Varonis’ CEO, Yaki Faitelson, and Nth Generation vCISO, Rich Lindberg, had the pleasure of recently catching up in a face-to-face exchange. They discussed ransomware and strategic approaches that organizations can utilize to manage this growing threat. This article stems from their recent conversation.
Information drives nearly every organization today – and we've become totally reliant on it. Data and Information Technology (IT) provide competitive advantages for organizations. The same factors that drive revenue can also become their critical risk. Data management means transmission, transformation, storage, and access while deriving value. Disruption of any part of these functions may grind an organization and revenue to a halt.
Today’s cybercriminals employ ransomware attacks to turn data dependence against us. These attacks continue to grow more lucrative – which further fuels the ransomware cycle – as attackers ask for and receive ever higher crypto-currency bounties from victims.
Modern ransomware attacks are frequently two-pronged: (1) they threaten to expose sensitive data, and (2) they encrypt data to disrupt business processes. IT systems can be reinstalled or replaced with time and money, but lost data is irreplaceable. Data can never be unexposed once leaked or posted to the dark web by attackers.
Given today’s data dependence, a ‘data-first’ approach to security is an effective and smart way to protect an organization from cyber threats. When security efforts match business priorities, it’s much easier to manage the tension between productivity and security. People need to create and share data to be productive. However, without the right controls, the blast radius (all the damage an attacker can yield) becomes unacceptably large and your critical digital assets become a liability.
What is a data-centric approach?
A data-centric approach addresses requirements relevant to the data you need protected. By looking at the world through data-centric lenses, organizations begin paving the way to attain effective data confidentiality, integrity, and availability (the well-known CIA triad), as well as competence.
Varonis and Nth Generation subject matter experts typically start a data-centric security conversation by focusing on three questions:
Where is your important data and how is it stored?
How does it move?
Who needs to access it?
The more confidence an organization has in the answers to these interdependent questions, the safer their data becomes. Let’s spend a little time on each one.
Where is your important data, and how is it stored?
Organizations are centralizing data storage in a combination of on-premise and cloud data stores accessible from more places and devices. These “sanctioned” data stores continue to grow in number and in volume while endpoints, such as phones and laptops, increasingly rely on centralized stores for business data.
If you’ve changed laptops or phones recently, you may have noticed you don’t have to spend time transferring files from an old device to the new one. The data is stored centrally in the cloud and available when you log into your new device after an automatic sync.
This is a huge productivity gain. However, it means these centralized, sanctioned data stores have become critical, and therefore more valuable, to your organization. They are also more attractive targets for cybercriminals.
In a ransomware attack, good decisions can’t be made without situational awareness. That means knowing what was stolen or encrypted in these central repositories: what was important and what needs to be recovered. This is what we refer to as data classification. It is the root of a data valuation process which sets prioritization for recovery in an attack.
How does it move?
Understanding how data moves in your enterprise requires a holistic view of the systems that interconnect storage, business systems, and users as data flows through trust boundaries. These flows must be clearly understood by stakeholders: business owners and/or executives, developers, DevOps, and system administrators. The complexity and dynamics of these flows require continual upkeep in documentation so stakeholders have up-to-date information and can stay effective in maintaining the organization.
Who needs to access it?
In most organizations, employees can access far more data than necessary. Understanding what data is essential and how it moves allows the business to safely revoke unnecessary access and reduce the blast radius of a ransomware infection. When an attack hits, attackers won't be able to steal or encrypt as much data with an account that's locked down.
When you start moving the data outward, you must protect accounts, underlying servers, infrastructure, applications, the network layer, and finally, the endpoints. It's much more of an inside-out model compared to the traditional, outside-in approach.
Gain situational awareness of your important data:
Automated alerts should notify your IT and security teams when suspicious activity takes place and requires further investigation. When alerts aren't tuned, however, they can overwhelm even the savviest IT and security staff. We've seen security teams spend years centralizing inputs and logs from just about every conceivable system, only to drown in noise from false alarms.
Data-centricity provides much-needed context that makes it possible to separate the signal – such as an alert that could be an early sign of a cyberattack – from the noise. Data-centricity also makes it possible to prioritize the alerts that matter most, ensuring the most vital signals are heard loudest and with the right insight, while giving other alerts new meaning.
Time for a data-centric approach:
Organizations that fall victim to cyberattacks are often left scrambling to find answers to critical questions while battling various challenges from angry stakeholders. With all the ransomware and cyberattacks in the news, now is the time to ensure your information security strategy is focused on the most pertinent and correct elements.
Even with all the complexity in today's threat environment, by keeping security focused on protecting the organization and what keeps it running [data], we can identify and prioritize data-centric strategies that enable productive controls. Overall, these approaches will help reduce the ransomware blast radius of an infected user, as well as detect, stop, and recover from ransomware attacks faster. This is a data-first mindset.