
Data Protection Best Practices

Jul 05, 2023

Corporate data theft is on the rise as attackers look to monetize access through extortion and other means. In 2022, 40% of the intrusions Mandiant experts worked on resulted in data loss, an 11% jump from the previous year. Just this year, a major vulnerability in file transfer software has resulted in large-scale data loss for organizations across the globe (read our research on the MOVEit zero-day vulnerability).

To effectively protect sensitive corporate data, organizations should establish data protection programs that consist of dedicated funding, security tooling, and defined teams. A comprehensive data protection program can limit the impact of an attack and reduce the likelihood of data exfiltration in the event of a successful hack.

Table 1 shows examples of common types of data loss events that organizations face, and potential defensive controls that can be implemented to safeguard against them.

Table 1: Types of Data Loss / Defensive Controls

- Publicly exposed cloud storage bucket
- Data exfiltration from corporate network
- Attacker access to a cloud-based mailbox / Inbox syncing
- Loss or theft of a corporate device
- Theft of data from trusted insider

Table 2 includes a non-exhaustive, high-level list of example data protection alerts and corresponding detection use cases organizations often deploy to identify anomalous data theft activity across different platforms.

Table 2: Activity / Example Detection Use Cases

- Bulk Downloads in Azure
- Large Outbound Traffic
- GitHub Uploads
- Identification of File Transfer Utilities
- Suspicious Database Queries
- AWS Unauthorized Data Access
- Google Workspace Data Exposure
- Google Cloud Platform Data Loss
- M365 Data Theft

This blog post outlines common strategies organizations can take to protect against the theft or loss of sensitive internal data. Overall, an effective data protection program can be achieved in the following phases:

A Data Classification and Protection program helps ensure that appropriate protection measures are applied to systems and applications handling key data. This also allows organizations to better gauge what systems would be of most interest to an attacker. Key policies and procedures should be developed to govern data protection across an organization. These should include the following:

Development of the program may require an organization to:

Organizations should design their Data Protection Program using a risk-based approach and should perform risk assessments to determine threats to data, potential vulnerabilities, risk tolerances, and the likelihood of attacks specific to the organization.

In order to properly identify critical data, a formal data discovery project should be conducted:

A Crown Jewels Assessment can help organizations better prioritize which data requires the most attention and safeguards. As a best practice, a process should be in place to perform a crown jewels assessment for each new data set that enters the environment.

Focus should be given to analyzing data flows and how different types of data move within the organization, with the goal of understanding how data is obtained, processed, used, transferred, shared, and stored. After this has been completed, a determination of the criticality of data can be made.

Data Loss Prevention (DLP) solutions should be integrated at gateways and endpoints to allow security teams to efficiently monitor the movement of critical or sensitive information, both internally and externally.

Tools and capabilities should be deployed to detect potential data loss events. Technical defense mechanisms that can aid in the protection of data include:

For an organization that primarily leverages the Microsoft ecosystem, Microsoft Purview can be deployed as a DLP solution that combines data governance, risk, and compliance tooling into a single unified solution. Specific to protecting an organization’s data, Purview can be used to automate data discovery, data cataloging, data classification, and data governance. Specific to data loss prevention, Purview offers “Adaptive Protection”, which utilizes machine learning to create context-aware detection and automated mitigation of DLP events.

For an organization that primarily leverages the Amazon AWS ecosystem, Amazon Macie can be leveraged to automate the discovery of sensitive data, access provisioning, the discovery of security risks, and the deployment of protection mechanisms against those risks in the AWS environment.

Organizations that use GCP can leverage Cloud DLP, which helps organizations perform sensitive data inspection, classification, and deidentification. Cloud DLP also automatically profiles BigQuery tables and columns across the organization to discover sensitive data. Key features include:

DLP rules can be created to control the content that is permitted to leave an organization’s network. These rules can be established to audit the usage of sensitive content, warn users who are about to share information outside of the organization, prevent sharing of sensitive data (e.g., contains PII, data labeled as sensitive, etc.), and alert administrators about potential policy violations.
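As an added illustration (not code from the original post), the following Python sketch evaluates a share request against the rule types just listed: it audits internal use of sensitive content, warns the user when lower-risk findings are about to leave the organization, and blocks the share and alerts an administrator when PII or a "sensitive" label is headed to an external recipient. The detector patterns, the example.com corporate domain and the label name are assumptions.

```python
import re

# Illustrative detectors (assumed patterns, not production-grade).
DETECTORS = {
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
HIGH_RISK = {"US_SSN", "CARD"}          # findings treated as PII for blocking
INTERNAL_DOMAINS = {"example.com"}      # assumed corporate mail domain
SENSITIVE_LABEL = "sensitive"           # assumed classification label name

def luhn_ok(number):
    """Checksum filter so random 16-digit strings do not trigger the CARD detector."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect(content):
    """Return {detector: hit_count} for each detector that fires on the content."""
    hits = {}
    for name, pattern in DETECTORS.items():
        matches = pattern.findall(content)
        if name == "CARD":
            matches = [m for m in matches if luhn_ok(m)]
        if matches:
            hits[name] = len(matches)
    return hits

def evaluate(content, labels, recipients):
    """Map content findings and destination to an action: allow, audit, warn or block."""
    hits = inspect(content)
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    high_risk = SENSITIVE_LABEL in labels or bool(HIGH_RISK.intersection(hits))
    if not hits and not labels:
        return {"action": "allow", "alert_admin": False, "hits": hits}
    if not external:                      # sensitive content staying inside: audit only
        return {"action": "audit", "alert_admin": False, "hits": hits}
    if high_risk:                         # PII or labelled data leaving: prevent and alert
        return {"action": "block", "alert_admin": True, "hits": hits}
    return {"action": "warn", "alert_admin": False, "hits": hits}  # lower-risk: warn the user
```

The Luhn check is there to keep a 16-digit invoice or order number from being treated as a card number, which is the kind of false positive that makes users start ignoring DLP warnings.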

Data loss detection controls are designed to identify and alert organizations about potential incidents or situations where sensitive data may be at risk of loss or unauthorized access. Detection controls should be deployed across the organization’s network, endpoint, cloud, and application assets. User activity should be monitored for suspicious or anomalous behavior, such as accessing sensitive files that the user does not usually access. Logs and alerts from multiple sources should be forwarded to a central repository (e.g., SIEM) to provide timely alerts for potential threats.
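As an added example (not from the original post), the following Python code runs two of the detection use cases described here, a user reading sensitive files they do not usually access and bulk downloads within a short window, over a constructed file-access log of the kind a SIEM would receive. The log format, the sensitive path prefixes, the baseline cut-over date and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp,user,action,path,bytes
SAMPLE_LOG = """\
2023-07-01T09:00:00,alice,read,/finance/q2-forecast.xlsx,20480
2023-07-01T09:05:00,alice,read,/finance/q2-budget.xlsx,18000
2023-07-02T10:00:00,bob,read,/eng/design.md,4096
2023-07-05T14:00:00,bob,read,/hr/payroll.csv,900000
2023-07-05T14:01:00,bob,download,/hr/payroll.csv,900000
2023-07-05T14:02:00,bob,download,/hr/benefits.csv,800000
2023-07-05T14:03:00,bob,download,/hr/employees.csv,700000
2023-07-05T15:00:00,alice,read,/finance/q2-forecast.xlsx,20480
"""
SENSITIVE_PREFIXES = ("/hr/", "/finance/")  # assumed: paths carrying a 'sensitive' label
BULK_WINDOW = timedelta(minutes=10)          # assumed thresholds for the bulk-download rule
BULK_FILES, BULK_BYTES = 3, 2_000_000

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, action, path, size = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, path, int(size)))
    return events

def baseline(events, until):
    """Files each user touched before the cut-over: that user's 'usual' set."""
    usual = defaultdict(set)
    for ts, user, _, path, _ in events:
        if ts < until:
            usual[user].add(path)
    return usual

def detect(events, baseline_until):
    """Return (rule, user, path) alerts for events on or after the ISO date baseline_until."""
    cutover = datetime.fromisoformat(baseline_until)
    usual = baseline(events, cutover)
    recent = defaultdict(list)  # user -> [(ts, bytes)] of downloads inside the window
    alerts = []
    for ts, user, action, path, size in events:
        if ts < cutover:
            continue
        # Use case 1: sensitive file this user has not accessed before (alert once per file).
        if path.startswith(SENSITIVE_PREFIXES) and path not in usual[user]:
            alerts.append(("unusual_sensitive_access", user, path))
            usual[user].add(path)
        # Use case 2: many files or many bytes downloaded inside a short window.
        if action == "download":
            recent[user] = [(t, b) for t, b in recent[user] if ts - t <= BULK_WINDOW]
            recent[user].append((ts, size))
            if len(recent[user]) >= BULK_FILES or sum(b for _, b in recent[user]) >= BULK_BYTES:
                alerts.append(("bulk_download", user, path))
    return alerts
```

Running `detect(parse(SAMPLE_LOG), "2023-07-05")` flags bob's three HR files as unusual access and raises one bulk-download alert on the third file, while alice's access to her own usual finance file produces nothing.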

Refer to Appendix A for an example mapping of security tools against data protection program elements.

Using experience from investigations involving data theft, Mandiant created a non-exhaustive map of data protection technologies to components of an Information Security program. The table should be used to identify potential gaps or overlap in technology coverage, and customized based on an organization’s specific environment and risks.

Technology Type | Technology Layer
(each row is mapped against the program elements: Access Management, Backups, Classification, Data Discovery, Data Loss Prevention, Email Security, Encryption, Endpoint/MDM, Network Security, Security Log Monitoring)

Data Sensitivity Alerting Tool | Data
Mobile Device Management | Endpoint
Attack Surface Management | Network
DNS | Network
EDR for Endpoints | Endpoint
Password Vault | Data
Cloud Data Classification and Protection Tool | Cloud
ACL Based Firewalls | Network
Email Security Solution | Email
Web Proxy | Network
Vendor Management Tool | Network
Backups | Data
SIEM | Data
UEBA | Endpoint
File Integrity Monitoring | Data

Google Cloud Dataplex is a fully managed data lake service that can be leveraged for the organization, preparation, and analysis of data in the GCP environment. Dataplex provides a central data repository with tools to clean, transform, and integrate data for analysis. Important for data protection, Dataplex has tools to automate data discovery, manage access, track usage, and enforce policies. Dataplex can be leveraged to obtain the following capabilities:

Google Cloud Data Catalog API can be leveraged as a data discovery and cataloging service. This tool enables developers to manage and discover metadata about data assets. It provides programmatic access to create, update, and delete entries in the data catalog. The API allows users to search for and retrieve metadata information, such as tables, views, and columns, from various data sources. It also supports integration with other Google Cloud services, enabling seamless data discovery and governance workflows.

Mandiant can provide the following independent security assessments to gauge organizational cybersecurity maturity.

Additionally, Mandiant can perform rapid security reviews of the three major cloud environments to assess data security practices.
