I have been in security for a while, and the profession as a whole spends a lot of time on the concept of attack surface and, more importantly, how to reduce it. There are multiple definitions of attack surface, but for this blog we will use TripWire’s, which defines attack surface as the sum of your security risk exposure.
Or, possibly more simply put, it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. Based on this, the fewer vulnerabilities and interfaces you have, the more you reduce your risk of exposure. But wait for it…
The concept of attack surface is further divided into the sub-categories of Software Attack Surface, Network Attack Surface, and Human Attack Surface. Is it just me or does anyone see something missing here? Still don’t see it… OK, we’ll get there.
Having primarily focused on infrastructure security for most of my career, I find that the concept of Software, Network, and Human attack surfaces makes sense. We harden our software during development and patch it after the fact. IT security teams deploy firewalls, IPS/IDS, APT, SIEM, DLP, and a host of other network-based security solutions to harden a perimeter that for most organizations evaporated long before they were aware of it. As for the people problem, beyond the annual security awareness training and the monthly email from the organization’s security team, it still remains. However, the one thing that no one is talking about is the Data Attack Surface.
On examination, the concept of the Data Attack Surface often gets lost in the data classification space. Data Classification is tantamount to a “grand challenge” for security organizations and usually ends up being something that is way too complex for anyone to understand or implement. Well-meaning security and compliance teams expect end users to understand and manually implement a labeling scheme of five to seven categories that must be applied by hand to Word docs, PowerPoint presentations, and the like. Then thousands of dollars are spent to train end users to apply categorical labels to data they are creating on-the-fly. In this scenario, if end users don’t understand how and when to apply these labels, they will just ignore them. Let’s try a simpler approach.
The key to starting to understand your organization’s Data Attack Surface is to ask some basic questions:
1) Do I know where all my data lives?
2) Can I get visibility into all those places where my data lives?
3) What kind of security analysis can I perform on that data to understand the ongoing risks to my data attack surface?
Understand Where The Data Lives
With Druva, organizations can protect data whether it resides on smartphones, laptops, cloud applications, or servers. In addition to all the benefits and scale of the cloud-based data protection that Druva provides, this also gives organizations visibility as to where the data lives based on how it made its journey to the cloud. Subsequently, knowing where the data lives provides telemetry as to where it makes sense to focus security resources. For example, if most of the data originates from mobile devices, then maybe it makes sense to shift security resources to protect that vector. Either way, Druva can provide actionable intelligence and telemetry for making informed decisions on how to protect your data attack surface.
360 Degree View of Your Data
When it comes to the security of data, organizations often have to make trade-offs in the type of visibility they get depending on whether the data is stored on-premises or in the cloud. With Druva there is no need to make compromises. Druva solutions can protect data no matter where it lives, on-prem or in the cloud. Couple that with Druva’s data protection support for market-leading SaaS applications like Office 365, Google Apps for Business, and Box, and organizations have a 360 degree view of all data and, more importantly, an expanded understanding of the data attack surface.
Proactive Compliance and Security Analysis
Once organizations have that 360 degree view of their data and where threats are likely to be focused, they can shift focus from reactive protection to proactive analysis and monitoring of data-centric threats. The purpose of this proactive analysis is two-fold. First, to know when and how to adjust your security controls in relation to evolving threats to that data. Second, and possibly more important, to understand the content of the data, how much of it is subject to compliance regulations, and whether that data is protected adequately to meet those compliance requirements.
With Druva’s InSync, Phoenix, and the Proactive Compliance Suite, organizations are able to have real-time context as to the composition of their data and whether they are adequately protecting their data attack surface.