You can’t always Stop the Breach - but you should always be able to Spot the Breach

One year on from the debacle of Target’s security breach and has anything really changed? Despite the weeks of forensic analysis and the astronomical cost incurred by the company, retailer after retailer is still falling foul of the same form of malware attack. So just what is going wrong?


The reality is that there is never going to be a 100% guarantee of security – and with today’s carefully focused zero day attacks, the continued reliance on prevention rather than cure is clearly not working. Organisations are blithely continuing day to day operations while an attack is in progress because they are simply not spotting the breaches as they occur.

As Mark Kedgley, CTO, New Net Technologies says, if an organisation wants to maintain security and minimise the financial fallout of these attacks, the emphasis has to change. Accept it: with a prevention-only approach, the chances of stopping every breach are slim at best. Instead, with non-stop, continuous visibility of what is going on in the IT estate, an organisation can at least spot the unusual changes that may represent a breach in real time and take action before it is too late.

Same Again

It is a year since Target failed to spot a piece of malware and lost the personal information of over 70 million customers and over 40 million payment card numbers. In that time, the industry has debated and discussed; forensic analysis has taken place; and security experts across the board have had their say. So why are retailers still falling prey to the same problem? Kmart, Staples, Home Depot, the list continues – all of these companies have left exactly the same holes in their systems; and the hackers have helped themselves.

The cost of a security breach to these retailers has been huge – and continues far beyond the initial fallout. Target, for example, is offering free shipping over Christmas 2014 in a bid to rebuild relationships with consumers still wary after the Thanksgiving 2013 event – all on top of the estimated clean-up costs running into hundreds of millions of dollars.

These are clearly major, business-damaging events. Yet the response from the breached retailers has been a metaphorical shrug of the shoulders and a ‘what can we do?’ attitude – with one CIO stating that the reason for a breach which, again, affected customer records and card numbers was that the AV software didn’t pick it up. How is that a valid excuse? Tell that to the customer who has to deal with fraud on his credit card, or the shareholder watching his investment value plummet.

New Model

This is clearly not good enough. It is also somewhat disingenuous. Simply blaming the AV software is a poor excuse when there are proven ways of preventing such breaches from escalating. So why are customers, regulators and shareholders not holding retailers to account and forcing the industry to take a different approach?

The reality is that these breaches could and should have been detected in near real time. Post-event analysis reveals that these Trojan attacks leave plenty of clues: the creation of new system files, services, registry keys and values. And yet the attacks continued unnoticed for weeks – two and a half weeks in the case of Target.

How on earth did this attack go unnoticed for so long? Because Target, like the majority of retailers, works on the outdated ‘stop the breach’ approach, relying on a combination of AV, firewall and routine vulnerability scanning to safeguard the IT estate. Or not.

Vulnerability scanning technology has its merits, but it also has clear limitations. Firstly, it is extremely resource intensive because it inspects the entire file system on every scan and then compares the results with the previous baseline. This process takes time and affects system performance, which means retailers can only run the scans overnight and, in reality, for any large retail environment, that means scans on each server probably only occur once every two to four weeks – hence the two and a half weeks the Target hackers went about their business unchallenged.

The other problem is that in today’s continually changing retail IT environment there is simply too much noise and too much change activity to undertake any sensible analysis. The result? Retailers continue to get breached even if they are running the best vulnerability scanner on the market.

Real Time Visibility

So what is the alternative? Clearly it would make far better security sense to be continually scanning for breaches – but vulnerability scanning is just too inefficient, too resource intensive and will never be the real-time breach detection solution needed. In contrast, real-time, continuous change detection with File Integrity Monitoring (FIM) is a low-resource activity that can be run all the time and hence detect and alert on breach activity within seconds of an incident.

The key difference is that, unlike the vulnerability scanner, this approach takes a one-time baseline of all files’ configurable attributes – including registry settings, installed software, running processes and services, user accounts, and security and audit policy, all the attributes that will reflect breach activity – and from then on tracks only the changes, which requires minimal resources. The result is continuous, real-time breach detection without the resource overhead and stop-start operation of the scanner. To put it into context, with this approach the changes made by the malware at Target would have been picked up within minutes – enabling the company to investigate and save its reputation and bottom line.

In addition, the process is continually learning and improving. The initial baseline scan typically reveals all sorts of unexpected and unknown activity; once this is understood to be acceptable and legitimate the FIM policy can be improved, providing greater focus on the unusual and irregular activities more likely to indicate a breach. It is a process of continual improvement alongside continual breach detection.
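The two ideas above – a one-time baseline of file attributes with only changes reported afterwards, and a policy that is tuned once the legitimate changes revealed by the first baseline are understood – can be shown in a few dozen lines. The following is an added illustration written for this page, not NNT’s product code or any real FIM agent. It assumes a directory tree on local disk, fingerprints regular files by SHA-256, size and permission bits, diffs two snapshots into added/removed/modified events, and then splits those events into alerts and policy-accepted changes. The file names, contents and the policy rule are constructed for the demonstration. A production agent would receive change notifications from the operating system rather than re-walking the tree, and would apply the same diff logic to registry, service and user-account inventories; only the file case is shown here.

```python
"""Minimal file-integrity monitor: baseline once, then report only changes,
with a policy of expected changes learned from reviewing the baseline."""
import fnmatch
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes that breach activity tends to alter: content hash, size, mode."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def take_snapshot(root: Path) -> dict:
    """Walk the tree and record one fingerprint per regular file (symlinks skipped)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            snap[p.relative_to(root).as_posix()] = fingerprint(p)
    return snap


def detect_changes(baseline: dict, current: dict) -> list:
    """Diff two snapshots into (kind, relative_path, changed_attributes) events."""
    events = []
    for rel in sorted(baseline.keys() | current.keys()):
        if rel not in baseline:
            events.append(("added", rel, ()))
        elif rel not in current:
            events.append(("removed", rel, ()))
        else:
            changed = tuple(k for k in baseline[rel]
                            if baseline[rel][k] != current[rel][k])
            if changed:
                events.append(("modified", rel, changed))
    return events


def apply_policy(events: list, expected: list) -> tuple:
    """Split events into alerts and changes the policy already accepts.

    expected: (kind, glob) pairs recorded after the baseline review showed
    that this kind of change on these paths is legitimate and routine."""
    alerts, suppressed = [], []
    for ev in events:
        kind, rel, _ = ev
        if any(kind == k and fnmatch.fnmatch(rel, g) for k, g in expected):
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed


def demo() -> tuple:
    """Constructed scenario in a temporary directory: routine log growth
    (accepted by policy) next to an unknown new binary and an edited config
    (both alerted). Returns (alerts, suppressed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "etc", "logs"):
            (root / d).mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"constructed sample binary")
        (root / "etc" / "pos.conf").write_text("server=pos.example.invalid\n")
        (root / "logs" / "app.log").write_text("started\n")

        baseline = take_snapshot(root)
        # Learned during baseline review: application logs grow all day.
        expected = [("modified", "logs/*.log")]

        # Later activity on the host (constructed).
        with (root / "logs" / "app.log").open("a") as f:
            f.write("sale ok\n")
        (root / "bin" / "unknown.exe").write_bytes(b"constructed unexpected file")
        (root / "etc" / "pos.conf").write_text("server=changed.example.invalid\n")

        events = detect_changes(baseline, take_snapshot(root))
        return apply_policy(events, expected)


if __name__ == "__main__":
    alerts, suppressed = demo()
    for kind, rel, attrs in alerts:
        print(f"ALERT    {kind:<8} {rel} {attrs}")
    for kind, rel, attrs in suppressed:
        print(f"accepted {kind:<8} {rel} {attrs}")
```

Running the script prints one accepted event for the log file and two alerts: the new file under `bin/` and the changed hash of the configuration file. The point of `apply_policy` is the continual-improvement loop described above: the rule list starts empty, the first baseline review shows which recurring changes are legitimate, and each rule added narrows the alerts to the irregular activity that actually deserves investigation.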

Conclusion

The security world is preoccupied with the idea of stopping breaches – and yet the evidence reveals that this clearly is not working. Modern IT environments don’t conform to security best practices – lots of changes are being made, not always in the best interest of maintaining security. Even in a well-run and secure estate, breaches are still happening through phishing, zero-day malware and insider attacks.

It is time to stop pretending that current security policies can stop any breach from working its way into key systems. It is time to find a new model that gives retailers – and their customers – a better way of responding to the continually evolving security threat. And that has to be better breach detection capabilities. It is only by spotting the breach in time that an organisation has any chance of effectively managing it. Fingers crossed that it will be stopped is just not good enough.