Former DuPont Security Chief: Safeguarding Data Is A Daily Struggle

Two-factor authentication and tighter controls around intellectual property are the only ways to safeguard a company's critical assets, according to a longtime security expert.

Larry Brock, former chief information security officer at DuPont, saw the organization grow and struggle to keep pace with the evolving security landscape. Over his three decades at DuPont, Brock, a former National Security Agency official, helped roll out stronger authentication and gain control over data spread out over multiple business units and across disparate systems.

It was a constant struggle and one that DuPont dealt with daily, Brock said. With internal strife over former employees pilfering the company's databases of sensitive engineering research and external attackers attempting to copy engineering and design documents from the R&D team, Brock seemed to be under a constant barrage of attacks.

[Related: The Top 5 Causes Of Corporate Data Breaches (Video) ]

"We saw trade secrets spread out over many different areas, and on the technical side there is the foundational technology that comes out of the research and engineering of how to build a manufacturing facility to take that research information and turn it into a product," Brock said. "Our adversary realized it only needed to collect parts of the information and not all of it."

Brock, who now heads his own consultancy, Brock Cyber Security Consulting, will talk about data protection issues in a Webinar May 22 being sponsored by security vendor Verdasys. In 2007, DuPont reportedly lost hundreds of millions of dollars' worth of research documents when a former researcher accessed systems more than a dozen times to steal documents and other data. Several years later the firm was one of several hundred targeted under the Google Aurora attacks, believed to be a cyberespionage operation undertaken by China. When hacktivists leaked emails associated with the HBGary Federal data breach, Brock's name was referred to in an email between vendors about the Night Dragon cyberespionage attacks. Brock called the email breach an embarrassing time for everyone involved.

"I was getting strong support to improve our controls, and we had some pretty energetic discussions with these vendors," Brock said. "We were mostly upset with vendors trying to aggressively push their products and influence others."

Brock believes the massive size of DuPont and its various business units made it extremely difficult to tightly control its sensitive data and keep track of where it resided. DuPont had a data classification system that had been around for many years, Brock said. Top-secret level information was classified and executives thought it was tightly guarded.

"Clearly, when you get down to the individual within the business unit that owns the data, they understand the importance but, from a global or corporate perspective, we did not have an inventory," Brock said.

NEXT: Where Does The Data Reside?

Many organizations fail at data discovery and classification because they leave it up to an IT team to undertake the project, Brock said. The business needs to own it and policies eventually have to be driven down to ensure that the business owner takes accountability for the crown jewels, he said.

Once each business owner was identified, the company started the more difficult process of analyzing how to protect the individual corporate assets. DuPont started with rolling out stronger encryption and moved to data leakage protection.

"We looked at all those different tools and in each case we found that you had to get the owners and users to find the right way to protect it," Brock said.

The biggest issue at a high-tech company with a massive research development budget is how to protect the research without placing too many restrictions and stifling creativity and ultimately innovation, Brock said. When building security controls around research information, the company got technical leaders within research to become control points to identify who should have access to data.

"The research organization was very concerned about the potential of restricting collaboration," Brock said. "It's very difficult to determine where the next breakthrough is going to come from; the breakthrough in business unit A may come from something that business unit B discovered in the way certain polymers and processes are being used in that business."

According to Brock, two-factor authentication and other multifactor authentication technologies are vital to thwarting attackers and reducing the risk of a data security breach. An important approach to truly strong authentication is to use an out-of-band type of technology, which makes it even more difficult for an attacker to target, Brock said. DuPont was an early adopter of two-factor authentication, using RSA SecurID in 2002 and 2003. The organization started a migration in recent years to PKI with certificates on USB drives to authenticate users into Microsoft SharePoint using a solution from Symantec and its VeriSign unit.

"With phishing and drive-by exploits we knew you can easily bypass a firewall, so the issue was how to keep the data in," Brock said.

How did Brock keep his job after so many security incidents? Brock credits his long history at DuPont working in various roles and a strong understanding of the organization's various business units.

"I had a broader perspective than just IT, which enabled me to build collaborative relationship across the businesses and really drive the ownership well beyond what IT can do," Brock said. "It takes business leadership and functional leadership to be very focused."

PUBLISHED MAY 13, 2013