What Exactly is “Visibility”? A Security Perspective
Seeing as much of the threat landscape, and your own vulnerabilities, as possible, will help your team prevent you from becoming the next big breach in the news.
I’m not sure when “visibility” became a unit of measurement for your ability to predict, identify, and investigate a data breach. But if you attended an industry conference like Black Hat, you heard analysts, journalists, and vendors tell you about the importance of getting it. Before you ask, “How do I get visibility?” and “Once I have visibility, how does it help me?”, let’s take a step back and answer the broader question of “What is visibility?” The definition has changed over the years.
Ten years ago, having visibility meant you had your eyes trained on your security perimeter, always on the lookout for external hackers trying to slip past your firewall, antivirus, antispam, and other outward-facing defenses.
Today, the threat landscape looks much different. Organizations have embraced technologies like cloud computing, file-sharing, and powerful endpoint devices. That means all of your information no longer resides in the relative safety of your servers and data center.
The upside is that your users can access information anytime, anywhere on all their devices, and easily share that information with colleagues, partners, and customers. The downside is that the risk of a data leak has never been higher.
Terms like “visibility,” “full visibility,” “complete visibility,” or “real-time visibility” are all different monikers for the same concept: the ability to continuously track all activity to provide full context into where your sensitive information assets are and how and when they are created, accessed, moved, and shared. This capability is also critical to determining the source, impact, and vector of data exfiltration.
How Do I Get Visibility?
Just as important to knowing the context of how individual files are accessed and used is understanding the data-element level content involved. In other words, achieving full visibility requires you to know what’s happening at the information content level with full context, in real time and historically.
It’s one thing to know that file XYZ was accessed with Apple’s Safari browser. But it’s much more useful to have real-time insight into the fact that file Accounts32412.xlsx, containing 5,000 credit card numbers, including a specific credit card number 1234-4444-5555-0987, was uploaded to Dropbox.com via the Safari browser by user “John” on the JohnsMacBook machine, at 10:05 pm on October 1, 2017. At ThinAir, we call this “Information Attribution” in real time, and it is critical to knowing exactly what happened and what information is at risk.
This kind of detailed attribution provides you and your investigators with the individual characteristics that together make up visibility. You can answer the famous “5 Ws” questions that journalists ask themselves when investigating a story: who, what, when, where, why, and – the “sixth W” – how. You understand the depth and breadth of what happened, the exact time the risky behavior occurred, the user(s) involved, and which devices and specific files were involved.
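To make the attribution idea concrete, here is an added example (not ThinAir’s code or the article’s) that joins a constructed file-access event (the context: who, where, when, how) with the file’s content (the data elements) and emits a 5-Ws record. The card detector is a simple regex plus Luhn check, so a random 16-digit run is not counted; the event fields, the test card numbers and the list of external sharing domains are all assumptions made for the example.

```python
import json
import re

# Constructed sample inputs: one access event (context) and the file's contents (data elements).
SAMPLE_EVENT = json.dumps({
    "ts": "2017-10-01T22:05:00", "user": "John", "host": "JohnsMacBook",
    "app": "Safari", "action": "upload", "dest": "dropbox.com",
    "file": "Accounts32412.xlsx",
})
# Two Luhn-valid test numbers and one 16-digit run that is not a card number.
SAMPLE_CONTENT = (
    "acct,card\n"
    "1,4111 1111 1111 1111\n"
    "2,1234 5678 9012 3456\n"
    "3,5500 0000 0000 0004\n"
)

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")   # 14-19 digits with optional separators
EXTERNAL_SHARE = {"dropbox.com", "box.com", "drive.google.com"}  # assumed list

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text: str) -> list:
    """Return the digit strings of candidate card numbers that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def attribute(event_json: str, content: str) -> dict:
    """Join the access event (context) with content inspection into a 5-Ws attribution record."""
    ev = json.loads(event_json)
    cards = find_cards(content)
    return {
        "who": ev["user"],
        "what": ev["file"],
        "when": ev["ts"],
        "where": f"{ev['host']} -> {ev['dest']}",
        "how": f"{ev['action']} via {ev['app']}",
        "card_count": len(cards),
        # Sensitive content leaving to an external sharing service is the exfiltration case.
        "risk": "exfiltration" if cards and ev["dest"] in EXTERNAL_SHARE else "low",
    }
```

Running `attribute(SAMPLE_EVENT, SAMPLE_CONTENT)` reports two card numbers (the non-Luhn run is dropped) and flags the Dropbox upload as an exfiltration risk.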
How Does “Visibility” Help Me?
Achieving visibility is critical to identifying and mitigating a breach. Because you are able to understand where the “crown jewels” are, you can also identify users’ and devices’ risk profiles even before an exfiltration occurs, and break the Insider Threat Kill Chain. Visibility into the sequence of user-data access events can help identify and catch insiders before they can inflict significant damage.
Visibility is key, but you also need to act with speed when conducting a risk assessment, compliance analysis, or breach analysis. Acting quickly to get the answers to the 5 Ws enables you to determine the root cause quickly and accurately, and take effective remedial actions. Unfortunately, this has become the security industry’s Achilles’ heel.
According to the Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview report, it takes an average of 191 days to identify a breach, and 66 days to contain it. That’s far too long.
Visibility enables speed. I realize that may sound counterintuitive. After all, the more information you have to collect and analyze, the longer an investigation will take. However, just the opposite is true.
Published at DZone with permission of Gajraj Singh, DZone MVB. See the original article here.