Operationalizing any new security platform begins with integrating the platform into an organization's existing infrastructure and workflows. To get the most value out of the system, we need to offer an easy path to adoption if we want to cross over from theoretical security concepts into practical, day-to-day operations that protect against cyber threats. Technology change is hard, but changing the way people work is even harder. Successful operationalization ensures that a security platform moves beyond mere installation to become an integral, effective part of an organization's defense strategy.

Security platform

According to an IBM study, enterprises deploy on average around 45 cybersecurity-related tools on their networks. Security tool fatigue has been widely reported: people are inundated with alerts that are hard to manage, which ultimately leads to the signal being lost in the noise. Good cybersecurity, however, is not about how many tools you have, but about how well you have covered your overall attack surface. A lot has been made of the debate between a single Platform and Best of Breed tools for security. We believe there is a Goldilocks zone where you build a platform augmented by Best of Breed capabilities where it makes sense. Our goal is to make Data Security Posture Management an integral part of your existing security stack, without forcing yet another workflow upon an already overworked security team.

Getting to a new security baseline/steady state

Assuming the new Security Platform introduces new security capabilities to the organization, in this case Data Security Posture Management capabilities that weren't available before, the end result will be additional security insights, and potentially new types of incidents and alerts that need to be acted upon. This does not necessarily mean a completely new persona needs to be introduced to the existing IT and/or Security Operations teams, but rather an augmentation of what came before. To use a metaphor, if shining a flashlight in your basement exposes cockroaches, you do not need to call the exterminator if you are equipped to handle it yourself. In any organization's security approach, there are known unknowns, i.e. risks you are aware of, such as insiders potentially walking out with a trove of proprietary data. But there are also unknown unknowns, i.e. risks that come from situations so unexpected that they would not have been considered previously, often because you had no way of knowing about them, such as developers exposing sensitive data through test environments.

This then begs the question: who is responsible for data security in your organization?

There are many existing stakeholders in most organizations that have some link with data, and ultimately data security. 

Data creator

Infrastructure is needed to run the application and its data. This infrastructure needs to provide redundancy and resilience to ensure data availability for the organization. The application can be fragmented, think data lakes and data warehouses, leading to copies and potentially silos of data. Ultimately, the infrastructure and application are the responsibility of the CIO and their IT Ops teams. A wildcard here could be SaaS services that are under the purview of business owners, bypassing internal IT teams completely. People then consume this data via an application, and access to that application is accomplished through a device, maybe a web browser or a dedicated app running on a computer. This device needs to be secure to ensure the integrity of the data consumed by the end user. To protect this stack, the CISO and their Security teams introduce and implement the organization's overall cybersecurity strategy.

Effectively, both IT and Security teams are responsible for Confidentiality, Integrity, and Availability in terms of data. The CIA Triad—Confidentiality, Integrity, and Availability—is a guiding model in information security. A comprehensive information security strategy includes policies and security controls that minimize threats to these three crucial components.

CIA TRIAD
  • Confidentiality refers to protecting information from unauthorized access.

  • Integrity means data are trustworthy, complete, and have not been accidentally altered or modified by an unauthorized user.

  • Availability means data is accessible when you need it.

If IT and Security work together to get the organization to a new default level of security, in this case by minimizing the data attack surface, we can then start to think about ongoing monitoring, prevention, detection, investigation, and response to cyber threats by means of a Security Operations Center (SOC).

Using Rubrik DSPM to get to the new security baseline

Rubrik DSPM security baseline

Proactively driving out risk starts with full visibility of the data estate: you cannot secure what you cannot see. Rubrik DSPM autonomously detects your data assets across on-premises, public cloud, and SaaS. This gives the organization an understanding of where data is located and what type of data is being used, including additional data context, so you can better understand not only the contents of the data, but also the data container (i.e. the file).

Asset inventory

Additionally, you can now start to minimize your data attack surface by first addressing Redundant, Obsolete, Trivial (ROT) data, meaning digital information that has little or no business value to the organization, but is still stored and potentially open to exfiltration. This achieves two things: it drives down cost by not paying for data consumption, and it drives down exposure by removing potentially sensitive information from the equation.

Redundant, Obsolete, Trivial

Next, we can start to address additional data security violations in the environment caused by misconfigurations. Once those are addressed, we should have achieved a new data security baseline that is the basis of our ongoing data security monitoring and response.

These violations can be broad in nature, but are classified under four main categories in the Rubrik DSPM platform.

  • Overexposed Data: sensitive data that is overly exposed to public access, third parties, and more.

  • Unprotected Data: sensitive data not protected through encryption, activity logging, retention, and more.

  • Misplaced Data: sensitive data stored in unauthorized locations, such as lower environments (test and dev), forbidden geo-locations, and more.

  • Redundant Data: already addressed above.

Rubrik DSPM classified categories

Ongoing monitoring and response

Now that the data attack surface has been minimized, the focus shifts to maintaining good security hygiene and continuously monitoring for violations and incidents. Generating an alert is one thing, but alerts need to be actionable: we need to understand what to do to mitigate or address each one.

Security ecosystem integrations are used to receive and respond to these alerts and incidents. The goal is to reuse existing processes and workflows as much as possible, so remediation can be swift and complete.

Ongoing monitoring and response

This way, we can have IT data incidents addressed by IT Operations, and security data incidents by Security Operations.

IT and security operations

In this example, Rubrik DSPM has detected overexposed data and offers the ability to create a ticket for assignment to the correct team member for follow-up. Part of the information in the ticket is a link to the suggested remediation action, in this case an updated S3 bucket policy to remove public access.
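As an added example (not Rubrik's code or the page's own remediation logic), the check below illustrates what "overexposed" means for the S3 bucket policy case above: it flags Allow statements that grant access to any principal without a scoping condition, and produces a copy of the policy with those statements removed. The bucket policy, account ID and VPC endpoint ID are constructed sample values.

```python
import json
from copy import deepcopy

# Constructed sample bucket policy (not from the page): one public grant, one
# role-scoped grant, and one "*" grant narrowed to a single VPC endpoint.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0000example"}}},
    ],
}


def is_public_statement(stmt):
    """True for an Allow statement open to any principal with no narrowing condition.

    Simplification (assumption): any Condition block is treated as scoping the
    grant. AWS's own "public" evaluation only credits specific condition keys
    such as aws:SourceVpce or aws:SourceIp, so a real checker must be stricter.
    """
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
    return wildcard and not stmt.get("Condition")


def find_public_statements(policy):
    """Return the Sids of every statement that grants public access."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if is_public_statement(s)]


def remediate_policy(policy):
    """Return a copy of the policy with public-grant statements removed; the input is untouched."""
    fixed = deepcopy(policy)
    fixed["Statement"] = [s for s in fixed["Statement"] if not is_public_statement(s)]
    return fixed


if __name__ == "__main__":
    print("public statements:", find_public_statements(SAMPLE_POLICY))
    print(json.dumps(remediate_policy(SAMPLE_POLICY), indent=2))
```

Removing the statement is only the first step in the remediation described above; the corrected policy still has to be applied to the bucket and the finding re-checked afterwards.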

Overexposed data

Depending on your existing tools and processes, this might not match your current operational model. Therefore, other integration methods exist whereby we can provide the relevant context to your existing tools automatically.

Integration methods

For example, let's assume you have Microsoft Sentinel as your cloud-native SIEM, operated by your SOC. Rubrik DSPM integrates with it so your existing processes can be maintained.

Microsoft Sentinel

What is the end-goal?

Most components that play a role in data security already have a clear owner; they are found in both the CIO and CISO organizations. Data Security Posture Management provides sorely needed coverage for a part of any organization's attack surface, providing a security lens for your data, arguably the most important asset for most organizations. By slotting DSPM into existing controls and workflows, we can minimize organizational adjustment and maximize reuse of existing processes to safeguard your data.

DSPM controls and workflows

Rather than adding more alerts to an already overloaded security team, the aim is to drive down the data security attack surface and align it with organizational best practices. Once that new baseline is established, actionable alerts will guide security personnel to use existing response tooling to ensure that initial security incidents don't turn into sensitive data exfiltration events, thereby reducing the consequential impact of these events.