Why smart security leaders are using the Target breach to change their approach to detection

Two months after the Target data breach, emphasis remains on prevention. The smart security leaders are improving detection. Here are some insights on making the pivot.

Security is largely a game of defense. It means investing time and energy into preventing bad things from happening. Getting it right means making choices to address known, likely events. And then hoping.

Last year, attacking the memory of point of sale (POS) terminals was considered too “complex and sophisticated.” Target, Neiman Marcus, and others are proof that it’s possible.

Does that mean it's time to focus on this as a known, likely attack?

According to Ron Gula, CEO of Tenable Network Security, we should. He explained, "Attackers follow the money. POS systems have been targets a lot in the news. There have been skimmers and wifi attacks for the past several years against POS systems."

With warnings of more attacks of the same style, the more important question is what, if anything, have you done about it?

Shifting perspective: the importance of detection

Since writing Into the Breach, my perspective is shifting a bit (read it here). Overlooked on the upside of the Target breach (here) was the speed of the detection. It appears that detection was external.

What about internal detection?

The risk of attacking the RAM on POS terminals is at least four years old. More imminent threats surfaced in the last six months. That means internal detection was possible.

As "fast" as the external detection was, internal strikes me as a quicker -- and therefore less expensive and embarrassing approach. Even if you weren't looking for it before, there is no excuse to ignore it now.

To ease the process, Ron Gula recently posted insights on how to tune detection systems to look for indicators of compromise of the POS terminals (it's a technical read, but packed with insight here). 

Is detection just for the big guys?

In the wake of large company breaches, smaller organizations falsely conclude their lower profile puts them at less risk.

Ron Gula disagrees and explains that "Every retailer should be concerned. All POS systems are on networks. Anyone on these private POS networks could implant malware or could make a mistake and hook these devices up to the Internet." 

Ron also pointed out that "'Mom and Pop' shops are also likely to have malware" due to a reliance on insecure Windows systems connected to the Internet."

That means that larger shops need to evaluate the tools and techniques to make sure the right information is captured, analyzed and acted on. Smaller shops can either leverage tools like Nessus or work with practitioners that do.

Allocating attention and resources to detection could make the difference. Use the lessons of others to guide the strategy and investment in your detection capabilities.

Two actionable lessons from Target and Neiman Marcus

Smart security leaders are using the recent breaches to start discussions and ensure their programs are able to handle:

  • POS RAM attacks: we now have evidence that attackers are exploiting this successfully. And no, chip and PIN would not have prevented this sort of attack (link to my article). Are you now looking for this sort of attack? 
  • Passwords/access from systems: instead of focusing on questioning how it happened, consider, instead, how to detect this sort of attack? Ask your team what they would do if discovered early. It might take some work to get those answers squared away.

Action starts with a conversation

An important first step is to have this conversation with your executives and the team responsible for monitoring. Include the team responsible for response, too. Engage in regular, meaningful dialog based on evidence. Retail not your thing? The alleged method of compromise through connected systems applies to all organizations.

As part of the approach,  make sure you’re monitoring at least two things:

  • What we’re learning about: attack vectors from public breaches and if you're prepared to detect (and respond) to them
  • What you’re worried about: either because it’s high value, or because you realize it’s a vector that hasn’t been addressed yet through prevention

In addition to your own efforts (if any), rely on the resources of the industry. Tenable and others routinely share research and insights. Just remember that's the starting point.

Breaches are part of our fabric now. While prevention remains important, faster detection with the right response is essential.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies