersecurity thought leaders about their data loss protection experiences in the real world. 

Rick Howard: Before we go too far, we should perhaps clarify some terms. I mean, when I was starting to look into this topic, I kept indiscriminately using two phrases as if they meant the same thing. In one instance, I would say DLP stands for data loss protection, and in the very next instance, I would say that DLP stands for data loss prevention. Back in 2010, Gartner was calling it data loss protection, but today, they seem to have consolidated their thoughts around data loss prevention. From the commercial vendor perspective, they mostly call it data loss prevention. 

Rick Howard: As I was reading through the various frameworks and standards, I couldn't find a definitive source one way or the other, though. So I decided to myself that they meant the same thing. Well, as common in my career, I was absolutely wrong. Thank goodness I got a chance to sit at the hash table with Dawn Cappelli so she could set me straight. She is the VP of global security and CISO for Rockwell Automation and a very old friend of mine. 

Dawn Cappelli: We use our DLP technology in both modes. So we use it in one way for our highest-risk users. So users that have access to our crown jewels, we use DLP in prevent mode, which means if you - for instance, if you work on our source code, any data that comes out of the source code repository you cannot put onto a USB drive. You cannot email it out of the network. You cannot move it to cloud. It's totally prevent. But for everyone else in the company, it's protect. 

Rick Howard: In other words, for her material data, the data that would impact the business significantly if it ever got out, and all of her employees who have access to it - all of that falls under a program of prevention, with stringent controls designed to prohibit that information from leaving its hermetically sealed infrastructure. And that makes total sense and falls completely in line with our first principle thinking - that we are trying to prevent material impact to our organization. It goes without saying, then, that our data loss prevention program should focus only on our material data. 

Rick Howard: Gary McAlum is another old military buddy of mine - Air Force but, you know, we won't hold that against him. He is the CSO for USAA and has been there for a whopping 10 years. That is a long time for a CSO to be in one job and is a testament to how valuable the USAA leadership team thinks he is. When he met me at the hash table, he said this about material data. 

Gary Mcalum: And I would say, for any organization, you know, they should have some sense of data classification, right? In a regulated organization like a financial services company, you definitely have to be able to identify what is your sensitive data, ensure that it's properly classified and properly protected, whether it's, you know, at rest, in motion - right? - whatever the case may be. And so not all information is equal, and so there's some information - non-PII, non-PCI nonintellectual property - which is just, you know, information of questionable value or little value, right? So if you try to protect everything at the same level, you probably will not be very successful. So you do have to have some level of granularity in your data classification program. And so it really starts with understanding your data. What is the sensitive data? Is it properly classified? Is it properly protected in various states? And do you know where it's at within the organizational boundaries of your network? 

Rick Howard: Nikk Gilbert is yet another military veteran - Navy this time. I have known him for years. He made his cybersecurity mark in the commercial sector helping the oil and gas industry. Today, he is the chief information security officer for Cherokee Nation Businesses, and he agreed with Gary. 

Nikk Gilbert: You know, the first question you have to ask yourself is, you know, OK, so I'm in an organization. What are the crown jewels of my organization? What am I really trying to protect? You know, in a financial services company, it's going to be the financial records, the customer data, you know, how many customers you have. You know, in a manufacturing company, it's probably your research and development people you want to protect because you're - and your manufacturing processes and things like that. So you really have to understand the company. And then you can, you know, create a DLP strategy to match that. 

Rick Howard: But when it comes to the other DLP, the data loss protection, Nikk views that function to be less about cybersecurity fundamentals and more about business process improvement. This is more about best practices for data in general, not necessarily preventing material impact to the company. 

Nikk Gilbert: I've worked for several organizations where I've deployed DLP. I think DLP, if looked at in the right way, is a valuable tool to the overall enterprise not just for - from a data protection perspective, but also from a process improvement perspective. So what I found is that 90-plus percent of the anomalies that occur through your DLP detection software or process program strategy, whatever you want to call it, is - are usually operational improvements. So there's two pieces I look at. I look at the operational improvement part, and then I look at the actual protection of data - keeping in the data within the organization and making sure that, you know, if data does go out of the organization, it's protected. That's important. So, you know, obviously, keeping your information secure and knowing where it's going and who's doing what with it is extremely important. 

Nikk Gilbert: The really key things that I've found over the last decade or so when I deploy this type of technology is - as I said, 90% of it's operational improvement. And what I mean by that is - I remember in a company some time ago I was at when we deployed it, some of the first things that we discovered were just processes that people were doing that, you know, weren't necessarily nefarious. They just - it's just how they always had done it. You know, we had one group of - one part of the organization who had been backing up their data on portable USB drives. And, you know, it's sensitive information. And, you know, once we had our DLP software deployed, we saw this happening. And we're like, oh, this is interesting. But as it turned out, you know, it was a process that they'd been doing for years and years and years. 

Rick Howard: And these best practices are not ironclad. They are more like safety bumpers that you might see at a bowling alley so that your kids don't throw gutter balls every time. But as my kids used to do, if you really wanted to, you could defeat those bumpers. 

Nikk Gilbert: There's always going to be some smart guy who's like, OK, well, if I encrypt this and then I wrap it in this zip file and then I do this with it, I can bypass all of your DLP. Oh, yeah, sure. OK, buddy. You know, more power to you, but I'm worried about the 99% of the other employees who aren't that savvy or - and if I catch you doing that, you're going to be in trouble, you know? Malicious and - you know, like I said, the percentage of malicious employees within organizations is far less than most people think. Operational improvements are really what you're going to get with DLP and protecting users from just making just silly mistakes that they wouldn't normally do if they thought about things for a little bit more than, you know, a few seconds. 

Nikk Gilbert: I think there's still going to be that, you know, small percentage of employees who may be trying to do something they shouldn't - like I said, relatively small. But I think there's going to be a larger amount of employees who are going to be doing stuff that they - you know, the non-malicious, you know? They accidentally - they didn't think about it. 

Rick Howard: Which brings us back to the difference between data loss prevention and data loss protection. Tom Quinn is the chief information security officer at T. Rowe Price and has been with the firm for over four years. When I sat him down at the hash table, he was quick to point out that a DLP vendor solution is pretty good for a general-purpose data loss protection program. But for data loss prevention, you need humans in the loop deciding what is material and what isn't. 

Tom Quinn: I think that the concept of materiality is tough for computers to divine. So now you need humans - right? - to make decisions about materiality, which is fine, right? I think humans probably - you know, an informed human probably really does understand materiality. And the reason why I mention that is I think coarse-grained controls generally are helpful. You know, they are effective. And it does allow you - and I agree with you that you - you know, you should apply this - you know, this kind of, you know, DLP control for copy, paste, print access, you know, those kind of things, to really small amounts of data that you believe are important. But I think the thing for it is you also - I believe you also need to invest in humans who will know what that is. And that goes to the heart of data management, data inventory, data tagging and alike. I - the concept of materiality I think is important, but I think the challenge may be, you know, that there's a lot of work in designing systems, processes and technology to really enable those things to happen in a sustaining way. 

Rick Howard: Like Tom said, when you design these things, these data loss prevention programs and data loss protection programs, you are clearly going to think about process and technology. From the commercial vendor side, you have DLP or data loss prevention solutions. According to Josh Fruhlinger over at CSO Online, these solutions look at data as it transits your network or sits on your devices. Features include rule-based matching like looking for Social Security numbers, fingerprinting or looking for user-supplied structured data, file name matching and machine learning to identify sensitive data. 

Rick Howard: For what they do, they are pretty good at traditional perimeter protection, like web traffic and email, but check your vendor before you buy. Make sure they cover your other data islands like SAS and hybrid cloud deployments and employee devices. Also, from the commercial vendor side, you have tools called UEBA, or user and entity behavioral analytics. Here is Dawn explaining what these tools do. 

Dawn Cappelli: So UEBA is user and entity behavioral analytics. Basically, it's a tool that you can bring in diverse data sources and integrate them together, sort of on the order of a SIM, but it's people-based or entity-based. So you can go into Dawn Cappelli and look at all of my activity from all of these various logs, and you can bring in contextual data about the person or about the organization. So for instance, my termination date - if I have a termination date set, that greatly increases my insider risk. And so the risk models, once they see a termination date set, it increases my risk score, especially if there's any suspicious activity associated with me. 

Dawn Cappelli: You also can build watchlists. If you have something happening in your organization, like a reduction in force, you can integrate that into those risk models. So it's a very comprehensive technology for an insider risk program.  

Rick Howard: Like other security services, you can get UEBA functionality from on-prem devices and from SAS providers. But the market for UEBA has been shifting these past few years, and, more and more, you're starting to see UEBA functionality from the SIM vendors. 

Rick Howard: Since I've been doing this network defender business, DLP has never been the top priority tool for me. My priorities were always zero trust, intrusion kill chains, resilience and the supporting strategies that made those go. For me, DLP was always at the bottom of the list. If I got all the other stuff done, I would think about DLP, which begs the question, do you need it? Is it critical? The opinions across the hash table this week were mixed. Here's Gary McAlum, the USAA CSO. 

Gary Mcalum: I think that the challenge is there is a category of software known as DLP, or data loss prevention, which is very specific to that function. But when you stop and think about it, any organization's security technology stack is designed to do several things, but one of the things that it's really designed to do is prevent and detect and respond around data leaving the organization. That's one of the functions. And so in a way, you could say our entire security technology stack is designed to do that, which is, essentially, true. But there is a type of software that, you know, helps you do some very specific things around data loss prevention. 

Gary Mcalum: You still got to have firewalls. You still got to have IPSs. You still got to have IDSs. You still go to have WAFs. You know, all the things that you do in an organization - right? - you have to do, and it's designed around preventing unauthorized access to information. It's designed to ensure availability. It's designed to ensure the privacy and confidentiality of information, and it's also designed to make sure that the stuff doesn't leave the organization's boundaries, whatever those boundaries are, whether it's the endpoint or the network or the S3 bucket, whatever the case may be. 

Rick Howard: Tom Quinn, the T. Rowe Price CISO, agrees with Gary but has mixed feelings about the intended purpose. He worries that you have to build an entire companywide process to facilitate the tool. 

Tom Quinn: What I've certainly taught to my team and other leaders at the firm is, you know, if we - if the security people had the ability to leverage, you know, functioning inventories that had high fidelity and that, you know, data was tagged and labeled, you know, in a way, right, that it was very explicit about what it was and how it should be handled, computers can do a great job of routing that stuff, you know, to the right places or applying policy. You know, like, the easy part, right, is applying a policy enforcement tool. When you've got that kind of knowledge or metadata associated with information, I think the challenge is, in some cases, you know, we're fumbling around, making imprecise decisioning based on ephemeral data, right? I think that's a real challenge. So yeah, again, I think if the - you know, generally, labeling and inventory was dramatically improved, data loss prevention is just background capability infrastructure that just enables and facilitates what needs to happen. 

Rick Howard: Dawn Cappelli from Rockwell Automation disagrees. She says that in the age of being able to store voluminous telemetry data derived from your company's networks, it makes no sense to rely only on the traditional blocking strategies that you might get from intrusion kill chains or zero trust. You don't rely on DLP alone, either. You need a hybrid approach. 

Dawn Cappelli: You know, it all comes down to balancing security versus productivity, and if you lean too much on the preventive controls, then you start impacting your employees' ability to do their work. That's why we've taken this dual approach that - there are some people that they should never be able to move certain kinds of information anywhere. And so them, we lock down. But for everyone else, we need to know what they're doing. But we can deal with it with quick detection and response. But without DLP, I think you'd have to prevent. You'd have to lock down. And that's really hard to do and still let people get their jobs done. 

Dawn Cappelli: I hate to say it, but we're making it up as we go, you know? I - the biggest complaint about DLP is if you use it in a vacuum, you are going to be overwhelmed with false positives because, just like I said, there are people that have to - they have to email - you know? We email our competitors because we're working on a joint customer project together. So you can't block emails to competitors. We have to put things on USB drives. You - without having that contextual data and the anomaly detection that you get with the UEBA tool, I think DLP all by itself is very difficult because of the false positives. 

Rick Howard: Besides DLP, there are other data protection technologies that can help. Encryption comes to mind. I always thought that if you just encrypted everything, most of your data protection problems would just go away. Nikk Gilbert, the Cherokee Nation Businesses CISO, agrees. 

Nikk Gilbert: Encrypt everything, man (laughter), everything. I don't care what it - I would have every single thing encrypted, even keyboard strokes, if possible. I mean, it's so cheap and so easy and so - I mean, if you're an organization today and you don't have your laptops encrypted, then I'm sorry. You're asking for trouble. And I'm talking like 2002, 2005. There was a lot of pushback because, you know, we're still on Pentium II or Pentium III back then I think, you know? Nowadays, with the processor speeds and the way that software is developed, there is no excuse not to have your everything encrypted end to end. I wouldn't - can't say that enough. 

Nikk Gilbert: I mean, every time I think or look at a product, you know, I'm thinking, OK, all the different, you know, places it's going to touch, is it encrypted, encrypted at rest, is it, you know, encrypted in use, is it encrypted in transit, you know? All those different things are so important, and it's such a low bar. Now, again, obviously, there's some bad guys out there that are going to be able to side-channel or break or intercept or whatever have you. But, you know, we're talking about the majority here, you know? If you're - if you've gotten the attention of a nation-state, you've got bigger problems. 

Rick Howard: Tom Quinn, the T. Rowe Price CISO, agrees but has some reservations about encryption performance and impact on users. He says that most data doesn't need to be encrypted at all. 

Tom Quinn: So, one, I agree. I think encryption is one of many tools that can be applied, you know? And, certainly, you know, for data loss prevention, it is effective in certain scenarios. I think, you know, the work that needs to be done or the work that needs to be considered is, you know, whether performance implications, you know, for the systems may have them, whether the business process implications for having, you know, data encrypted and potentially not being able to be available. And I think that there is a lot of - you know, just throwing encryption as a solution is not the right approach. At least, I don't believe it's the right approach. I think, you know, using it where it makes sense is key. And I'll give you an example, right? I think, you know, most data in many cases, you know, may not need to be encrypted at all. Like, you know, the lunch menu doesn't need to be encrypted. Maybe your public website information may not be - need to be encrypted. 

Tom Quinn: So, you know, I think it should be used judiciously and where it needs to be. And in some cases, it's not maybe even the information that needs to be encrypted; it could be a key or a reference that when you join bits of information together really tell you a story. So I think those are all things that need to be considered. But, again, encryption is just one of many tools in the tool belt that should be applied. And, you know, when you use encryption, there's implications for doing it. And, again, some of that could be availability of the data, performance of the data and alike. And in some cases, it may be, you know, in some countries, you know, you may need to provide encryption keys to regulators and national governments. So, you know, and if that's the case, what role is encryption playing if lots of people have the keys to unencrypt it? 

Rick Howard: Another way to protect your data is with tokenization. According to Mike Riesen over at SecurityMetrics, tokenization is the process of substituting sensitive data in large data sets with dummy data. He says, and I'm quoting here, "the whole point of tokenization is to limit the usage and storage of plain text sensitive data to as few places in your environment as possible," end quote. He says that systems come in two flavors - reversible and irreversible. Gary McAlum at USAA agrees. 

Gary Mcalum: That's why things like data masking or data tokenization is so important from, you know, an end-to-end perspective. It goes back to the source of the stream, if you will, upstream, right? That happens, you know, really in the - at the system of record level, where that information, you know, can be - I call it, you know, transformed to a safe piece of data that it doesn't reflect - right? - the underlying sensitivity of the information, right? Data masking is another way to do that. Never let the full Social Security number get passed all the way to the end-user application. So you know, tokenization, substituting, you know, one thing for something else - right? - so that you still pass the field but you're not passing the real sensitive information. 

Gary Mcalum: Believe me - data labeling is still really important, and we've been on a journey in my organization for some time now to ensure that, you know, for example, email traffic - right? - that that, you know, that has to be labeled appropriately so that you can ensure that it doesn't leave an organization or it doesn't get to somebody who's not authorized to have it. That includes attachments, includes all those documents that, you know, you open up like PowerPoint briefings and spreadsheets, right? All of those things have to get properly labeled based on a data classification policy. 

Rick Howard: When I started this show, I was bragging about the general badassery of General George Washington and his use of deception against the British in order to escape and live to fight another day. In the previous episode of this show, I mentioned that standards documents from NST and from Forrester have recently started including the idea of deception as key planks to any data loss prevention program. I was interested to see if any of our subject matter experts thought so, too. Here's Tom Quinn again from T. Rowe Price. 

Tom Quinn: So maybe a couple of points there - one, deception technology, you know, has a variety of techniques and tools that you can use, and, certainly, deception networks, right, are - is one of them. And I think there's some value in that. I would be mindful, right, that if you have limited resources and limited budgets and you may be lower maturity on your technology or controls program, you may want to, you know, hold off on that but, you know, and, again, like, if you're having basic problems, like you can't patch your systems, or basic problems, like, you know, you're unable to scan your software, right? 

Rick Howard: Nikk Gilbert says that his team experiments with the tech, but that's about it. 

Nikk Gilbert: In the past, I've had honey pots deployed to kind of, you know, get a feel for what's going on out there. The majority of time, it's employees playing around, you know, IT employees specifically (laughter). But, you know, there's always sleight of hand in deception technology that's available for this kind of thing. But I - other than honey pots, I haven't used any. 

Rick Howard: The bottom line here is that the commercial vendors in the space have made the business of deploying deception networks really easy. But the care and keeping of them is still pretty tough, especially if your infosec organization is starving for resources. For them, deploying deception technology is probably not the first thing that you would reach for. If you haven't deployed a stable zero trust, intrusion kill chain and resilient strategies, then deception networks aren't going to help you. Here's Gary McAlum with the last word on deception. 

Gary Mcalum: I would say for organizations that have a very mature, controlled environment, right, multilayered, defense-adapted, it's strong. You know, I think that deception can be, I think, an extra arrow in the quiver. I wouldn't overindex on that, right, depending on where you're at as an organization, but it's something I think that's - could be legitimate in a high-risk organization that is, you know, definitely under attack. But when you realize, like most security technologies, you know, there's very little true plug and play - right? - it all requires implementation, tuning, optimization - right? - care and feeding, right? And, like anything else, if you can invest that kind of time into it - right? - it's an arrow in the quiver. But it's not a silver bullet, right? 

Gary Mcalum: And so - because you got to make it look like it's legitimately part of your network but it can't be too obvious, and it can't be too generic, right? Or it may not be - serve the purpose that it needs to, right? And then it still needs to be discovered, right, by somebody that finds it, right - either accidentally or through attempts. So, I mean, there's a lot of what ifs there. But again, do I think it's a legitimate arrow in the quiver of an organization security model? Yeah, I think so, depending on the organization. 

Rick Howard: One final note - I was listening to "The Lawfare Podcast" this week. The hosts, Evelyn Douek and Quinta Jurecic, interviewed Alec Stamos, the former Yahoo and Facebook CSO, about influence operations. It was fascinating. And it is not what you think. What we saw in 2016 is not what we are seeing today. But at the very end of the interview, the host questioned Alex about the current kerfuffle about the acquisition and customer access of the Chinese company TikTok. He said that there is a real threat to Chinese-owned apps, that TikTok is probably not that serious, but others are. And if you are a large tech platform, and you are not actively considering large countries as your adversaries in building them into your threat model and taking specific operational and technical steps to keep them out of your data, then they have access to that data. If you are not actively stopping them, they are stealing that data. 

Rick Howard: That has been my experience, too. If you are an international company doing business in countries like China, the Chinese government is actively trying to infiltrate you. If that isn't a good reason to deploy a data loss prevention program, I don't know what is. 

Rick Howard: And that's a wrap. Next week, we will be talking about identity management. You don't want to miss that. And in the meantime, if you agreed or disagreed with anything I have said in the last two episodes about data loss prevention, hit me up on LinkedIn, and we can continue the conversation there. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, and the remix of the theme song in the mix of this episode was done by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.