
Reading Room


Data Protection

Featuring 14 Papers as of January 4, 2021

  • Analyzing Malicious Behavior Effectively with ExtraHop Reveal(x) Analyst Paper (requires membership in community)
    by Dave Shackleford - January 4, 2021 

    In the past decade, the information security industry has learned a lot about what attackers do during campaigns against targets. Once a compromise has occurred, attackers attempt to maintain a persistent presence within the victim's network, escalate privileges, and move laterally within the victim's network to extract sensitive information to locations under the attacker's control.

    ExtraHop's Reveal(x) security analytics product provides security analysts with a platform that can rapidly analyze huge quantities of data without acquiring full network packets. In this paper, Dave Shackleford reviews ExtraHop's Reveal(x) and shares his insights on the many enhancements and new features that help intrusion analysis and investigation teams analyze malicious behavior in their environments more rapidly and effectively.

  • Measuring Cybersecurity Controls Effectiveness with Security Validation Analyst Paper (requires membership in community)
    by John Hubbard - December 7, 2020 

    Security vendors may promise the world when it comes to the capabilities of their products, but how do you know they will work as expected when the attackers come knocking? Without a strategy to validate the continuous health and operation of your data collection and security appliances, you could be operating under false security assumptions with very serious consequences. Building an effective security validation strategy can help guarantee, regardless of the constant flux of your business and IT infrastructure, that your Security Operations Center (SOC) will be immediately alerted to any sign of compromise. If you're searching for answers in this area, join this webinar, where we will discuss the need for testing your security controls and the key features to look for in a security validation solution.

  • How to Leverage a CASB for Your AWS Environment Analyst Paper (requires membership in community)
    by Kyle Dickinson - December 17, 2019 

    As organizations move applications and data to the cloud, the number of applications they can leverage grows constantly, as do the areas where data can reside. Cloud access security brokers (CASBs) provide the convenience and means to integrate with modern technologies and implement security controls. Discover how CASBs help you make sense of auditing data, provide data protection and storage security, and take advantage of common CASB features to secure deployments.

  • How to Build a Data Security Strategy in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - June 13, 2019 

    When organizations move sensitive data to the cloud, they absolutely must choose a provider that can ensure compliance with privacy regulations on a global stage. Data security strategies in the cloud must include encryption and key management, data loss prevention and the capability to classify and track data. By using the AWS Cloud, organizations can protect sensitive data at rest, in transit and in use.

  • Protecting Data To, From and In the Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - December 11, 2018 

    Attackers have adapted their strategies to the cloud and will likely continue to focus on this threat surface. In this spotlight paper, SANS offers some guidance and recommendations for improving cloud service visibility, data protection, threat protection, access control and reporting.

  • Building the New Network Security Architecture for the Future Analyst Paper (requires membership in community)
    by Sonny Sarai - January 22, 2018 

    With the move to cloud services, software-defined networks and IoT devices, the game has changed in terms of defining an organization's network. Current network security architecture doesn't offer the visibility required for modern-day networks, much less guard against threats roaming within them. This white paper examines key elements of the network of the future and their optimal implementation.

  • Minerva Labs: Using Anti-Evasion to Block the Stealth Attacks Other Defenses Miss Analyst Paper (requires membership in community)
    by Eric Cole, PhD - December 4, 2017 

    Attackers routinely use evasion to evade baseline anti-malware tools and ultimately compromise endpoints. How can enterprises prevent such intrusions without relying on after-the-fact detection? This paper explores a unique approach to preventing evasive malware from infecting endpoints, using Minerva's Anti-Evasion Platform to automatically block threats without ever scanning files or processes. SANS Reviewer Eric Cole, PhD, shares his findings regarding the ability of Minerva's Anti-Evasion Platform to block such evasive threats.

  • Sensitive Data at Risk: The SANS 2017 Data Protection Survey Analyst Paper (requires membership in community)
    by Barbara Filkins - September 5, 2017 

    Ransomware, insider threat and denial of service are considered the top threats to sensitive data by respondents to the 2017 SANS Data Protection Survey. User credentials and privileged accounts represented the most common data types involved in these breaches reported in the survey, spotlighting the fact that access data is prized by attackers. The experiences of respondents with compromised data provide valuable lessons for security professionals.

  • Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017 Analyst Paper (requires membership in community)
    by John Pescatore - March 20, 2017 

    Attackers are always changing their methods, but some cybersecurity trends are clear, and identifying these trends will help security professionals plan for addressing these issues in the coming year. Attacks will continue, and many will be successful. While security professionals should try to prevent a breach, it's far more critical to uncover breaches quickly and mitigate damage. Another significant trend for 2017: expanding current security measures to better protect data in the cloud and to address the security shortcomings of the Internet of Things. Even while fighting daily security fires, security managers can expect boards of directors to show more interest in their efforts. Board members are keenly aware that breaches can be high-profile catastrophes for companies, and they are also concerned that the organizations they oversee are in compliance with new and more stringent regulations. This whitepaper covers the latest and best security hygiene and common success patterns that will best keep your organization off the "Worst Breaches of 2017" lists.

  • Preparing for Compliance with the General Data Protection Regulation (GDPR) A Technology Guide for Security Practitioners Analyst Paper (requires membership in community)
    by Benjamin Wright - March 7, 2017 

    The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union. When it goes into effect, it can apply widely to various organizations, including those without a physical presence in the European Union. What does this complex regulation mean and what does your organization need to do to comply? This paper explains these as well as how to identify a Data Protection Officer and what this person needs to know to be effective. It also provides a checklist for compliance with concise, practical information your organization can begin using now.

  • Back to Basics: Focus on the First Six CIS Critical Security Controls Analyst Paper (requires membership in community)
    by John Pescatore - January 24, 2017 

    Rather than a lack of choices in security solutions, a major problem in cyber security is an inability to implement mature processes - many organizations lack a defined and repeatable process for selecting, implementing and monitoring the security controls that are most effective against real-world threats. This paper explores how the Center for Internet Security (CIS) Critical Security Controls has proven to be an effective framework for addressing that problem.

  • Data Breach Impact Estimation Graduate Student Research
    by Paul Hershberger - January 3, 2017 

    Internal and external auditors spend a significant amount of time planning their audit processes to align their efforts with the needs of the audited organization. The initial phase of that audit cycle is the risk assessment. Establishing a firm understanding of the likelihood and impact of risk guides the audit function and aligns its work with the risks the organization faces. The challenge many auditors and security professionals face is effectively quantifying the potential impact of a data breach to their organization. This paper compares the data breach cost research of the Ponemon Institute and the RAND Corporation, checking both models against breach costs reported by publicly traded companies under the Securities and Exchange Commission (SEC) reporting requirements. The comparisons show that the RAND Corporation's approach provides organizations with a more accurate and flexible model for estimating the potential cost of data breaches, both the direct cost of investigating and remediating a breach and the indirect financial impact of regulatory and legal action following a breach. Additionally, the comparison indicates that breach-related impacts to revenue and stock valuation are only realized in the short term.

  • Keys to Effective Anomaly Detection
    by Matt Bromiley - October 25, 2016 

    Simply put, an anomaly is something that seems abnormal or doesn't fit within an environment. A car with five driving wheels would be an anomaly. In the context of an enterprise network, an anomaly is very much the same: something that does not fit or is out of place. While anomalies in an enterprise network may be indicative of a configuration fault, they are often evidence of something much more worrisome: a malicious presence on the network.

  • Data Breaches: Is Prevention Practical? Analyst Paper (requires membership in community)
    by Barbara Filkins - September 13, 2016 

    Despite the potential costs, legal consequences and other negative outcomes of data breaches, they continue to happen. A new SANS Institute survey looks at the preventive aspect of breaches, and at what security and IT practitioners actually are, or are not, implementing for prevention.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.