As a Site Reliability Engineer or IT Operations Manager, you might think the answer is NO, it’s not my job to deal with data security. But if you ignore data security, there are meaningful consequences for your organization.
Consider the case of DCH Health Systems. On Oct. 1, 2019, a ransomware attack paralyzed the entire IT operation of DCH Health Systems, which is the operator of three hospitals in Alabama—all of their operations came to a complete stop, putting emergency and critical care patients at extreme risk. Furthermore, crucial patient information—such as diagnoses and treatments—had to be tracked with pen and paper, leaving critical gaps in patient records.
You may think this catastrophic scenario is rare, but it has become more and more common, with multiple incidents in the U.S. and one in Norway. While these particular scenarios had an extreme impact, ransomware attacks happen every day. By some estimates, there are an average of 860 lost or encrypted documents per hour worldwide. The Wikipedia page on data breaches claims that, in 2018 alone, more than 9 billion nonpublic data sets had been revealed to the public.
I’m sure you know data security is important. And it is everyone’s responsibility. So what can you do to help secure the data infrastructure you manage?
Let’s break security breaches down further and show where your cloud and data security responsibilities might lie.
Data Security: Threats to Your Data and Documents
In addition to ransomware, there are other threats to your data and documents. The Breach Level Index lists other sources of lost, destroyed, or encrypted documents. Let’s break the threats down into four categories:
- Ransomware
- Malicious or compromised user
- Accidental loss
- Stolen or lost device
The current distribution of security breaches looks like:
Figure 1: The Breach Level Index (n.d.), retrieved June 26, 2019.
Currently, about 63% of all data or document losses are the result of a malicious or compromised user. These losses are hard to detect because most users have legitimate access to corporate data: in most malicious-user cases the access is authorized, so it is not an authorization (ACL) error, and perimeter security tools cannot be relied on to detect it. So how do you distinguish malicious access to your data from legitimate access?
Let’s consider three types of bad actors:
- A malicious user: An insider trying to damage or steal data.
- A compromised user: Malware or an external attacker using a stolen user identity (obtained, for example, through phishing, weak passwords, or other means).
- A careless user: For example, a user who releases a document containing confidential information to the whole world or accidentally stores the documents on the wrong drive.
Methods for Distinguishing Between "Good" and "Bad" User Behavior
What sets these bad users apart from every other employee in your company?
The behavior of malicious users will differ from that of legitimate employees in the following ways:
- They access files that their colleagues don’t
- They read or write more files than their colleagues
- They suddenly change their normal pattern of file access
Identification of colleagues/peers of a user
To look at the behavior of a user relative to their peers, you must first know who their colleagues/peers are. Typically, you can copy this information from the company's address book.
While the address book shows the organizational structure, it does not depict the working relationships between cross-functional project members. So how can you find out who really works with whom?
This is where machine learning and artificial intelligence come into play. By analyzing file access, together with organizational information, over time we can say with confidence who works with whom and how they normally behave. This process defines a baseline for each employee's behavior and their actual working community.
Let’s consider a short example:
- Christian works in the folders "Project Files" and "Project Controlling".
- James works in the folders "Project Files" and "Development".
- Michael from the legal department works in the folders "Project Files", "Legal-Docs" and "Project Controlling".
- Michael’s colleague Christine in HR works in the folders "HR-Docs" and "Legal-Docs".
- Thomas is a developer and works only on the "Development" folder.
- Susan is from HR and works exclusively in the "HR-Docs" folder.
The following picture is an illustration of these access patterns.
Through this pattern analysis you can see the relationships, shown in the picture as a red dotted line, between:
- Susan and Christine
- Michael and Christine
- Michael and Christian
- Michael and James
- Christian and James
- James and Thomas
This example is just a simple illustration; in real life, interactions are much more diverse, but I think you’ll get the basic idea.
Behavioral comparisons or changes
As soon as one of the colleagues changes their access behavior, it can be an indication of one of the three bad-actor types described above.
Any change of behavior makes that user suspicious. With this knowledge, you can evaluate the danger that, for example, Thomas’ anomalous behavior might represent.
Through continuous analysis and comparisons, you are now in a position to notice:
- Changes in the relationships between users
- Changes in a single user’s behavior
- Deviations in user behavior relative to others in the community
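The community detection and the deviation checks described above, as an added example that is not part of the original post or of Cloud Secure. It rebuilds the six-employee scenario from a constructed access log (the file counts are invented), derives the peer relationships from shared folders, and then scores a new access against both the user's own history and their peer community.

```python
from collections import defaultdict
from itertools import combinations

# Constructed baseline log (user, folder, files touched) mirroring the post's
# six employees; the file counts are invented for the volume check.
BASELINE = [
    ("Christian", "Project Files", 40), ("Christian", "Project Controlling", 12),
    ("James", "Project Files", 35), ("James", "Development", 60),
    ("Michael", "Project Files", 20), ("Michael", "Legal-Docs", 25),
    ("Michael", "Project Controlling", 10),
    ("Christine", "HR-Docs", 30), ("Christine", "Legal-Docs", 15),
    ("Thomas", "Development", 80),
    ("Susan", "HR-Docs", 50),
]

def folders_by_user(log):
    """Which folders each user touched during the baseline period."""
    fbu = defaultdict(set)
    for user, folder, _ in log:
        fbu[user].add(folder)
    return fbu

def files_by_user(log):
    """Total files each user touched during the baseline period."""
    tot = defaultdict(int)
    for user, _, n in log:
        tot[user] += n
    return tot

def peers(log):
    """Two users are peers when they share at least one folder (the red dotted lines)."""
    fbu = folders_by_user(log)
    rel = defaultdict(set)
    for a, b in combinations(sorted(fbu), 2):
        if fbu[a] & fbu[b]:
            rel[a].add(b)
            rel[b].add(a)
    return rel

def score_event(log, user, folder, n_files, factor=3.0):
    """Return the reasons a new access (user, folder, n_files) deviates from the
    user's own history and from their peer community; an empty list means normal."""
    fbu, rel, tot = folders_by_user(log), peers(log), files_by_user(log)
    reasons = []
    # A folder is "known" if the user or any of their peers worked in it before.
    known = folder in fbu[user] or any(folder in fbu[p] for p in rel[user])
    if not known:
        reasons.append("folder outside own history and peer community")
    # Volume check against the user's own baseline (threshold is an assumption).
    if n_files > factor * tot[user]:
        reasons.append("file volume far above own baseline")
    return reasons
```

Note that James touching "Project Controlling" is not flagged, because his peer Christian works there, while Thomas touching "Legal-Docs" is, since neither he nor his only peer James has any history in that folder.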
How can this method save you time?
By automatically detecting user access patterns within and among communities, you eliminate the need to define static rules and policies. It’s also unnecessary to import existing authorization structures, such as reporting lines, from Active Directory. Automatic detection gives an immediate and accurate view of user access and community membership at all times.
Cloud Insights: Ensure Data Security With Cloud Secure by NetApp
At NetApp, we created Cloud Secure to provide visibility into user access and malicious behavior to detect possible threats and assist in compliance reporting.
Unlike perimeter security tools that assume insiders are trusted, Cloud Secure assumes zero trust for everyone. All activities on the supervised shares are monitored in real time. The data is then used to automatically identify the working communities of all users. This process creates a foundation that enables Cloud Secure to detect any behavior that violates the established normal pattern. With Cloud Secure, you gain an unprecedented level of visibility into your corporate data on NetApp infrastructure, whether it’s in your own data centers or in the cloud. Cloud Secure gives you a holistic view of how your corporate data is accessed and by whom. The ability to audit all document access will help you to assure compliance with your regulatory requirements.
Cloud Secure is an important feature of Cloud Insights and addresses the challenges around user behavior and user trust.
Returning to the idea of protection against ransomware: Cloud Secure protects you against internal threats by arming you with information. It analyzes and identifies potential malicious users that are accessing your data. In the event of suspicious behavior, you will be notified immediately and will be able to respond appropriately to minimize the risk of ransomware attacks or stolen confidential information.