Jim Butterworth | To protect networks, know thy data

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Short-term rentals and state legislation for local governments
Presented By Granicus
Download Now
The Way Forward: Essential Steps for Strategic Planning Success
Presented By Euna Solutions
Download Now
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Guidance Software’s director of incident response and federal services says a key to secure data is endpoint visibility — identifying and classifying data, and taking action on its disposition.

Guidance Software's Jim Butterworth

Jim Butterworth is Guidance Software’s director of incident response and federal services, but he focuses as much on preventing incidents as responding to them. He stresses a proactive approach to information assurance that begins with visibility and awareness.

He served more than 20 years in the Navy, including two tours in the Fleet Information Warfare Center at the Navy Center of Excellence for Information Warfare. Since joining Guidance, he has worked with incident response teams in the Defense Department and other U.S. agencies, and with foreign countries and NATO. “I see the same things repeated in all of them,” he said. “They carry different flags, but the problems are universal.”

GCN: Data breaches have become an increasingly high-profile issue in recent years. Is the problem becoming worse?

JIM BUTTERWORTH: The answer to that is twofold. First, due to the increased media reporting and the rise in public awareness, it has become a hot-button issue. And frankly, it’s a matter of public safety. What has become painfully apparent is that there is not a single industry that is immune to this problem. It has been my experience, however, that the commercial sector does a better job of protecting not only information, but their intellectual property as well.

GCN: Why is that?

BUTTERWORTH: I think they are better at quantifying the risk. The measure that they use is financial loss. It’s real, and there are heavy sanctions that are going to be imposed by their industry regulators. How does one bring a claim against a government agency for allowing a data breach to occur? I think the government does a decent job of holding everyone else accountable, but not always themselves.

GCN: What is the second reason for the high profile of data breaches?

BUTTERWORTH: Many security experts would agree with me when I say that the number of incidents being reported is mere fraction of the incidents that are actually occurring. This is because of the fear of public disclosure and the corresponding loss of public confidence; plus you can’t discount the possibility that these companies and agencies aren’t even aware that they’ve been breached. Is the problem becoming worse? Well, as of this interview [Jan. 22], PrivacyRights.org has compiled a list of 14 breaches this year, and within the last couple of days we have caught wind of the Heartland Bank having potentially the largest breach. What’s frustrating to a provider of solutions is the repeated cycle of exposure and the failure to secure the data. There is a black market for this information, and as long as there is an entity willing to pay for that information, we are going to continue to have a problem.

GCN: The Office of Management and Budget has prescribed steps to help agencies better protect personally identifiable information. How good a job are agencies doing at it?

BUTTERWORTH: I would give them high marks for establishing policies that recognize the importance of protecting the data, but I would give them low marks in their ability to actually execute on it. At the highest Cabinet positions, their goals are very well intentioned -- and that is, to protect the public, protect our research and protect our national secrets. They get it. The breakdown that I witness is in the implementation of the safeguards. We continue to emphasize access control and perimeter security, yet how do you apply access controls to an object you don’t even know exists? Or why are you relying on detecting data in motion? Isn’t that too late? The single biggest challenge in this problem is enabling the stewards of our data to identify, locate and remediate errant data.

It’s not our servers and data warehouses that are getting us into trouble. It is the data that exists on our networks that we don’t know about. It’s the employees who are storing things to their laptops and their workstations, the engineers who are making copies of their intellectual property off of the server. We need a fundamental shift in our approach to the problem. We need to ask ourselves how does the justice system go about locating information, and then model that capability to protecting our information. You can’t expect anyone to protect something they don’t know exists.

GCN: Is it necessary for agencies and other organizations to hold all of the sensitive data they do?

BUTTERWORTH: Ultimately that is up to the individual agencies to decide. I would encourage them to review their data retention policies, audit the data that is on their networks to see if they are within that policy, and then enforce the policy by either archiving or remediating the data. Rarely can a system administrator report the contents of a system with any accuracy beyond anything that is on a baseline image used to build the system in the first place. They don’t really know what’s on their systems. How can you determine the risk when after you roll the baseline image out, you stop paying attention to the device?

GCN: What is the greater risk: data at rest or in transit?

BUTTERWORTH: From my experience, it is the data at rest and the opportunity of the insider’s exploitation that poses the greatest risk. We permit access to insiders. That is the essence of a network. With that access comes exposure. How you control or audit that exposure ultimately determines your risk.

GCN: How do you protect against internal threats when most of our defenses are facing outward?

BUTTERWORTH: Ronald Reagan used an old Russian proverb that translates to: Trust, but verify. I think we should adopt a similar stance with regard to our data and our insiders. We grant them access, but shouldn’t we occasionally audit them to ensure that the access and the things they are doing aren’t being abused? The technology side of it is to implement multiple security layers consisting of a hybrid of solutions: some perimeter checks, access controls [and] you should look into encryption. But most importantly, you should have endpoint visibility. It ensures a good mix of detection coupled with good mitigation.

GCN: How do you identify risks before you are attacked?

BUTTERWORTH: You can’t make a determination of risk on the unknown. When you’re talking about data breaches, it is the data that is the risk. What often is done to cut exposure and your risk is to declare that, I may not know where everything is, but I can certainly control the gateway. This is what has led us to concentrating on perimeter solutions. But if you can be 100 percent certain that no critical information sits where it isn’t supposed to be, doesn’t the job of defending the network become easier? I hope that 2009 becomes the year of the endpoint, where organizations and agencies begin to recognize that the solution to their risk is in identifying the data, classifying it appropriately and then taking action on its disposition.

GCN: Security being imperfect, breaches are bound to occur. How can you spot a breach or possible breach before it becomes a problem?

BUTTERWORTH: Computers leave telltale artifacts behind that coincide with a specific action. A computer will not do something that it was not either programmed or asked by a user to do. So by searching for and identifying these artifacts early, an examiner can then make a determination as to the intent of what he is seeing. A skilled examiner equipped with the right tools can differentiate between normal computer behavior and an anomaly. Recognizing these anomalies early can provide a good indication and warning of impending activity. There are plenty of triggers out there that we should be exploiting.

GCN: What are the relative strengths of access controls and encryption in securing information?

BUTTERWORTH: They are both very well-suited for the purpose they were designed for. Both of those solutions are endpoint-centric. Access controls are well-suited to either allow or deny access to an object, as laid out by policy. Their weakness is that an access control implicitly is assigned to something that you know about. How do you supply a secure access control to errant data?

Encryption comes in many forms, such as data-in-motion, full-disk, file-based and so on. Our ability to encipher data in all of these forms is the strength of encryption. A weakness is the challenge of auditing that data, an unintentional consequence of encrypting it. You should not have to crack encryption to find out what the data is. The key is the integration of tools with encryption vendors so that you can have endpoint visibility and access the data legitimately. Guidance Software has been working with many encryption vendors to allow authorized users to see the data in an unencrypted format. Integrating the two solutions so they are not circumventing each other lessens the weakness of encryption.

GCN: You stress prevention. How important is response and forensics after the fact?

BUTTERWORTH: They are both vital. Unless an organization is able to learn from history, it is bound to repeat it. What an agency gains from incident response and forensics is a deeper technical understanding about the tactics, techniques and procedures of our enemies. There is a fine line between gains and losses with regards to how quickly an agency should put an asset back online. What they should consider is whether it is more important to their mission to put the system back online versus potentially losing opportunities forever to learn about what happened. How did the enemy get in? What did they take? There are many reasons an agency would desire to return to full operational capability as quickly as they can. I am not advocating that every computer be examined every time. I am advocating a process be put in place that allows those responsible for the mission to make that determination.

There is a psychological impact when an agency announces that it is adopting forensic technology throughout the infrastructure. It puts teeth to the consent-to-monitoring clause that is on every federal warning banner. It becomes a fantastic deterrent. But it has been my experience that the skilled practitioners who can do incident response and forensics are few and far between. Our agencies would be well served to identify people, train them and take this seriously.

NEXT STORY: U.S. must craft cyberwarfare battle strategy

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.