Seclored: The Data Security News Blog

Shrinking the Aperture
And other useful methods to help solve complex problems in Cybersecurity

Category: Data Security

Overview

In most organizations, cybersecurity decision makers own a diverse set of domains that they must address: governance, risk and compliance (GRC), talent acquisition and retention, the changing threat landscape, and much more. Navigating the specific challenges that accompany each of these domains and knowing how to select the right solutions for those problems are challenges for every cybersecurity leader.

Cybersecurity exists in a unique part of the organization and often faces conflicting interests. For example, user speed and experience are of paramount importance, but security measures often introduce complexity and latency. However, simply forgoing security is not an option, since a breach that leaks users’ personal information or interrupts delivery altogether has far more negative consequences. Striking such balances can be difficult.

When navigating such complex problems, it can be helpful to apply a framework that organizes the many moving pieces and tradeoffs into bite-sized steps. Today we’ll explore a handful of such frameworks in order to tackle operational or practice-level challenges, tool selection, and much more.

Constrain Problems, Not Thinking

There are many problem-solving methodologies to explore: McKinsey, Google, AT&T, and many others have all developed different frameworks to attack various problems. While they’re all slightly different, they share many common techniques as well.

Unsurprisingly, each of the well-known frameworks has a step (usually at the beginning) dedicated to defining the problem. This step is often one of the most challenging in the entire process for a number of reasons, especially in cybersecurity, where the problem is often opaque and undefined. We’ll start there.

Defining a problem well requires an editing process that gets to the essence of the issue. The process should isolate the problem as much as possible, and as clearly as possible. Constraining the problem is the first and most crucial step. Once the problem is constrained, you can explore solutions in a very unconstrained way and creative problem-solving can start to play a role.

Let’s give this first step of defining the problem in narrow terms a name: shrinking the aperture of focus.

Shrinking the Aperture of Focus

To illustrate how shrinking the aperture can help, let’s take an example of a common security challenge: selecting tools for asset protection.

Protection is a very broad topic, so we’ll need to start our editing process. Instead of trying to tackle the undefined task of “protection,” we will define it further and focus on the two most important aspects of protection: data and identity.

We have chosen to focus on data and identity because of the role they play in almost every attack. One could argue that data and identity represent all of the targets that a bad actor would like to acquire. By isolating the problem in this way, we can be much more deliberate, focused, and consistent as we search for solutions. And as a result, we’ll need fewer of them. After all, so-called “tool sprawl” is a challenge in its own right: complexity introduces unnecessary risk, so we want to select the minimum number of tools required to meet our coverage and protection requirements.

We’ve defined the problem as securing data and identity. We can only focus on one at a time. Let’s start with data protection. Continuing to narrow in on data protection, we need to identify what type of data we seek to protect. After all, structured data calls for different strategies than unstructured, file-based data.

Continuing to shrink the aperture, we arrive at a clearly-defined, specific problem space to address: protecting unstructured, file-based data, both in circulation and at rest.

Of the various forms of data, many of the most devastating attacks seek to ransom, exfiltrate, or otherwise abuse file-based data. Moreover, the nature of file-based digital assets makes them particularly challenging to protect in a comprehensive way: most approaches focus on protecting these assets via permissions local to a user’s system or on the server via file shares. While these strategies are useful, once a file leaves the perimeter of the organization or a user’s device, security controls are lost.


Starting at the End

Now that we have shrunk the aperture to narrowly define the problem, we are ready for the next step.

Again, each problem-solving framework has its own sequence of steps. For cybersecurity applications, we like a technique found in a methodology called TRIZ, or TIPS, which was developed in the 1940s. The TRIZ framework uses the same beginning step of breaking the problem into smaller chunks (shrinking the aperture), and follows it with a technique of “starting at the end”: looking at the problem by starting from the desired end-state solution and working back from there.

In this example, we’ve shrunk the aperture to focus on protecting digital file-based assets, so let’s look at the problem of file security with an eye toward our idealized end-state. In order to do this, it’s useful to start with a specific use case.

Consider a sensitive file that is shared with several stakeholders. Two stakeholders are internal, and two are with a third party that the business relies on for a specific set of outsourced functions, such as a call center.

This file is shared via email as an attachment, and contains sensitive information that should not be shared outside of the organization and its authorized third-party business partners.

When the email is sent, copies of this file are distributed to the stakeholders. What was once a single file has now become five files in total. The email attachments of the original file now have a lineage back to the original.


While this email attachment behavior is well understood, it’s incredibly relevant here for addressing the problem that we have defined: protecting unstructured, file-based data, both in circulation and at rest. Let’s make some observations on the dynamics at play:

  • In order to convert file-based information into business value, these files need to be shared. But this also means that we expose ourselves to risk: each copy of the file that is sent as an attachment increases it.
  • Shared files represent a one-to-many relationship. A single file can be copied and shared many times. The more people that receive the file, the more likely it is to be shared further downstream without authorization and to spread like wildfire.
  • Security controls are totally lost once the file is sent outside of the organization.
  • We have no way of knowing when the file was opened, or who opened it. We also have no idea of what actions were taken on the file.
  • There is no way to revoke access to the file once the email has been sent.
  • We can’t constrain access to a specific period of time.

By starting at the end, we can use the various aspects of the problem to form requirements for our ideal solution:

  • Security controls must follow the file, even after it leaves our organization. These controls are managed remotely, by our organization and our policy.
  • We need the ability to revoke access to the file, prevent copying, modification, and other actions that fall outside of our policy.
  • Automated enforcement actions must take place. Authentication, access and authorization for various actions needs to be automatically checked and enforced without user intervention or manual steps.
  • We need to be able to enforce the proper “lineage” of the file. In other words, we need to automatically limit the number of recipients to only those that are authorized to use the file.
  • Granular control over specific file actions must be easily implemented, e.g. read, write, copy, print, etc.
  • Comprehensive audit logging must be in place so we’ll have visibility into which actions were attempted on the file and by whom.
  • All of this must be done in a minimally intrusive way that doesn’t negatively impact users.
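The requirements above amount to a policy model that can be sketched in code. The following is an added illustration, not Seclore’s product or code: a toy central policy service in which every emailed copy of a file carries only a file identifier, and each attempted action is checked against the remotely managed policy (recipient lineage, per-action permissions, validity window, revocation) and written to an audit log. The identities, file id and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class FilePolicy:
    """Policy for one logical file; every emailed copy carries the same file_id."""
    file_id: str
    allowed_users: dict            # identity -> set of permitted actions (the file's "lineage")
    valid_from: datetime
    valid_until: datetime
    revoked: bool = False

@dataclass
class PolicyServer:
    """Constructed stand-in for the organization's central, remotely managed policy service."""
    policies: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def check(self, file_id, user, action, now):
        """Decide whether `user` may perform `action` on `file_id` at `now`; every attempt is audited."""
        p = self.policies.get(file_id)
        if p is None:
            reason = "unknown file"
        elif p.revoked:
            reason = "access revoked"
        elif not (p.valid_from <= now < p.valid_until):
            reason = "outside validity window"
        elif user not in p.allowed_users:
            reason = "recipient not in lineage"
        elif action not in p.allowed_users[user]:
            reason = f"action '{action}' not permitted"
        else:
            reason = "allowed"
        self.audit_log.append((now.isoformat(), file_id, user, action, reason))
        return reason == "allowed"

    def revoke(self, file_id):
        """Remote revocation: applies to every copy on its next check, wherever it is."""
        self.policies[file_id].revoked = True

def build_demo():
    # Constructed scenario from the post: two internal stakeholders, two at an outsourced call center.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t_end = t0 + timedelta(days=30)          # access is constrained to a 30-day window
    server = PolicyServer()
    server.policies["policy-doc-42"] = FilePolicy(
        "policy-doc-42",
        {"ana@corp.example": {"read", "edit", "print"}, "bo@corp.example": {"read", "edit"},
         "cy@callcenter.example": {"read"}, "di@callcenter.example": {"read"}},
        t0, t_end)
    return server, t0, t_end
```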

By starting at the end, we land on a clear set of requirements that a solution needs to meet in order to protect our digital assets. Moreover, it greatly simplifies the selection of candidate solutions: they’ll either be able to meet our requirements or not. The original challenges of ambiguity and paradoxical tradeoffs are eliminated.

Real World Examples

The scenario above isn’t pulled from thin air. It’s based on feedback from our many customers. They use Seclore to protect their files and to solve this problem in a streamlined, automated way. Below are two examples of real enterprises who wanted to improve their “protection,” shrunk the aperture, and found Seclore as their choice solution for protecting unstructured, file-based data, both in circulation and at rest.

Insurance Fraud

A customer in the insurance industry relies on third-party actuaries as part of its day-to-day operation. This entails sharing policy information with the third party. Even though various usage agreements were in place, these shared files still leaked through employee turnover or unauthorized sharing.

During the COVID-19 pandemic, fraud cases proliferated globally, and insurance fraud was no exception. Policies were forged using information from valid policies to execute fraudulent transactions.

The insurance provider went through a similar exercise as above, and after clearly defining the problem, shrinking the problem space to be as specific as possible, and starting with their ideal end state in mind, they selected Seclore’s solution to address their data security challenges.

Once deployed, policies were automatically enforced, even with remote third-party business partners. Copying, printing, modifying, and sharing the policy information was stopped immediately. And so was the fraud.

Insider Threat

In 2022, the World Economic Forum’s Cybersecurity Outlook placed malicious insider threats in the top three concerns among survey respondents for the year. Unfortunately, concern is unlikely to change anytime soon, causing many organizations to seek out solutions for automated prevention of data theft.

A customer in the Financial Services industry suffered from a steady stream of leaked information contained in sensitive files. They realized that they needed to enhance their protection, even though they had an existing DLP solution. They knew that once the files were leaked, control was lost and could not be regained.

They, too, went through the exercise of shrinking the aperture and starting with their end goals in mind: protecting and controlling sensitive information and IP. They selected Seclore to help protect their sensitive files, and used custom watermarks and audit trails to quickly identify who within the organization was responsible for the leaks and to prevent future leaks.

Conclusion

We draw on several tried and true problem-solving frameworks to navigate cybersecurity’s biggest challenges: ambiguity and conflicting priorities. These techniques enable security leaders to focus on a well-scoped problem space and set specific requirements in order to find a solution in an otherwise cluttered marketplace.

Seclore was founded after undergoing a similar exercise, which boiled down the most commonly faced challenges for the modern enterprise. Our solutions allow customers to protect their digital assets across various industries, company sizes, and security maturity levels. As the proliferation of data continues and remote work becomes the new reality, comprehensive and automated protection will remain critically important for security leaders.
