Don’t count on people to prevent data breaches

Apr 24, 2015 | 6 min read
Data Breach

As malware gets more sophisticated and hostile, columnist Rob Enderle says we can’t always count on people to do the right thing. He offers his plan to deal with the weak link.

Your company has been breached and your executives are in denial.

That is the phrase that came to mind the other day during breakfast at RSA with Intel’s security organization, where I overheard the following story. My ears perked up when I heard the words “spear phishing,” which were key to a personal story being told by one of the Intel executives. Spear phishing is an attack that specifically targets an individual in the firm in order to steal their credentials and/or compromise their hardware.

Apparently, the Intel exec received an email with a PDF document from an alleged Chinese graduate student. The email contained personal information about the graduate program the executive had been in and enough detail about the school that it looked legitimate. It requested that he review the attached dissertation in PDF form. The PDF itself didn’t trigger any alarms and looked harmless, but instead of opening it he sent it down to the McAfee lab to see if it was hostile.

It was, and according to the lab it contained multiple instances of never-before-seen malware. In other words, not only had they spear phished the executive, they had designed a package that was unique so that signature-based malware detection wouldn’t see it as hostile. We were warned years ago that PDFs were particularly dangerous, but even with the interim patches the danger, based on this event, hasn’t been mitigated.

What I find particularly scary is that the malware was coded specifically to go after a security firm executive. Security firm executives are attractive targets because, if they are compromised, the information gained may provide a key to getting access to all of their clients.

We can’t depend on people doing the right thing

In this instance the executive did the right thing, but how many of his peers, in his firm or another, received some variation of this attachment? And the bigger question: how many of them opened their own personalized attachment and, as a result, how many security firms are now compromised?

We know our kids’ computers are likely compromised, and since their gear and our own PCs often reside on the same home network, our systems could become compromised too. We could then become carriers when we ignorantly bring these systems back into the office. Granted, if we are smart these machines are scanned before being allowed onto the network, but scans often can’t identify unique malware written specifically for one or more individual employees.

We know our own executives aren’t that smart so the odds that we are breached just got dangerously close to certain.

The ‘Golden Hour’

The Intel folks were talking about “the Golden Hour,” the window between when a breach occurs and when you need to have it identified and mitigated. One of the other folks at the table pointed out that major banks are being driven to make instantaneous funds transfers, which means that the typical one-to-five-day grace period that allowed the banks to look into a transaction will soon be gone, and that Nigerian prince who is so generous with his fake money is about to be very rich with yours.

If we start from the assumption that we have already been breached, we would approach security very differently. Right now our focus is basically on prevention, but that clearly isn’t working. If you know a hostile entity is already operating inside the company, you focus more on aggressive identification (McAfee SIEM), response (Invotas), and better securing the information itself (Varonis).

Or put differently, if burglars are already in your home it is too late to put stronger locks on the doors. Instead you focus on hiding your valuables and coming up with a way to get the burglars to leave.

Same thing here: if we accept that we’ve been compromised, we make sure our intellectual property can’t go anyplace we don’t want it to go, and then we focus on finding and eliminating the illegal access.

SIEM (Security Information and Event Management) technology wrapped up under a universal console (what Intel/McAfee is providing), tied to an automated response system (what Invotas provides), gives you a “kick them out” weapon. Having your IP protected by Varonis buys you the time to execute before your valuables make their way out of the building.

The best data breach defense involves 3 layers of protection

While I know Sony has deployed some of these tools after their breach, I haven’t yet found anyone that has deployed this specific mix. I think you need all three components, SIEM, Automated Threat Response and Automated Unstructured Data Protection, to make sure you have both the time and the means to mitigate a breach in progress.

The vendors I highlighted (McAfee, Invotas, and Varonis) were selected because they are the ones I’m familiar with, and sometimes work with, and they would be a good place to start. I picked McAfee because of their Intel connection and the related strategy change focusing them on interoperation; Invotas because they seem the most aggressive in threat response; and Varonis because they are currently the best at unstructured data protection. However, the ideal mix will likely have as much to do with how well the individual components (particularly the first two) interoperate.

In the next few weeks I’m going to try to look for someone that has deployed this mix of capabilities and report back on what an actual ideal product mix would be.

Until then, you may want to remind all of your executives and IT folks to avoid opening attachments from anyone they don’t know, or that they weren’t already expecting (in case the person they know was spoofed), on anything but an isolated, sandboxed PC, unless they want to be infamous inside the firm.

And if they’ve already opened an attachment (particularly a PDF) they weren’t expecting, the attachment should be sent to your security team for evaluation. If it was safe, good; if not, the security folks need to immediately start the process of mitigating the damage and making sure this event is isolated and won’t recur.
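The lab's point about never-before-seen malware is that signature scanning cannot help with a one-off sample, so a first-pass evaluation of a suspicious PDF has to look at what the file is built to do rather than whether it has been seen before. The script below is an added example, not code from the column, Intel or McAfee: it performs a static triage of a PDF attachment by counting the name tokens that carry active content (JavaScript, open-time actions, launch actions, embedded files) and decodes PDF name hex escapes first so that a trivially obfuscated `/Java#53cript` is not missed. The two sample PDFs and the risk list are constructed for the example.

```python
import re
from typing import Dict

# Constructed sample: a minimal one-page PDF with no actions or scripts.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton plus an /OpenAction that points at a
# JavaScript action whose /S name is hex-escaped (/Java#53cript) to dodge a
# naive keyword search. The script body itself is an inert placeholder.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /Java#53cript /JS (noop) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name tokens that introduce active or embedded content. Their presence is
# not proof of malice (forms and legitimate attachments use some of them), but
# any of them is reason to send the file to the security team rather than open it.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action body",
    b"/OpenAction": "action executed when the document opens",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launch-application action",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "embedded rich media (Flash)",
    b"/XFA": "XFA form (scriptable)",
}


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes (#XX) so obfuscated names match the risk list."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> Dict[str, int]:
    """Count each risky name that appears as a complete name token."""
    norm = normalize_names(data)
    counts: Dict[str, int] = {}
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS does not match /JSx.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, norm))
        if n:
            counts[name.decode()] = n
    return counts


def triage(data: bytes) -> dict:
    """Return a verdict plus the findings an analyst should look at first."""
    if not data.startswith(b"%PDF"):
        return {"verdict": "not-a-pdf", "findings": {}, "reasons": []}
    counts = count_risky_names(data)
    verdict = "review" if counts else "no-active-content"
    reasons = [f"{k} x{v}: {RISKY_NAMES[k.encode()]}" for k, v in counts.items()]
    return {"verdict": verdict, "findings": counts, "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        result = triage(sample)
        print(label, result["verdict"], *result["reasons"], sep="\n  ")
```

Run it against a real attachment with `triage(open(path, "rb").read())`. A "review" verdict is a routing decision, not a conviction: the file goes to the lab or a sandbox, as the executive in the story did. The scan works on the raw bytes only, so names hidden inside compressed object streams (`/ObjStm` with `/FlateDecode`) or an encrypted document will not be seen; a fuller triage tool inflates those streams before counting, and a file that cannot be inspected at all should be treated as "review" for that reason alone.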

I have a feeling this is a bad decade to be a CSO.


Rob Enderle is president and principal analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With more than 25 years’ experience in emerging technologies, he provides regional and global companies with guidance on how to better target customer needs with new and existing products; create new business opportunities; anticipate technology changes; select vendors and products; and identify the best marketing strategies and tactics.

In addition to IDG, Rob currently writes for USA Herald, TechNewsWorld, IT Business Edge, TechSpective, TMCnet and TGdaily. Rob trained as a TV anchor and appears regularly on Compass Radio Networks, WOC, CNBC, NPR, and Fox Business.

Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group. While there he worked for and with companies like Microsoft, HP, IBM, Dell, Toshiba, Gateway, Sony, USAA, Texas Instruments, AMD, Intel, Credit Suisse First Boston, GM, Ford, and Siemens.

Before Giga, Rob was with Dataquest covering client/server software, where he became one of the most widely publicized technology analysts in the world and was an anchor for CNET. Before Dataquest, Rob worked in IBM’s executive resource program, where he managed or reviewed projects and people in Finance, Internal Audit, Competitive Analysis, Marketing, Security, and Planning.

Rob holds an AA in Merchandising, a BS in Business, and an MBA, and he sits on the advisory councils for a variety of technology companies.

Rob’s hobbies include sporting clays, PC modding, science fiction, home automation, and computer gaming.

The opinions expressed in this blog are those of Rob Enderle and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
