(Source: Thales blog)
Recently the headlines have been dominated by infected enterprise software that has resulted in malware and hackers gaining access to mission critical infrastructures, taking control of systems, and stealing data. There also doesn’t seem to be a week that we don’t read about a successful large scale ransomware attack. Whether piercing the network security perimeter is accomplished via a sophisticated code injection into trusted software or the simple click of a well written phishing email, the result is the same. The hard coconut shell that was protecting your data is cracked and cybercriminals now have access to your systems, potentially draining and taking control of your data like it was coconut milk.
As security threats evolve and adapt, so too must an organization’s response to them. Microsoft’s 2020 Digital Defense Report makes it clear that threat actors have rapidly increased in sophistication and are using techniques that are very hard to detect. These threat actors are disciplined, highly motivated and oftentimes state-sponsored with infinite resources. The recent SolarWinds attack is a prime example of a calculated attack. Using intrusion through malicious code, the attacker was able to gain the elevated privileges to the trusted Security Assertion Markup Language (SAML) token-signing certificate and was able to add their own privileged credentials. Once the attacker gained access, it was easier for the breach to move across systems and environments without raising any alarm. This focused attack poses a good question to other organizations… “Is my valuable data really secure?”
Layers of Defense Mitigate These Attacks
When it comes to how to help protect against such attacks, there are several best practices every organization should follow. Many of these best practices are simple to implement and pack a powerful punch when it comes to keeping these attackers at bay by adding a layer defense around the data—protecting the targeted, valuable coconut milk itself, so to speak.
All Encryption Solutions are Not Created Equal
Due to its success in securing endpoint devices, many organizations deployed or considered deploying Full Disk Encryption (FDE) to their data center. FDE works on endpoints because if the device is stolen the data cannot be used. This rarely, if ever, occurs at the datacenter because the high risk isn’t the disk being physically stolen, it is remote unauthorized disk access.
Many managers and auditors may not realize that once the storage device is powered up, FDE affords no protection, all the data is in the clear. Therefore, FDE offers no auditability or protection from advanced persistent threats, malware or rogue insiders such as administrators. The most likely threats to data center and cloud storage.
For enterprise data on back-end systems (e.g., file servers, network servers, or cloud-based storage), the biggest threats are infiltration and unauthorized access by external attackers, fraud or theft by trusted insiders, and non-malicious errors made by authorized, well-intended users. In these threat scenarios, file-level encryption (which unlike FDE) is actively protecting the organization’s data whenever these back-end systems are online, available and accessible, even if unauthorized access has been successfully achieved. For a closer examination of data center systems cyberattack risks and mitigation tradeoffs, I recommend that you read Aberdeen Group’s “Selecting Encryption for ‘Data-At-Rest’ In Back-End Systems: What Risks Are You Trying To Address”.
To harden data at rest in data centers and clouds, so it can resist cyberattacks that have breached your perimeter, your encryption solution must offer additional layers of control and defense:
Application Whitelisting and Signing
Data protection must not start and end with users. What is running in a server, which application is accessing the data and how they are accessing the data are as critical as user access control. Malwares use sophisticated techniques like code injection to run on the system and gain access to the data. The ideal data security solution doesn’t only encrypt, but it also provides a way to check the integrity of application signatures to prevent polymorphic malware infected applications from gaining access to your protected data.
Device Protection and Separation of Duties
The weakest link in the security chain is the people who manage, administer and operate their computer systems. Centralized key management improves security by making key surveillance, rotation, and deletion easier while also separating duties so that no single administrator is responsible for the entire environment.
Security Information and Event Management (SIEM) solutions monitor both real-time events and a mountain of long-term data to find anomalous patterns of usage, qualify possible threats to reduce false positives, and alert organizations when needed. SIEM solutions are strong tools, but can be blind to possible threats to your protected data. By combining SIEM tools together with detailed log information, you can identify anomalous process and user access patterns for investigation. For example, you might see an administrator or process suddenly accessing volumes of data when their typical usage is light, or an auditor accessing portions of a database unrelated to their work. This is often an early signal of ransomware or malware trying to gain hold of your system.
How To Mitigate Attacks
CipherTrust Transparent Encryption is one of the most widely deployed data protection products within the CipherTrust Data Security Platform. It provides data-at-rest encryption, fine-grained access control, application whitelisting capabilities, system auditing and enables organizations to prevent such sophisticated attacks. It protects both structured and unstructured data with policy-based access controls to files, volumes, databases, containers, and big data wherever it resides (on-premises and in hybrid cloud environments).
As well-planned attacks continue to grow, organizations should do their part in equipping themselves with the right tools to keep their data secure. The ultimate goal of this process is to turn the unknown into known, and improve the overall security posture with protections at a faster pace than attackers can develop their malicious codes and exploits.