Data—now universally understood to be the lifeblood of businesses—is at risk like never before in the form of both malicious attacks and innocent indiscretions. Recently, Steve Grobman, CTO for McAfee, discussed the range of threats to data security and what companies must do to defend themselves.
When you look at the data security forecasts that came out of the recent McAfee Labs 2017 Threat Predictions report, was there anything that stood out to you?
We are seeing IT aggressively moving to cloud-based architectures in order to improve efficiency and decrease their costs. There are tremendous benefits from doing so, and many of those will be security benefits as well—in that cloud providers can inherently invest in building a strong security architecture. But we also need to recognize that, given the value of the data that will be held in these cloud environments, the benefit to bad actors in breaching those environments will be very high.
Whether that is from a low-level perspective like virtualization technologies, or the orchestration capabilities that tie it all together, or even the bridging technologies that allow cloud architectures to interoperate with traditional environments—all of those will be targeted. One of the most profound areas from my perspective is that when a multitenant cloud system is breached, the impact can be much more severe than breaching a single company’s application or data architecture. The reason for that is that the bad actor could either steal or corrupt many parties’ data versus just a single organization’s. I think we will start to see issues related to the cloud becoming much more common.
It is possible for a data breach of any type to cause damage even if there is no financial opportunity.
You are right that using data as a weapon as opposed to just monetizing it by stealing it and selling it is key. That can benefit a cybercriminal in many different ways and one of the easiest is simply by extortion and threatening a company that if it does not pay a ransom in bitcoin, all the email archives of their top executives—with information about salaries and off-color comments—will be released. There is the potential to use data to threaten harm and extort companies. But then, the other part of that is an offshoot of what we saw during the presidential election cycle.
Compromised data can be augmented with fabricated data to make things even worse. For example, in a corporate environment, if you had your CEO’s email stolen, a bad actor could release the legitimate stolen data to establish credibility but then add fabricated data to do even more harm. Think of a scenario where the bad actor’s objective is to make money on manipulating the stock price of an organization. Data stolen from a key executive, that when vetted and evaluated will be found to be legitimate, can be interlaced with fabricated data that makes it appear as though there were scandals, or corruption, or illegal activity.
What needs to be done?
It is very important to make the point to the general public that we need to be very suspicious of data that is identified from a data leak. With the media continuously reporting the content of breached data, the general public is being conditioned to essentially trust this information. Think of something as mundane as the Ashley Madison breach—there was nothing to prevent the hackers from adding names to those lists.
How do you classify data risks?
Data breaches generally can be categorized in three ways. One is what I would term the “accidental breach.” A lot of data leaves an organization, not through malice, but through employees simply trying to get their jobs done. They forward sensitive data to their cloud account so they can work on it at home or they use other mechanisms to move data to places that they shouldn’t and then it ends up going to someone that should not have access to it.
And the next?
The second category of breach is caused by the intentional insider. And that is a much harder problem if you have a sophisticated insider who wants to smuggle data out. Part of the problem is that there are certain types of data smuggling that are very difficult to prevent with technology. An example of that is what we call the “analog problem” which is a fancy term meaning that it is difficult to prevent somebody from doing something such as taking a picture of their screen with their cellphone.
The third situation is when it is an actor from outside the organization who is using a combination of malicious tools and techniques in order to break into an organization and then exfiltrate the data.
How do you approach these challenges?
Our strategy is to break the problem primarily into two sets of technologies. The first big part of the technology is to provide a Pervasive Data Protection architecture across not only traditional systems but also the cloud as well as personal devices to create policy and controls on where and how data flows. The other big arm of the strategy is giving organizations a comprehensive set of technologies to defend their environment against bad actors that are using offensive cyber capabilities to break into an organization and exfiltrate data, and that is our Threat Defense set of products and capabilities.
Are there different challenges today to data security? You mentioned cloud and mobile.
Those are two, and a third one is the challenge around big data and using data from many places. Organizations want to be able to analyze data but also ensure that they are honoring the privacy and data access restrictions for that data. Enabling many different groups to have access to large pools of data for analysis is highly beneficial but by doing that you are making data accessible to individuals that otherwise wouldn’t have access. The challenge is enabling new forms of big data analytics, machine learning, where you really need to have access to large quantities of potentially sensitive data but not introduce new data privacy or data access issues by doing that.
There have to be controls.
One of the intelligence challenges that led to 9/11 was limited information sharing between intelligence organizations. As a result, there were procedures put in place to make moving data between agencies easier but then that put data at higher levels of risk, leading to things like the leak from Edward Snowden.
How can companies deal with this?
What every organization needs to do is find the right balance between efficient operations where you can take advantage of data sharing while still having tolerable levels of risk.
Are newer approaches such as AI, machine learning, and predictive analytics being deployed in data security?
Most definitely. We are using machine learning and artificial intelligence within our products, and really across the cybersecurity industry, it is one of the newer technologies that is being heavily used. But it is important to understand that it is possible to poison machine-learning algorithms or subject an organization to large numbers of false positives, so that it has to recalibrate its models, which then allows a criminal actor to have a viable infiltration vector. So, although it is an effective and very interesting new field that is being embraced by the cybersecurity and defense industry, we do need to be mindful that it has limitations.
What should an organization do to ensure that its data protection stance is adequate?
The key step is to recognize that protection is needed against both the accidental breach and the intentional breach and that the technology, systems, and processes for each will be different. Organizations also have to be careful to not just focus on the last incident that resulted in a data loss. Very often, companies that have lost data due to a breach or an unintentional loss put a lot of effort into that vector and in some cases ignore the other vectors.
What keeps you up at night?
The thing that keeps me up at night is the thought of having some of our large multitenant cloud-based data systems breached where you could have many of the companies on the Fortune 500 critically impacted. If you think of the number of organizations that rely on cloud-based CRM systems or cloud-based storage systems, if one of these systems were breached, it wouldn’t be a single organization but potentially a very large percentage of businesses and organizations worldwide and I think that those are the things that we need to pay a lot of attention to.
This interview was conducted, condensed, and edited by Joyce Wells.