<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>In Defense of Data</title>
	<atom:link href="http://www.indefenseofdata.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.indefenseofdata.com</link>
	<description>Exposing Data Security Leaks and Breaches</description>
	<lastBuildDate>Wed, 08 May 2013 18:38:40 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>5 Pieces of DLP Advice You Can’t Afford to Ignore</title>
		<link>http://www.indefenseofdata.com/2013/05/5-pieces-of-dlp-advice-you-can%e2%80%99t-afford-to-ignore/</link>
		<comments>http://www.indefenseofdata.com/2013/05/5-pieces-of-dlp-advice-you-can%e2%80%99t-afford-to-ignore/#comments</comments>
		<pubDate>Wed, 08 May 2013 18:38:40 +0000</pubDate>
		<dc:creator>Linda Park</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[malicious insider]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=1032</guid>
		<description><![CDATA[Today’s business users are nothing if not productive, but too often they don’t think about whether they are working with confidential data or whether they are protecting it appropriately. The fact is, employees regularly save patient records to thumb drives, transfer customer data to personal devices, and email unreleased product plans to personal webmail. Although [...]]]></description>
			<content:encoded><![CDATA[<p>Today’s business users are nothing if not productive, but too often they don’t think about whether they are working with confidential data or whether they are protecting it appropriately. The fact is, employees regularly save patient records to thumb drives, transfer customer data to personal devices, and email unreleased product plans to personal webmail. Although well-intentioned, their actions can expose sensitive business information to unnecessary risk. Add advanced threats by external attackers to the mix plus malicious insiders, who are intent on stealing corporate data for their own gain, and it becomes clear that data loss prevention (DLP) is no longer a nice-to-have, but a need-to-have.</p>
<p>CISOs are turning to DLP solutions to effectively protect valuable intellectual property (IP) and personally identifiable information (PII) and keep their organizations from becoming the next headline.  Symantec recently published a <a href="https://symantec-corporation.com/servlet/formlink/f?kPugHuQYUCR&amp;ACTIVITYCODE=157349&amp;inid=GL_NA_WP_FiveDLPTipsfromSecurityExecutives_daiNA_cta69249_aid157349">research paper</a> examining how DLP programs impact the effectiveness of security executives while also protecting corporate data. We surveyed more than 130 CISOs, VPs, directors and managers responsible for the evaluation, selection, deployment and governance of their organization’s DLP solution.</p>
<p>What we found is that data protection is growing in strategic importance, as 89 percent of respondents said their company’s data protection plan originated from the top. And more than half of respondents’ companies launched a data protection plan because they had either experienced data loss or felt such an event was imminent.  While DLP solutions are increasingly being used to protect data, DLP is more than a security tool: it is a business process for managing risk across every department that touches confidential information. As such, DLP is most effective when CISOs work with business users to implement it.</p>
<p>So what can be done? Your CISO peers, who have evaluated and deployed DLP solutions, suggest the five tips below:</p>
<ol>
<li><strong>Clearly define your data loss monitoring requirements</strong> – It’s important to understand what data is confidential to your business, how data owners want to respond to incidents, and how to define policies that fit your organization’s culture.</li>
<li><strong>Build a business case for your DLP program</strong> – Many organizations work with security vendors or consultants to help them perform a risk assessment that will identify critical data leaving your network and quantify data loss risk. The results will arm you with a compelling business case to gain funding and support from your business stakeholders.</li>
<li><strong>Understand the total cost of ownership of DLP solutions</strong> – In addition to up-front software license costs, you need to factor in hardware, maintenance, installation and staffing.  Respondents noted that 90 percent of running a DLP program is reviewing and remediating data loss incidents.</li>
<li><strong>Deploy DLP in waves to get quick wins</strong> – Start with monitoring and discovery to get visibility into your high-risk areas first.  Implement a small set of policies and be mindful of tuning them to minimize false positives before you turn on notifications and blocking.</li>
<li><strong>Prepare for broken business policies</strong> – Before a full DLP deployment, CISOs need to work with business stakeholders to determine the best way to deal with broken policies, and how to remediate them.</li>
</ol>
<p>CISOs today have a tough role. You’re not only responsible for protecting sensitive data from leaving your organization, but you also work as an intermediary between fellow executives and employees to ensure they all understand the risks to business information.  Armed with these tips from your peers, CISOs can protect data from falling into the wrong hands, drive change across the organization, and elevate the CISO’s role as a strategic partner – nearly half of the survey respondents believe they have improved their credibility with peers in other business units by implementing DLP. For more detailed findings and tips from this survey, download the report <a href="https://symantec-corporation.com/servlet/formlink/f?kPugHuQYUCR&amp;ACTIVITYCODE=157349&amp;inid=GL_NA_WP_FiveDLPTipsfromSecurityExecutives_daiNA_cta69249_aid157349">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/05/5-pieces-of-dlp-advice-you-can%e2%80%99t-afford-to-ignore/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Save the Date: #ISTR Twitter chat on Symantec Internet Security Threat Report</title>
		<link>http://www.indefenseofdata.com/2013/04/save-the-date-istr-twitter-chat-on-symantec-internet-security-threat-report/</link>
		<comments>http://www.indefenseofdata.com/2013/04/save-the-date-istr-twitter-chat-on-symantec-internet-security-threat-report/#comments</comments>
		<pubDate>Fri, 26 Apr 2013 18:14:46 +0000</pubDate>
		<dc:creator>Symantec</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[Internet Security Threat Report]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=1029</guid>
		<description><![CDATA[Join Symantec Security Response experts on Twitter (using the #ISTR hashtag) on Tuesday, April 30, at 9 a.m. PT / 12 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report (ISTR), Volume 18.
The ISTR, which covers the major threat trends observed by Symantec in 2012, reveals a [...]]]></description>
			<content:encoded><![CDATA[<p>Join Symantec Security Response experts on Twitter (using the #ISTR hashtag) on Tuesday, April 30, at 9 a.m. PT / 12 p.m. ET to chat about the key trends highlighted in Symantec’s recently released <a href="http://bit.ly/IUbgra">Internet Security Threat Report (ISTR), Volume 18</a>.</p>
<p>The ISTR, which covers the major threat trends observed by Symantec in 2012, reveals a significant increase in cyberespionage to gain access to confidential information and valuable intellectual property, and the criminals’ methods of obtaining this information are shifting. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them, representing a threefold increase from 2011.</p>
<p>Mark your calendars to join #ISTR chat and plan to discuss the latest attack vectors and techniques used by cybercriminals to gain access to your intellectual property.</p>
<p><strong>Topic</strong>: Internet Security Threat Report: Volume 18—what does the data tell us?</p>
<p><strong>Date</strong>: Thursday, April 30, 2013</p>
<p><strong>Time</strong>: Starts at 9:00 a.m. PT / 12:00 p.m. ET</p>
<p><strong>Length</strong>: 1 hour</p>
<p><strong>Where: </strong>On Twitter.com; follow the hashtag <a href="https://twitter.com/search?q=%23ISTR&amp;src=typd">#ISTR</a></p>
<p><strong>Expert</strong> <strong>participants</strong>:</p>
<ul>
<li><a href="http://www.symantec.com/about/news/resources/press_kits/bio.jsp?bioid=kevin_haley">Kevin Haley</a>, Director, Symantec Security Response, Symantec – <a href="http://www.twitter.com/kphaley" target="_blank">@kphaley</a></li>
<li><a href="http://www.symantec.com/about/news/resources/press_kits/bio.jsp?bioid=paul_wood">Paul Wood</a>, Cyber Security Intelligence Manager, Symantec – <a href="https://twitter.com/search?q=paulowoody&amp;src=typd">@paulowoody</a></li>
</ul>
<p><em>Cross-posted from <a href="http://www.symantec.com/connect/symantec-blogs/sr" target="_blank">Symantec Security Response blog</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/04/save-the-date-istr-twitter-chat-on-symantec-internet-security-threat-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2013 ISTR Shows Changing Cybercriminal Tactics</title>
		<link>http://www.indefenseofdata.com/2013/04/2013-istr-shows-changing-cybercriminal-tactics/</link>
		<comments>http://www.indefenseofdata.com/2013/04/2013-istr-shows-changing-cybercriminal-tactics/#comments</comments>
		<pubDate>Tue, 16 Apr 2013 21:28:34 +0000</pubDate>
		<dc:creator>Symantec Security Response</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Internet Security Threat Report]]></category>
		<category><![CDATA[malicious attacks]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SMB]]></category>
		<category><![CDATA[Web-based attack]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=1022</guid>
		<description><![CDATA[The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year’s report shows more targeted attacks, increasing focus on smaller businesses, and the continued development of new threats.
Targeted attacks, hacktivism, and data breaches
Targeted attacks [...]]]></description>
			<content:encoded><![CDATA[<p>The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year’s report shows more targeted attacks, increasing focus on smaller businesses, and the continued development of new threats.</p>
<p><strong>Targeted attacks, hacktivism, and data breaches</strong></p>
<p>Targeted attacks saw a 42 percent increase in 2012, to 116 per day on average, with a corresponding increase in data theft and incidents of industrial espionage. Attackers are changing their targets, as well. Small businesses make up a larger percentage of those targeted for attack than in 2011, a threefold increase, with 31 percent of all targeted attacks directed at companies with fewer than 250 employees. Attackers are finding valuable data to steal from small companies and fewer defenses in place to stop them. Manufacturing is now the most targeted business sector, making up 24 percent of targeted attacks. One of the most significant innovations in targeted attacks is the emergence of <a href="http://bit.ly/16fMPeC">watering hole attacks</a>. The attackers compromise the security of a website that an intended target is likely to visit; once the target visits the website, their computer becomes infected with malware. This successful tactic, popularized by a group known as the <a href="http://bit.ly/XTaCBT">Elderwood Gang</a>, has infected up to 500 companies in a single day.</p>
<p>Data breaches declined in 2012, but the number of identities stolen increased, totaling nearly 240 million. Healthcare, education and government accounted for the majority of these identities stolen, and while most reported breaches were due to outside attacks, the risk of insider-caused attacks remains high.</p>
<p><strong>Vulnerabilities, exploits, and toolkits</strong></p>
<p>Zero-day vulnerabilities increased to 14 in 2012, and overall vulnerabilities rose to 5,291. Also increasing are mobile vulnerabilities, up to 416 last year. Cyber criminals use these to compromise the security of their targets, which are particularly vulnerable when they fail to frequently apply patches and updates. This failure on the part of IT is largely responsible for the 30 percent increase in attacks while new vulnerabilities are increasing at a much slower pace.</p>
<p>Even those without technical skill can become cybercriminals through <a href="http://bit.ly/Xsi33C">the use of toolkits</a>, which use previously discovered vulnerabilities in browsers and plugins to perpetrate attacks. The toolkit called Blackhole made up 41 percent of all Web-based attacks in 2012.</p>
<p><strong>Social networking, mobile, and the cloud</strong></p>
<p>Social networks are the new source of spam, with fake offerings making up 56 percent of social media attacks. These are made easier by the personal information made publicly available, and the propensity of people on these sites to share links and data with others. Other tactics include creating fake “like” buttons that install malware, or tricking users into downloading fake browser extensions.</p>
<p>Mobile vulnerabilities are rising, with 387 reported for Apple iOS alone. By contrast, the Android platform only showed 13 vulnerabilities, yet its large market share, open platform and multiple distribution methods for applications likely account for the fact that the majority of mobile threats are directed at Android devices (158 of 163 unique threats). Overall, mobile malware increased by 58 percent in 2012.</p>
<p>As more businesses take advantage of cloud computing, they enjoy overall greater security and lower costs. But there are security concerns with the cloud as well. Retrieving data from a disreputable cloud provider can be a challenge, and attackers are discovering that attacking these providers can yield large amounts of data. In the future, attackers may also begin to attack virtual machines that are used to support the cloud infrastructure.</p>
<p><strong>Spam, phishing, and malware</strong></p>
<p>As social media spam picks up and authorities crack down on botnets, traditional spam has been declining slightly from 75 percent of all email in 2011 to 69 percent in 2012. Pharmaceutical spam has been replaced by adult/sex/dating spam as the most common form, accounting for 55 percent of spam. Despite the decline, 30 billion spam emails are still sent each day. The shift in cybercriminals’ tactics is also evident in the decline of email as a phishing vector. Overall, one in 414 emails is now a phishing attempt, down from one in 299 in 2011.</p>
<p>Malware is found in one out of every 291 emails, and among those emails 23 percent contain URLs linking to websites with malicious code. Every day, approximately 247,350 Web-based attacks were blocked, an increase of 30 percent over 2011. 2012 also represented the first widespread case of malware specifically targeting Macs, with the <a href="http://bit.ly/XTb4jq">Flashback attack</a> exploiting a Java threat to infect 600,000 Macs. The number of Mac-specific threats is now on a general upward trend. Other new malware attacks include <a href="http://bit.ly/Zb3knW">ransomware</a>, which locks the machine until the user pays a fee to the cybercriminal.</p>
<p>For more details on the current threat landscape, see the full <a href="http://bit.ly/WZoj0k">ISTR</a>.</p>
<p><em>Cross-posted from <a href="http://www.symantec.com/connect/symantec-blogs/sr">Symantec&#8217;s Security Response blog</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/04/2013-istr-shows-changing-cybercriminal-tactics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enterprises Can Learn a Thing or Two about IP Theft from Department Stores</title>
		<link>http://www.indefenseofdata.com/2013/04/enterprises-can-learn-a-thing-or-two-about-ip-theft-from-department-stores/</link>
		<comments>http://www.indefenseofdata.com/2013/04/enterprises-can-learn-a-thing-or-two-about-ip-theft-from-department-stores/#comments</comments>
		<pubDate>Wed, 03 Apr 2013 15:07:35 +0000</pubDate>
		<dc:creator>Robert Hamilton</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[breach notification laws]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[IP protection]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=1014</guid>
		<description><![CDATA[I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information [...]]]></description>
			<content:encoded><![CDATA[<p>I read with great interest <a href="http://www.nytimes.com/roomfordebate/2013/02/21/should-companies-tell-us-when-they-get-hacked" target="_blank">The New York Times’ “Room for Debate”</a> that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But, when hackers get in the backdoor and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret.</p>
<p>There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of the biggest threats to IP that companies face every day – our own trusted employees. We need to consider to whom more corporate secrets are lost – the external attacker or the insider?</p>
<p>Retailers face a similar predicament of external and internal theft where shoplifters and employees are stealing their wares. Shoplifters are essentially the retailer’s equivalent of hackers. However, retailers know the bigger threat is their own employees – in 2011 shoplifting accounted for 35.7 percent of total losses while employee theft accounted for 43.9 percent and <a href="http://www.nrf.com/modules.php?name=News&amp;op=viewlive&amp;sp_id=1389" target="_blank">cost retailers $35 billion</a>. Thwarting insider theft is where retailers heavily invest in increasingly sophisticated and concealed tools like Internet Protocol cameras that provide live stream viewing, video correlation with transaction data and register keystrokes, RFID inventory systems, and even biometric identification systems to prevent cheating on time sheets.</p>
<p>Like the shoplifter’s spoils, the take from a hack most likely pales in comparison to the slow, steady trickle of insider IP theft. A study Symantec released last month found that half of employees admit to taking corporate data when they leave a job, and 40 percent say they plan to use the data in their new job. This means valuable IP – the crown jewels – is falling into the hands of competitors. Even if hackers went away completely, you won’t solve the problem of routinely losing your IP unless you take steps to reduce the risk of insider theft.</p>
<p>We suggest that companies take a multi-pronged approach:</p>
<ul>
<li><strong>Educate employees</strong>. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness is critical – companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do&#8217;s and don&#8217;ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employer to your company.</li>
<li><strong>Enforce non-disclosure agreements (NDAs)</strong>. Review existing employment agreements to ensure that they use strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include and describe, in checklist form, an overt description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee&#8217;s responsibility to safeguard sensitive and confidential information.</li>
<li><strong>Implement monitoring technology</strong>. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it&#8217;s leaving. Deploy data loss prevention software to notify managers and employees in real time when sensitive information is inappropriately sent, copied, or otherwise inappropriately exposed, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.</li>
</ul>
<p>While hackers make for sexy headlines, we can’t lose sight of the <a href="http://www.symantec.com/products-solutions/families/?fid=data-loss-prevention&amp;inid=us_ghp_hero3_dlp-ip" target="_blank">insider threat</a>. Employees walking out the front door with corporate secrets can be just as damaging, and enterprises need to pay attention. As to whether companies should disclose insider theft incidents, well, that’s a debate for another day.</p>
<p>What do you think? Are enterprises paying too little attention to insider threats?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/04/enterprises-can-learn-a-thing-or-two-about-ip-theft-from-department-stores/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Reputation, Business and Customers in Today’s Extended Vendor Ecosystem</title>
		<link>http://www.indefenseofdata.com/2013/03/protecting-reputation-business-and-customers-in-today%e2%80%99s-extended-vendor-ecosystem/</link>
		<comments>http://www.indefenseofdata.com/2013/03/protecting-reputation-business-and-customers-in-today%e2%80%99s-extended-vendor-ecosystem/#comments</comments>
		<pubDate>Thu, 21 Mar 2013 20:37:11 +0000</pubDate>
		<dc:creator>Cheryl Tang</dc:creator>
				<category><![CDATA[IT Risk and Compliance]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Cost of a Data Breach]]></category>
		<category><![CDATA[IT risk management]]></category>
		<category><![CDATA[third-party data breach]]></category>
		<category><![CDATA[vendor risk management]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=1007</guid>
		<description><![CDATA[In today’s global economy, it’s no secret that many organizations rely on third parties for critical business activities. While outsourcing isn’t a new concept, the rise of readily available cloud-based and everything-as-a-service solutions is rapidly increasing an organization’s liability and risk landscape – often with limited IT oversight.
Unfortunately many enterprises relying on third-party vendors often [...]]]></description>
			<content:encoded><![CDATA[<p>In today’s global economy, it’s no secret that many organizations rely on third parties for critical business activities. While outsourcing isn’t a new concept, the rise of readily available cloud-based and everything-as-a-service solutions is rapidly increasing an organization’s liability and risk landscape – often with limited IT oversight.</p>
<p>Unfortunately, many enterprises relying on third-party vendors often assume that these third parties properly protect their sensitive employee, customer and business data. Sadly, this is not always the case. Consider these data points:</p>
<ul>
<li>Only 24 percent of respondents require third-party suppliers or partners to comply with baseline security procedures. [1]</li>
<li>Although 84 percent of senior IT decision makers [were] concerned or very concerned about the risks associated with IT security breaches, 55 percent of CIOs have not tested cloud vendors’ security systems and procedures. [2]</li>
</ul>
<p>These numbers are shocking when you think about the potential risks that third parties can introduce to an organization’s reputation, business and customers. High profile <a href="http://www.indefenseofdata.com/2011/04/third-party-breaches-highlight-weak-link-in-the-chain-of-protection/">third-party</a> data breaches have impacted a larger number of major brands beyond the initial breach. According to the Ponemon Institute’s Cost of a Data Breach <a href="http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012_worldwide_CloudLaunch">study</a>, 41 percent of organizations had a data breach caused by a third party. And data breaches caused by third parties increased cost by $26 per compromised record.</p>
<p>With so much at stake how do you ensure that your data is appropriately protected? According to research from the <a href="http://www.itpolicycompliance.com/research-reports/vendor-risk-management-for-it/">IT Policy Compliance Group</a>, the best performing companies go beyond the contracts to actively manage and hold vendors accountable to requirements. These companies routinely collect information including online surveys and log data on a monthly basis. In addition, the majority of best performing companies automate the process of gathering and assessing vendor information. This automation facilitates a larger number of more frequent assessment requests.</p>
<p>Without ongoing visibility and management of vendor risk, there is no way of telling if your enterprise’s information is adequately protected. Organizations need to consider vendor risk management <a href="http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-symc-control-compliance-suite-vendor-risk-mgr-DS-2128940.pdf">solutions</a> that can provide the continuous vendor oversight required to protect sensitive data and reduce overall business risk. They allow CISOs to gain visibility into their vendor risk, automate vendor risk assessments and deliver up-to-date information in a timely manner.</p>
<p>The most important message to take away from this post is to not leave your third-party security to chance. In addition to monitoring how third parties are managing data, it is important for organizations to have the right risk management solutions working for them that monitor and protect information that is internal as well as external to the organization. It only takes a few simple steps to protect your organization’s business assets and reputation. It is time to take the reins. Learn more about how to manage third-party security at <a href="http://www.symantec.com/theme.jsp?themeid=control-compliance-suite">Symantec Control Compliance Suite’s</a> home page.</p>
<p><em>Cross-posted from <a href="http://www.symantec.com/connect/information-unleashed">Symantec&#8217;s Information Unleashed</a> blog.</em></p>
<div>
<div id="ftn1">
<p>[1] <em>Third Party Risk Management</em>, PwC, April 2012</p>
</div>
<div id="ftn2">
<p>[2] <a href="http://www.computing.co.uk/ctg/news/2229469/over-half-of-cios-fail-to-test-cloud-vendors-security"><em>Over half of CIOs fail to test cloud vendors’ security</em></a>, Computing.co.uk, 04-DEC-12</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/03/protecting-reputation-business-and-customers-in-today%e2%80%99s-extended-vendor-ecosystem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Too Much Information Given Out?!</title>
		<link>http://www.indefenseofdata.com/2013/03/too-much-information-given-out/</link>
		<comments>http://www.indefenseofdata.com/2013/03/too-much-information-given-out/#comments</comments>
		<pubDate>Thu, 07 Mar 2013 17:03:54 +0000</pubDate>
		<dc:creator>Phil Harris</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Internet security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=1002</guid>
		<description><![CDATA[I came across this article not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there.  Most sites we put our information seem really innocuous and quasi-safe because we don’t think the site is [...]]]></description>
			<content:encoded><![CDATA[<p>I came across this <a href="http://www.channel4.com/news/hackers-use-government-jobs-site-to-steal-your-data" target="_blank">article</a> not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there.  Most sites where we put our information seem really innocuous and quasi-safe because we don’t think the site is very interesting to anyone but ourselves and a handful of others with similar interests.  It seems like it almost becomes a “second nature” activity to just blindly assume that Internet sites that don’t ask for your credit card are okay ’cause, well, it’s just my name, and maybe my phone number and/or address.</p>
<p>When it comes to using ecommerce sites we all expect a certain level of security to protect our financial data.  When it comes to non-ecommerce sites, it seems like there’s less thought given about the ramifications of what happens when you provide your personal information.  For example, job posting sites on the surface seem pretty benign, but when you consider things like posting for jobs overseas and perhaps having to supply passport information, now things are getting a bit more serious.  This type of data is being passed from posting site to various companies and recruiters seeking to look at the data and supply data to job applications.  Recruiters are pulling information from these sites and using these for prospecting purposes.</p>
<p>I often talk to customers about the need to take a serious look at their upstream and downstream suppliers, vendors, partners, affiliates, etc. to make sure these organizations are secure and protecting their information effectively.  It occurs to me that we as individuals really need to consider a similar approach for any site we provide information to.  Here are some ideas to consider when posting information to any site on the Internet:</p>
<ol>
<li>Take an inventory of all the sites that you’ve posted your credit card to.  You may be surprised at not only how many, but who you’ve given your card to.</li>
<li>Review your bank statements and credit card statements and look for anomalous billings and/or charges.  I once discovered that a billing service continued to charge my card even after I canceled the service.</li>
<li>Consider what the site is going to do with your information.  Will they be keeping it or sending it off to someone else, or will others have access because of the service?  Take a long look at the privacy statement and terms and conditions for the site.  (Yes, I know we don’t have the time to do this, but at least consider this when giving a lot of your personal information to a web site.)</li>
<li>When clicking on emails or links received, just consider what information you’re providing and why.  Taking a second look at what you’re about to do at the last minute could save a lot of problems later.</li>
<li>Scrutinize email you receive.  Make sure you’ve got a good Anti-Spam/Anti-Malware program like Norton Internet Security.  This will help clean out the SPAM.  Other than that, we all get offer emails of sorts sent to us that result from having given information to one provider only to discover they’ve sold the list to another and now you’re receiving more offer emails.</li>
</ol>
<p>The upshot is that Attackers and Thieves are getting more creative than we ever imagined before.  If you ever thought one day this would stop or slow down, think again!  This is not going to stop!  Attackers and Thieves have more time to devise these new creative schemes than we have to dream them up.  They’re also not bound by silly things like laws or law enforcement.  In the world of the Internet it behooves us to think twice before placing our personal data on a web site.</p>
<p><em>Cross-posted from <a href="http://www.symantec.com/connect/symantec-blogs/whats-at-stake" target="_self">Symantec Connect What&#8217;s @Stake blog</a>. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/03/too-much-information-given-out/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New Normal: Security Metrics and Cloud Computing</title>
		<link>http://www.indefenseofdata.com/2013/02/the-new-normal-security-metrics-and-cloud-computing/</link>
		<comments>http://www.indefenseofdata.com/2013/02/the-new-normal-security-metrics-and-cloud-computing/#comments</comments>
		<pubDate>Thu, 28 Feb 2013 17:06:54 +0000</pubDate>
		<dc:creator>Caroline Wong</dc:creator>
				<category><![CDATA[IT Risk and Compliance]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[security management]]></category>
		<category><![CDATA[security metrics]]></category>
		<category><![CDATA[Symantec O3]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=998</guid>
		<description><![CDATA[Just a few short years ago, cloud seemed like a far-away thought for businesses, a “nice to have” rather than a “need to have.” Now, cloud is becoming the new normal. Organizations of all sizes are seeing the benefits of cloud. However, as businesses move to the cloud, they must do so safely, and with [...]]]></description>
			<content:encoded><![CDATA[<p>Just a few short years ago, cloud seemed like a far-away thought for businesses, a “nice to have” rather than a “need to have.” Now, cloud is becoming the new normal. Organizations of all sizes are seeing the benefits of cloud. However, as businesses move to the cloud, they must do so safely, and with a well thought-out plan in place. To achieve a safe cloud environment, however, the IT industry needs to enforce rigorous cloud strategies around the protection of policy, information, people and infrastructures. This includes implementing security metrics.</p>
<p>According to the <a href="http://www.symantec.com/about/news/release/article.jsp?prid=20130115_01" target="_blank">Symantec 2013 Hidden Costs of Cloud survey</a>, rogue cloud deployments are one of the pitfalls of the cloud. It is a surprisingly common problem, found in more than 77 percent of businesses within the last year. It also seems to be an issue experienced more by enterprises (83 percent) than SMBs (70 percent).</p>
<p>Among organizations who reported rogue cloud issues, 40 percent experienced the exposure of confidential information, and more than a quarter faced account takeover issues, defacement of Web properties, or stolen goods or services. And yet the most commonly cited reasons for rogue cloud projects were to save time and money.</p>
<p>This is where implementing security metrics in the organization relating to cloud can help measure, analyze and manage risk. In addition to an organization managing data, customers and business requirements, they now need to keep an eye on their cloud vendors’ security. The organization needs to know all the layers of security and exactly which assets they own in the cloud, and what is accessed both locally and remotely.</p>
<p><em>So what can cloud security metrics provide?</em></p>
<ul>
<li>Cloud metrics provide visibility for the company, both into the cloud provider and into itself.</li>
<li>Cloud metrics educate and provide a common language for understanding the information security program as applicable to the cloud vendor and to the company.</li>
<li>Cloud metrics motivate both the cloud provider and the company to improve.</li>
</ul>
<p>From a security metrics point of view, while cloud computing may be the new normal, with shared responsibilities as the new cloud security model, some things haven’t changed.</p>
<ul>
<li>Both an organization and its vendor will measure security. Organizations need to define who is doing what.</li>
<li>Both an organization and its vendor will manage functional components of an information security program.</li>
<li>Security work is never finished. Cloud computing should motivate both an organization and its cloud vendor to assess the threat landscape and what new or different security threats exist in the cloud.</li>
<li>In order to correctly assess responsibility, three service models for cloud computing (SaaS, PaaS, IaaS) can be viewed as a stack, with platform building on infrastructure and software building on both infrastructure and platform.</li>
</ul>
<p>The need for security metrics in the cloud is not much different from the need for security metrics in general. Everyone in the cloud, vendor and purchaser alike, will need to measure the effectiveness of security controls and show their accountability to each other and to regulatory bodies. In the past, there was little benefit for companies to share security metrics as there were risks in doing so. With cloud computing and a world of shared accountabilities across virtual, physical and geographic boundaries, we need to find ways to share information between vendor and tenant across the industry in responsible ways. This implies we need to remove some of the roadblocks to success and work on areas such as common definitions for terms, common metrics deployed in a consistent manner, and a consistent reporting framework. Industry bodies such as the <a href="https://cloudsecurityalliance.org/" target="_blank">Cloud Security Alliance</a>, of which Symantec is a member, are helping to achieve these goals, and many security practitioners are volunteering their time and talent.</p>
<p>In addition, solutions to protect cloud data keep getting stronger. <a href="http://www.symantec.com/symantec-o3" target="_blank">Symantec O3</a> enables its partners and customers to embrace the business agility and cost advantages of the cloud. O3 offers a single point of identity and access control, and related policies, for cloud apps for all endpoints. O3 is also easily integrated with existing identity stores, various cloud app authentication and a simple cloud single-sign-on for users.</p>
<p>For information security practitioners, an important first step is to establish a baseline that is appropriate for the business to determine what is the new normal for security in cloud computing. Businesses will need to make decisions based on concrete data, and a comprehensive security metrics program can support important planning and decision making, and drive beneficial changes in an organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/02/the-new-normal-security-metrics-and-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Controlling the Consumer</title>
		<link>http://www.indefenseofdata.com/2013/02/controlling-the-consumer/</link>
		<comments>http://www.indefenseofdata.com/2013/02/controlling-the-consumer/#comments</comments>
		<pubDate>Wed, 20 Feb 2013 18:07:59 +0000</pubDate>
		<dc:creator>Paul Tobia</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[application security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[network access control]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[user authentication]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=994</guid>
		<description><![CDATA[
Information Technology is radically changing. We can wrap  it in terms and buzzwords like cloud, mobility, BYOD, Web 3.0, but the  reality is both the sum of and more complex than the names we give it.  IT is no longer in the hands of the professionals. It’s not just the  devices [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>Information Technology is radically changing. We can wrap  it in terms and buzzwords like cloud, mobility, BYOD, Web 3.0, but the  reality is both the sum of and more complex than the names we give it.  IT is no longer in the hands of the professionals. It’s not just the  devices but all aspects: the networks, the software, the services, and  the infrastructure have become so ubiquitous and cost effective that any  individual can own and manage their own IT.</p>
<p>As information security professionals how can we bring any safety or  security to this explosion of IT? It’s not as bleak as it sounds. Just  as the current environment is the acceleration and combination of  directions and trends from the past so our existing tools and controls  provide a basis to manage this new world. Don’t go looking for one  technology or process to solve the problem, because there isn’t one. We  must be as flexible and agile as the industry.</p>
<p>I was securing mobility back when it was called remote access and  none of the fundamentals have changed since then. It’s still a  determination of which services to provide, how to manage authentication  and authorization, and how to monitor the subsequent access. The  complexity comes as we can’t simply rely on a single aspect of the IT  infrastructure to provide all the control. There are too many use cases  to rely on one, we must understand them all.</p>
<p>Don’t limit your thinking to how you control the corporate  environment. Look beyond device control and go back to the network. How  can modern gateway devices protect the services you’re pushing to your  users as well as protect those publicly facing services from attack?  Who knows, even Network Access Control may come back from the dead. Look  beyond device control and look forward to the applications and data.  Why try to control the whole tablet when all you care about is that one  application that connects to your proprietary information?</p>
<p>The points of control still exist even if the infrastructure is  contracted out to another company. Authentication is common across all  services worth protecting. Logging is also common to all services. How  does your contracted provider allow you to understand the accountability  of authentication? Who looks at the logs and what is done with that  information?</p>
<p>The fundamentals of security are sound. We can use our mastery to  implement these tools in innovative ways to continue to secure  Information Technology no matter how it changes. Take a breath and break  down that new business methodology into its component parts and you may  find out that you&#8217;ve secured those pieces in the past.</p>
<p><em>Cross-posted from <a href="http://www.symantec.com/connect/symantec-blogs/whats-at-stake" target="_blank">Symantec Connect What&#8217;s @Stake</a></em></p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/02/controlling-the-consumer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The “Frenemy” Within – Insider Theft of Intellectual Property</title>
		<link>http://www.indefenseofdata.com/2013/02/the-%e2%80%9cfrenemy%e2%80%9d-within-%e2%80%93-insider-theft-of-intellectual-property/</link>
		<comments>http://www.indefenseofdata.com/2013/02/the-%e2%80%9cfrenemy%e2%80%9d-within-%e2%80%93-insider-theft-of-intellectual-property/#comments</comments>
		<pubDate>Wed, 06 Feb 2013 14:03:07 +0000</pubDate>
		<dc:creator>Robert Hamilton</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[IP protection]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=989</guid>
		<description><![CDATA[fren·e·my [fren-uh-mee] noun. Someone who is both friend and enemy, a relationship that is both mutually beneficial or dependent while being competitive, fraught with risk. 
When it comes to taking your intellectual property (IP), employees are the less obvious player but they can be frenemy #1. In many cases, these trusted employees are moving, sharing [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>fren·e·my </em></strong><em>[fren-uh-mee] </em><em>noun</em><em>. Someone who is both friend and enemy, a relationship that is both mutually beneficial or dependent while being competitive, fraught with risk. </em></p>
<p>When it comes to taking your intellectual property (IP), employees are the less obvious player but they can be <em>frenemy </em>#1. In many cases, these trusted employees are moving, sharing and exposing sensitive data in order to do their daily jobs. In other instances, they are deliberately taking confidential information to use at their next employer. It’s not that these employees are inherently malicious – often they just don’t know it is wrong to do so.</p>
<p>According to a <a href="http://bit.ly/14weERW">new Symantec survey</a> examining employee behavior and attitudes around IP theft, this is happening more than we’d like to think. Half of employees admit to taking corporate data when they leave a job, and 40 percent say they plan to use the data in their new job. This means valuable intelligence is falling into the hands of competitors. Ultimately, this puts everyone at risk – the employee who takes the IP, the organization that invested in it and the new employer who unwittingly receives it. Everyone can be held accountable, and no one wins.</p>
<p>What’s startling is the sheer number of employees who don’t think taking corporate data is wrong. Sixty-two percent of employees think it’s acceptable to transfer corporate data to their personal computers, tablets, smartphones and cloud file-sharing apps. And once the data is there, it stays there – most employees never delete it.</p>
<p>Employees don’t think twice about taking corporate data because they don’t see the harm – 56 percent don’t think it’s a crime to use trade secrets taken from a previous employer. Underlying this belief is a lack of understanding of who owns the IP. The survey shows that employees attribute ownership of IP to the person who created it.</p>
<p>Companies are failing to train people in what belongs to the employee and what belongs to the company, and they are not creating an environment that promotes employees’ responsibility and accountability in safeguarding business information. Additionally, they are not educating employees that using a former employer’s confidential data puts the current employer at risk.</p>
<p>What can businesses do to reduce the risk of insider IP theft? Symantec has created three key recommendations based on the survey results:</p>
<ul>
<li><strong><em>Employee education</em></strong>: Organizations need to let their employees know that taking confidential information is wrong. IP theft awareness should be integral to security awareness training.</li>
<li><strong><em>Enforce non-disclosure agreements (NDAs)</em></strong>: Include stronger, more specific language in employment agreements and ensure exit interviews include conversations focused around employees’ continued responsibility to protect confidential information and return all company information and property (wherever it is stored). Make sure employees are aware that policy violations will be enforced and that theft of company information will have negative consequences to them and their future employer.</li>
<li><strong><em>Monitoring technology</em></strong>: Implement data loss prevention software that monitors inappropriate access and use of IP and automatically notifies managers and employees in real time when sensitive information is inappropriately sent, copied, or otherwise exposed, which increases security awareness and deters theft.</li>
</ul>
<p>As for safeguarding valuable IP, companies cannot focus their defenses solely on external attackers and malicious insiders who plan to sell stolen IP for monetary gain. The everyday employee can be just as damaging to an organization. The lesson from this survey is clear: keep your enemies close and your <em>frenemies</em> closer.</p>
<p>For more information, we invite you to read the complete report What’s Yours Is Mine: How Employees are Putting Your Intellectual Property at Risk, available for download at: <a href="http://bit.ly/XFjYwQ">http://bit.ly/XFjYwQ</a>.</p>
<p><em>Cross-posted from <a href="http://www.symantec.com/connect/information-unleashed" target="_blank">Information Unleashed</a>. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/02/the-%e2%80%9cfrenemy%e2%80%9d-within-%e2%80%93-insider-theft-of-intellectual-property/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DLP Strategy: How to Avoid 3 Common Data Loss Prevention Pitfalls</title>
		<link>http://www.indefenseofdata.com/2013/01/dlp-strategy-how-to-avoid-3-common-data-loss-prevention-pitfalls/</link>
		<comments>http://www.indefenseofdata.com/2013/01/dlp-strategy-how-to-avoid-3-common-data-loss-prevention-pitfalls/#comments</comments>
		<pubDate>Tue, 29 Jan 2013 16:36:52 +0000</pubDate>
		<dc:creator>Linda Park</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[DLP]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=984</guid>
		<description><![CDATA[Defining a data loss prevention (DLP) strategy for your business can seem daunting because it’s not just about technology.  It’s also about people and processes.  Every group in your company can be affected by the loss of intellectual property and other sensitive information. Forward-looking security executives are driving DLP initiatives to prevent costly data breaches, [...]]]></description>
			<content:encoded><![CDATA[<p>Defining a data loss prevention (DLP) strategy for your business can seem daunting because it’s not just about technology.  It’s also about people and processes.  Every group in your company can be affected by the loss of intellectual property and other sensitive information. Forward-looking security executives are driving DLP initiatives to prevent costly data breaches, comply with strict data privacy regulations, and stop malicious insiders and hackers.  But like any other part of your security plan, it’s not always as simple as just turning on software – rolling out DLP without adequate preparation can derail your plans before you realize the benefits. Whether you’re just thinking about starting a DLP program at your company or have already decided to deploy one, set yourself up for success by avoiding these common pitfalls.</p>
<p><strong>Lack of Executive Support</strong>: Security teams that fail to get executive buy-in for their DLP program are setting themselves up for failure. Implementing DLP is not just an IT decision; it’s a business decision that impacts everyone from HR, audit and compliance to legal, engineering and sales. Support must originate from the top and early on. One way to help C-level executives understand the importance of DLP is to conduct a risk assessment to quantify current vulnerabilities, demonstrating the need for a multi-layered security strategy.</p>
<p>Management buy-in is key for not only securing budget, but also enforcing policies business-wide. With executive sponsorship of your DLP initiative, you can implement governance around the program. Because different groups throughout the organization own and access pieces of the most critical information, you need the business data owners to support the DLP program in order to respond to and clean up issues in their area of the business. You also need executives to help determine how transparent your DLP activities should be, based on your corporate culture. Only when executives and business stakeholders are on board will your DLP program thrive.</p>
<p><strong>Boiling the Ocean</strong>: Once you have top-down support, it’s important to focus on the high-value data that your business considers confidential – i.e. the crown jewels. A common misconception is that you have to classify all of your data first before you can start monitoring and protecting it with DLP. However, you risk wasting a lot of time classifying low-value data. This is another reason why exec buy-in and business owner support are critical – the business owners can best define what data is most important. The differences between confidential and non-confidential data can be subtle. Take source code for instance – it can be open source or proprietary and only your engineering team can discern the difference. Prioritize your most critical data first to drive down significant risk and get some quick wins.</p>
<p><strong>Disrupting the Business</strong>: A DLP program is intended to enable secure access and use of confidential data <em>without</em> disrupting your business.  However, if your initial data loss policies are too broad, you risk interrupting the daily activities of your users, including executives. You won’t be able to stop every email that might contain intellectual property on the first day. Instead, your deployment should first focus on understanding where data is and how it&#8217;s being used. Start with a more manageable deployment, setting a few DLP policies with a pilot group. That will allow you to refine policies and narrow the scope of your needs before you deploy the system more broadly. Add functionality step by step, enabling notifications to educate people until you have the parameters in place that give you confidence to finally turn on blocking.</p>
<p><a href="http://www.symantec.com/data-loss-prevention" target="_blank">Data loss prevention</a> is the safest investment you could make to protect your business from a data breach. Establish a corporate environment where management makes data loss prevention a priority, determine what precisely needs protection and deploy the program methodically, to avoid the challenges that can accompany DLP implementation. As you complement your existing security measures with DLP, your organization will be able to stay out of the wrong kind of headlines.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2013/01/dlp-strategy-how-to-avoid-3-common-data-loss-prevention-pitfalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
