White Paper

Why Do Data Protection Programs Fail? By Amit Yoran, NetWitness

Security program failures continue to occur across cyberspace, from the spectacular to those that hardly ever see the light of day. Why do data protection programs continue to fail, and what should public and private organizations be doing to prevent such failures in the future?

There have been many public failures of security programs during the last few years. For example, Titan Rain and some of its successors in the public sector demonstrated the ability of Chinese hackers to penetrate government systems and exfiltrate large amounts of data in spite of substantial security programs and technologies in some of these agencies. In the retail sector, TJX has become the poster child for everything that is wrong, not only with retail industry security, but also potentially the incorrect focus of regulatory activities such as PCI.

From an operational perspective, all of these breaches and security program failures share a common set of attributes. For example, although all of the affected organizations possessed some level of security monitoring and incident response capability, they were not monitoring the right network traffic to detect the egress of sensitive data. If these organizations focused their monitoring efforts strictly on FISMA or PCI compliance as the desired outcome, the bar may have been set too low to provide the level of vigilance required to deal effectively with foreign intelligence organizations and organized crime.

Typical security investments focus on detecting a specific problem set, known issue or threat, and may not provide your organization with a way to find the tricky unknowns such as "designer malware". Also, once you receive intelligence or an alert regarding an anomalous event, you must move beyond log files and statistical estimates to analyze the deep content and context contained in the specific network evidence, determine your next course of action, and move quickly to investigation and remediation.

There are a number of approaches organizations can take to decrease the likelihood of security program failures, and ensure the protection of corporate and citizen data. Solutions include a comprehensive technology and process framework for improving security programs. A central part of such a program would include three primary objectives:

  1. Decrease the focus on regulatory compliance and increase the focus on improving security operations. The bottom line lies in the real results you can show, not in checking boxes.
  2. Pay closer attention to what is happening on your internal network. Stop worrying so much about the perimeter and look inside your network for the weaknesses and for the places where you already may have problems.
  3. Use an evidence-based approach to network monitoring. Augment signature and statistical approaches with techniques that examine all the network traffic.
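As an added illustration of the second and third objectives (example code written for this edition, not part of the original paper or any NetWitness product), the Python below runs three detection layers over a few constructed outbound flows: a signature list of known-bad destinations, a statistical volume threshold, and full-content inspection that looks for Luhn-valid card numbers leaving the network. The destination names, byte counts and payloads are all made up for the example.

```python
import re

# Constructed sample flows (not real traffic): outbound HTTP requests as a
# sensor that retains full content would see them.
FLOWS = [
    {"dst": "cdn.example.net", "bytes": 4_200,
     "payload": b"GET /style.css HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"},
    {"dst": "backup.example-vendor.com", "bytes": 900_000_000,
     "payload": b"PUT /nightly.tar HTTP/1.1\r\n\r\n<binary archive>"},
    {"dst": "203.0.113.77", "bytes": 1_800,
     "payload": b"POST /upload HTTP/1.1\r\nHost: 203.0.113.77\r\n\r\n"
                b"name=J.Doe&card=4539 1488 0343 6467&exp=0927\n"
                b"name=A.Roe&card=6011-1111-1111-1117&exp=1128\n"},
]
KNOWN_BAD = {"known-bad.example"}   # constructed signature list; the new host is not on it
VOLUME_THRESHOLD = 100_000_000      # statistical rule: flag flows over ~100 MB

def luhn_ok(digits: str) -> bool:
    """Mod-10 check so arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(payload: bytes) -> list[str]:
    """Return Luhn-valid card numbers found anywhere in the payload content."""
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group().decode())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def classify_flow(flow: dict) -> set[str]:
    """Report which detection layers would raise this flow."""
    reasons = set()
    if flow["dst"] in KNOWN_BAD:
        reasons.add("signature")
    if flow["bytes"] > VOLUME_THRESHOLD:
        reasons.add("volume")
    if find_pans(flow["payload"]):
        reasons.add("content")
    return reasons

if __name__ == "__main__":
    for f in FLOWS:
        print(f["dst"], sorted(classify_flow(f)) or ["not flagged"])
```

Only the content layer flags the small POST carrying card numbers to an unknown host; the signature list has never seen the destination and the volume rule only fires on the legitimate backup, which is the kind of gap the paper attributes to compliance-driven monitoring.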

Security program failures can be lessened by increasing the focus on operational security, particularly with respect to internal security issues and deeper visibility into the behavior of users, systems and processes.


Amit Yoran is the CEO of NetWitness (www.netwitness.com), headquartered in Herndon, Virginia. Yoran is also the former cybersecurity czar of the U.S. Department of Homeland Security and former head of the CIA's In-Q-Tel venture capital arm.