Faster Unstructured Data Discovery: 4 Steps to Greater Visibility & Faster Response
Unstructured data poses new challenges for security and legal teams
When it comes to responding to major incidents or risks to the company, security and legal teams have always worked closely. Security manages day-to-day risk in the organization — and relies on legal to add another layer of protection for the business in the event of more serious risk. Legal relies on security to provide relevant details to expedite response.
But here’s what’s throwing a wrench in that coordinated response: the most valuable information most organizations have is now unstructured data — source code, design files, customer lists, market strategy and other trade secrets that drive competitive advantage. And the biggest threats to that unstructured data are now internal — their own colleagues.
Investigations are too long — response is too slow
Security teams are increasingly realizing that their existing security tools and processes fail to give them the immediate visibility they need to investigate users’ risky activity and answer the critical questions around who, what, when and where. They’re resorting to ad hoc investigations that take too long and cost too much — and ultimately leave legal without the ability to respond in time to stop potential damage to the business.
This guide outlines four simple steps for accelerating and enhancing your search for the relevant needles in the exponentially growing digital haystack of unstructured data. Arming your security and legal teams with a smarter approach to seeing and investigating risky activity is a powerful strategy for mitigating the growing insider threats facing your organization.
Structured data — structured protection
Traditionally, the most valuable and sensitive data in an organization existed in structured formats — things like customer records, patient records, payment information, etc. For security and legal teams, the approach to protecting structured data is very, well, structured. Structured data has defined formats that can be easily recognized — so its movement can be easily monitored and controlled. Because of this, the scope of protected, structured data is also easier to define. Conventional data security tools are built for this task — and modern DLP and CASB products are incredibly smart, sophisticated and just-plain-good at providing a structured approach to protecting structured data.
The problem with unstructured data
Protecting unstructured data requires a much more flexible and comprehensive approach. You’re dealing with a much bigger digital haystack than you ever imagined, thanks to three key factors:
It’s hard to define. There aren’t neat and tidy formats, definitions or boundaries around what your valuable, unstructured data is, where it lives and how it moves. Moreover, those definitions and boundaries evolve in real time. A file can go from early-stage, work-in-progress to highly sensitive trade secret in a matter of weeks or even days.
It lives everywhere. Unstructured data lives everywhere — not just within structured internal networks. More and more of it is created, iterated, shared and stored in the cloud — and sometimes that data never touches an internal network or device.
It’s user-controlled. Unstructured data is both the fuel and the product of modern productivity, collaboration and innovation. It’s the work that your employees are doing — and the value they’re creating — every day. And that means it’s fully controlled by your users. They need to be able to create, move and share unstructured data — or work, as we know it today, simply doesn’t happen.
Conventional security tools aren’t built for flexibility
The same functionalities that make conventional security tools like DLP and CASB so good at protecting structured data mean that they are fundamentally not built for the kind of flexible, comprehensive approach needed to monitor and protect unstructured data.
HOW CONVENTIONAL SECURITY TOOLS FALL SHORT:
They only look for what you tell them to. Conventional security tools are built around prevention. But they only protect what you tell them to protect, and they only prevent what you tell them to prevent. The evolving nature of unstructured data and the creativity of your users mean that you simply can’t think of everything — leaving gaps in your prevention policies.
You don’t know when you’ve been beaten. When a user does something you weren’t watching for — whether it’s a creative workaround, or just a file you hadn’t considered — you’re left unprotected.
Their rules are rigid. Conventional security tools use rigid if/then logic to block risky user activities. They’re unable to consider the context surrounding an activity, so they leave security teams choosing between alert fatigue and a laundry list of policy exceptions that present their own risks.
You’re overwhelmed by noise. Your users are constantly moving, sharing and iterating on valuable files — and you’re trying to find the signal of risk amidst the incredible noise of legitimate everyday productivity.
They can’t see into the cloud. Conventional security tools weren’t built for the modern cloud- and web-driven world of work. Their visibility and blocking capabilities are largely limited to on-premises data and activities — leaving a huge gap for cloud activity.
You’re flying blind. A user can create and share a highly valuable file — a product roadmap presentation, for example — entirely in the cloud in minutes. And you have zero visibility.
Result: Security can’t answer the big questions
Applying a conventional, structured approach to unstructured data leaves dangerous gaps in visibility and control — and leaves security unable to quickly answer the big questions that drive a coordinated security and legal response to risk:
What happened?
Who tampered with data?
Who accessed files?
Did they modify the files? When?
Did they move files? When and where?
If they moved them, who else had access in that new location?
4 steps to finding — and protecting — the needle in the haystack
The amount of unstructured data in the typical organization is growing exponentially, rapidly expanding the digital haystack that security and legal teams must contend with. Having the immediate visibility required to answer these questions rapidly, and to quickly unravel the full story around risky activity, is critical to enabling a rapid response that effectively mitigates risk to the data and the business. Here are four actionable steps to begin building an insider threat program that delivers the capabilities you need to quickly find and protect the valuable needles in your expanding digital haystack:
1. Focus on comprehensive visibility. Visibility is the foundation for smarter, faster investigation and response. That’s why the first step is to put tools and processes in place that give your security team comprehensive visibility of all data — both structured and unstructured, on-premises and in the cloud, on local devices and mobile devices, etc. Because your most valuable unstructured data can change from day to day, month to month and year to year, you need to build your program around the premise that all data matters.
2. Identify your valuable data. While the bounds and definitions of your most valuable unstructured data are fluid, that doesn’t mean it’s not worthwhile to at least identify your known valuable unstructured data as it exists today. Security teams should work with line-of-business (LOB) leaders to make lists of the most valuable — and most vulnerable — data and files owned by each department or team. Where possible, implement measures to make it easier to segment or identify this known valuable data — such as naming conventions, designated file storage locations, etc.
3. Put your data in context. Looking at the entire digital haystack is overwhelming — and nearly impossible. But you don’t have to — and you shouldn’t. Just as it’s worthwhile to identify your known valuable data, it’s important to start by identifying the biggest data loss risks in your organization. For most companies, this list starts with the following scenarios:
Departing employees
Onboarding employees
M&A and company reorganizations
High-risk employees/high-value data access
Once you’ve identified your biggest risks, you can use your security tools and processes to put unstructured data movement in context — differentiating user activity that’s associated with high-risk scenarios from activity that is not.
4. Focus on the data — not the people. It seems obvious that data security should focus on the data. But it seems just as intuitive that an insider threat program would focus on the insiders themselves. The reality is people are unpredictable — and insider threat risks can come from anyone, anywhere in the organization. Moreover, at the end of the day, you don’t care what your users do — you care what your data does. It’s your valuable data that you want to see and protect — so that’s where your insider threat program should focus. If you can see if and how your data moves, then you can:
Know exactly what risky actions have been taken — and hold users accountable.
Be prepared to answer any legal inquiries — from competitors, regulators or your own legal team — with total confidence.
Protect your business’ most valuable information.
See. Investigate. Respond. Quickly.
Both security and legal teams know that their job isn’t just to prevent risk — it’s to effectively respond to risk to mitigate damage to the business. Yet the conventional approach to data risk has been extremely prevention-centric. This approach worked well enough when the data Security and Legal were protecting was neatly structured, easily defined and conveniently contained within internal networks and devices. But as the focus shifts to unstructured data that’s hard to define, constantly evolving and dynamically moving well beyond internal networks, coordinated Security and Legal teams need to expand their approach beyond conventional prevention tools alone. The first step is recognizing that all data matters — and working to put tools in place to gain visibility into the expanding haystack of unstructured data living inside the network, on user devices roaming the world, and in the cloud. It’s no small challenge — but forward-thinking organizations are already building advanced insider threat programs that make a big impact by starting relatively small: Building simple workflows around seeing, investigating and responding to their biggest data loss risks — faster.