Written by Sergey Ozhegov, CEO of SearchInform
In the early days of information security, we used to rely on antivirus and firewall in our arsenal. Once I even “caught” a leak with the help of the firewall logs: I noticed an atypically large data upload and found out that the user was uploading confidential information as virtual-machine images.
Technologies have changed business processes since then: the number of data transfer channels has increased, new threats keep multiplying with those channels. Now you can’t limit yourself to simple solutions – there is a whole system for each security problem.
There is Never Too Much Protection
With all the variety of tools, most companies still get by with a “must-have” minimum, like antivirus, AD and proxy. Highly specialized systems are rarely installed.
Typically, companies begin to equip themselves against specific threats when they actually face them. There was a leak — they installed the system.
“I worked in a bank, we had a DLP system. One day it alerted to an attempt to leak data. An ordinary employee sent account statements of VIP-clients to his personal email – information to which he wasn’t supposed to have access. We intervened promptly, the employee deleted the email and confidential files from the computer. But the question remained unanswered – how he got the data. It was only some time after that they found out that the settings in the file storage were twisted: instead of a narrow circle, all managers got access to the folder with the data of VIP-clients. If we had a DCAP solution for file auditing, we would know about the failure immediately and the incident could be avoided”.
The more tools you have, the less likely the problem will slip through. An incident is not a final event, but a chain, where one link pulls another.
Achieve Mutual Understanding
At the same time, the use of a large number of protective systems has its own pitfalls. There are problems with instruments interaction:
- Often, information-security systems conflict or poorly integrate.
- Working in different environments, programs cannot exchange data or transfer it in a shorter form.
- Products provide data in different formats — specialists do not have a common source of information for analysis.
When the question of expanding the information-security infrastructure arises, there are two ways to go. The first is to allocate time (months!) to pilot-test the compatibility of new products with existing ones. The second option is to immediately choose the maximum number of solutions from one vendor.
Vendors are interested in providing you with seamless integration, end-to-end data exchange between software or even one console. A one-brand kit will save you money due to the unified technical support and specialist training.
A good vendor develops the series logically so that the tools do not just cover individual needs, but complement each other. For example, the concept of SearchInform is to ensure control of threats at all levels of the information network: From hardware and software to file systems and databases, and from user actions on a PC to their activity on the internet.
In one of the renown banks, our database-monitoring system recorded numerous changes in the client base. Based on shadow copies of queries to the database, it was established that several employees with the right to access the database had changed the numbers of clients from remote time zones in it, and after a short time would cancel the changes. DLP intercepted a closed Telegram chat in which these employees discussed the search for “reliable people” in order to convey “instructions” to them. The correspondence was accompanied by a file of the same name with a description of the scheme: When it was night for clients, the scammers changed their numbers to their own in order to confirm small payments on their accounts via SMS, and then returned the correct phone numbers to the database before daytime in their time zones. The fraudsters were detected, but the security service went further: With the help of a file auditor, it revealed who else had a file with criminal instructions in the company, and they were removed from access.
To Sum Up
To prevent the arsenal from becoming too bulky, protective systems need to be “made friends.” The easiest way to achieve this effect is by working with one trusted developer, and getting an all-in-one kit that works like a Swiss Army knife.