You can't always stop a breach: but you should always be able to spot one
By Mark Kedgley.
December 15th is the anniversary that Target's infamous security breach was discovered; but has anything really changed in the year that has gone by? Retailer after retailer is still falling foul of the same form of malware attack. So just what is going wrong?
The truth is that there is never going to be a 100 percent guarantee of security: and with today's carefully focused zero day attacks, the continued reliance on prevention rather than cure is obviously not working. Organizations are blithely continuing day to day operations while an attack is in progress because they are simply not spotting the breaches as they occur.
If an organization wants to maintain security and minimise the financial fall out of these attacks, the emphasis has to change. Accept it: the chances of stopping all breaches are unlikely at best with a prevention only strategy. Instead, with non-stop, continuous visibility of what is going on in the IT estate, an organization can at least spot in real-time the unusual changes that may represent a breach, and take action before it is too late.
In the year since Target failed to spot a piece of malware and lost the personal information of over 70 million customers and over 40 million payment card numbers, the industry has debated and discussed; forensic analysis has taken place; and security experts across the board have had their say. So why are retailers still falling prey to the same problem? Kmart, Staples, Home Depot, the list continues: all of these companies have left the same holes in their systems; and the hackers have helped themselves.
The cost of security breach to these retailers has been huge - and continues far beyond the initial fall out. Target, for example, is offering free shipping over Christmas 2014 in a bid to rebuild relationships with consumers still wary after the Thanksgiving 2013 event - all on top of the estimated clean-up costs running into hundreds of millions of dollars.
These are patently major business continuity events; damaging the organization both financially and reputationally. Yet the response from the breached retailers has been a metaphorical shrug of the shoulders and a 'what can we do?' attitude: with one CIO stating that the reason for a breach which, again affected customer records and card numbers, was that the AV software didn't pick it up. How is that a valid excuse? Tell that to the customer who has to deal with fraud on his credit card; or the shareholder watching his investment value plummet.
This is plainly not good enough. And it is also somewhat disingenuous. Simply blaming the AV software is a poor excuse when there are proven ways of avoiding such breaches from escalating. So why are customers, regulators and shareholders not holding retailers to account and forcing the industry to take a different approach?
The bottom line is that these breaches could, and should, have been detected in near real-time. Post event analysis reveals that these Trojan attacks leave plenty of clues, with the creation of new system files, services and registry changes. And yet the attacks continued unnoticed for weeks: two and half weeks in the case of Target.
How on earth did this incursion go unnoticed for so long? Because Target, like the majority of retailers, works from the out dated 'stop the breach' perspective, relying on a combination of AV, firewall and routine vulnerability scanning to safeguard the IT estate. Or not.
Vulnerability scanning technology has its merits but it also has clear limitations. Firstly, as a breach detection mechanism, it is simply too resource intensive. There is no option but to analyse the entire file system each time it scans in order to compare the results to the previous baselines. This process takes time and affects system performance which means retailers can only run the scans overnight and, in reality, for any large retail environment, that means scans on each server probably only occur once every two to four weeks. Now consider the two and a half weeks the Target hackers went about their business unchallenged…
The other problem is that in today's continually changing retail IT environment there is simply too much noise and too much change activity to undertake any sensible analysis. The result? Retailers continue to get breached even if they are running the best vulnerability scanner on the market.
Real time visibility
So what is the alternative? Without doubt it would make far better security sense to be continually scanning for breaches - but vulnerability scanning is just too inefficient, too resource intensive and will never be the real-time breach detection solution needed. In contrast, real-time, continuous, change detection with file integrity monitoring (FIM) is low resource activity that can be run all the time and hence detect and alert breach activity within seconds of an incident.
The key difference is that, unlike the vulnerability scanner, the FIM process takes a one-time baseline of all system and configuration files. This will include registry settings, installed software, running processes and services, user accounts, security and audit policy settings; in other words, all the attributes that will reflect breach activity. From then on only changes will be tracked, which requires minimal resources. The result is continuous, real-time breach detection without the resource overhead and stop-start operation of the scanner.
To put it into context, with this approach the changes behind made by the malware at Target would have been picked up within minutes: enabling the company to investigate and save its reputation and bottom line.
There are other benefits too: the process is continually learning and improving. The baseline scan and initial changes detected typically reveal all sorts of unexpected and unknown activity; once this is understood to be acceptable and legitimate, the FIM policy can be improved, providing greater focus on the unusual and irregular activities more likely to indicate a breach. It is a process of continual improvement alongside non-stop breach detection.
The security world is preoccupied with the idea of stopping breaches: and yet the evidence shows that this clearly is not working. Modern IT environments don't conform to security best practices: lots of changes are being made, not always in the best interest of maintaining security. Even in a well-run and secure estate, breaches are still happening through phishing, zero day malware and insider attacks.
It is time to stop pretending that current security policies can stop any breach from working its way into key systems. It is time to find a new model that gives retailers - and their customers - a better way of responding to the continually evolving security threat. And that has to be better breach detection capabilities. It is only by spotting the breach in time that an organization has any chance of effectively managing it. Fingers crossed that it will be stopped is just not good enough.
•Date: 25th November 2014 • World •Type: Article • Topic: ISM
To submit news stories to Continuity Central, e-mail the editor.
Want an RSS newsfeed for your website? Click here