This white paper discusses adopting a "good shepherd model" for cybersecurity to minimize potential damage from data breaches. It recommends knowing where important data is stored, understanding its value, and protecting it accordingly. This involves four activities: 1) defensibly deleting low-value data to reduce investigation scope; 2) locating high-value records and moving them to secure repositories; 3) protecting high-risk private data with encryption and access controls; and 4) applying policies and audits to ensure only authorized users can access important data. Through these efforts, organizations can understand their data worth and reduce opportunities for breaches of important information.
Before the Breach: Using threat intelligence to stop attackers in their tracks
White Paper - Nuix Cybersecurity - US Localized
1. NUIX WHITE PAPER
WHITE PAPER
Four rules for minimizing the potential
for—and damage suffered from—data breaches
THE GOOD SHEPHERD MODEL
FOR CYBERSECURITY
By Stuart Clarke and Lee Meyrick
2. PAGE 2
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
CONTENTS
Executive summary.............................................. 3
The rewards and costs of cybercrime................... 4
People are the weakest link................................. 5
Malicious insiders.......................................... 5
Loss or theft................................................... 5
“Bumbling insiders”...................................... 5
Are outside attacks more effective?............... 5
Breaches are inevitable........................................ 6
Where is your data?............................................. 7
The “good shepherd” model................................ 8
Defensible deletion........................................ 8
Data herding.................................................. 9
Data security.................................................. 9
Access controls.............................................. 9
Case study:
Investigating a datacenter breach
the hard way.................................................10
A change of mindset............................................ 11
References.......................................................... 11
About the authors...............................................12
If we cannot prevent
malware from breaching
perimeter security or
information from leaking
outside our virtual walls,
how can we protect
important, high-value and
high-risk data in our care?
3. PAGE 3
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
EXECUTIVE SUMMARY
The high value and easy marketability of private data such as credit cards have made all
organizations that store customer information a target for cybercrime. There is also growing
evidence of widespread cyber-espionage targeting valuable intellectual property. The costs
of a single high-profile data breach can reach many millions of dollars.
And now for the bad news: Breaches are inevitable. Security researchers believe
determined attackers can infiltrate any perimeter security system and lodge malware within
organizations’ networks. However, the majority of incidents that lead to data being exposed
are from internal causes: Malicious insiders, loss or theft of devices, or simple errors by IT
and security administrators.
Knowing this is the case, organizations must adopt a new set of information security
disciplines to protect high-value and high-risk data:
• Knowing where important data is stored, understanding what it’s worth and making sure
it’s protected
• Reducing the delay between breaches and when they are detected
• Conducting rapid, thorough and effective post-breach investigation and remediation.
This paper will focus on the first discipline. It will examine how organizations can use
information governance technologies to reduce the costs and extent of cybersecurity
breaches by becoming “good shepherds” of their data.
These technologies can provide transparency into unstructured data so you can understand
what your data is worth and where your organization stores high-value and high-risk
information. You can achieve this through four activities:
• Defensibly deleting data that has no business value
• Locating high-value documents and intellectual property, and migrating them to
repositories with encryption, access controls and retention rules
• Protecting high-risk private and financial data with appropriate encryption and access
controls, and ensuring this information does not leak from controlled repositories
• Applying policies and conducting regular audits to ensure only authorized staff members
have access to important data.
Through these efforts, your organization can minimize the opportunities for malicious or
accidental breaches of important information. If you know where your data is, you can
respond efficiently to breaches by first targeting the high-risk storage locations. This in turn
means you can close information security gaps quickly before they can be exploited again.
4. PAGE 4
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
Many companies are simply buying more
cheap storage to house their growing data but not
taking the time to understand and manage it
THE REWARDS AND COSTS OF CYBERCRIME
Cybercrime has become highly rewarding. A single live credit card number, accompanied by accurate
identity details, can fetch up to US$100 on the black market.i
Private data is worth more to criminals
than most organizations could ever spend protecting it from them.
Rapid data growth, teamed with an increasing number of storage devices, cloud technologies and
“bring your own device” policies, are all increasing opportunities for data leaks. Many companies
are simply buying more cheap storage to house their growing data but not taking the time to
understand and manage it. This makes it harder to identify and control the business risks it contains.
The costs of data leakages can be vast. For example, in 2013 the UK Information Commissioner’s
Office increased the maximum fine it could hand out for data breaches from £5,000 (US$8,400
at time of writing) to £500,000 (US$840,000). The European Union’s General Data Protection
Regulation, which is currently before the European Parliament, would levy fines of up to 100 million
(US$137 million) or 5% of annual worldwide turnover for breaches of EU citizens’ privacy.
But fines are only a part of the total cost, which may include damaged company reputation, disaster
recovery costs, loss of intellectual property, a weakened competitive position and the negative
impacts on customers who were affected. The estimated total costs of US retailer Target’s credit
card breach in 2013 include $61 million of direct costs, consequential costs to third parties of up to
$400 million and a fall in Target’s stock price of 11%.ii
The value of the stolen credit card numbers to
hackers by comparison could be around $53.7 million.
A Ponemon Institute survey of 234 organizations in six countries, published late in 2013, found
the mean annual cost for cybercrime incidents was $7.2 million per organization, with a range of
between $375,000 and $58 million.iii
Looking at recovery costs alone, the survey found that cybersecurity attacks took on average 27
days to resolve, once they had been detected, with an average cost of just over $500,000 during
that time. Malicious insider attacks took 53 days, on average, to contain. The report showed that the
faster an organization resolved an incident, the less it cost overall.
According to Verizon’s 2014 Data Breach Investigations Report, around 90% of attackers were able to
compromise their targeted information asset within “days.”iv
However, only around 25% of attacks
were discovered within a similar timeframe. According to Mandiant’s report M-Trends 2014: Beyond
the Breach, during 2013 the median number of days attackers were present on a victim network
before they were discovered was 229.v
This was a slight improvement on the previous year, when the
median was 243 days.
5. PAGE 5
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
PEOPLE ARE THE WEAKEST LINK
People are the weakest link when it comes to protecting sensitive data. The Verizon report
found insider misuse, physical theft or loss and miscellaneous errors were responsible for
majority (57%) of cybersecurity incidents that left organizations’ data exposed.
Malicious insiders
Insider misuse most commonly involves privilege
abuse. This is where employees misuse the access
they have been granted to information assets—
which they need to do their day-to-day work—to
copy or remove information for unauthorized
purposes. This frequently involves copying
such information to USB devices, emailing it to
personal addresses or using it against company
policy—for instance, taking high-risk information
home to work on it over the weekend.
US Government contractor Edward Snowden was
the most high-profile incident of insider misuse
in the past year but far from the only one. For
example, the Ponemon study reported that 60%
of respondents said they knew a co-worker had
brought data from a previous employer.
Loss or theft
Physical theft or loss is as the name suggests.
The Verizon report found, interestingly, that
losses outnumbered thefts 15 to 1. And while the
stereotypical physical loss incident is a laptop
left on the seat of a train or taxi, the report found
almost half of all losses and thefts (43%) occurred
inside the office.
The scale of this problem is demonstrated by a
freedom of information request from security firm
McAfee to London’s public transit authority which
found that 15,833 mobile phones, 506 tablets and
528 laptops were handed in to its lost property
department in 2013.vi
“Bumbling insiders”
Miscellaneous errors are the result of “bumbling insiders”
rather than malicious ones. Breaches can often be the result
of IT admins incorrectly configuring security solutions or
access control settings.
Another common example is publishing errors, where
organizations accidentally post non-public information to
a public resources such as a web server. For example in
February 2014, the Australian Department of Immigration
and Citizenship inadvertently posted to its public website a
database of names and personal details of 10,000 asylum
seekers held in detention.
Breaches can also result from disposal errors, where
confidential information is thrown away without being
shredded, in the case of paper, or properly wiped, in the
case of digital assets.
Are outside attacks more effective?
It is worth noting that while these insider attacks and
errors were responsible for the majority of potential data
exposures, they only accounted for around 10% of confirmed
data loss incidents. This may be because professional
criminals are much better than amateur insiders at extracting
the information they seek. Sophisticated malware, once it
is inside the network, can give attackers all the access an
employee would enjoy. Or it may be that most incidents were
caught and fixed before anyone had an opportunity to exploit
them—as far as anyone knows.
The most effective cybersecurity attacks that resulted in data
loss were web app attacks (35%), cyber-espionage (22%)
and point-of-sale system intrusions (14%). The Verizon report
noted that a major theme of 2013 was attacks on point-of-
sale systems to extract credit card numbers.
6. PAGE 6
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
BREACHES ARE INEVITABLE
The Ponemon Institute survey estimated the respondent
organizations were victim to 1.4 successful cybersecurity attacks
per week, on average. It defined a “successful attack” as “one that
results in the infiltration of a company’s core networks or enterprise
systems.” On the one hand, it broadly defined an “attack” to include
malicious code, denial of service, web-based attacks, phishing
and social engineering, stolen devices and malicious insiders. On
the other hand, these were only the attacks that the organizations
detected. It is entirely possible other breaches occurred which they
did not notice.
Gartner’s bluntly titled report, Malware Is Already Inside Your
Organization; Deal With It says “determined attackers can get
malware into organizations at will.”vii
It argues that “organizations
must assume they are compromised, and, therefore, invest in
detective capabilities that provide continuous monitoring for patterns
and behaviors indicative of malicious intent.”
If we cannot prevent malware from breaching perimeter security or
information from leaking outside our virtual walls, how can we protect
important, high-value and high-risk data in our care? It requires a
change in mindset and a new set of disciplines around information
security. This involves three core capabilities:
• Knowing where important data is stored, understanding what it’s
worth and making sure it’s protected
• Reducing the delay between when breaches occur and when they
are detected
• Conducting rapid, thorough and effective post-breach investigation
and remediation.
Organizations must
assume they are
compromised and invest
in detective capabilities
that provide continuous
monitoring for indications
of malicious intent
7. PAGE 7
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
WHERE IS YOUR DATA?
This paper will focus on the first core capability: Knowing where important data
is stored, understanding what it’s worth to your organization and making sure it’s
protected in proportion to this value.
At its heart, this capability is an application of the classic information security triad:
• Confidentiality. Information is protected from being disclosed to people who should
not see it.
• Integrity. Information cannot be modified by people who aren’t authorized to do so.
• Availability. The right people can access information at the right time.
This is complicated by the fact that organizations store large volumes of unstructured
data—typically 80% of the total—which is often in complex formats that are difficult
to search and understand. To put it another way, you can’t protect information if you
don’t know where it is and what’s in it. It’s also hard to decide how much to spend, or
calculate the return on investment of security measures, if you don’t know what the
data is worth.
One of the main reasons organizations take so long to detect and remediate breaches
is they don’t know where the high-value or high-risk data is stored, so they can’t target
those systems for investigation. Instead, they must collect data widely, potentially
including staff members’ “bring your own” laptops and other unmanaged locations,
which takes time. Alternatively they can collect from a random sample of devices,
which risks missing the compromised systems. Meanwhile the clock is ticking: Data
has gone missing, costs are building up and there is an ever-present risk that someone
could exploit the same vulnerability again to do more damage.
One of the main reasons organizations take so long
to detect and remediate breaches is they don’t know
where the high-value or high-risk data is stored
8. PAGE 8
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
THE “GOOD SHEPHERD” MODEL
Thus information governance technologies become a powerful tool in
reducing the costs and extent of cybersecurity breaches by delivering
transparency into unstructured data and facts upon which security
professionals can make informed decisions.
1. Defensible deletion
Organizations store large volumes of “eTrash”—
data that has no business value because it’s
duplicated, trivial, no longer used, past its
retention period or potentially risky. While most
organizations have strict compliance rules around
how long they must retain data, once the retention
period is over, the risks and costs it contains
greatly outweigh any residual value. Deleting
this low-value data, according to predefined
and legally sanctioned rules, reduces risks and
also minimizes the volume of data that could be
compromised. This in turn reduces the scope of a
post-breach investigation.
Information transparency can have huge impact on how secure your
organization is from data breaches and how effectively you can
respond to incidents—internal or external, deliberate or accidental.
It also gives you a clearer understanding of what data is worth so
you can concentrate on protecting the high-value data and easily
calculate the return on your security investments.
In this model, information security, information governance and
records management specialists become good shepherds of their
data. They know where all the sheep are, segregate them into
separate fields, make sure the fences between fields are sound and
regularly check to ensure the sheep are healthy and not due to be
made into shepherd’s pie. In this way, even if a wolf manages to get
into one of the fields, most of the flock will be safe.
Applying these principles to data gives us four broad rules or areas
of activity:
Figure 1: asvanwervaa vnwr avoern arvn
DEFENSIBLE DELETION
Valuable data
Old data
Trivial data
No business value
Potential risk
Fig 1: Deleting low-value data minimizes risk and reduces
the scope of post-breach investigations.
1
DATA HERDING
Fig 2: Locating records “in the wild” makes high-value
information less vulnerable to breaches.
2
9. PAGE 9
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
2. Data herding
Organizations often have intellectual property and company records
such as contracts stored inappropriately in file shares or email
attachments. Both records managers and end users struggle to find
the time to ensure records are always filed correctly. Information
governance technology can locate these records “in the wild” and
move them to controlled repositories with appropriate security,
access controls and retention rules. This makes it much harder for
anyone to gain unauthorized access.
3. Data security
Increasingly strict regulations around data privacy and financial
information make it imperative to hold personal, financial and
health details in the strictest confidence. Nonetheless, this
information regularly escapes controlled repositories, whether
through poor policies or employees not following the rules.
Employees may make “convenience copies” to work from home or
as test data for a new application. And even if they dispose of this
data correctly, it may still be retained in backups or archives.
By conducting regular sweeps of email, file shares and other
unprotected systems, organizations can quickly locate and remediate
unprotected private data. At the same time, understanding where
this high-risk data is stored, organizations do not need to spend time
and effort protecting data that doesn’t need it.
4. Access controls
The key principle here is making sure the only people
who can access high-risk data are those who need
to for day-to-day work. This requires a combination
of sound policy and constant vigilance. For example,
many data loss incidents occur when a disgruntled
employee leaves the organization. By cancelling an
employee’s login and access credentials as soon
as he or she leaves, this minimizes opportunities
for important information to go astray (although it
may also be prudent to scan their recent emails for
indications of company intellectual property or other
important data).
It is also essential to regularly audit access controls
on important systems and employees’ security
profiles to ensure the policy theory matches reality.
For example, in one data breach investigation we
worked on, employees had stumbled across a way
they could view salary information and other personal
data on a human resources department network
drive. It emerged that an IT admin had been updating
the access controls to the drive and had mistakenly
granted all users access to it during the process.
DATA SECURITY ACCESS CONTROLS
Fig 3: Keeping private, financial and health data within known,
protected locations reduces business risks.
Fig 4: Regularly auditing access controls ensures security
policy matches reality.
3 4
10. PAGE 10
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
Nuix analysts worked with a major consulting firm to investigate a breach at a large
datacenter. This firm had literally thousands of web, database and file servers belonging
to individual clients with no visibility into their contents. It was impossible to know by
examining the servers what roles they performed and which of them might contain credit
card numbers or other personal data.
Fixing the problem was urgent. The company was losing revenue from having to
take some clients’ servers offline. And the incident was doing considerable damage
to its reputation.
Realizing it would be impossible to scan all the servers within a reasonable time, Nuix
analysts and the consulting firm staff took a random sample of the servers and used a
named entities search to locate credit card numbers and other private data. Fortunately
the gamble paid off and they located systems that had been compromised. This provided
a signature of the attack they could use to find compromised servers among the
remaining systems.
Had the hosting provider been conducting regular sweeps, it could have quickly
identified any servers that contained credit card numbers and were likely targets of the
breach. It could have ring-fenced servers containing sensitive data and applied stringent
encryption and access controls. Alternatively, it could have changed its policy so that
credit card numbers and other private data could only be stored with a specialist third-
party provider, and conducted sweeps to ensure clients were complying.
These steps would have minimized the likelihood of future breaches and greatly reduced
the time taken to locate them, protecting the firm’s revenue and reputation.
CASE STUDY
Investigating a datacenter breach the hard way
11. PAGE 11
WHITE PAPER THE GOOD SHEPHERD MODEL FOR CYBERSECURITY
A CHANGE OF MINDSET
While perimeter security defenses remain essential, organizations must shift
their information security mindset from “How much do we have to spend to
prevent breaches?” to “How can we minimize the opportunities for breaches
and the damage we suffer from them?” and “How can we gain return on our
security investments?”
By adopting these four common-sense rules around deleting, herding,
encrypting and controlling access to data, organizations can:
• Know where important and high-risk data is stored and be confident it is
only stored in those locations
• Minimize the opportunities for malicious and accidental breaches of
important information
• Respond to breaches in a more targeted and effective way, by first targeting
the high-risk storage locations and collecting much less peripheral data
• Close information security gaps quickly before they can be exploited again.
REFERENCES
i Ken Westin, “Stolen Target Credit Cards and the Black Market: How the digital underground works,” Tripwire, December 2013
www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
ii Brian Krebs, The Target Breach, By the Numbers, May 2014, krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
iii Ponemon Institute, 2013 Fourth Annual Cost of Cyber Crime Study: Global, October 2013,
www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reports
iv Verizon RISK Team, 2014 Data Breach Investigations Report, May 2014, www.verizonenterprise.com/DBIR/2014/
v Mandiant, M-Trends 2014: Beyond the Breach, April 2014, connect.mandiant.com/m-trends_2014
vi Harry Cockburn, “16,000 phones lost on Tube over 2013, posing personal security risks”, London Loves Business, December 2013,
www.londonlovesbusiness.com/business-news/london-transport/16000-phones-lost-on-tube-over-2013-posing-personal-security-risks/7028.article
vii Peter Firstbrook, Neil MacDonald, Malware Is Already Inside Your Organization; Deal With It, February 2014
www.gartner.com/doc/2665320/malware-inside-organization-deal-it