It feels like almost every day we’re confronted by news of yet another high-profile breach, resulting in millions in damage and bruised reputations, and that is before counting the many smaller breaches we never even hear about.
These aren’t your run-of-the-mill organisations, either. They are large, well-established multinational corporations with sophisticated and very expensive security detection and prevention systems. And yet they all have a similar story: breaches that claimed user passwords or identities, emails, customer credit card or healthcare information, proprietary business plans and even valuable product roadmaps. All gone, and probably for sale to the highest bidder somewhere on the dark web. It’s such a daily occurrence that it’s easy to become numb to the scale of the damage.
Many companies with operations in the U.S., such as Sony Pictures, Target and LinkedIn, quickly come to mind, not because their security systems are any worse than others, but because U.S. state breach-notification laws require these organisations to publicise data breaches involving customer information. That’s not always the case in other countries, although in the UK there is always the prospect of the Information Commissioner issuing hefty fines under the Data Protection Act. And that raises an important point. If these large companies are susceptible to attack, then smaller companies are as well, and with even greater risk of being breached. With smaller companies, however, these attacks are either going undetected, or they simply aren’t worthy of eye-catching headlines.
So what can enterprises learn from these large-scale breaches? When you think about most of the big, infamous hacks, you’ll notice a pattern. First comes a flurry of news and speculation about the extent of the hack. Initially this will focus on the number of customers impacted or the volume of records stolen. And then, something interesting happens. Things may go quiet for a while, but eventually there are follow-up stories revealing that a) the original hack actually took place months in the past, b) the scale of the damage is actually much bigger than originally estimated, and c) the root cause of the hack and its damage are not completely known.
The primary reason is that companies receive hundreds of alerts every day, and the investigation process is not automated well enough to examine them all. The sheer volume of alerts makes it impossible to investigate most of them on a daily basis, so attackers can remain undetected for months before the breach is discovered, by which time the damage may be extensive. Whether the initial compromise came through a phishing scheme, a SQL injection attack or an OpenSSL flaw like Heartbleed, it can take time to tell whether the attacker is still ‘dwelling’ in the network or is already long gone.
A 2016 global study released in June by IBM and Ponemon Institute revealed some eye-opening statistics. According to the study, the average time to discover a breach was estimated at 201 days, while the average time to contain a breach was estimated to be an additional 70 days. It’s not hard to imagine how much damage can be done in that amount of time.
A key takeaway is that EVERY organisation’s security armour has chinks that can be exploited. One of the areas that’s sure to gain more attention is IoT. Most early IoT devices were not built with network load or security in mind, and their high rate of adoption has had some unintended consequences. The number of these devices, the amount of data they send over networks, the number of connections they use and the 24x7x365 nature of their activity present unique challenges. Worse, the first generation of these devices was not really designed with future firmware upgrades or patches in mind, so your organisation may be giving attackers an easy foothold into the network. With IoT, we are pushing the edge of our networks further and further out, increasing the risk of security breaches. IT teams in almost every company are already stretched to oversee and safeguard the applications (and Shadow IT) on employees’ laptops and smartphones. With that in mind, how many of these companies do you think have adequate policies and practices in place to manage and update their IoT devices? It’s a huge challenge.
At the macro level I’ve noticed in the last year that cyber security is being talked about more, especially at the CISO level. It’s good to talk, but I still don’t see a radical change in the tools or methodologies being employed to secure critical assets. As we’ve seen time and time again, companies fail to understand that existing IDS/IPS/SIEM and firewall technologies are not foolproof. So what can a company do if prevention fails? Companies need to have a comprehensive Incident Response plan in place, which includes the people and the security tools they employ to get this important job done.
The right Incident Response tools in the hands of experienced investigators will ensure that the enterprise is prepared to rapidly remediate an attack. Network forensics and analytics are very important pieces of this Incident Response workflow. Packets don’t lie, and when you have to go back months to investigate a breach, the only way to know exactly what happened is to have access to the network traffic from that time. Few organisations can afford to retain full packet captures for months, and TLS hides most payloads anyway, so have a workflow in place to store key network data intelligently: keep flow records, DNS and TLS handshake metadata continuously, and retain full packets selectively around alerts and their associated logs and ‘suspicious’ connections. Ultimately, the goal is to get the business back up and running as quickly as possible, while ensuring the least amount of damage.
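The selective-retention workflow described above, as an added example that is not code from the original article or from Savvius: alerts in a Suricata-style EVE JSON format are correlated with NetFlow-like flow records so that only the packet captures tied to an alert are kept, and repeated alerts are grouped and ranked so an analyst sees the most severe, most persistent source first. The alert lines, flow records, signature names and the `pcap_ref` field are all constructed for this example, and the periodicity check (regularly spaced alerts from one host suggest beaconing) is an assumption about how a triage tool might flag dwell-time indicators, not a claim about any product.

```python
"""Triage IDS alerts and decide which network flows to keep for forensics.

Added example, not code from the original article or from Savvius. It
assumes Suricata-style EVE JSON alert lines and flow records that carry
a reference to a stored packet capture; every input below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed EVE-style alert lines (field names modelled on Suricata's schema).
ALERT_LINES = [
    '{"timestamp":"2016-06-01T10:00:05+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature_id":2019401,"signature":"ET MALWARE Possible Beacon","severity":1}}',
    '{"timestamp":"2016-06-01T10:05:05+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature_id":2019401,"signature":"ET MALWARE Possible Beacon","severity":1}}',
    '{"timestamp":"2016-06-01T10:10:05+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51004,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature_id":2019401,"signature":"ET MALWARE Possible Beacon","severity":1}}',
    '{"timestamp":"2016-06-01T10:02:00+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":40000,"dest_ip":"203.0.113.20","dest_port":80,"proto":"TCP","alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound","severity":3}}',
    '{"timestamp":"2016-06-01T10:03:00+0000","event_type":"alert","src_ip":"10.0.0.12","src_port":40010,"dest_ip":"203.0.113.20","dest_port":80,"proto":"TCP","alert":{"signature_id":2024897,"signature":"ET INFO Suspicious User-Agent","severity":3}}',
]

# Constructed flow records; pcap_ref is an assumed pointer into a capture store.
FLOWS = [
    {"start": "2016-06-01T09:00:00+0000", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 443, "proto": "TCP", "bytes": 1800, "pcap_ref": "pcap-0000"},
    {"start": "2016-06-01T10:00:04+0000", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 443, "proto": "TCP", "bytes": 2300, "pcap_ref": "pcap-0001"},
    {"start": "2016-06-01T10:05:04+0000", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 443, "proto": "TCP", "bytes": 2310, "pcap_ref": "pcap-0002"},
    {"start": "2016-06-01T10:10:04+0000", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 443, "proto": "TCP", "bytes": 2295, "pcap_ref": "pcap-0003"},
    {"start": "2016-06-01T10:02:00+0000", "src_ip": "10.0.0.9", "dest_ip": "203.0.113.20", "dest_port": 80, "proto": "TCP", "bytes": 900, "pcap_ref": "pcap-0004"},
    {"start": "2016-06-01T10:30:00+0000", "src_ip": "10.0.0.77", "dest_ip": "192.0.2.1", "dest_port": 22, "proto": "TCP", "bytes": 50000, "pcap_ref": "pcap-0005"},
]


def parse_ts(ts):
    """Suricata emits offsets like +0000, which strptime's %z accepts."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")


def parse_alerts(lines):
    """Keep only alert events and flatten the fields triage needs."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alerts.append({
            "ts": parse_ts(ev["timestamp"]),
            "src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"],
            "dest_port": ev["dest_port"], "proto": ev["proto"],
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "severity": ev["alert"]["severity"],
        })
    return alerts


def flows_to_retain(alerts, flows, window_s=60):
    """Return pcap references for flows matching an alert's (src, dst, dport, proto)
    that started within window_s of the alert; everything else can age out."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src_ip"], f["dest_ip"], f["dest_port"], f["proto"])].append(f)
    keep = set()
    for a in alerts:
        key = (a["src_ip"], a["dest_ip"], a["dest_port"], a["proto"])
        for f in by_tuple.get(key, []):
            if abs((parse_ts(f["start"]) - a["ts"]).total_seconds()) <= window_s:
                keep.add(f["pcap_ref"])
    return keep


def prioritize(alerts, tolerance_s=30):
    """Group alerts by (signature, source host), rank by severity then volume,
    and flag groups whose alerts recur at a steady interval (beacon-like)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["sid"], a["src_ip"])].append(a)
    ranked = []
    for (sid, src), items in groups.items():
        items.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(items, items[1:])]
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s
        ranked.append({
            "sid": sid, "src_ip": src, "signature": items[0]["signature"],
            "severity": min(a["severity"] for a in items),  # 1 is most severe
            "count": len(items), "periodic": periodic,
            "first_seen": items[0]["ts"].isoformat(),
            "last_seen": items[-1]["ts"].isoformat(),
        })
    ranked.sort(key=lambda g: (g["severity"], -g["count"], g["sid"]))
    return ranked


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LINES)
    print("retain captures:", sorted(flows_to_retain(alerts, FLOWS)))
    for g in prioritize(alerts):
        print(g)
```

Run as a script to see which captures survive (pcap-0000 is too old and pcap-0005 has no alert, so both are dropped) and that the three beacon-like alerts from 10.0.0.5 collapse into one top-ranked group instead of three separate tickets. In production the same logic would run against the IDS's live EVE log and the flow collector rather than inline lists.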
So in summary, there are five key takeaways that will help keep your organisation safer, and allow you to respond quickly if and when a breach does occur.
1. Updates and patches: Even well-known vulnerabilities often go unpatched, so make it a priority to have all network-connected devices updated regularly.
2. Training: Invest in internal training that shows employees how to spot and avoid potential scams such as phishing.
3. Practical IoT policies: Develop and implement a practical IoT policy that includes the necessity for timely firmware upgrades and patches.
4. Tools: Failing to plan for a breach is like planning to fail. Make sure that your enterprise is equipped with incident response tools that help automate the investigation process.
5. Skilled Team: Have trained investigative staff (or external experts) ready to identify and resolve the breach as quickly as possible.
Mandana Javaheri, Chief Technology Officer, Savvius, Inc.
Image source: Shutterstock/Titima Ongkantong