The modern tech ecosystem is constantly under threat from malicious actors. In cybersecurity, the safe assumption is that any system vulnerability that can be exploited will be exploited. One way to combat these vulnerabilities is by preempting cyberattacks with the Data-Driven Agile Approach to Cybersecurity.
We have witnessed a 667% increase in phishing attacks during the pandemic--targeting large organizations like the World Health Organization (WHO) and causing over $2 trillion in damages. By 2021, damages are projected to reach over $6 trillion. With the Data-Driven Agile Approach to Cybersecurity, it will be possible to be more proactive and prevent devastating losses.
The Data-Driven Agile Approach to Cybersecurity is a culmination of two modern best practices in tech: the data-driven approach and the agile approach. The process always starts with identifying the most essential unprotected dataset or core process. This information drives the entire process of determining which security strategies are the best fit for protecting that data.
Through the use of row-level security (RLS) and column-level security (CLS), security professionals can architect systems so that datasets are segmented. In a security breach event, attackers will only have access to specific data, and other datasets are kept well-protected. Best practices like RLS and CLS are derived from the design philosophies “defense-in-depth” and “zero trust”.
In data-driven agile cybersecurity, the process always starts by identifying the most important unprotected dataset or core process. This information drives the entire process of determining which security strategies are the best fit for data protection.
Security layers can be thought of as an onion. The outermost layers include firewalls and other similar security measures, whereas the core represents the dataset or process that is being protected. Because the layers follow a defense-in-depth approach, attackers find it difficult to breach the system all the way to the core.
With this approach, the most important datasets and processes come first. Following this order of priority, from most important to least important, ensures that in the event of a breach, attackers are less likely to reach the most important datasets.
Additionally, since datasets are isolated, breaching one dataset does not mean attackers will reach other datasets in the system. This reduces risk and limits the damage from any single breach.
In Zero Trust, we assume that hackers are already in the system. Thus, we do not wait for an actual breach--instead, assume the worst and outline the right countermeasures for the worst-case scenario. This effectively reduces the liabilities in a system.
The main goal apart from thwarting attackers is to make sure that hackers will not have access to all data even in the event of a breach. Ideally, we want to architect our systems so that datasets are isolated from each other.
To do this, the following process flow can be performed iteratively for each dataset in the organization:
Standard datasets that companies might want to protect include PII (Personally Identifiable Information), financial data, patient data, genomics data, and intellectual property. Which dataset is the most important depends on the organization.
A threat matrix describes the threat level that each possible threat poses relative to a vulnerability. A sample threat matrix is given below:
Additionally, finding out how the data behaves, and what vulnerabilities it has, while in transit or in storage opens up more options for setting the right security strategy.
At this point, the information gathered from steps 1 and 2 should be enough to execute defense-in-depth and zero-trust on the chosen dataset. This way, we get to maintain data-level security. Standard security best practices include homomorphic encryption, role-based schemas, and the separation of production and development data.
Data-driven cybersecurity has two elements. First, it employs the principles of defense-in-depth. Second, it applies the principles of the zero-trust strategy. Together, they make security more robust and less prone to inside and outside threats.
Defense-in-depth is another approach to cybersecurity wherein defense mechanisms follow a layered pattern to ensure that if one layer fails, another will step up in its place to defend against the cyber attack.
The system can be imagined as a castle whose walls must be breached by the attackers. Typically, castles have several layers of defenses such as moats, archers, burning oil, and more. For the opposing army to fully breach the castle, they must storm through all those defenses. This is also the reason why, in the middle ages, sieges would last from months to years.
Sometimes, attackers would give up because of dwindling supplies or other circumstances. In that scenario, a castle’s defense mechanisms have successfully held off attackers by employing a very similar strategy to defense-in-depth.
There are three main layers to the defense-in-depth architecture.
1. Physical Controls
These include security measures for physical assets. For instance, a data center could be guarded with 24/7 security patrols, CCTV cameras, and state-of-the-art smart locking systems.
Here are key steps to improve physical security:
a. Keeping the server room locked
b. Placing cameras in important areas like critical junctions and within the server room
c. Perimeter fencing to prevent break-ins
d. Proper lighting to deter malicious actors
2. Technical Controls
These include security measures at the software level, such as firewalls and antivirus programs. Technical controls are meant to protect the system at the system level.
The following are the significant subsets of technical controls:
a. Perimeter security such as firewalls
The firewall regulates and analyzes inbound and outbound network traffic. This is a defense against malicious software since it often refers to a blacklist of known illegitimate traffic and sources.
Often, the firewall is enough to thwart most threats. The danger usually lies in suspicious files being allowed through the firewall by the system.
b. Application security such as spam filters and DNS-based protection
Phishing attacks are one of the most common attack vectors. Emails that contain attachments with malicious code are often mass-sent to people. These spam emails masquerade as legitimate emails by pretending to be from a trusted source or presenting something enticing such as a subject line with the phrase “I love you.”
By downloading the malicious attachment and installing it on your system, you are effectively allowing the virus to spread with your permission. This is why spam filters, in combination with proper personnel training, are imperative.
Now, DNS-based protection comes in once malicious code has breached your system. For instance, if you have downloaded a virus from a spam email, the DNS-based protection system should prevent you from visiting a malicious site.
c. Endpoint security such as antivirus programs and multifactor authentication
Your antivirus program steps in when a hacker has successfully breached your firewall, spam filter, and DNS-based protection. Most antivirus programs have a database of signatures belonging to known malware. Additionally, advanced programs can take a heuristic approach to identify malware.
Multifactor authentication is another excellent way to thwart attacks. This system will require evidence that you are the rightful owner of the system, such as your phone number, email address, or biometric information.
If your system requires hard proof that you are the rightful owner, it adds even more depth to your defense.
3. Administrative Controls
Administrative controls are security measures involving policies and protocols for responsible parties. An example would be a defined security policy that lets employees know who has what level of access to what part of the system.
Row and column security controls follow the design philosophies of zero trust and defense-in-depth. In a database, tables are restricted to certain security groups. Within those tables, certain rows and columns are restricted to subgroups. In that way, table security is layered and policy-driven, which is the core driver of zero trust and defense-in-depth.
This pattern maximizes access granularity, which in turn maximizes security. In the scenario that an attacker can access a SQL server, they will first have to bypass the table-level security check. If they succeed, they will then need to get past the row/column security check.
The RLS/CLS workflow is as follows: the system first identifies the user. Typically, a user would have to sign in. Next, the system determines the set of permissions for that particular user. Depending on how permissions work in that system, the user can be part of a user group in which security rules apply to all members, or have additional privileges or restrictions on top of the inherited security rules.
Next, based on the rules, the system shows the data table containing only the rows and columns that the user can access. If a breach occurs and an attacker gains access to an employee’s account, they will probably only be able to access mundane data. More essential data can be reserved for the accounts of mid to high-level management.
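The RLS/CLS workflow above, as an added example in PostgreSQL (not code from the original post). The table, role and column names are assumptions for illustration; the mechanisms used (column-level GRANT, ENABLE/FORCE ROW LEVEL SECURITY, CREATE POLICY with current_user) are standard PostgreSQL features.

```sql
-- Added example (not from the original post): row- and column-level security
-- in PostgreSQL. Table, role and column names are assumed for illustration.

CREATE ROLE staff;     -- group role for ordinary employees
CREATE ROLE manager;   -- group role for mid/high-level management

-- Login accounts inherit their group's rules; current_user is the login name.
CREATE ROLE alice LOGIN IN ROLE staff;
CREATE ROLE bob   LOGIN IN ROLE manager;

CREATE TABLE employee_records (
    id          serial PRIMARY KEY,
    username    text    NOT NULL,   -- matches the database login name
    department  text    NOT NULL,
    email       text    NOT NULL,
    salary      numeric NOT NULL,   -- sensitive column
    ssn         text    NOT NULL    -- sensitive column (PII)
);

-- Which departments each manager is responsible for (kept in a separate
-- table so the policy below does not recurse into employee_records).
CREATE TABLE manager_departments (
    username   text NOT NULL,
    department text NOT NULL
);
GRANT SELECT ON manager_departments TO manager;

-- Column-level security: staff may read only the mundane columns.
-- A staff query that touches salary or ssn fails with "permission denied".
GRANT SELECT (id, username, department, email) ON employee_records TO staff;
GRANT SELECT ON employee_records TO manager;

-- Row-level security: without a matching policy a role sees no rows at all.
ALTER TABLE employee_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE employee_records FORCE ROW LEVEL SECURITY;  -- applies to the table owner too

-- Staff see only their own row, identified from the authenticated session.
CREATE POLICY staff_own_row ON employee_records
    FOR SELECT TO staff
    USING (username = current_user);

-- Managers see every row in the departments assigned to them.
CREATE POLICY manager_department ON employee_records
    FOR SELECT TO manager
    USING (department IN (SELECT md.department FROM manager_departments md
                          WHERE md.username = current_user));

-- Caveat: superusers and roles with BYPASSRLS skip these policies, so the
-- application should never connect with such a role.
```

With these rules in place, a compromised `alice` session running `SELECT username, email FROM employee_records` returns only her own row, and `SELECT * FROM employee_records` is rejected outright because of the column grant.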
A Fortune 5000 mid-sized company’s managed firewall generates events for North-South traffic. However, comprehensive analysis is still lacking for threat detection. In East-West traffic, events are available in server logs and lack comprehensive analysis for threat detection.
On average, the company experiences three threats daily and, because of the lack of automation in log analysis, costs $600 in 2-3 days if done by a junior analyst. That is, the company spends up to $452,925 every year for incident analysis.
The solution then is to provide a means to automate incident analysis. The cybersecurity company employed the Zero Trust Approach to offer comprehensive real-time prevention--considering North-South and East-West traffic.
After deploying their solution, the company monitored and detected illegitimate traffic on the fly instead of deploying a junior or senior analyst for just a single incident for 2-3 days.
Not only does the solution detect threats, but it also offers remediation options. Hence, the Zero Trust Approach has effectively covered detection and management.
Instead of employing analysts for nearly 1000 dollars for three days of work, the solution provided instant threat detection and management. This has resulted in significantly reduced costs for security and an infinitely safer company system.
Here at Codvo.ai, we recognize the importance of cybersecurity in an organization, whether it is a public or private entity. Moreover, we emphasize swift incident management and response with the Data-Driven Agile Approach to Cybersecurity. Our experts conduct thorough security checks for every sprint to ensure high quality and secure end-products for our clients. We run penetration testing and maintain a database of malicious signatures as part of our effort to drive data-driven cybersecurity.
If you are interested in employing a data-driven agile approach to cybersecurity, contact us today at email@example.com!