The “Big Data” movement has made its way into every facet of business, especially the security organization. There is an expectation to protect all parts of the enterprise infrastructure, including network, endpoints, cloud, virtual machines and more. Leaving the pure volume of data to monitor, analyze and protect across the enterprise framework a nearly impossible feat. Security organizations across all industries, especially highly regulated environments, need to take a step back, strategically evaluate the personally identifiable “sensitive” data that is housed within the enterprise, or organization, including such items as intellectual property, financial data and any personally identifiable information from customers, patients or employees, and place priority on protecting that data.
Perhaps the most important reason for this is the need to comply with an ever-growing list of data privacy regulations and the related breach insurance policy edicts. Nearly every industry has regulations each with their own compliance rules and enforcement requirements, while also meeting stateand national laws. One thing is clear, the expectations regarding breach notification and auditing is tightening, for example the impending GDPR code states that organizations must provide notification of a cyber attack within 72 hours. In addition, insurance providers have a growing set of detailed actions that must take place in order for claims to be paid.
By decreasing the scope to monitoring only conversations to and from sensitive data stores, allows the security operation to focus their forensic analysis effortson determining the scope of the potential breach. To do so requires the capturing and recordingof all data within these conversations, while allowing simple identification and extraction of any conversation. By doing so we can answer the following mandatory questions with assurance:
1) What devices are involved and to what degree?
2) When did the breach start and when did it end?
3) What critical databases and/or files were accessed?
4) If I replay the initiating attack data, do my new patches stop the attack?
How impactful is this change in approach? Normally investigative response techniques take 100s of hours. By providing a means to quickly review every conversation to sensitive data stores – down at the data level – can improve the results andreduce the effort to 10s of hours per breach. Therefore, reducing costs by 10’s of thousands of dollars per incident.
Turning the “Big Data” security issue into a “Little Data” attainable request can completely change the trajectory and success of any breach investigation.