In this Help Net Security interview, Pranava Adduri, CEO at Bedrock Security, discusses how businesses can identify and prioritize their data security risks.
Adduri emphasizes the necessity of ongoing monitoring and automation to keep up with evolving threats and maintain the shortest possible MTTD/MTTR. He also discusses the role of AI in enhancing security measures while acknowledging the new risks it introduces.
How can businesses identify and prioritize their data security risks?
The first step to managing data security risks is to identify and understand what data you have. That means creating a comprehensive data inventory, one that includes all data stored across different systems and cloud environments, whether that data is structured or unstructured. Then you need to classify your data based on its sensitivity — confidential, restricted to internal access only, or public. Without this level of data visibility, managing data security risks is impossible, because data has no rules.
More than ever before, businesses generate and use data across a wide range of different use cases, users, and environments. Data is constantly growing, moving, and changing, making it both difficult to manage and irresponsible not to. At the same time that the data is expanding, malicious adversaries are taking advantage of this growing attack surface.
Attackers will use whatever tools and techniques are available to them to compromise this data. To make a meaningful impact on reducing data security risks, you need to ensure that your organization has the shortest MTTD/MTTR (meantime to detection/response) possible across all data. A continuous and comprehensive data inventory, coupled with robust monitoring tools and automation, helps ensure that security teams can keep up with the ever-changing threats on data easily, even as that data is created, shared, and used everywhere.
What are the primary components of a comprehensive data security strategy?
Regardless of the maturity of a data security program, the most foundational component is the ability to discover and classify data—everywhere, accurately, and cost-effectively. This data visibility serves as the foundation for quicker MTTD/MTTR, enabling rapid updates as data and threats inevitably change. That data governance must include automatic classification of data, including unstructured data, in order to ensure that sensitive data is appropriately protected. Understanding new data types and contexts is particularly important because it helps you implement appropriate security measures and address data privacy concerns as new regulations emerge.
As organizations mature, enabling a DDR (data detection and response) program validates observations of risks to data and enforces company best practices and regulatory policies automatically without requiring adherence to static data classification rules. This approach allows more dynamic data classification, which aligns to organizational needs as data growth continues to accelerate.
Finally, for more advanced programs, enterprises can reduce data security risk proactively by pursuing the principle of least privilege initiatives to ensure that only those who require data have access to it, reducing the overall data risk surface (that is, by identifying and minimizing unused data), by hardening data to make it more resistant to unauthorized access (such as data encryption, data masking, and anonymization), and identifying core IP assets to ensure that they are appropriately protected.
How is the increasing use of AI impacting data security positively and negatively?
AI is critical for ensuring security teams can keep up with the rapid progression of data growth and modern attack techniques. However, using AI is not just leveraging a “co-pilot”—it is transforming how the system can dynamically adapt and respond to threats at the speed of data growth and attack. AI can help by enhancing threat detection, automating threat response, improving the speed and accuracy of analysis of user behavior patterns and anomalies, and automation of routine security tasks.
On the negative side, AI introduces new potential attack vectors. Attackers may identify and use vulnerabilities in AI models or possibly even use them to manipulate the data that’s used for training or decision making. AI models can also lack transparency in terms of why a system flagged an event as suspicious, which could make it more difficult for security teams to analyze an event effectively. And of course, there’s also the risk that adversaries could use AI to launch large-scale cyberattacks or automate social engineering techniques. These risks highlight the importance of organizations using and implementing AI responsibly to effectively counter them.
What key performance indicators should organizations track to measure the effectiveness of their data security programs?
Most effective programs measure data security programs with these key KPIs:
- MTTD/MTTR – for data security and compliance issues.
- Operating costs – for ensuring the lowest MTTD/MTTR. High operating costs will force a poor MTTD/MTTR result.
- Human efforts/resources – this is required as constantly changing rules or co-pilot systems require people and training, increasing costs and MTTD/MTTR.
What emerging technologies or trends do you foresee impacting data security in the next five years?
Fundamentally, the cyber industry has been trying to protect everything that leads up to the data itself (network, identity, application, etc.). We see newer technologies that leverage AI to find data critical to the business, identify violations of policies, and take action without ongoing human intervention. More importantly, this will be a policy step that becomes independent of the underlying infrastructure (data in AWS, Azure, or Snowflake, for example), which today requires a vendor-specific approach. Imagine protecting data without having to say no to the business—and letting data sprawl safely.