Data Regulations: Time to Step up Your Data Theft Protection

Today’s data-driven economy is being led by personal data, so naturally focus is turning more strongly to privacy and protection. New regulations have appeared over the last few years, with a rapid acceleration in regions such as North America and APAC.

While it’s only fair that regulators introduce these new laws with their associated fines for data breaches, companies are still finding it extremely challenging to ensure confidentiality of their data. Cybercriminals are smart guys – data theft and ransomware techniques are becoming more sophisticated – meaning traditional security solutions such as NGFW and IPS are unable to keep up. To efficiently detect data exfiltration hidden in network traffic, the most reliable method is end-to-end analysis of transactions going through the DNS.

GDPR-like Regulations in US & Canada: CCPA, CPPA and Others

Since its introduction in May 2018, GDPR has continued to hit hard. Example data protection fines include Facebook ($5Bn in July 2019), BA ($230m), and Equifax (over $575m). Travelex was another unfortunate ransomware victim, with threat actors claiming to have downloaded 5GB of sensitive company and customer data, including payment card information, birthdates and social security numbers. The European Data Protection Board (EDPB) has clarified that a ‘data breach’ does not just mean a loss of data, but it can also include data not being available, as was also the case of the WannaCry attack which affected the NHS.

Naturally, other countries have been monitoring GDPR and selecting relevant principles they wish to adopt. Among the many new regulations coming into force, the California Consumer Privacy Act (CCPA) took center stage. Other states quickly followed suit, with Nevada enacting its Senate Bill (SB-220) and New York modifying its SHIELD Act to strengthen data security and data breach notification laws. The US also uses regulations that cover specific areas of personal data, including the Health Insurance Portability and Accountability Act (HIPAA) for health data and the Children’s Online Privacy Protection Act (COPPA) to keep children protected online.

This year, Canada plans to strengthen data confidentiality with its Bill C-27: Consumer Privacy Protection Act (CPPA). The existing Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada carries penalties of up to $100,000 CAD per violation, and CPPA could increase those fines dramatically.

Another area that has become top of mind is protection of critical infrastructure.The Colonial Pipeline attack in the US is regarded as one of the most significant attacks on critical national infrastructure ever, and has led to further regulations. The US government, for example, has requested the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop performance goals for critical infrastructure. And on the other side of the pond, the European Commission is using the NIS Directive to tackle critical infrastructure protection across the EU through mandatory cybersecurity requirements such as incident notification obligation. The scope is being expanded by NIS2, to help increase the level of cybersecurity in Europe in the longer term.

Brazil, Thailand, India, China and Australia Have Jumped on the Bandwagon

Worldwide, data protection is being recognized as a top priority for governments. Brazil’s first General Data Protection Law, the LGPD, came into force on August 15th 2020, covering many principles of data protection. Thailand’s PDPA was also launched, and South Korea introduced a new omnibus law to supplement its current PIPA (Personal Information Protection Act). Other countries who augmented their existing regulations included India for its PDPB and Australia’s NDB. And last year the Personal Information Protection Law (PIPL) came into effect in China. The associated volume of privacy data is highly impactful for business, in particular the international supply chain.

More Companies than Ever Being Affected by Data Breaches

According to research from Bitdefender, 60% of businesses have experienced a data breach at some point, leading to worrying levels of breach fatigue for infosecurity managers. One major cause of this fatigue is the unacceptably high level of false alarms (over 50%) created by endpoint detection and response alerts. In addition, breaches are taking longer to detect, with malware often being hidden in normal network traffic. DNS in particular is a favorite target for hackers, as traditional security solutions like NextGen firewalls struggle to detect exfiltration of data until long after the event.

Why Cybercriminals Exfiltrate Data via DNS

DNS traffic is not analyzed by a third of companies (Cisco Security Report). In addition, the high volumes make it difficult to efficiently track with existing network inspection tools, so cybercriminals therefore manipulate the DNS protocol – to act either as a tunneling or a ‘file transfer’ protocol – for stealing sensitive data.

Basic Firewalls simply blacklist remote malicious IPs so are ineffective against exfiltration. And traditional detection algorithms, focusing only on DNS packet frequency, payload, data encoding, or entropy of the requests, are able to filter only part of the malicious traffic. NGFW, anti-DoS and IPS also have no understanding of client context during DNS query exchanges, making it nearly impossible to accurately identify DNS tunneling used for command & control and data exfiltration.

So to discover (before it’s too late) that data is being exfiltrated, behavioral threat detection based on real-time analytics of DNS traffic is the only smart way.

Close Back Doors to Data Theft with DNS Transaction Analytics

When viewed between cache and recursive functions, DNS queries look atypical compared with normal traffic. Thus embedding a DNS security layer at the heart of the protocol – in the DNS server itself – and applying real-time DNS transaction inspection, enables network managers to assess validity of DNS traffic in the specific context of each enterprise. This permits the closing of back doors to data theft, unlike with DLP solutions which often do not take into consideration exfiltration via DNS.

With DNS traffic analytics a powerful base of intelligence can be built, allowing unknown (“zero-day”) malicious domains to be identified. It also helps differentiate between legitimate customers and malicious actors, eliminating risks of blocking legitimate traffic. And finally, it creates actionable event information to be sent to SIEMs and SOCs for accelerating remediation.

Avoiding Regulatory Compliance Fines

To enhance effectiveness against data exfiltration, businesses globally have begun to supplement traditional network security solutions with purpose-built DNS security offering real-time monitoring and analysis of DNS traffic. So even attacks trying to stay under the radar can be rapidly detected. Protecting data confidentiality in this manner will help businesses go a long way towards ensuring compliance with Bill C-27 as well as all other upcoming scary new data regulations.