
Data Protection 2.0: It’s Not Just Names and Numbers Anymore
WHITE PAPER

Jim Maloney, President and CEO, CyberRisk Securities, and
Mark Evertz, Security Solutions Manager, Tripwire
Introduction

CISOs and their security programs face nearly overwhelming pressure to take a renewed focus on data protection. The external forces of advanced threats and a multitude of compliance obligations, combined with the internal forces of new business initiatives, lead to a complex set of data protection requirements. These requirements are then overlaid on an explosion in the volume of data generated and a variety of locations where that data may reside. And if that’s not enough, the scope of data to be protected includes not only customer data, but internal data and system data as well.

A vigorous focus on data protection by the information security industry and a migration of organizational CISOs toward an information-centric approach can be traced back to early 2007. At the February 2007 RSA Conference, leaders of two of the largest security vendors began to bang the drum for a data protection mandate in their keynote presentations. Both speakers highlighted the need for a deliberate focus on protecting data—as opposed to a focus on protecting systems—to address a rapidly disappearing perimeter. Their views reverberated then, and can still be felt today.

Driven by expanding compliance obligations, increasingly sophisticated external threats and ever-changing business requirements, organizations are rediscovering the foundational concepts of information security—objectives that focus on the protection of data. By its most literal definition “information security” means the protection of data. But today both the volume and scope of the data to be protected are much greater.

In terms of the sheer volumes of data to be protected, from 2009 to 2020 the amount of data in the ‘Digital Universe’ is expected to grow by a factor of 44 times to 35 trillion gigabytes.[1] And although identity, financial account and credit card data are the most sought after—even surpassing illicit drugs as organized crime’s most desirable commodity—the compromise of system data (configurations, settings and log files) can be the gateway for access to this data. In terms of data scope, clearly system data needs to be on the radar for protection.

From the beginning of the modern era of information security in the late 1960s, information security has evolved to include protection of computing platforms, applications and networks, with the focus on data protection becoming somewhat diluted. Certainly computer, application and network security are key contributors to information security, but businesses should not lose sight of the fact that one of the main reasons computers, applications and networks are protected is to safeguard the data that is being stored and processed.

Corporate security teams who build a security program around a clear objective such as data protection will tend to have better focus, clearer direction and a faster path to identifying threats and vulnerabilities before data is compromised. Just as in problem solving, where root-cause analysis provides better focus, a root objective such as data protection can be useful in driving security initiatives and providing improved focus for a security program.

Even if a particular security initiative is specific to one particular aspect of information security, such as protecting a network, the justification and objectives for that initiative can always be traced back to data protection. Recognizing data protection as the underlying objective for information security programs and initiatives allows IT Security, Compliance and Operations teams to better align with a bridge-building end goal—protecting the business and its customers.

The remainder of this paper provides an overview of the many data protection challenges CISOs face and suggests a sequence of five actions to take to address these challenges.

The Evolution of Information Security

The first comprehensive information security presentation was part of a session chaired by Willis H. Ware of RAND Corporation at the Spring Joint Computer Conference of 1967.[2] It could therefore be said that the modern era of information security is about four decades old. Information security rapidly evolved as both a discipline and an industry in parallel with the broad-based adoption of computers for government, business and then personal use.

In the early days of information security, when there was limited networking and no Internet, there was some reasonable correlation between the more established concepts of physical security and the emerging ideas around information security. Early implementations of information security put controls around data and systems in a manner similar to protecting a physical perimeter.

Within two years of the first information security presentation, the first ARPANET link (the predecessor to the Internet) was established. The link connected the University of California, Los Angeles, and the Stanford Research Institute and occurred at 22:30 hours on October 29, 1969.[3] The omnipresence of data and data processing, along with the notion of a disappearing perimeter as demands for data sharing increased, marked the beginning of the end for perimeter-centric security models for information security. In some sense, the level of protection that might be directed at the data itself can be thought of as the new “micro-perimeter,” in contrast to a traditional perimeter focused on protecting the data’s environment.

As time went on, the scope of information security progressed through the core elements of a computing system, beginning with mainframes and internal networks, and eventually encompassing external networks, servers, desktops, system services, applications, and even the end user. Along the way, the focus shifted more toward protecting systems and farther away from the original objective of protecting data.

Data Protection Objectives

A useful working definition and set of objectives for information security is provided in the ISO/IEC 27001 standard: the preservation of confidentiality, integrity and availability of information. This is sometimes referred to as the CIA Triad. Although debate about including other information protection attributes such as accountability, authenticity, non-repudiation and reliability has been almost continuous, the security community generally agrees on the original three attributes as key objectives.

Information security is a moving target; declaring victory after meeting these CIA objectives a single time is inadequate. Data and the systems that store and process it live in an ever-changing environment. Threats and threat agents constantly try to exploit new vulnerabilities, surfacing when changes in both technology and business operations introduce potential new vulnerabilities. As thought leaders in the security industry have said many times, information security is a journey, not a destination.

The Pervasiveness of Data

How much data is out there? Lots. How fast is it growing? Very fast. Where is it coming from? Everywhere. Here are some eye-opening statistics and projections recently published in the Digital Universe report by IDC.[4]

• In 2009 the amount of data in the “Digital Universe” grew by 62% to nearly 800,000 petabytes (a petabyte is a million gigabytes).
• By 2020, the Digital Universe will be 35 trillion gigabytes—44 times larger than it was in 2009.
• Nearly 75% of the Digital Universe is a copy—only 25% is unique.
• While enterprise-generated data accounts for 20% of the Digital Universe, enterprises are liable for 80% of the data that is created (the majority created by end-users).
• By 2020, more than one third of all the information in the Digital Universe will either live in or pass through the “cloud.”

From this research, clearly an extremely large and growing body of data resides in many locations, making the achievement of data protection objectives even more challenging tomorrow than it already is today.

Increased Scope of Data

Not only is the volume of data increasing, the scope in terms of types of data that need to be protected is increasing as well. Customer data and sensitive internal data are the first to come to mind, but system data, comprised of system configuration, settings, and log files, must also be in scope for data protection. The importance of system data, and its impact on security, is driving the development of “The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities” by NIST. In the introduction of the document, this sobering comment is made:

“Because of the number of vulnerabilities inherent in security configuration settings and software feature misuse possibilities, plus the number of software flaw vulnerabilities on a system at any given time, there may be dozens or hundreds of vulnerabilities on a single system.”

The 2010 Verizon Data Breach Investigations Report also noted that hackers are increasingly exploiting configuration weaknesses and programming errors rather than software vulnerabilities in order to steal information from computer systems. This same report noted a trend towards “anti-forensics” with respect to log files, which consists of criminals tampering with or deleting logs to hamper detection and investigations.[5]

Some examples of data within the categories of customer, internal and system data include:

Customer Data | Internal Data | System Data
Personal data | Business plans | Firewall configurations
Financial data | Intellectual property | Router configurations
Health records | Customer lists | Platform configurations
Cardholder details | Employee lists | Accounts & permissions
Criminal records | Contracts | Event logs

Compliance Obligations, External Threats and Internal Change—A Data Protection Mandate

Protecting data has always been the right thing to do. But various government and industry entities, prompted by instances of large data breaches and growing user privacy concerns, have decided to further motivate business and government in this area via laws, regulations and industry standards. The majority of these compliance obligations focus on protecting data related to individuals (maintaining privacy, protecting identities) and businesses (preventing industrial espionage, maintaining continuity of critical services). In some cases the compliance obligations are directed at the computing systems themselves, placing emphasis on maintaining system availability and protecting system data.

Another facet of compliance is the body of laws related to breach notification. The first breach notification law was passed in 2003 (California SB 1386) in response to concerns about the rise in identity theft. Following California’s lead, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information (as of April 12, 2010).[6] A US federal law is also being considered.

Breach notification is indirectly focused on data protection by requiring disclosure of data breaches—or in some cases, simply the suspicion of a data breach—to those impacted individuals. Trying to avoid the potential impact on brand and reputation provides additional motivation for a business to prevent the breaches from happening in the first place by utilizing various data protection techniques.

Two additional elements of the mandate for data protection are external threats and internal change. External threats continue to evolve into increasingly sophisticated forms including advanced persistent threats, new forms of phishing and social engineering via new messaging channels, and targeted, adaptive malware. Internally, business needs that include the continued demands for sharing data with partners and leveraging the financial benefits of cloud computing drive the further erosion of the organization’s network perimeter. The combination of compliance, external threats and internal change creates an extremely challenging environment for data protection.

Examples of compliance obligations

Compliance Item | Primary Locale | Industry | Data Focus
UK Data Protection Act | United Kingdom | All | Customer Data
Data Protection Directive | European Union | All | Customer Data
Privacy and Electronic Communications | European Union | All | Customer Data
Federal Information Security Management Act | United States | US Federal Agencies | System Data
Privacy Act of 1974 | United States | US Federal Agencies | Customer Data
Health Insurance Portability Act | United States | Health | Customer Data (Health Care)
HITECH Act | United States | Health | Customer Data (Health Care)
Identity Theft Red Flags Rule | United States | Financial | Customer Data (Identity Information)
Gramm-Leach-Bliley Act | United States | Financial | Customer Data (Financial Information)
Payment Card Industry Data Security Standard | All | Firms that are part of the credit card processing cycle | Customer Data (Cardholder and Sensitive Authentication Data)

More Than a Mandate—Data Protection as a Business Enabler

Compliance with laws and regulations forces businesses and their information security programs to implement specific aspects of data protection following some level of prescribed guidance. As the number of compliance obligations grows, security programs find themselves being driven into a reactive mode by a nearly continuous stream of internal and external audits related to compliance and the corresponding audit findings. This compliance-driven approach to security is typically a piecemeal, bottom-up approach that is rarely efficient or effective.

What if data protection were used as an overall objective for a security program and driven top down in a proactive manner? The first effect might actually be improved compliance with less pain. A security program driven by maintaining the confidentiality, integrity and availability of data at the appropriate levels will meet most of its compliance obligations, leaving only occasional exceptions to address.

It is intriguing to also consider that improved data protection can add value as a business enabler, unlike compliance-related activities that generally add no value to the business. From a customer-facing perspective, improved data protection can lead to the development of new products and services. A great example is online banking, a service that many banking customers use and greatly appreciate, but that is only feasible with the appropriate levels of data protection.

Improved data protection can also enable better and faster internal decision making when data such as process metrics, internal trends and external trends is shared with confidence across an organization. Competitive positioning can also be enhanced via improved trust relationships with customers, employees, partners and suppliers.

Finally, improved data protection as it applies to system data can improve the overall security and operational posture of an organization. As noted in Visible Ops Security,[7] by protecting configuration data and settings via restricted system access and more rigorous change control, systems become more secure and more stable.

Tripwire VIA Applied to Data Protection

Although people and process are critical elements of any security solution, technology is often the key to making a solution more timely, more accurate and scalable. How can technology help? While some technologies aim to protect customer and internal data (encryption-based tools and data loss prevention systems) and many protect systems (firewalls, IDS, IPS, anti-virus), fewer address the problems specifically associated with protecting system data. And in a world with a rapidly disappearing perimeter, a focus on protecting system data provides a needed, critical layer of defense.

A good example of technology to deal with protection of system data is the Tripwire® VIA™ suite. The emphasis of this suite is to provide the visibility, intelligence and automation that IT security and IT operations need to detect and analyze system changes—both malicious and accidental—that could ultimately impact data protection objectives. The Tripwire VIA suite combines information from Tripwire® Enterprise and Tripwire® Log Center in a way that rapidly identifies vulnerabilities from non-secure or non-compliant configurations as well as any resulting data breaches. By automatically correlating change and configuration data from Tripwire Enterprise with the log and event data from Tripwire Log Center, the Tripwire VIA suite provides visibility across these silos of system data.
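The change-to-log correlation described above, as an added example that is not Tripwire’s code: change events from an integrity monitor are joined with firewall and authentication log events from the same host inside a ten-minute window, and the pairings that threaten data protection (a forbidden port opened, a new web file followed by an outbound connection, an account file change followed by a user addition) are raised as findings. Both feeds, the host names, paths, the window and the forbidden-port policy are constructed for this example.

```python
"""Correlate integrity-monitoring change events with log events (added example, not Tripwire code)."""
import re
from datetime import datetime, timedelta

# Constructed sample feed from a file/configuration integrity monitor: time host kind detail.
CHANGE_FEED = """\
2010-05-03T02:14:07 web01 file_added /var/www/html/.t.txt
2010-05-03T02:15:30 web01 file_modified /etc/passwd
2010-05-04T11:02:00 db02 port_opened 21
2010-05-04T11:05:00 app03 file_modified /etc/motd
"""

# Constructed sample feed from a log collector: time host source detail.
LOG_FEED = """\
2010-05-03T02:14:09 web01 firewall OUT 203.0.113.5:443 bytes=51200
2010-05-03T02:16:02 web01 auth useradd ops2
2010-05-04T11:03:12 db02 firewall IN 198.51.100.7:21 accept
2010-05-04T11:09:00 app03 firewall OUT 192.0.2.10:53 bytes=120
"""

# Assumed policy for this example: ports an in-scope host must never start listening on.
FORBIDDEN_LISTEN_PORTS = {21, 23}
# Account files whose change is suspicious when a user is added right afterwards.
ACCOUNT_FILES = {"/etc/passwd", "/etc/group", "/etc/shadow"}
WINDOW = timedelta(minutes=10)  # how long after a change we look for related log events
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_feed(text):
    """Parse 'time host kind detail' lines into dicts sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, kind, detail = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "host": host,
                           "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["time"])


def related_logs(change, logs):
    """Log events from the same host that fall inside WINDOW after the change."""
    return [l for l in logs if l["host"] == change["host"]
            and change["time"] <= l["time"] <= change["time"] + WINDOW]


def correlate(changes, logs):
    """Return (host, description, severity) findings for changes that threaten data protection."""
    findings = []
    for ch in changes:
        nearby = related_logs(ch, logs)
        fw = [l["detail"].split() for l in nearby if l["kind"] == "firewall"]
        if ch["kind"] == "file_added" and ch["detail"].startswith("/var/www/"):
            # A new file in the web root followed by an outbound connection from the host.
            if any(f[0] == "OUT" for f in fw):
                findings.append((ch["host"], "new web file followed by outbound connection", "high"))
        elif ch["kind"] == "port_opened" and int(ch["detail"]) in FORBIDDEN_LISTEN_PORTS:
            # Policy failure on its own; higher severity if inbound traffic already reached the port.
            hit = any(f[0] == "IN" and f[1].endswith(":" + ch["detail"]) for f in fw)
            findings.append((ch["host"], "forbidden port %s opened" % ch["detail"],
                             "high" if hit else "medium"))
        elif ch["kind"] == "file_modified" and ch["detail"] in ACCOUNT_FILES:
            # Account file changed and a user added shortly after: possible unauthorized user.
            adds = [l for l in nearby if l["kind"] == "auth" and l["detail"].startswith("useradd")]
            if adds:
                findings.append((ch["host"], "account file changed, user added: "
                                 + adds[0]["detail"].split()[-1], "high"))
    return findings


def run():
    """Correlate the two constructed feeds."""
    return correlate(parse_feed(CHANGE_FEED), parse_feed(LOG_FEED))


if __name__ == "__main__":
    for host, what, sev in run():
        print(sev.ljust(6), host.ljust(6), what)
```

The benign change on app03 (a modified /etc/motd followed only by a DNS lookup) produces no finding, which is the point of joining the two feeds rather than alerting on every change.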

Specifically, the Tripwire VIA suite:

• Assures system integrity at all times;
• Assesses configurations against policies, best practices and regulatory mandates;
• Remediates any configuration errors, patch vulnerabilities, and security policy shortfalls on demand;
• Combines log and event data with real-time change data to immediately reveal events of interest that impact policy or threaten data protection;
• Supports data breach investigation by providing access from a Tripwire console to log and event data related to a file or configuration change;
• Offers global search capabilities to identify patterns of activity and threats to data that might relate to specific system changes;
• Provides visibility to downstream impacts of a given change, such as all changes or events associated with the addition of unauthorized users; and
• Enables instant audit logging across Tripwire Enterprise-monitored infrastructure without installing additional code on individual systems.

The Tripwire VIA Suite in Action

Noted here are two examples of how the Tripwire VIA suite contributes to the protection of data in a complex IT environment.

• Accidental configuration change—If an alert is generated that a server has failed a PCI DSS compliance policy test due to an FTP port being opened, the following actions can be taken. First, Tripwire Enterprise is used to test the failure against the policy. Then, using Tripwire Log Center, the investigator can toggle back and forth between a complete history of versions and changes in Tripwire Log Center, revealing potential attack footprints and aligning them with any actual permission changes in the system. If the investigator sees something that resembles an attack or a configuration error that puts data at risk, he or she can immediately remediate the problem using the Tripwire Remediation Manager module.

• Advanced persistent threat—One of the characteristics of an advanced persistent threat is the use of a “low and slow” technique to breach a system. A typical example of an attempt to access a database of sensitive data might be as follows. First, the attacker scans the system looking for a vulnerability related to an unpatched system. Finding an opening, the attacker uploads a small text file to see if this is detected. If not, a tool to assist in the upload of software is installed. Following this, a database upload tool is installed and a small amount of data is extracted and transferred to an external server controlled by the attacker. Finally, the entire targeted data set is copied to the external server. All of this occurs over a period of several months with gaps of a few weeks between steps. Using the combination of Tripwire Enterprise to detect the upload of the text file, with firewall log and system event data from Tripwire Log Center, the organization detects the attack early, before any sensitive data is compromised.

This ability to correlate change and configuration data with log and event data ensures data protection by identifying and helping to remediate vulnerabilities before they are exploited. And by detecting breaches much sooner, organizations are able to minimize the time from detection of a vulnerability to exploitation, potentially eliminating compromises of sensitive data.

The Future of Data Protection

So far the past and present of data protection have been discussed with just a glimpse into the future by acknowledging the exponential increase in the volume and types of data. What might the future of data protection look like? Here are a few thoughts:

• It is clear that the future will include more customer, internal and system data, in more locations, with more replication (as noted in the previously referenced IDC report). Having visibility of the current status, locations and change activity related to data will help make the Digital Universe more manageable and secure.

• Protecting data irrespective of its location will enable the distribution of data while maintaining the required level of protection. In other words, intelligent controls for data protection should follow the data instead of being dependent upon the data’s current environment to provide the controls. This approach becomes even more important as data is transferred through and stored in clouds that may have inadequate security controls relative to a particular type of data.

• More emphasis on recognizing patterns of acceptable and unacceptable user and system behavior will be necessary. Instead of implementing exponentially increasing volumes of specific signatures, a behavioral-based approach can make monitoring, detection and response more scalable, further enhancing data protection. Some behavioral-based solutions are in place already, but expanding this approach to data protection will become increasingly important.

• With security professionals and hackers in a constantly escalating battle, it seems that development of data protection controls that can automatically adapt to new situations would make systems self-healing and more resilient. This is an area of research that deserves more attention.

In other words, pushing the concepts of the Tripwire VIA suite—visibility, intelligence and automation—even further could lead to some very interesting and effective improvements in data protection.

Final thoughts

A renewed focus on data protection is really a trip back to the roots of information security and a reasonable approach for the future. This statement is especially true for a future that includes clouds of storage and processing where networks, platforms and applications are combined into remote services that may not be owned or controlled by the enterprise.

As a takeaway, the following five elements, or “Data Protection 101,” should be applied with new vigor to the “data protection 2.0” world. Although these are fairly simple and intuitive actions to take, the Verizon report noted that only 4 percent of the breaches in their caseload required preventative measures that were “difficult and expensive.”[8] So even as some attacks become more complex, the basics of data protection are still relevant.

• Integrated requirements—Identify and consolidate all relevant obligations for data protection compliance.
• Situational awareness—Establish a situational awareness process for monitoring external threats and internal changes to the business that could have an impact on data protection.
• Critical data inventory—Inventory and track the locations of critical data, how it is being used and by whom.
• Risk assessment—Assess data protection controls (people, process and technology) against compliance obligations, external threats and internal business needs.
• Mitigation and measurement—Update controls as needed and use metrics to determine the efficiency and effectiveness of data protection controls. Treat system data with the same care as customer and internal data.

If data protection is once again used as a primary objective for information security programs, IT organizations will increase their ability to reduce compliance burdens, improve customer relationships, and introduce new products and services.

[1] 2010 Digital Universe Study, Version: 4-26-2010, page 1, IDC. http://gigaom.files.wordpress.com/2010/05/2010-digital-universe-iview_5-4-10.pdf
[2] Computer Security Basics, Deborah Russell and G. T. Gangemi Sr., page 28 (Sebastopol, CA: O’Reilly & Associates, 1992).
[3] http://en.wikipedia.org/wiki/History_of_the_Internet
[4] 2010 Digital Universe Study, Version: 4-26-2010, pages 1, 4, 10, 11, IDC. http://gigaom.files.wordpress.com/2010/05/2010-digital-universe-iview_5-4-10.pdf
[5] 2010 Data Breach Investigations Report, pages 29 and 52. http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
[6] http://www.ncsl.org/Default.aspx?TabId=13489
[7] Visible Ops Security, Gene Kim, et al., pages 26-38 (Eugene, OR: IT Process Institute, 2008).
[8] 2010 Data Breach Investigations Report, page 56. http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

ABOUT TRIPWIRE
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and
government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated
solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive
suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way
organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through
Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter.

©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPDP1a
