Security has been top of mind for IT leaders following the rash of major data breaches in 2017. If those breaches weren't enough to get your attention, maybe this will: Gartner has predicted that worldwide spending on information security products and services will reach $86.4 billion this year. And in 2018, spending is expected to grow to $93 billion. In many cases the best defense is good offense, and with each new data breach comes the opportunity to learn and improve internal processes to ensure customer data is not compromised in the future. With that in mind, we asked experts for their best tips on preventing data breaches in your organization.
Josh Stella, CEO of Fugue, said that relying on paper-based checklists and manual reviews doesn’t scale. “Only automated solutions," he added, "can keep up with the pace of change that is outstripping human ability to govern infrastructure and operations."
Adopt Holistic Approach to Cloud Governance, Management
Invest in a "Cloud Center of Excellence" that can lead this effort, but don’t adopt technologies that limit the creativity and innovation of your developers, says Stella. The right kind of automation centralizes the heavy lifting of policy, but decentralizes innovation.
Align Operations, Development, Security and Compliance
The only way to do this is with DevSecOps collaboration via policy-as-code automation through the entire lifecycle. Give your security team the same capabilities as your developers, and they can add to your velocity, according to Stella.
Organizations should fully automate the remediation of cloud infrastructure policy violations and configuration drift. Traditional monitoring and alerting tools are not good enough in the cloud when your mean time to remediation must be measured in minutes, not hours or days, says Stella.
Tighten Your Passwords
Manoj Asnani, VP product and design at Balbix, said stolen passwords are one of the most common ways adversaries propagate through the enterprise to steal critical data. “Most security solutions do not provide visibility into breach risk from password reuse,” he added. “Predictive security solutions can look at the password behavior of users — including sharing of passwords across personal and corporate use — and flag that risk. With this kind of a solution, Uber would have been able to see developers sharing the same passwords for GitHub and Amazon Web Services (AWS) accounts and taken action to prevent this breach."
Actively Search for Protection Failures
Stephan Chenette, CEO and co-founder of AttackIQ, said security control misconfigurations often result in costly breaches. “Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber,” he says.
Consider investing time learning tips from the MITRE Corporation ATT&CK Matrix, says Chennette. Many of these techniques have been well documented by the MITRE Corporation ATT&CK Matrix. "This very useful framework allows organizations to rapidly assess if they can defend against attackers, whether nation-state or crime syndicates," he says.
Chenette offered other tips, including:
Secure AWS S3 Storage Buckets
Some of the most recent epic security failures could have been easily avoided by exercising security controls around AWS S3 storage buckets, validating and ensuring that access from the public domain was not inadvertently granted, according to Chenette. This can be tested by exercising credential access and exfiltration scenarios on the target infrastructure.
Avoid Security Policy 'Drift'
Another example of breach weaknesses is around advanced endpoint-detection-response (EDR) capabilities, according to Chenette. Many organizations purchase and deploy security controls like EndGame, Cylance and CrowdStrike. However, once a computer is deployed into the enterprise environment for a period of time, the security policy on those devices may experience "drift" or a degradation in configuration that allows an attacker to achieve a successful breach. These types of protection failures can be avoided by validating the security of end-point configurations on a routine basis.
Recognize the Human in Prevention
The most common failure is human failure, according to Chenette. Most organizations purchase the necessary security controls to defend their company. The most common failures are human misconfigurations of security devices such as advanced EDR, DLP, web filters and firewalls. For cloud, it is misconfigurations of AWS VPC and S3 storage buckets. What complicates this further is security pipeline failure, where the organization has invested in monitoring capabilities and fails to accurately record or respond to an attack.
Organizations should train their employees to recognize phishing scams and they should have a system where such scams can be quickly reported, according to Marty P. Kamden, chief marketing officer of NordVPN.
Brand Name Alone Won’t Do It
Rich Campagna, CEO of Bitglass, says cloud services like AWS can be secure, “but it is up to organizations using them to ensure that services are configured in a secure fashion.” Data-centric security tools help ensure appropriate configuration of cloud services, deny unauthorized access and encrypt sensitive data at rest.
Check Sources Like GitHub
“This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub,” he says. “Relying on a developer or administrator to follow best practices is foolhardy at scale and the errors seem to be more egregious each and every time a breach makes the headlines.”