Do cybersecurity professionals even know what they’re protecting? How aware are they of the data, its content and its sensitivity? What happens to your security posture when you do understand the data you’re protecting? What can you do that you weren’t able to do before?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our sponsored guest, Aidan Simister (@aidansimister), CEO, Lepide.

Thanks to this week’s podcast sponsor, Lepide

Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats – fast.

Got feedback? Join the conversation on LinkedIn.

Full transcript

Steve Prentice

Hi, I’m Steve Prentice. If you enjoy our daily Cyber Security Headlines podcast, then do yourself a favor and check out our Week In Review which airs every Thursday at 4 pm, Pacific, 7 pm Eastern, where we look at some of the stories from our morning podcasts and invite a cyber security expert to come in and weigh in with their expertise on those stories. It’s always a fascinating 20 minute conversation and you can be part of it as well. Simply go to Cisoseries.com, look on the register for video chats button and sign up. We’ll see you there.

David Spark

Do cyber security professionals even know what they’re protecting? How aware are they of the data, its content and its sensitivity? What happens to your security aperture when you do understand the data you’re protecting? What can you do that you weren’t able to do before?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. Joining me as a regular always, I have other co-hosts, there’s Geoff Belknap and sometimes we get guest co-hosts jump in. But joining me frequently, I will say it that way, is Steve Zalewski who is the CISO over at Levi Strauss. Steve, we want to hear the sound of your voice. What does it sound like?

Steve Zalewski

Hey, David. Good to hear your voice again. Glad to be here.

David Spark

That’s exactly the sound of your voice. You don’t plan on changing it at any time during the show, do you?

Steve Zalewski

I hope not.

David Spark

Let’s hope not. You’re not going to be going through puberty are you during the show?

Steve Zalewski

[LAUGHS] No.

David Spark

Let’s hope not. Alright. Our sponsor for today is Lepide and in fact they’re the ones who brought this suggestion to us, that we talk about this, and I’m thrilled that they’re here to join us. And I’ll introduce their CEO in just a moment. But first our topic of discussion Steve, on LinkedIn, you asked this question, how much do you know about the data you are being asked to protect? Now it seems something we shouldn’t even need to ask, but just knowing that, seems to be a really complicated issue. And when we don’t know what data we’re protecting, we protect diamonds and candy bars at the checkout equally, which is far from an efficient use of cyber security resources. Do I have that right?

Steve Zalewski

Yes, you do. And the reason why I posted it again, ’cause this is a conversation that comes up periodically, is in my own work responsibilities, it’s changing. The question is the same, the answers are changing as to what’s driving it, both in my ability to know and what I have to do regardless of whether I know. Which is why I thought it would be such a great topic to put out there, is to talk about what we’re observing now.

David Spark

Well the person to help us through this conversation is our sponsored guest, Aidan Simister, CEO of Lepide. Aidan, thank you so much for joining us.

Aidan Simister

Thank you very much for having me.

What are they doing wrong?

00:03:07:23

David Spark

Ward Balcerzak of Allstate said “To have the correct and effective controls to monitor and protect data, you have to know what it is.” Essentially the premise of what we’re discussing. And he said the reason for that is, you wouldn’t put up a $100 fence to protect a $10 horse. Jason Murray of Iron Mountain said, “It’s like a bad factory line for information management, with no quality control ownership and nobody knows who is responsible for the previous step.” Sad to say Jason’s description is more the norm than not, yes?

Steve Zalewski

I would say yes. Jason hits it on the head in my mind. But where the question is for me isn’t what we are doing wrong, so much as it’s why can’t we figure out how to make it work? So instead of highlighting why the business won’t take responsibility, part of our challenge is we simply can’t have that conversation anymore because the requirements are simply overtaking us. And that excuse doesn’t cut it anymore.

David Spark

Let me ask Steve’s question. Why can’t we make it work, Aidan?

Aidan Simister

I think the point that you made earlier about taking responsibility is absolutely paramount here. I think the difficulty we often find, is that a lot of organizations still don’t really know who owns the problem. We see this so commonly and I think without a lack of accountability and ownership over who is it that should know that you’re allowed to keep data in that place? Or the people should have that level of access to that data. There seems to be a bit of a lack of ownership over those types of things. And I think until we can get to that place where we can start becoming more sensible over ownership and accountability status, I don’t know how the problem is going to change.

David Spark

Is there ever a company you see oh yes, they know their responsibility for their data, and the privacy issues and how long they need to retain it and all this stuff? They’re on the ball. When do you see that high functioning company and what are they doing to behave that well?

Aidan Simister

Steve, I’d love to get your view on this, but, I don’t see that. [LAUGHS]

David Spark

You’ve never seen it ever?

Aidan Simister

So right. But of course we’re biased, because obviously we only ever talk to organizations that haven’t fixed this problem.

David Spark

Yeah, people who are doing it all right are not you calling for help.

Aidan Simister

[LAUGHS] That’s exactly it. So, I think that my sample would be pretty biased. But I think that we almost need to step back before we start thinking about doing it right. We just need to do it at all. And I think a lot of organizations, when you think about even the really basic information like do you know what’s sensitive? Do you know where the information is that’s most sensitive inside your organization? Do you know who’s got access, what’s happened to it? I think fundamentally, people can’t answer those basic questions. I think you need to get that and you need to figure out who should own these things? Who needs to own what we do about this, how we protect you? Who’s making these decisions? Should it be the data ravers?

Steve Zalewski

For 30 years the conversation has been intellectual property. SOX compliance where it’s financial data. And we argue about that. We try to get to the business. What I’m seeing now is consumer data. PII data. And that’s not a conversation where we can wait nor is it a conversation that the line of business necessarily owns. And so, I have to do something. So you’re almost put into a position of, I either have to protect everything equally, because I don’t know. Or I can continue to try to chase this rabbit and see if I can figure out who in the business might be responsible and in the meantime, the business needs to sell more jeans.

What’s the motivation to fix this problem?

00:07:06:22

David Spark

Ward Balcerzak also again from Allstate said, “One has to know how it’s properly used in order to prevent improper usage. For example, simply blocking data from leaving an organization that has business models wrapped around B2B interactions, would actually break said business models. The inverse of just letting data leave, is equally as bad.” I also want to mention what Matthew Biby, CISO over at Satcom Direct, said, “What you do (the process) with what (the data) how (the systems) and what would happen if any of those are interrupted or fail. This is the best way to build lasting accountability and secure the data. All too often it’s perceived easier to throw tools at the problem, which at best only temporarily solves the problem and worst, leads to multiple security systems overhead, that eventually negatively impacts security resources budget.” Let me toss to you Steve, here. What’s your take on this of the going too hard, too soft and throwing tools at the problem?

Steve Zalewski

So, I’m going to go to the question, which is what is the motivation to fix the problem? Because, Ward and Matthew were talking about ways to do it, if you think about it. But let’s talk about the motivation for a minute. I know I’m going off, which was here’s the way I see it for a lot of business to consumer trends. Social contracts, with most companies that sell products, are becoming ever larger commitments. And what that means is the social contract on the consumer data itself, my promise to protect that data, in order to be able to use it, is paramount. So protect the brand for many people is always an issue. But it’s becoming bigger and here’s why. The management of that PII data, consumer data, historically has been with our legal team or with our e-commerce site. But now on a country by country basis, the countries are declaring the rules under which I can store and use that data internationally. And on a country by country basis, if I violate that I have to report it and I’m fined on it. So, how do I allow the business to use all of that data in the variety of ways it wants to do it to sell, to mine right and yet make sure that I’m compliant on a country by country basis? Who owns that problem?

David Spark

Where in these comments that both Ward and Matthew made about being too hard and too soft and then just having tools to solve the problem, where do you see the gentle balance?

Aidan Simister

I’m of the view that the first thing you need is visibility. You need to at least have the information to be able to make decisions about how you’re going to work with that. You need to know what it is you’re trying to protect. You need to understand the risks of understanding that people have access to things that they don’t need access to. You need to be able to find out what those anomalies are. You can’t just say well I’m not going to buy it. I don’t want tools to find out these things, because you need to know this information. And I think that there are some critical insights from getting that visibility that can enable any security team to make better decisions about protecting the data. And I think that we absolutely should do that. To say that well, tools aren’t going to solve the problem. Well they are giving you the visibility, surely you need that do you not?

David Spark

Right so, tools for visibility. Again, I don’t want a lump of old tools. We need tools for solutions. But I know what Matthew’s intent was of this is going to be a Band-Aid to a much bigger problem and we need to look at the bigger problem, right?

Aidan Simister

And I do accept that. And I think that as I said earlier, I think that if we could actually get down to levels of accountability and people actually owning the problem about I’m responsible for this data, I think that is the root of the problem. That’s a better way of solving it, rather than just the tools alone. The visibility is almost turning the lights on after you’ve figured out something is already wrong. You need the bit before that. Steve, what’s your view on this? Trying to get your opinion here.

Steve Zalewski

I think the conversation is moving to so what, now what? Which was it always comes down to where’s the data? Who owns it? What to do? The reason why I posed the question is because I’m being pushed against the wall. I have to move the data. I have no choice. I’ve got to move it and therefore trying to get on the front end of analyzing and everything else, isn’t sufficient. Now what I have to do is move it and how do I protect the company, not secure the data, not demonstrate compliance, which is where I was starting to say “well then, it’s almost like I have to protect everything.” Now I have to assume all data is confidential because there’s so much of it moving across systems that never cared before. That’s my point. Which was, well I can’t continue to have the conversation because the business transformation is making it irrelevant. So what do I do on the back side now with tooling, regardless of the fact that I can’t actually solve the upfront as to who owns what.

Why are they behaving this way?

00:12:32:03

David Spark

Steve Zenone of Mindstrong, said, “Some organizations see this as a security problem and not a business issue to tackle,” which I think we’ve addressed. And William Tarkington, of Zenefits said “The difficulty stems from the complexities of our integrations/shifting business drivers. As the business shifts, to monetize, reduce risk, enhance market position, gain market share, the various arms of the business all make independent choices on how to leverage the company’s assets. Establishing proper controls around how that data is used requires constant evaluation.” So, now that we know this information, Aidan, that we know where our data is, what are we able to do now that we were not able to do before?

Steve Zalewski

We’re able to focus on what really matters. We’re able to hone in and protect in a way where we can prioritize. So, rather than saying I’m going to try and protect this file or I’m going to figure out who’s got access to this file that’s got someone’s holiday photos in, I can say hang on, we’ve got a file or a folder here containing shadow documents. It contains a spreadsheet for the credit numbers, it contains a document here that contains confidential information.

David Spark

So once you’re doing this, what you’re describing all of a sudden comes to light. Yes?

Aidan Simister

Absolutely right! You’re able to really then hone in and say, right this is the stuff we need to protect. These are the people that have access to this stuff that shouldn’t have access. Here’s what’s happening to the data that matters to the most of our organization right now. So, that enables you to be much more effective in taking decisions to protect it.

David Spark

Simple as that. Your follow up Steve?

Steve Zalewski

So what I’m going to say is, where Aidan is going with that, is third party risk. What we’re really seeing is more and more of that data we’re having to give to a third party. We don’t keep it within our data centers and within our constrained environment. We’re having to give it to others because it’s the way that we now do business with Cloud and transformation. That’s the big difference. I have to move it out. So, what’s my risk to supply chain and third party is becoming greater if I don’t have at least some nominal control over what I’m exchanging. And that’s why we’ve got to do it. Another way that we’re solving this risk, besides just trying to quantify all of the fields and giving classification, is enforcing for example, no production data in non-production environments. Anonymization, masking, and even doing that between two business partners, where if we have to send them data, if it doesn’t have to be the actual native data, we’ll anonymize it or tokenize it and then later, do a back end exchange to be able to commit to show that data. So, we are actively changing the conversation on the technology we’re using, to not try to get all of the data classified, so much as what we’re trying to do is, limit the use of that data and be able to focus on that level of trust and verification.

Aidan Simister

I find that really interesting and I think one of the big use cases from what we find clients using our software for, is to help them understand people that have access that don’t need access. So, they can at least reduce that risk if the opportunity is reduce the risk of that distracted employee that perhaps just doesn’t realize what he’s done. Or that someone that attaches that and doesn’t realize that that’s a problem. And I think that that reducing the level of people that have access to the data, is absolutely fundamental to keeping it safe. And I think that that’s one of the benefits of doing this, is you can do that, you can achieve those results.

Steve Zalewski

Let me just add a quick follow up to that. How complicated is it to constantly manage that? We got X number of employees, tons of data, tons of different rules on it, it just seems like a tantamount task to even keep an eye on that and manage it. Is there any way? My feeling every time I hear this is, there’s got to be some automation involved. And what that is automating? I don’t know.

Aidan Simister

Again, I think it comes back to what we were saying earlier. You can’t probably protect everything. You can’t look at every file and every folder. You cannot do that. But you can narrow it down. You can zoom in on the stuff that matters the most. And you can have people in the organization that can take those decisions based on the stuff that they know really, really matters. And I think that that is a really important step. I think that that’s important.

Why is this an issue?

00:17:09:23

David Spark

Debra Farber over at the Rise of Privacy Tech said, “most companies large and small, are just not funding the privacy function enough.” And we didn’t specifically talk about privacy here, but it’s sort of all enveloped. She goes on to say, “they set the bar so low as to only invest in meeting bare minimum compliance requirements.” and Steve Zenone again of Mindstrong said, “is this protected health information? This can get messy when debug logs are being written that shouldn’t have sensitive data and those logs are then ingested through other pipelines. Making a mess for knowing where the data is, let alone making incident response and clean up difficult.” So, Steve, this gets into some heavy PII data issues which I’m sure, this has got to be the number one concern of why you need to know your data.

Steve Zalewski

Yes. And there’s another component to that which, Aidan talks about, which was I need to know where the data is. I need to know who’s going to touch it. Well, part of this and what you’re seeing here is, I don’t even necessarily know where all the data is anymore, to be able to go through a rigorous exercise of understanding who owns it and what it is. Part of this negotiation that we’re now having is, the SQL databases or the files, they’re everywhere and they’re moving further out into my network, if you want to think about it that way. So part of this conversation too is, rethinking where is the jump point that I’m going to even be able to implement from a tools perspective? To be able to apply policy and be able to demonstrate compliance. Because what really results out of all of this is, I have to trust more people with more data than I used to be able to get away with. And so, with that more trust means verify. So that in the event that they don’t take the trust that I’m giving them and behave correctly, I have to have evidence to take action. And so again, you can see the security practitioners being pushed into a corner so to speak, where now I’m trying to figure out well they’re given all this, at the very least, I have to have a central place to implement policy, given the location of all the data and be able to represent it, because that at least forces on the business, some ownership as a result of their speed, not necessarily providing the right level of protection.

David Spark

What say you on that, Aidan?

Aidan Simister

I mean certainly, when I look at what we do, we focus in on perhaps one niche area of this in terms of we’re thinking very heavily about unstructured data. But you’re quite right. The problem is big and it’s getting bigger and data could be anywhere and it’s increasingly complicated to figure that out. But, I think that we’re very, very focused on helping thinking about data that’s stored in enterprise data stores, unstructured data, because we see so much risk there and we see that that’s something that’s so often overlooked. If I take the example of health care, we see perhaps, surgeons and they’re a law unto their own, and they’ll create documents that contain PHI and they’ll save it, in a Word document on a server. [LAUGHS] And no one will even think about that. And then they’ll email it to their other colleagues and some suppliers, some external provider as well, to help them as well. And this is all creating risk. And this is just overlooked. And I think that, unstructured data in particular, is such a big problem.

David Spark

Why don’t we just boil it down to a customer comes to you that has the problems that we’ve just described, which are pretty disastrous. What is it you’re doing? What is it Lepide is actually doing in this situation?

Aidan Simister

We’re going to help you understand where it is, why it’s sensitive and then we’re going to help you understand who’s got what levels of access, who’s using these levels of access. Are people even using these levels of access they’ve been given? Do we have people that have more access than they need? Or another way round this, you could say well what’s happening to it? So it might be that you find out that you’ve got an anomaly around some sensitive data and then you can say, well okay, who else could do that? Who else could perform that type of behavior? How can we limit the number of people that can access that data. So I think that really, it’s just it’s that visibility over where is it, who’s got access, what’s happening to it? That’s really the value that we’re delivering.

David Spark

And then once that information is had, then you’re helping putting policies on it, controls on it. What’s going on at that point?

Aidan Simister

Right, so there’s a couple of different things that we can do. We can obviously notify and then help an organization create some rules and some work place to take action on that. We can feed this into their SIEM platforms, their SOAR platforms. We find that is a common way people use it as well. Sometimes it’s going to Data Protection Officers and they’re reviewing that data and taking decisions for some organizations. So I guess, it’s really just about that, it is just about visibility. That’s the key. That’s the key. I can’t say that it’s consistent the way that every organization uses it, because the challenge also we find is that different organizations have different people that have different responsibilities for the data. So there is no common structure as to how everybody is using the output from what we’re delivering them. Comes back to what we were saying earlier, it’s not clear who owns the data in so many organizations.

Close

00:22:47:19

David Spark

Excellent point. And that brings us to the end of our show. But before we wrap up, there are two things we’d like to do. One is, pick our favorite quote and why it was our favorite quote. So Steve, I’ll ask you, which one was your favorite quote and why?

Steve Zalewski

Oh, I give it to Will Tarkington, absolutely. He did a really good job of articulating the different requirements and the different issues that you’re seeing us now thinking about how we have to solve it differently. Because the business is putting different requirements on us.

David Spark

And Aidan, your favorite quote and why?

Aidan Simister

Matthew Biby, you can’t throw tools alone at this problem. Tools will definitely help but unless you have the right processes, unless you have the right people and right accountability, it’s not enough. It’s not enough. It won’t work.

David Spark

Excellent. Alright, thank you very much Aidan. Thank you very much, Steve. We had Aidan Simister who is the CEO of Lepide on to talk about do you know your data? ’Cause you should know it. I’m going to let you, Steve, have a closing comment and Aidan you get the last comment of the show. Please and if you have any offer for our audience, please throw it out. Steve first.

Steve Zalewski

So, one, I want to say, thank you Aidan. You can see why I wanted to talk about this. It’s because the conversation is changing and that to me was the important part of what we wanted to do today, was bring out the changes in the conversation and the fact that we’re having to move beyond. But that, at the end of the day, knowing the data you have to protect, is still paramount.

David Spark

Alright, and Aidan, any last comments on this very topic and any offer of suggestion for our audience or how they can get in contact with you, since you’ve never seen a perfect case, most, if not all of them, have a problem knowing where their data is.

Aidan Simister

We believe that data really matters and we believe that it should be treated with absolute respect. And I think for us, we really want to help organizations get that visibility. We want to help them find out where sensitive data is, why it’s sensitive. Help them truly understand who has what levels of access, how that access is being granted. And understand what’s really happening with the data, not what they think is happening with the data, what’s really happening with the data. Now, if any of your listeners would like to have a free risk assessment, it is something we offer, no obligation, absolutely we have this offer to anyone that approaches us. Feel free to message me directly over LinkedIn or send an email to sales@lepide.com. Love to help you out.

David Spark

And he will be linked in the blog post for this very episode. But Aidan Simister with Lepide spelled L-E-P-I-D-E. Thank you very much, Aidan. Thank you very much Lepide. Thank you Steve, and thank you audience for all of your contributions and for listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.