It is becoming widely recognized that “unknown” leakage of PCI data, and more broadly of other Personally Identifiable Information, within enterprises is the highest-value target for the bad guys.
While encryption, tokenization and masking, together with the Data Loss Prevention tools currently on the market, are valuable, they do not provide expansive and prescriptive data discovery. We urgently need more intelligent data discovery tools to limit our attack surface.
Gartner published the research note “Shift Cybersecurity Investment to Detection and Response” in January 2016. The research note concluded that IT risk and security leaders must move away from trying to prevent every threat and acknowledge that perfect protection is not achievable. Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents. In the digital world, the pace of change is already too fast to anticipate and, combined with advanced attacks, it will be impossible to defend against every type of attack. Organizations must create the right mix of investments across prevention, detection and response capabilities.
I agree with this Gartner research that we need to shift cybersecurity investment to detection and response. I think that the “detect and respond to malicious behaviors” methods can be automated and based on discovery of sensitive data items. Encryption, masking and tokenization are not enough.
Reporting from the recent FS-ISAC 2016 Summit, Lawrence Chin wrote about “Know Your Data” and stated, “At the end of the day, your business critical data is the asset that needs to be protected. Consequently, an awareness of where it resides, who has access to it, and how it travels through your network is necessary. To protect data, encryption at rest has become the new norm. However, that’s not sufficient. Visibility into how and where it flows during the course of normal business is critical. Armed with this knowledge, deviations from the baseline can be detected and even stopped.”
Understanding where this integral data “resides and who has access to it,” as Chin discussed, coupled with discovering “deviations from the baseline,” is the best way to rethink our security approach.
PCI DSS 3.2 provides an important and unique update on data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers. While these requirements will not be mandatory for some time, it’s important to know that you and your service providers now have an opportunity to adopt these controls early. Implementing data discovery solutions can significantly reduce PCI scope and cost, which ultimately makes it easier to validate PCI compliance, and the PCI QSA community has developed many specialized tools to support the payment card industry.
The bad guys continue to target leaked PCI data and other Personally Identifiable Information. To mitigate and limit future attacks, it is essential to generate and implement data discovery tools that go beyond the existing data loss prevention tools.