In the global digital economy, data is the most important asset organizations must protect from theft and damage. CISOs are fundamentally guardians of that asset, obligated to keep it secure and available to relevant users when and where they need it.

“Every company has become a data company in this day and age; even if you’re Caterpillar, who’s manufacturing heavy machinery equipment, you’re still a data company on some level,” David Richardson, VP of endpoint at Lookout, tells CSO. “That’s the most valuable asset.”

However, given the staggering amounts of data, around 402.74 million terabytes, according to some estimates, created daily, data protection can seem like a ceaseless struggle. Even as the volume of data that CISOs need to protect surges, the nature of the threats to that data is quickly evolving, rapidly rendering existing protection programs obsolete.

Data security experts say CISOs can cope with these changes by understanding the nature of the shifting landscape, implementing foundational risk management strategies, and reaching for new tools that better protect data and quickly identify when adverse data events are underway. Although the advent of artificial intelligence increases data protection challenges, experts say AI can also help fill in some of the cracks in existing data protection programs.

Not surprisingly, one of the top challenges CISOs face in data protection is grappling with the sheer volume of data. “It is vast, and it is everywhere, both in terms of locations and what we try to answer for,” Dan Benjamin, head of data, identity, and AI security at Palo Alto Networks, tells CSO.

“An enterprise will have data on-prem, SaaS, public cloud, endpoint, mobile devices, email, and multiple different types of locations,” he says. “And traditionally, there are no single products to tackle all those locations.”

Some data security experts see behavioral threats, such as phishing efforts to steal system credentials, as a relatively recent and increasingly significant challenge to keeping data secure. “A top challenge is managing access to sensitive information,” JD Denning, CISO at FS-ISAC, tells CSO. “Ensuring that only authorized users have access to data, whether at rest or in transit, remains a constant challenge.”

“The biggest thing is that threat actors’ tactics have evolved in the last few years,” Richardson says. “These days, hackers don’t hack in; they just log in using legitimate credentials and access that individual users have. That’s not necessarily what the security staff was built for. It was built for ‘Are we going to be attacked, and how and where do we need to patch all our vulnerabilities?’”

Another central challenge is that tried-and-true data protection methods of the past and straightforward technology solutions such as encryption are quickly becoming inadequate to manage the growing mound of data and evolving threats. “The way in which we’ve traditionally relied on protecting data since the seventies is just straight-up encryption, like public-private key cryptography,” Daniel Shugrue, security product expert at Digital.ai, tells CSO.

“That’s something that has been the cornerstone of the internet,” he adds. “But since the advent of the smartphone and as mobile apps proliferate, the private key in that public-private key pair is essentially in a threat actor’s hands if they do so much as go to the Google Play store and download an app. In other words, this foundation, or this cornerstone of what we’ve relied on, is being chipped away.”

“Data is scaling faster than we can identify it and understand it,” Lamont Orange, CISO of Cyera, tells CSO. “Some legacy tools that took us to the first iteration of going to the cloud never considered data. They considered access, they considered compute, and they considered storage. They never really considered data security. We tried to secure everything else around it. And now those tools are really starting to show their warts.”
Lay the data protection groundwork first
Experts say that what most CISOs should consider in running their data protection platforms is a wide range of complex security strategies that involve identifying and classifying information based on its sensitivity, establishing access controls and encryption mechanisms, implementing proper authentication and authorization processes, adopting secure storage and transmission methods and continuously monitoring and detecting potential security incidents.

However, before considering these highly involved efforts, CISOs must first identify where data exists within their organizations, which is no easy feat. “Discover all your data or discover the data in the important locations,” Benjamin says. “You’ll never be able to discover everything but discover the data in the important locations, whether in your office, in G Suite, in your cloud, in your HR systems, and so on. Discover the important data.”

Benjamin adds that another critical step toward better data protection is ensuring your organization complies with regulatory and other requirements. “Make sure that you’re in compliance,” he says. “Compliance typically is an easy hack. Why? Because organizations have to do it. It covers 60%, 70%, 80% of the work that most organizations strive for. And it’s budgeted.”

Another important step is to develop a data risk assessment and a governance framework that guides all protection strategies. “Developing and implementing an effective data protection strategy begins with a thorough risk assessment,” FS-ISAC’s Denning says. “CISOs must evaluate the organization’s systems, networks, and data to identify potential vulnerabilities. Establishing a comprehensive data governance framework is equally important, as it defines data classification, retention, and access control policies.”
Data protection tools to consider
CISOs can use many technologies, tools, and techniques to help protect their organizations’ data.

Chief among these is the implementation of multifactor authentication (MFA), mainly to protect against data theft from identity-based threats such as phishing campaigns. “Hopefully, all CISOs have already completed this step,” Lookout’s Richardson says. “Make sure you’re using multifactor authentication, specifically non-SMS-based multifactor authentication.”

However, in locking down data using tools such as MFA, CISOs should consider that this added protection can also frustrate internal and external users, who might devise alternative ways to access the data or give up trying. Cyera’s Orange says, “I’ve talked to many organizations that say, ‘yeah, we MFA, everybody. That’s how we solve the problem.’ You have the MFA; two minutes later, you’re going to MFA again, and if you go to another system or another drive, you’re going to MFA again. So that creates friction.”

Or, as Lookout’s Richardson sums it up, “It becomes an actual trade-off discussion of the more that I lock down the data, the less productive my employees will be, the fewer data they’ll be able to access, and the less data-driven they will be.”

Another protection tool is implementing a tracking system that identifies abnormal or anomalous behavior, such as one that delivers user and entity behavior analytics (UEBA). “The concept here is you want to examine all of the behaviors of all users and devices regarding what sort of data they’re accessing, make sure that it makes sense, and put additional checks and gates in place,” Richardson says.

“So, for example, somebody in sales should be able to log into Salesforce and see their customer information. But do they need to be able to export every single customer’s name and phone number? Probably not.”

FS-ISAC’s Denning points to data loss prevention (DLP) tools that combine cybersecurity measures, such as firewalls, endpoint protection, and system monitoring, as critical components of a data protection program. “Data loss prevention tools are also critical as they help monitor, detect, and prevent unauthorized sharing of sensitive information,” he says.

As is true with everything else in cybersecurity, “it is crucial for organizations to foster a culture that prioritizes cybersecurity,” says Denning. “Employees at all levels should be actively involved in the process since those who lack awareness or fail to follow secure practices can inadvertently expose critical data.”
AI both complicates and improves data protection efforts
All experts agree that the emergence of artificial intelligence could be a game-changer that simultaneously complicates and enhances data protection efforts.

“The largest concern of organizations using and hosting AI applications is ‘how do we govern the data,’” Palo Alto’s Benjamin says. “How do we ensure the AI model will not read data that it shouldn’t? And how do we ensure the AI model will not get trained on data that it shouldn’t? How do we ensure it doesn’t spit out data that it shouldn’t? AI security is becoming a data security problem.”

However, the flip side is that AI can help organizations spot data threats faster and better than ever. “AI and machine learning technologies are becoming increasingly helpful for detecting anomalies and emerging threats,” Denning says. “These tools analyze patterns in data traffic and behavior, enabling organizations to address potential vulnerabilities proactively.”

At the same time, AI can help fill in the cracks in data protection programs. Cyera’s Orange likens data protection to a basketball. “The basketball has seams,” he says. “None of [an organization’s data protection tools] are connected.”

“So, all the gaps are in the seams,” Orange says. “And I’m proposing that we’re at a point technologically where we can leverage some of the modern technology around LLMs and AI to start giving direction to some of those tools in the seams to provide a more holistic coverage.”

He adds, “No one tool can do it all, but you do need a brain that can control and issue signals consistently across your data landscape.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3628704/data-protection-challenges-abound-as-volumes-surge-and-threats-evolve.html