Expert Perspectives | 3 Min Read

The Last Integration: Why This Needs to Happen Now

It’s time to break down the silos that still separate data and threat protection so that threat security control points become fully data-aware

Across the cyber security industry, most companies have kept their data protection and threat protection technology stacks entirely separate.

The threat protection stack doesn’t know about the data; it looks for indicators of compromise. Threat protection technologies cannot tell whether a file being sent outside a company is a picture of someone’s kid or the latest source code for a new project. These tools focus solely on signs of an active threat. The data protection stack knows whether the information is indeed the latest source code, but it doesn’t know whether the person emailing it is a threat. Both technologies are fighting the good fight, but in silos, so each sees only half the picture. One side thinks in indicators of compromise: files, hashes, URLs and IP addresses. The other asks, “How is the data classified? Does it contain personally identifiable information?”

It’s time to break down the silos and put it all together.

Take data loss prevention (DLP), encryption and multi-factor authentication tools, for example. DLP is the brain of protection. It understands the data. It knows whether a file contains personally identifiable information or proprietary source code. DLP is intelligent; however, it doesn’t actually protect the data, it only blocks the user from sending it. Don’t share that file. Don’t send that email. DLP is Captain “No.”

Encryption, on the other hand, is very good at protection; however, it has no way to differentiate between sensitive data that must be encrypted and data that doesn’t need to be. So, companies encrypt everything from a picture of an employee’s kids to a confidential document. Multi-factor authentication is another tool that is good at protecting access to sensitive data, but once it grants a user access, it steps out of the way. It no longer protects anything pertaining to that user. What if we brought these three tools together so that they automatically talked to each other? What if DLP were the brain of encryption and encryption became identity aware? DLP would tell encryption whether a file is classified. Encryption would encrypt that file, and only decrypt it if a user authenticated properly.

Another example is integrating DLP with endpoint protection tools. Endpoint protection can tell DLP to monitor an unknown or suspicious application because it could be a zero-day attack. Then, DLP can tell the endpoint tool, “That process is trying to access highly confidential data,” to which the endpoint tool responds, “I am going to stop it right now, because an unknown application should not be allowed to do that. It could be an advanced persistent threat, ransomware, etc.”

There is one more significant technology that serves as the glue binding these tools together – user and entity behavior analytics (UEBA). UEBA, which is the core of our Symantec Information Centric Analytics solution, provides a user-focused lens on who is interacting with sensitive data and how they are interacting with it. It blends the threat and data stacks, prioritizing which users need immediate investigation based on the value of the data at risk, associated vulnerabilities and the impact if the data were compromised.

Let’s say “Jane” typically emails “Bob” payroll information because they both work in the payroll department. But one day “Jane” emails payroll information to someone outside the company. DLP would block the information from leaving and tell encryption to encrypt the data. UEBA would flag Jane’s unusual behavior, compare it to the behavior of her peers such as Bob and to her overall business unit, and prioritize the alert as highly critical so investigators know to follow up with Jane immediately.
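The Jane and Bob scenario, worked through as an added example (not code from the original post or from any Symantec product): a toy scoring routine that takes the DLP classification label attached to an outbound email, baselines each user against their own history and against their peer group, and weights the anomaly by the sensitivity of the data involved. The sensitivity weights, the corporate domain, the priority threshold and the email events are all constructed for illustration.

```python
"""Added example: a toy data-aware UEBA check over constructed e-mail events.

It combines a DLP-style classification label with a per-user and peer-group
behavioural baseline, then weights the anomaly by the sensitivity of the data.
All names, labels, weights and events below are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed sensitivity weights a DLP policy might assign to its labels.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3, "payroll": 5}
INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain
CRITICAL_THRESHOLD = 10  # assumed cut-off for "investigate now"


@dataclass(frozen=True)
class EmailEvent:
    sender: str
    recipient: str
    classification: str  # label the DLP engine attached to the content
    peer_group: str      # business unit used for peer comparison


def is_external(address: str) -> bool:
    """True when the recipient is outside the corporate domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def behaviour_key(event: EmailEvent) -> tuple:
    """What we baseline on: which data class goes where (inside vs. outside)."""
    return (event.classification, is_external(event.recipient))


def build_baselines(history):
    """Count past behaviours per user and per peer group."""
    per_user = defaultdict(Counter)
    per_group = defaultdict(Counter)
    for e in history:
        per_user[e.sender][behaviour_key(e)] += 1
        per_group[e.peer_group][behaviour_key(e)] += 1
    return per_user, per_group


def novelty(event, per_user, per_group) -> int:
    """0 = this user has done it before, 1 = only peers have, 2 = nobody has."""
    key = behaviour_key(event)
    if per_user[event.sender][key]:
        return 0
    if per_group[event.peer_group][key]:
        return 1
    return 2


def dlp_verdict(event) -> str:
    """The data stack's own decision: block sensitive data leaving the company."""
    if is_external(event.recipient) and SENSITIVITY[event.classification] >= 3:
        return "block"
    return "allow"


def evaluate(history, event) -> dict:
    """Blend both stacks: the DLP verdict plus a data-weighted behavioural risk."""
    per_user, per_group = build_baselines(history)
    exposure = 2 if is_external(event.recipient) else 1
    risk = novelty(event, per_user, per_group) * exposure * SENSITIVITY[event.classification]
    if risk >= CRITICAL_THRESHOLD:
        priority = "critical"
    elif risk > 0:
        priority = "review"
    else:
        priority = "none"
    return {"dlp": dlp_verdict(event), "risk": risk, "priority": priority}


# Constructed history: Jane and Bob routinely exchange payroll data internally.
HISTORY = [
    EmailEvent("jane@example.com", "bob@example.com", "payroll", "payroll-dept"),
    EmailEvent("bob@example.com", "jane@example.com", "payroll", "payroll-dept"),
    EmailEvent("jane@example.com", "bob@example.com", "payroll", "payroll-dept"),
    EmailEvent("bob@example.com", "hr@example.com", "internal", "payroll-dept"),
]

# Constructed new events to score against that history.
JANE_EXTERNAL = EmailEvent("jane@example.com", "someone@gmail.com", "payroll", "payroll-dept")
BOB_ROUTINE = EmailEvent("bob@example.com", "jane@example.com", "payroll", "payroll-dept")
JANE_INTERNAL = EmailEvent("jane@example.com", "hr@example.com", "internal", "payroll-dept")

if __name__ == "__main__":
    for label, ev in [("Jane -> external (payroll)", JANE_EXTERNAL),
                      ("Bob -> Jane (routine payroll)", BOB_ROUTINE),
                      ("Jane -> HR (internal, peers do this)", JANE_INTERNAL)]:
        print(label, evaluate(HISTORY, ev))
```

The point of the blend is visible in the scores: Jane's external payroll mail is both novel (neither she nor her peers have done it) and high-value, so it is blocked by the DLP rule and lands at the top of the investigation queue, while Bob's identical-looking payroll mail to Jane scores zero because it matches his own baseline. Jane's first internal-labelled mail to HR is new for her but normal for her peer group, so it is allowed and only queued for review.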

This is called the last integration. If you think about it, all threats have one thing in common that they cannot hide: they want to steal critical information. Threat security control points should be data-aware to be able to block access to confidential data, so a potential threat cannot do anything with it.

About the Author

Nico Popp

Senior Vice President, Information Protection

Nico Popp is Vice President of product management and development for Information Protection at Symantec. Information Protection comprises Symantec Data Loss Prevention, User Authentication and Encryption services.
