One of the key stories of 2014, and one that I anticipate will dominate conference schedules and presentations for months and possibly years to come, is the Target breach.
Thanks to the excellent work done, particularly by security journalist Brian Krebs, we now know how many records were breached, how the infiltration was done and how sophisticated the malware was.
Some time ago, the name of a vendor that Target used was mentioned to me, as well as the fact that the technology was detecting and flagging the intrusion. I approached said company for an interview in regard to this article and they declined the opportunity, so I will decline mentioning their name directly.
Also this week, it was revealed that chairman and chief executive Gregg Steinhafel had been removed from his position, following CIO Beth Jacobs out the door when she left in March.
With these movements in mind, do we have to consider the reason for the infection not being spotted, or even being ignored? Are security operation centres and managers so overworked that they miss things, or is it a case of prioritising based on experience and knowledge?
Some called it the “Christmas tree” effect: lots of lights and all very distracting to look at. Terence Spies, CTO of Voltage Security, said that on alerting, it is always hard to tell how many things you are getting alerted about that were false positives, or how you get that thing configured with event systems.
Stephen Bonner, partner in information protection and business resilience at KPMG, said that this is one of those “post the event” situations. “Do they have the resources to investigate? No. The question is how many alerts were there, how many were they dealing with? Saying that they should have dealt with them is not important – it is easy to get a passport to failure. If you are the guy having to make the decision in one tenth of a second, that’s a bit unfair,” he said.
“In your environment are you dealing with every alert? There is an odd world where we do like to blame the victim which I do not find constructive, and it encourages people not to share. One of the ways we will get better is if we share the details and learn from it. If we punish people for being open about their problems people will be less open and we will be at a worse stage.
“Having been an operational CISO I can assure you there are always more things to do than there is time. I always remember the most difficult decision you have to make is ‘no, I’m not going to worry about that’. You have to place your bets and use your judgement and you will make mistakes and they help you make bold decisions.”
Dave Lewis, secretary at (ISC)2, when asked about this blame culture, said that the CISO is often playing “javelin catcher”, where someone will throw it and they’ve got to be the one who catches it.
“We see the same thing with CIOs, the average lifespan is 18 months. For CISOs, they are the sacrificial lamb and if something goes wrong they are the ones who end up getting the gate,” he said.
Bonner said that blaming the victim is a bit unfair, and no one person can be held responsible until you know the true circumstances, such as how many alerts their tool base was generating and how many of them they dealt with.
“If there is any possibility of negligence, if they get one alert a year and spot it then that is not worrying, but if they get a million alerts a day and some might be of relevance, then there is no reason to blow snow.”
I shared emails with security researcher Conrad Constantine, who said he had been preaching a methodology around this for years, and it comes down to the capabilities off-the-shelf tools have for prioritising things.
Constantine said that nearly every tool is ‘business process ignorant’. He gave the example of ‘user bob123 logged into host sourcecontrol’: as bob123 is probably a developer, he logs in there every day, but if bob123 logged into host sourcecontrol from marketingdesktop01, now we have an issue!
He said: “It’s impossible for any security person to understand every last security threat out there at a technical level, yet we try to prioritise things based on one-size-fits-all technical signatures.
“My methodology is all centred on the idea of ‘start with what you (should!) know – your own business processes’ and identify what are the things that should never happen if your own business processes are being followed correctly. Look for those.”
As Constantine said, you are looking for anomalies. A term I heard a few years ago was “dashboards with chips”: are users overwhelmed with too many lights and alerts to watch? And the alert that a specific technology flagged at the US retail giant was the one that led to the clever exfiltration of around 70 million records.
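Constantine’s methodology, as an added example and not code from the article or from any vendor: encode the one business rule the text gives (developers reach sourcecontrol, and only from developer workstations) and let only violations of it reach the analyst. The log format, host names, account-to-group mapping and policy table are all constructed for the example.

```python
import re

# Log format assumed for this example (constructed, not from the article)
LOG_RE = re.compile(r"user=(?P<user>\S+) host=(?P<host>\S+) from=(?P<src>\S+)")

# Constructed business-process knowledge: the group each account belongs to,
# and for each (group, host) pair the source-host name prefixes the process
# normally uses. In practice this comes from the directory / CMDB.
GROUP_OF = {"bob123": "developers", "alice9": "developers", "carol": "marketing"}
POLICY = {
    ("developers", "sourcecontrol"): ("devws",),
    ("marketing", "crm"): ("marketingdesktop",),
}

def triage(log_lines):
    """Return (reason, line) only for logins that contradict a known process.
    Routine events produce nothing, so the queue holds only process violations."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a login record; other parsers would handle it
        user, host, src = m.group("user", "host", "src")
        group = GROUP_OF.get(user)
        if group is None:
            findings.append(("account belongs to no business group", line))
            continue
        allowed = POLICY.get((group, host))
        if allowed is None:
            findings.append((f"the {group} group has no process that reaches {host}", line))
        elif not src.startswith(allowed):
            findings.append((f"{host} reached from unexpected source {src}", line))
    return findings

# Constructed sample log: routine traffic plus the article's anomaly
SAMPLE_LOG = [
    "sshd: user=bob123 host=sourcecontrol from=devws04",
    "sshd: user=alice9 host=sourcecontrol from=devws11",
    "sshd: user=carol host=crm from=marketingdesktop01",
    "cron: nightly backup completed",
    "sshd: user=bob123 host=sourcecontrol from=marketingdesktop01",
    "sshd: user=carol host=sourcecontrol from=marketingdesktop01",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"ALERT {reason}: {line}")
```

Of six log lines, only the two that break a known process surface; the daily developer logins that a generic signature would also report are silent.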
Manoj Apte, senior vice president at Zscaler, said that too much time is spent on “silly malware” that should and could have been blocked by in-line devices. He said he had seen instances of a security operations centre team doing things they shouldn’t be bothered about while they were inundated with other things.
“Same with Target, and in-line security is not good enough as you will get so many alerts that it is impossible to figure out what is the more important part. That is what happens in every enterprise today,” he said.
“So getting analysis and continuous alerts is great, but if you get alerted for everything, like EICAR-level malware, or a known botnet or XSS vulnerability that Microsoft released a warning about, it makes the security operations centre’s world far worse. Your environment should identify it and block it and say it has blocked it, and focus on what is the biggest and most dangerous to avoid. Focus on the unknown and what the behavioural analysis says; everything we do is run through a sandbox to see what it is doing and trying to change, it all starts raising warning bells and we can investigate.”
This is useful advice but the issue persists – how could a security or IT manager see an intrusion reported and not act upon it? Of course Target’s team would not have known that the missed alert would turn into a breach that affected tens of millions of customer records, but should that have been dealt with?
Hopefully the departures of Steinhafel and Jacobs are not indicative of a trend of removing people because of the failures of technology and/or people, but it does seem that in this case there was a wider issue that needed to be addressed. If Target deems people “falling on the sword” to be the solution then so be it.