Cybersecurity is a team sport. Whether your organization has a dedicated security team, a Chief Information Security Officer (CISO), or an IT leader who manages security in addition to other responsibilities, that person cannot succeed without the support of management and the entire IT organization. Servers, databases, networks, and other IT assets are all interdependent, so effective IT security depends on collaboration.
As a data professional, you are responsible for one of your organization’s most valuable assets—your data. The good news is that you do not need to become a security expert to help protect your data. There are a lot of things that every data professional can do to help secure your company’s data platform.
The hardest part is figuring out where to begin. It is so easy to get overwhelmed by all the information out there – new vulnerabilities, malware, high-profile data breaches, and new solutions from a huge field of security vendors and service providers.
There are three main areas where you can help your organization improve its overall security posture using the expertise that you already have:
- Incident Prevention – making it harder for attackers to find their way into your systems.
- Incident Detection – identifying suspicious activity when it occurs.
- Incident Response – taking action to identify, contain, and eradicate an intruder.
In this article, I will discuss briefly how to improve your overall security posture, as well as how to protect your data, which is the most valuable asset for any organization.
Prevention is about reducing the attack surface of your systems. You may be facing threats that range from targeted attacks by sophisticated attackers to the commodity drive-by attacks that greet every new open port on the Internet. The simplest things you can do to reduce the attack surface are the following:
- Make sure you are receiving your security advisories from Microsoft and other vendors.
- Agree with your stakeholders on SLAs for patching based on severity level (e.g. 24-48 hours for a critical patch, longer periods for non-critical patches) to simplify decision-making when a patch is released.
- Look closely at the users and privileges for your applications. Regularly weed out unused accounts and keep privileges to the bare minimum that an account needs for legitimate use. This can be hard on older applications and systems that have been running for a long time, but these are also some of the most vulnerable attack vectors. Microsoft has detailed guidance on exactly what permissions each version of SQL Server needs.
- Keep up-to-date information about your assets (servers, databases, etc.) and the software you are running. Particularly if you can do this in an automated fashion, it will have many non-security benefits as well.
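The privilege review and inventory steps above, as an added T-SQL check for a SQL Server instance (example code, not from the original post). It assumes SQL Server 2012 or later and a login with VIEW ANY DEFINITION (or sysadmin) so that every principal is visible.

```sql
-- Added example (not from the original post): a least-privilege and patch-level
-- check for a SQL Server instance. Assumes SQL Server 2012 or later and a login
-- with VIEW ANY DEFINITION (or sysadmin) so that all principals are visible.

-- 1. Patch level: record it in your asset inventory and compare it against the
--    vendor's current servicing level when an advisory arrives.
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,        -- RTM / SPn
       SERVERPROPERTY('ProductUpdateLevel') AS product_update_level; -- CUn

-- 2. Members of high-privilege fixed server roles. Every row is an account that
--    can take over the instance; each should be justified and still in use.
SELECT r.name      AS server_role,
       m.name      AS member_name,
       m.type_desc AS member_type,
       m.is_disabled,
       m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 3. Orphaned users in the current database: users whose SID no longer matches
--    any server login (a common leftover after restores and staff changes).
SELECT dp.name      AS orphaned_user,
       dp.type_desc AS user_type
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.sid IS NULL
  AND dp.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND dp.authentication_type_desc = 'INSTANCE'
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');

-- 4. Members of db_owner in the current database. Application accounts rarely
--    need it, and membership here is a frequent source of over-privilege.
SELECT m.name AS db_owner_member,
       m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner'
  AND m.name <> 'dbo';
```

Run sections 3 and 4 in each user database (for example via a loop over sys.databases) and keep the results with your asset inventory so that the review can be repeated on a schedule.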
Detection is not all on you, but there are things you can do to make it easier. Most security incident detection relies on the correlation of data from multiple systems to identify potential incidents.
Companies use Security Information Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solutions such as Azure Sentinel (cloud-native), or Splunk, IBM QRadar, etc. to process and correlate logs from networks, servers, and applications. You can help this effort by talking to your security team about what data they need from your systems and how they collect it. Doing this work upfront will be valuable in the event of a major breach because your security team will already have a reliable copy of your logs and will not be trying to retrieve them from production systems.
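One way to produce the login and privilege-change events a SIEM team usually asks a SQL Server owner for, as an added example that is not from the original post. It assumes SQL Server 2012 or later, a folder D:\SqlAudit\ that the SQL Server service account can write to, and a login with ALTER ANY SERVER AUDIT (or sysadmin); the audit and folder names are placeholders.

```sql
-- Added example (not from the original post): a SQL Server Audit that records
-- the events a SIEM typically wants, written to a file a collector can ship off
-- the server. Assumes SQL Server 2012+, a writable D:\SqlAudit\ folder, and a
-- login with ALTER ANY SERVER AUDIT (or sysadmin). Names are placeholders.

-- 1. The audit target. TO FILE keeps records off the production log tables;
--    TO SECURITY_LOG or TO APPLICATION_LOG is an alternative when the SIEM
--    agent already collects the Windows event logs.
CREATE SERVER AUDIT SiemSecurityAudit
TO FILE (FILEPATH = 'D:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. What to capture: failed and successful logins, plus any change to logins,
--    server-role membership, or the audit itself. Correlated with network and
--    host logs, these are the events that reveal credential attacks and
--    privilege escalation.
CREATE SERVER AUDIT SPECIFICATION SiemSecurityAuditSpec
FOR SERVER AUDIT SiemSecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)   -- tampering with the audit configuration
WITH (STATE = ON);
GO

ALTER SERVER AUDIT SiemSecurityAudit WITH (STATE = ON);
GO

-- 3. Spot-check what the collector will see. event_time is stored in UTC, so
--    the window below is computed in UTC as well. The same query is useful
--    during an incident if the central copy is unavailable.
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,
       client_ip,
       statement
FROM sys.fn_get_audit_file('D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
ORDER BY event_time DESC;
```

Agree the retention (MAXSIZE and MAX_ROLLOVER_FILES) and the pickup path with the security team before enabling this, so that files are collected before they roll over.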
Responding to a security incident may include locking down systems, gathering forensic information, and a variety of other activities. If you are not sure how your organization handles security events, ask your security team. It may be possible for you and your colleagues to participate in “red team exercises” or other drills that simulate a security event. Hands-on experience will be way more valuable than any article you can read on the Internet.
In addition to these specific areas, improving your operational processes will make it easier to help protect your data. The increased agility that comes with adopting Data Ops practices makes it easier to test and roll out changes, giving you more options and reducing risk when you need to quickly apply patches or make changes in response to a security event.
Data security is hard. There’s a lot of information that’s out there and it’s hard to know what to implement and what to skip over. In addition, it seems like we hear a lot about the numbers behind the data breaches, but not the technical details of how the breach occurred. However, it’s the latter that’s of value to those in information technology and information security.
If you’re interested in a closer technical look at some data breaches that impacted database systems, check out the upcoming SentryOne webinar, Learning From Data Breaches – An Overview.
In this webinar, fellow MVP Kevin Kline will look at different data breaches that we know the technical details about. He will discuss how attackers got in and how they got out with the data, and what vulnerabilities the attackers took advantage of and how to shore up those weak points.
About the Author
This blog post is authored by Beth Linker (Director of Product Management). Beth oversees the SentryOne cloud product lines, and has led product teams responsible for bringing SaaS offerings to market at leading technology companies including Dell EMC and Acquia.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.