Most security solutions focus on defending Federal Agency networks, both at the perimeter and in the “soft underbelly” of internal networks. This is a welcome change from building only a hard, crunchy outside, but it is not all that needs to be done. To thwart bad actors, the data itself needs to be defended and even booby-trapped to ensnare them.
GuidePoint Security has been working with companies like Vormetric to defend Agency information where the data is at rest. Done right, protecting data at rest requires a single platform that secures file data, integrates with application data, and covers on-prem and public cloud data with one solution. By adding a broad platform that focuses on the data itself, new barriers and alerts become a serious problem for the bad guys. This works by following NIST guidelines on separation of duties between system administrators and security teams. Traditionally, everyday administrators have access to highly sensitive data and decide who else gets access to it.
This has been the source of many a high-profile breach. “Privilege escalation” has become a term that non-security teams are now aware of because it is a serious problem. Whether through “pass the hash”, poor password hygiene, or vulnerability exploitation, gaining access to a domain admin account has become the goal and the “PWNED” moment for bad actors. The now notorious Target breach is an example.
By encrypting the data without removing the ability to administer it, Vormetric adds new hurdles for the bad actors and new opportunities to identify a breach early on. When a privileged user tries to access the data, they receive ciphertext that is unusable, and Vormetric sends an alert to the SOC either directly or through a SIEM. In addition, the bad actor now has to find a user that has access to that data. If they manage to figure that out, and that is a big if, simply using sudo to become that user will not work either, although it is likely the first thing a bad actor tries. That, again, would set off an alarm to the SOC. Once all of that has failed, the bad actor would have to pivot to gaining direct access to a specific user’s or set of users’ accounts, in addition to the original user and the administrative account they have escalated privileges to.
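As an added illustration, not Vormetric’s product logic or GuidePoint’s code, the following Python model encodes the access chain just described: cleartext is tied to the authenticated user rather than to root, everyone else receives ciphertext plus a SOC alert, and using sudo to impersonate the permitted user is denied and alerted. The policy, paths, user names and the JSON event schema are constructed assumptions.

```python
import json
from dataclasses import dataclass, field

# Constructed policy: only these login users get cleartext under the prefix.
POLICY = {"/data/cases/": {"analyst"}}

@dataclass(frozen=True)
class AccessRequest:
    login_user: str      # account that actually authenticated (SUDO_USER / real uid)
    effective_user: str  # account the reading process runs as (effective uid)
    path: str

@dataclass
class Decision:
    cleartext: bool                              # False: reader gets ciphertext
    alerts: list = field(default_factory=list)   # SOC / SIEM events raised

def permitted_users(path):
    """Return the user set guarding `path`, or None if the path is unprotected."""
    for prefix, users in POLICY.items():
        if path.startswith(prefix):
            return users
    return None

def siem_event(kind, req):
    """Render one alert as a JSON line a SIEM could ingest (constructed schema)."""
    return json.dumps({"event": kind, "login_user": req.login_user,
                       "effective_user": req.effective_user, "path": req.path})

def evaluate(req):
    """Decide whether the request sees cleartext, raising alerts on the way."""
    allowed = permitted_users(req.path)
    if allowed is None:
        return Decision(cleartext=True)            # not a guarded path
    if req.effective_user != req.login_user:       # sudo/su to another identity
        return Decision(False, [siem_event("impersonation_attempt", req)])
    if req.login_user in allowed:
        return Decision(True)                      # the real data owner
    return Decision(False, [siem_event("ciphertext_read", req)])

def attacker_chain():
    """Replay the chain from the text: root read, sudo to analyst, then analyst."""
    steps = [AccessRequest("root", "root", "/data/cases/2019.db"),
             AccessRequest("root", "analyst", "/data/cases/2019.db"),
             AccessRequest("analyst", "analyst", "/data/cases/2019.db")]
    return [evaluate(s) for s in steps]

if __name__ == "__main__":
    for d in attacker_chain():
        print("cleartext" if d.cleartext else "ciphertext", *d.alerts)
```

Only the third step, a direct login as the permitted user, yields cleartext without an alert, which is why the attacker is forced to compromise that specific account.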
Anyone who has been on a Red Team doing penetration testing, or has done forensics on a breach, will see that this is a huge advantage for the defender. It is very likely that an attacker will trip several alarms, increasing the likelihood that SOC teams will identify an in-progress attack before any data is exfiltrated.
For more information about how GuidePoint is helping agencies defend their data with solutions like this, please register for and attend our webinar on July 25th here.
About GuidePoint Security
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and its classification can be found in the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.