By Mike Hemes, Regional Director of Western Europe, A10 Networks.
HBO’s wildly-popular series “Game of Thrones” follows several factions’ quest to rule the Seven Kingdoms. It’s a numbers game. it’s an exercise in one-upmanship. And it’s likely to culminate in a brutal fight to the death.
As Daenerys Targaryen leads her army (and her dragons) and plots to battle Cersei Lannister to claim the Iron Throne as the one true queen, any leak of information could spell certain doom. Deceit is not a foreign concept in “Game of Thrones,” meaning there’s great potential for Daenerys’ or Cersei’s plans to fall into the wrong hands to be exploited.
In an example of life imitating art, hackers recently stole 1.5 terabytes of data from HBO, including full episodes of popular shows like “Ballers” and at least one script from an upcoming episode of “Game of Thrones.” The thieves also made off with internal company documents and HBO employee data. Some of the data has already been shared online.
HBO isn’t alone. The headlines are filled with companies that have had data and information stolen, whether it’s customer data, employee information, classified product data and more.
Types of Data Theft and Exfiltration
To understand how to prevent data theft, like the HBO hack, it’s important to first look at the different ways data can be stolen from an organisation.
Data breaches can occur either physically or digitally "over-the-wire." Physical data leakage can occur when someone transfers data from a user's device to a USB drive and then walks it out the door, or transfers it via a rogue wireless network. However, that vector is typically used by employees with a motive.
An over-the-wire data breach can occur with various degrees of complexity, duration and effort. Exploits that potentially give access to the stolen content might be as simple as taking advantage of improper security measures to bypass authentication for streaming services, or exploits that give command and control over a host to the intruder.
Other vectors used to steal data include spear phishing or deeper penetration into the corporate network or from a connected subsidiary or partner. If the main attack is through an intermediate and compromised system, there is a delicate balance that an intruder might consider in deciding at which rate to exfiltrate the data. The longer the intrusion, the higher chance of being discovered or inadvertently losing access because of nightly patching or the power state of the compromised system. However, if the intruder sends large amounts of data too quickly, it might raise some eyebrows and generate alerts from security solutions.
Preventing Breaches and Leaks
So how can companies prevent data breaches like these from happening?
When it comes to preventing data breaches and leaks, analytics and visibility are critical and can help detect data exfiltration events.
Detailed telemetry solutions that have good analytics are key to monitoring traffic that is leaving the network, and can detect any traffic flows that are outside the norm. From there they provide insight into what’s happening and act to stop any malicious activity.
In a case where data is exiting the network via fast exfiltration, IT management can use security solutions that create rules to lock down traffic in extreme circumstances, or even proactively set up policies that limit traffic. Additionally, Data Loss Prevention (DLP) systems that use the Internet Content Adaption Protocol (ICAP) to connect to the network can help prevent unauthorised data exfiltration.
If a data theft event uses encrypted traffic to transfer stolen data, protection systems can provide visibility and can often prevent such breaches. They can decrypt encrypted traffic so it can be inspected by security tools, and then re-encrypts the inspected traffic and passes it to its intended destination. It can uncover “over-the-wire” data thefts.
Protection systems can log the bytes being sent through encrypted traffic, and if it’s determined to be outside the norm, they will discover that and give insight into what’s happening.
The best protection system will decrypt across all ports and protocols and supports ICAP connectivity, meaning it passes traffic to a network’s existing DLP systems without the need for additional solutions.
It also supports service chaining, to enable selective redirection of traffic, based on application type, to different service chains with fine-grained policies. This can reduce latency and potential bottlenecks with a decrypt once, inspect many times approach, consolidating decryption and encryption duties.
The correct protection can protect your data from theft (but probably not from dragons).