Protecting your company’s data from attackers while adhering to data laws is a big ask for any CISO. It can feel like you’ve been asked to spin plates and win a boxing match, at the same time.
But you’re not alone!
A number of big-name brands have experienced high profile data breaches, just in the last six months.
The problem facing companies everywhere is that the traditional approach to information security is flawed and out-dated.
We often see a CISO spend all their time focusing on endpoints, perimeters and firewalls, only for data security to take a backseat.
Until a breach happens.
Traditional security measures may keep you compliant and reassure management, but they actually mask the problems until there’s an incident, or until data security regulations like CCPA and GDPR force you to shift focus.
At that point, it can feel like a daunting task getting your data security in order, and it’s difficult to know where to start.
In this article, we’ll answer the following questions:
- Why CISOs struggle to address data security
- Why the traditional approach to cybersecurity is flawed and risky
- How the Varonis data security roadmap we’ve used to help over 7,000 CISOs works, and how you can implement it in your organization
By the end of this article, you’ll have an actionable plan to protect your data, following a roadmap we’ve fine-tuned over our fifteen years in cybersecurity.
The times, they are a-changin’
When planning and defining their cybersecurity strategy, most companies follow a common playbook. This playbook approaches security from the outside-in, focusing on external devices and attempting to stop them from accessing your data.
This includes things like endpoint protection, SIEM, data loss prevention, and firewalls.
And this approach was effective for a time, when the team stored all their files and data on their own machines, locally managed servers, or on-prem data centers.
But the way organizations create, store, and access data has changed significantly in recent years.
Nowadays, your data is stored across different locations, cloud storage, and SaaS applications, all housing and processing different versions of your data.
Because of this, the widely used playbook simply isn’t an effective way to secure your data anymore.
As a CISO, you can’t confidently safeguard your data if you don’t even know Gary from accounting has signed the team up to yet another unprovisioned SaaS app.
This makes your data vulnerable, and the traditional approach can’t do anything to solve this.
More than just a tech problem
It’s not (entirely) Gary’s fault, though.
Your organization is full of humans with their own priorities, responsibilities, and flaws. They’re making choices that match how they want to work, and the goals they’re trying to achieve.
This is why you need to approach data security as more than just a technology problem.
Most of the time when we talk about cybersecurity, we focus on apps, databases, and APIs. That is a big part of it, but it doesn’t show the whole picture. The people in your organization play just as big a part, and can often pose even more risk than the tech.
Internal security policies are a great example.
Every organization knows they should have security policies, and most need them to comply with standards and regulations. But the goal quickly becomes creating the documents, and not actually implementing effective policies.
And—as every CISO knows—just because you make someone sign a document, it doesn’t mean they’ll actually adhere to the policy.
Another problem you’ll face is that huge amounts of data are being created by your company every passing day. So trying to stay on top of what everyone is creating, storing, accessing, etc. becomes an exercise in futility.
For example, if you’ve got a file that contains sensitive data, how do you know who can access that document? On day one, it could be just one person with access, and you’re compliant with your policies and regulations.
But then they share that document with a colleague in a different team. Then they share it with a larger group, unaware it contains sensitive data. Then someone in that group uses some content for a sales presentation. All of a sudden, you’re non-compliant, and you’ve put yourself at risk.
This might sound like hyperbole, but it’s not. These situations arise so easily, and it can feel impossible to prevent.
The first step to solving this problem is understanding that there’s no one-and-done solution (as much as we’d love there to be). The reality is your company will continue to create new data, add new people, and unfortunately, also remove people from the team.
Instead of sticking to the old playbook and hoping things work out, you need to change tack and adopt a data-first approach.
This means identifying the data that’s already at risk, securing your data, and implementing frameworks and tools to automatically secure your data.
The Varonis Data Security Roadmap
In the last section, we talked about the crux of the problem: there’s no way anyone can expect the traditional cybersecurity playbooks to be effective in the cloud age.
So in response to that, we developed a data security roadmap that’s helped some of the biggest enterprises in the world, like Coca-Cola, ING and Toyota, to improve their data security. We’ve also helped them maintain a strong data security posture in the long-term.
Before we do anything else, we need to get a clear picture of how much of your data is at risk. The way we do that is by automatically assessing all of your data, and compiling the results into a report.
We talked before about it being difficult knowing where to start, and this first step does that discovery for you.
We analyze where your data is, what the environment looks like, and how it’s all been configured.
We also look at the access and permissions of your data, across your different cloud storage, SaaS apps, etc. Assessing who’s accessing what data, how the data is being used, and analyzing behavioral trends.
Using this information, we can start to identify and prioritize any potential issues and risks. This process is vital, as issues can vary wildly in terms of severity and potential impact.
For example, we once identified that a marketing team had stored their company's social media passwords in OneDrive, shared a public link to the file, and got it indexed by Google.
Or a consultant who still had access to a company bonuses file, and accessed it every day, even though they had been let go six months earlier.
You can view our sample Data Risk Assessment report here, to get a better idea of what we include.
If access is limited to a small number of people internally, it’s less likely to be a problem. But if it’s being shared externally, there’s much more risk.
The goal here is to get the lay of the land, and start identifying risks straight out the gate. At Varonis, we call this ‘Day 1 Value’, because you start protecting your data from the very start.
We've had customers install Varonis on a Tuesday morning, and get a call from our Proactive Incident Response team at 4pm, notifying them that we just stopped a ransomware attack.
Learn & Tune
Once the enable stage is done, most cybersecurity tools abandon you to fend for yourself. But that doesn’t help you very much. In fact, it can often leave you even more confused, as you try to interpret and prioritize the findings.
Don’t worry, we won’t abandon you.
Instead, the Varonis AI evaluates the metadata we derived from your environments, and builds a model so we can continuously analyze your data. The aim is to use this behavioral information to create context around your data, so you and your team can make better and more informed decisions.
We do this using three key ingredients:
- Sensitivity - Where the sensitive data is, and the type of sensitivity
- Permissions - Who has access to what data
- Activity - How people have interacted with the data
We then use these behavioral models with our threat detection to set up automated reporting and alerts, as well as to integrate with cybersecurity tech like SIEM, DLP, and SOAR.
When this is fine-tuned and customized for your data, you’ll have not only a list of recommendations for improvements and changes, but also the context you need to make informed decisions at the next stage.
As a CISO, it’s not enough to just identify the risks and issues — you need to solve them. Historically, this has been done by throwing manpower at the problem.
But even if you hire an army of contractors to try to fix the issues you’ve found, the list will be out of date by the time they’re finished. Not to mention the timescale and huge financial expense.
Instead, Varonis automatically fixes the issues for you, actioning the recommendations from the previous phase, and reducing risks across all your environments.
This is done using our DSPM (Data Security Posture Management) features, which remove stale and redundant permissions, strengthen your Active Directory, and automatically create data retention and quarantining policies.
The goal here is to minimize the potential blast radius as quickly and efficiently as possible.
For example, if you have an employee who’s recently changed teams, they probably still have permission to access the systems and data for their previous role. Varonis not only highlights this issue, but also fixes it automatically, so they can only access what they need for their new role.
Our automatic remediation covers four types of risk:
It’s hard to keep track of what everyone in your business is doing, and it’s not uncommon for people to unintentionally expose sensitive data to outside parties, which can lead to the theft, deletion, or alteration of your sensitive data.
For example, someone at your company might have stored social media credentials in Microsoft 365 and shared the file using “Anyone” links. This would mean anyone with the link could access your sensitive data and log into your social media accounts.
How your SaaS and cloud apps are configured plays a big part in your data security, so it’s important to detect misconfigurations and remediate them efficiently.
For example, if your company uses Zoom, maybe it’s been misconfigured to allow participants to record the calls locally. This could put you at risk if you’re discussing sensitive data.
As an organization grows, it becomes more exposed to identity risks. These risks refer to vulnerabilities in an organization's identity and access management processes.
For example, if an employee leaves your organization, but their access isn’t revoked, your sensitive data is vulnerable.
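The three ingredients described in the Learn & Tune stage (sensitivity, permissions, activity) and the remediation categories above (sensitive data behind “Anyone” links, permissions nobody uses, departed users who still hold access) can be combined into a small triage routine. The following is an added illustration written for this article, not Varonis code or the product's actual logic; the file inventory, user directory, access log, idle threshold and scoring weights are all constructed assumptions.

```python
"""Toy data-risk triage over sensitivity, permissions and activity.
Every record below is constructed sample data, not from a real environment."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileRecord:
    path: str
    sensitive: bool
    # principal -> how access was granted ("direct" or "anyone-link")
    permissions: dict


@dataclass
class User:
    name: str
    active: bool   # False once the person has left the organization
    team: str


# Constructed inventory: one HR file, one marketing file, one engineering file.
FILES = [
    FileRecord("/hr/bonuses.xlsx", True, {"alice": "direct", "consultant_bob": "direct"}),
    FileRecord("/marketing/social-passwords.docx", True, {"carol": "direct", "ANYONE": "anyone-link"}),
    FileRecord("/eng/roadmap.pptx", False, {"dave": "direct", "erin": "direct"}),
]
# Constructed directory: consultant_bob has already been off-boarded.
USERS = {
    "alice": User("alice", True, "hr"),
    "consultant_bob": User("consultant_bob", False, "finance"),
    "carol": User("carol", True, "marketing"),
    "dave": User("dave", True, "eng"),
    "erin": User("erin", True, "eng"),
}
NOW = datetime(2024, 6, 1)
# Constructed access log: (principal, path, timestamp). erin never opened roadmap.pptx.
ACTIVITY = [
    ("alice", "/hr/bonuses.xlsx", NOW - timedelta(days=2)),
    ("consultant_bob", "/hr/bonuses.xlsx", NOW - timedelta(days=1)),
    ("carol", "/marketing/social-passwords.docx", NOW - timedelta(days=40)),
    ("dave", "/eng/roadmap.pptx", NOW - timedelta(days=3)),
]


def last_access(activity):
    """Collapse the log into {(principal, path): most recent timestamp}."""
    latest = {}
    for who, path, ts in activity:
        key = (who, path)
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return latest


def find_stale_permissions(files, activity, now, max_idle_days=90):
    """Principals that hold access but have not used it within max_idle_days."""
    latest = last_access(activity)
    findings = []
    for f in files:
        for who, how in f.permissions.items():
            if how == "anyone-link":
                continue  # link exposure is reported by find_external_exposure
            ts = latest.get((who, f.path))
            if ts is None or (now - ts).days > max_idle_days:
                findings.append(("stale_permission", f.path, who))
    return findings


def find_external_exposure(files):
    """Files reachable through an 'Anyone' link, regardless of who created it."""
    return [("external_exposure", f.path, "ANYONE")
            for f in files if "anyone-link" in f.permissions.values()]


def find_orphaned_access(files, users):
    """Permissions still held by principals the directory marks as inactive."""
    findings = []
    for f in files:
        for who in f.permissions:
            user = users.get(who)
            if user is not None and not user.active:
                findings.append(("orphaned_access", f.path, who))
    return findings


def score(finding, files_by_path):
    """Constructed weighting: exposure type times a sensitivity multiplier."""
    kind, path, _ = finding
    base = {"external_exposure": 3, "orphaned_access": 2, "stale_permission": 1}[kind]
    return base * (2 if files_by_path[path].sensitive else 1)


def triage(files, users, activity, now):
    """All findings, highest-priority first, so remediation starts where blast radius is largest."""
    findings = (find_external_exposure(files)
                + find_orphaned_access(files, users)
                + find_stale_permissions(files, activity, now))
    by_path = {f.path: f for f in files}
    return sorted(findings, key=lambda fnd: -score(fnd, by_path))


if __name__ == "__main__":
    for finding in triage(FILES, USERS, ACTIVITY, NOW):
        print(finding)
```

Note that consultant_bob's access is flagged as orphaned rather than stale: he opened the bonuses file yesterday, so activity alone would never surface the problem, which is why the identity (active/inactive) signal has to be joined with the permission data rather than inferred from usage.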
Ensuring your success
The final phase of our tried and tested roadmap is less about big bombastic actions, and more about maintaining the quality, consistency, and compliance of your data.
If the previous steps were losing the weight, this step is keeping the weight off.
As your company grows and evolves, you’ll adopt new tools and platforms, and your data will continue to grow and spread. There will also be new risks and regulations popping up that you’ll need to be ready for.
This stage is about keeping on top of anything new, while maintaining your existing environments. Our team works with you to regularly review new and existing risks, business value, and security maturity.
We also help you to keep your tools secure, without being forced to update needlessly.
Essentially, we iteratively loop through the previous phases, keeping you constantly in a secure and compliant state as things change and your business moves forward.
With the increasing pressure of regulations and the high risk of data breach, CISOs need to see data security as a core pillar of their security roadmap. This means moving away from an outside-in style strategy and moving towards a data-first approach.
But with the proliferation of data creation and storage across all industries, this is an almost impossible task without a plan and platform that’s fit for purpose.
By following the Varonis data security roadmap we’ve successfully used to help more than 7,000 companies, you can improve your data security posture.
Curious about how exposed your sensitive data is? Get a free data risk assessment when you book a Varonis test drive.
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.