How to refocus your cybersecurity team’s assumption of compromise paradox to a data protection model

About the author

From solutions architecture to security, Gabe Gumbs brings deep technical experience to his position as Chief Innovation Officer at Spirion. He leads the Spirion team through strategic product development to create technologies that push data security forward in an increasingly complex digital world.

“The test of a first-rate intelligence is the ability to hold two opposed ideas in mind at the same time and still retain the ability to function.”
-F. Scott Fitzgerald

Fitzgerald wrote long before the internet and the need for cybersecurity, but he captured the outlook of most CISOs and security professionals well: most security teams operate under the assumption of compromise paradox.

The assumption of compromise paradox is this: security professionals approach their job as protectors, yet they start from the premise that they have already been compromised. In practice that means we assume someone is already inside, or that getting inside is not difficult at all, whether through a phishing attack, a drive-by download or any of a multitude of other attack techniques.

Yes, attackers have some advantages over defenders. They know how they are going to attack, when they are going to attack, what they are after and how long they will need to stay inside to achieve their goals. But it is up to the security team to protect the data and keep them out.

Yet we continue to operate under an assumption of compromise rather than an assumption of prevention. That led us to deploy tools optimized for detection and response, giving rise to SIEM, SOAR, EPP (endpoint protection platforms) and many other technologies that focus on the compromise itself. At the same time, we relied on technologies such as DLP and IRM/DRM to protect us from exfiltration.

I am proposing that we re-frame the way we approach data security, with a renewed focus on exfiltration detection and prevention. If we must assume we are already breached, and we are preventing data exfiltration from that starting point, how do we use the security controls we already have to reduce or eliminate exfiltration? The way we have been approaching exfiltration has not been working. We need to look at the last mile, the moment data is ready to leave the network, and we also need to look further upstream, at the behaviors surrounding the data before and during exfiltration.

That begins with looking at how protected data is normally shared, so that its regular transmission is a known baseline against which unusual movement stands out. Questions you need to investigate and be able to answer include:

  • How do you share protected data internally?
  • How do you share protected data across hybrid environments?
  • How do you share internal data externally (with partners)?
    • VPN
    • Secure tunnels
    • Securely shared data repos

When you can answer those questions, decide where you find opportunities to improve how data is shared and which technologies can help with your goal of protecting data.
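One concrete way to use that baseline is to turn the answers to the questions above into an allowlist of sanctioned channels per data classification, then check two things against it: the last mile (labelled data leaving to a destination that is not a sanctioned channel for its class) and the upstream behavior (a user reading an unusual number of protected objects shortly before any egress, even to a sanctioned destination). The following is an added example written for this page, not code from the article or from Spirion; the log format, the `SANCTIONED` map, the destinations and the event records are all constructed assumptions, standing in for what a proxy, DLP or file-access log would actually provide.

```python
"""Flag likely exfiltration of labelled data against a baseline of sanctioned channels.

Added example (not from the original article). Assumes a hypothetical event log with
one dict per event; a real deployment would read proxy, DLP or file-access logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical baseline built from the "how do we share protected data" questions:
# for each data class, the destinations that are documented as normal channels
# (VPN concentrator, partner SFTP, internal shared repo). None means any destination.
SANCTIONED = {
    "PII": {"vpn.corp.example", "sftp.partner.example", "repo.corp.example"},
    "PCI": {"repo.corp.example"},
    "PUBLIC": None,
}

# Constructed sample events (not real data). kind "access" is an upstream file read;
# kind "egress" is bytes leaving the network, the last mile.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "kind": "access", "label": "PII", "obj": "hr/payroll.csv"},
    {"ts": "2024-03-01T09:03:00", "user": "alice", "kind": "access", "label": "PII", "obj": "hr/benefits.csv"},
    {"ts": "2024-03-01T09:06:00", "user": "alice", "kind": "access", "label": "PII", "obj": "hr/addresses.csv"},
    {"ts": "2024-03-01T09:09:00", "user": "alice", "kind": "access", "label": "PII", "obj": "hr/ssn.csv"},
    {"ts": "2024-03-01T09:12:00", "user": "alice", "kind": "access", "label": "PII", "obj": "hr/bank.csv"},
    {"ts": "2024-03-01T09:15:00", "user": "alice", "kind": "access", "label": "PII", "obj": "hr/contacts.csv"},
    {"ts": "2024-03-01T09:25:00", "user": "alice", "kind": "egress", "label": "PII", "dest": "sftp.partner.example", "bytes": 52_000_000},
    {"ts": "2024-03-01T09:58:00", "user": "bob", "kind": "access", "label": "PII", "obj": "crm/export.csv"},
    {"ts": "2024-03-01T10:00:00", "user": "bob", "kind": "egress", "label": "PII", "dest": "files.personal.example", "bytes": 4_000_000},
    {"ts": "2024-03-01T10:05:00", "user": "carol", "kind": "egress", "label": "PUBLIC", "dest": "cdn.example", "bytes": 900_000},
    {"ts": "2024-03-01T10:10:00", "user": "dave", "kind": "egress", "label": "PCI", "dest": "repo.corp.example", "bytes": 120_000},
    {"ts": "2024-03-01T11:00:00", "user": "erin", "kind": "access", "label": "PII", "obj": "hr/onboarding.csv"},
    {"ts": "2024-03-01T11:05:00", "user": "erin", "kind": "egress", "label": "PII", "dest": "vpn.corp.example", "bytes": 30_000},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def last_mile_violations(events, sanctioned=SANCTIONED):
    """Egress of labelled data to a destination outside its sanctioned channel set.

    Returns (user, label, dest) tuples. Classes mapped to None are never flagged."""
    hits = []
    for e in events:
        if e["kind"] != "egress":
            continue
        allowed = sanctioned.get(e["label"])
        if allowed is not None and e["dest"] not in allowed:
            hits.append((e["user"], e["label"], e["dest"]))
    return hits


def upstream_staging(events, window=timedelta(minutes=30), threshold=5):
    """Users who read at least `threshold` distinct non-public objects within `window`
    before an egress event: the staging behaviour that precedes exfiltration, which a
    destination allowlist alone cannot see because the channel may be sanctioned.

    Returns (user, dest, distinct_objects_read) tuples."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["kind"] != "egress":
                continue
            t_egress = parse_ts(e["ts"])
            recent = {
                x["obj"] for x in evs[:i]
                if x["kind"] == "access" and x["label"] != "PUBLIC"
                and t_egress - parse_ts(x["ts"]) <= window
            }
            if len(recent) >= threshold:
                flagged.append((user, e["dest"], len(recent)))
    return flagged


if __name__ == "__main__":
    for user, label, dest in last_mile_violations(EVENTS):
        print(f"LAST MILE: {user} sent {label} data to unsanctioned {dest}")
    for user, dest, n in upstream_staging(EVENTS):
        print(f"UPSTREAM: {user} read {n} protected objects before egress to {dest}")
```

Run against the constructed events, the last-mile check catches bob sending PII to an unsanctioned host, while the upstream check catches alice, whose destination is a sanctioned partner SFTP server but who read six protected files in the half hour before the transfer. Neither check on its own would have surfaced both; that is the point of pairing the last mile with the behavior upstream of it. The threshold and window are assumptions to be tuned from your own baseline.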

If we assume that outsiders are already inside your network, the logical next step is zero trust. Your security systems work at the perimeter, so it is time to take the protection to the data itself. That should be pushed across the entire company: every device, every application, wherever data is in motion or at rest. The assumption of compromise usually pictures an outside actor, but malicious insiders exist too, and they must be considered in the data protection process.

In the end, you want to create a zone around the data itself, not just around the network. You will never stop the river of compromises and threats from flowing, but you can build a dam that holds your data inside and keeps it from floating away.