2018 hacks indicate importance of threat detection


At the end of November, an official statement revealed that Marriott International's guest reservation database for its Starwood division had been compromised. Marriott's initial assessment suggested that some 500 million guest records were affected, including personal information such as addresses, phone numbers, passport numbers and encrypted payment card details. Although the number has since been revised to 383 million, the breach remains one of the biggest corporate cyberattacks worldwide, surpassed only by the Yahoo hack of 2013 and the Adult FriendFinder breach of 2016.

Besides the sheer scale and variety of the data that was compromised, what’s most worrying is the fact that hackers (recent reports suggest Chinese Intelligence) have had unauthorised access to the hotel’s networks since way back in 2014, raising some serious questions around the capabilities of businesses to detect breaches on their networks.

Of course, Marriott, like all companies whose breaches have made headlines, has expressed commitment to improving its security and to taking decisive steps to ensure containment of the attack. However, little detail as to how they’ll be achieving this, and what technologies they’ll be employing, has been forthcoming.

What went wrong?

Today, cyber attacks make headlines on a regular basis – a clear indication that any organisation which deals with sensitive, personal information (virtually all of them) can expect to be compromised at some point.

Although all companies, regardless of size, are legally obliged to protect their customer and employee data, multinationals, which store and process large amounts of such data on a day-to-day basis, are under even greater pressure. A lacklustre approach to security can result not only in legal consequences and fines, but can also court media scrutiny, leading to severe reputational damage.

Yet cyber security still seems to be a low-priority element of daily operations, and the sophistication of the attack on Marriott only cements that impression.

A large number of organisations still lack the appropriate measures to meet the challenges of new cyberthreats and struggle to ensure instantaneous threat detection. All the biggest companies, equipped with numerous firewalls, antivirus software and intrusion prevention systems, might appear to be well-prepared for a potential cyberattack, yet Marriott shows this to be incorrect.

In theory, a basic set of tools is supposed to deter hackers, but in practice it often creates only a deceptive impression of safety, because current cyber criminals can readily breach perimeter defences. As Marriott's case demonstrates, prevention alone is not an effective approach to cyber defence: the attackers not only compromised the network, they also stayed undetected for almost four years.

Companies continue to fail to detect anomalous network activity, but it is rare for such activity to go on for so long without being flagged. That is extremely concerning, particularly as thousands of companies could be running their networks unaware that their defences have already been penetrated.

Detection is key

It’s unfair to point the finger solely at Marriott here, as cyberattacks on the likes of British Airways and Dixons Carphone have also shone a spotlight on the prevalence of ineffective threat detection practices. In 2019, the question that every effective leadership team should be asking is whether their security operations team can detect and neutralise a breach as soon as it happens. One of the essential ingredients for this will be providing them with the tools to streamline that process.

However, most IT departments, even those using modern workflow automation, are not supported by the sophisticated analytics that accurate threat detection requires, and consequently have limited chances of a well-timed response. A substantial improvement in response times can only be achieved through more comprehensive security programmes and by blending current security solutions with automated threat detection.

For example, innovations in machine learning can enhance cyber protection by reducing manual effort, lowering chances of human error and shortening the time to identify, react, and recover from hostile incidents. Combining this with advanced analytics can prevent any indicators of internal threats from going unnoticed due to staff inefficiency and overload.

Applying automation and analytics to security

Machine learning enables systems to apply statistics and algorithms to large amounts of data and recognise patterns within it. Given the vast volume of different activities occurring in today's systems, the capabilities of automation will increasingly be viewed as vital. Companies benefit from complementing security with automation because the system can learn the pattern of normal activity and identify any deviation from it.

Automation has another advantage – it can also predict the development of a new pattern. In other words, it allows scanning for atypical activity in order to flag emerging threats so they can be stopped before attackers achieve their intended goals. However, automation on its own may not achieve much, as it is just one tool and needs a more comprehensive environment to be effective. The supporting technologies should provide context to security, so that when they are used together, machine learning generates the risk information crucial to prioritising the security team's next steps.

One of those technologies is security information and event management (SIEM) software. A NextGen SIEM solution can collect and correlate data from many separate sources, such as human resources or asset management systems, and feed this data into the machine learning program.

However, detecting potential threats also requires understanding and baselining user behaviour. This can be tricky, as it needs to be done while keeping false positives low enough that the genuine alerts stand out. That is why user and entity behaviour analytics (UEBA) solutions are a growing market. UEBA is largely based on advanced profiling and anomaly detection using a range of analytics approaches, usually a mix of basic statistical methods and more sophisticated ones such as supervised machine learning.

It is highly efficient because, with baseline behaviours and patterns already established, it can compare each incoming action against the user's existing profile using a combination of statistical models and machine learning algorithms. UEBA produces reports that outline patterns of unauthorised activity, allowing the security operations team to react swiftly to those anomalies through either manual or automated actions. Unless NextGen SIEM and user and entity behaviour analytics are part of an organisation’s security ‘toolbox’, companies risk playing catch-up with the cybercriminals and possibly allowing them to roam their networks for months or even years.
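To make the baselining and anomaly-scoring idea from the last few paragraphs concrete, here is a small added example (not LogRhythm's code, nor any real UEBA product's) that builds per-user profiles from a constructed set of access events, then scores new events against them and against an assumed HR roster of the kind a SIEM would feed in. Users, hosts, hours and byte counts are all constructed sample values; the scoring rules (usual hours, known hosts, a z-score on transfer volume, roster membership) are illustrative, not a vendor's algorithm.

```python
import statistics
from collections import defaultdict

# Constructed sample events, not real data: (user, hour of day, host, bytes out).
BASELINE_EVENTS = [
    ("alice", 9, "crm-db", 120_000), ("alice", 10, "crm-db", 135_000),
    ("alice", 14, "crm-db", 110_000), ("alice", 16, "file-srv", 90_000),
    ("bob", 8, "hr-app", 40_000), ("bob", 11, "hr-app", 52_000),
    ("bob", 13, "hr-app", 45_000), ("bob", 17, "hr-app", 48_000),
]
NEW_EVENTS = [
    ("alice", 10, "crm-db", 125_000),            # within baseline
    ("alice", 3, "reservations-db", 9_500_000),  # off-hours, new host, bulk volume
    ("bob", 12, "hr-app", 47_000),               # within baseline
    ("carol", 14, "hr-app", 30_000),             # account missing from HR roster
]
ACTIVE_STAFF = {"alice", "bob"}  # constructed HR context a SIEM would supply

def build_profiles(events):
    """Per-user baseline: hours seen, hosts touched, and per-session volumes."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set(), "vol": []})
    for user, hour, host, nbytes in events:
        p = profiles[user]
        p["hours"].add(hour); p["hosts"].add(host); p["vol"].append(nbytes)
    return profiles

def score_event(profiles, active_staff, event):
    """Compare one event with its user's baseline; return (score, reasons)."""
    user, hour, host, nbytes = event
    reasons = []
    if user not in active_staff:
        reasons.append("user not in active HR roster")
    p = profiles.get(user)
    if p is None:                      # no history at all: treat as unknown
        return len(reasons) + 1, reasons + ["no baseline for user"]
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        reasons.append("activity outside usual hours")
    if host not in p["hosts"]:
        reasons.append(f"first access to host {host}")
    mean, stdev = statistics.mean(p["vol"]), statistics.pstdev(p["vol"]) or 1.0
    if (nbytes - mean) / stdev > 3:    # simple z-score on transferred volume
        reasons.append("transfer volume far above baseline")
    return len(reasons), reasons

def flag_anomalies(baseline, new_events, active_staff, threshold=2):
    """Return (event, reasons) pairs whose anomaly score reaches the threshold."""
    profiles = build_profiles(baseline)
    scored = [(e, score_event(profiles, active_staff, e)) for e in new_events]
    return [(e, reasons) for e, (score, reasons) in scored if score >= threshold]
```

Requiring several independent deviations before an event is flagged is what keeps the false-positive rate down: bob's slightly unusual hour alone scores zero, while alice's off-hours bulk pull from a never-before-seen host and carol's activity from an account the HR system no longer recognises both surface with their reasons attached.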

A wake-up call

Recent incidents have, without a doubt, exposed the shortcomings of currently deployed cyber security solutions, especially when it comes to detection. The failures of large companies such as Marriott and British Airways should be a wake-up call, motivating organisations of all shapes and sizes to take a more holistic approach to network protection. Still, the outlook for the near future should be positive, and hopefully organisations will draw lessons from the attack, take action and prevent such leaks from recurring.

Ross Brewer, Vice President and Managing Director, EMEA, LogRhythm