Don’t count on people to prevent data breaches

Your company has been breached and your executives are in denial.

That is the phrase that came to mind the other day during breakfast at RSA with Intel’s security organization where I overheard the following story. My ears perked up when I heard the word “spearfishing,” which was key to a personal story being told by one of the Intel executives. Spearfishing is when an attack specifically targets someone in the firm in order to steal their credentials and/or compromise their hardware.  

Apparently, the Intel exec received an email with a PDF document from an alleged Chinese graduate student. The email contained personal information on the graduate program the executive had been in and enough personal information about the school that it looked legitimate. It requested he review the attached dissertation in PDF form. The PDF itself didn’t trigger any alarms and looked harmless but instead of opening it he sent it down to the McAfee lab to see if it was hostile.  

It was and, according to the lab, it contained multiple instances of never-before-seen malware. In other words, not only had they spearfished the executive, they had designed a package that was unique so that malware detection systems wouldn’t see it as hostile. We were warned years ago that PDFs were particularly dangerous, but even with the interim patches the danger, based on this event, hasn’t been mitigated.

What I find particularly scary is that the malware was coded specifically to go after a security firm executive. Security firm executives are attractive because if they are compromised the information gained may provide a key to getting access to all of their clients.  

We can’t depend on people doing the right thing

In this instance the executive did the right thing, but how many of his peers in his firm or another received some variation of this attachment? And the bigger question, how many of them opened their own personalized attachment and, as a result, how many security firms are now compromised?

We know our kids’ computers are likely compromised, and since both our PCs and gear often resides on the same networks our systems could become compromised. We could then become carriers when we ignorantly carry these systems back into the office.   Granted, if we are smart these machines are scanned before being allowed onto the network, but scans often can’t identify unique malware specifically written for one or more individual employees.  

We know our own executives aren’t that smart so the odds that we are breached just got dangerously close to certain.

The ‘Golden Hour’

The Intel folks were talking about “the Golden Hour,” or the time you have between when a breach occurs and you need to have it identified and mitigated. One of the other folks at the table was talking about the fact that major banks are being driven to make instantaneous funds transfers, which means that the typical one to five day grace period that allowed the banks to look into a transaction will soon be gone and that Nigerian prince that is so generous with his fake money is about to be very rich with yours.  

If we think about this idea of already being breached we would approach security very differently. Right now are focus is basically on prevention, but that clearly isn’t working.   If you know a hostile entity is already operating inside the company you focus more on aggressive identification (McAfee SIEM) and response (Invotas) and securing the information itself better (Varonis).

Or put differently, if burglars are already in your home it is too late to put stronger locks on the doors. Instead you focus on hiding your valuables and coming up with a way to get the burglars to leave.

Same thing here, if we accept that we’ve been compromised we make sure our intellectual property can’t go anyplace we don’t want it to go and then we focus on finding and eliminating this illegal access.  

SIEM (Security Information and Event Management) technology wrapped up under a universal console (what Intel/MacAfee is providing), tied to an automated response system, which is what Invotas provides gives you a “kick them out” weapon, along with having your IP protected by Varonis gives you time to execute before your valuables make their way out of the building.  

The best data breach defense involves 3 layers of protection

While I know Sony has deployed some of these tools after their breach I haven’t yet found anyone that has deployed this specific mix. I think you need all three components: SIEM, Automated Threat Response and Automated Unstructured Data Protection in order to make sure you have time to and can mitigate a breach in progress.  

The vendors I highlighted were selected because they are the ones I’m familiar and sometimes work with and would be a good place to start (McAfee, Invotas, and Varonis). I picked McAfee because of their Intel connection and the related strategy change focusing them on interoperation; Invotas because they seem the most aggressive in threat response; and Varonis because they are currently the best at unstructured data protection. However, the ideal mix will likely have as much to do with how well the individual components (particularly the first two) interoperate.

In the next few weeks I’m going to try to look for someone that has deployed this mix of capabilities and report back on what an actual ideal product mix would be.

Until then, you may want to remind all of your executives and IT folks to avoid opening attachments from anyone they don’t know, or that they weren’t already expecting (in case that person they know was spoofed) on anything but an isolated sandboxed PC unless they want to be infamous inside the firm.

And if they’ve already opened an attachment (particularly a PDF) they weren’t expecting the attachment should be sent to your security team for evaluation. If it was safe, good, if not, the security folks need to immediately start the process of mitigating the damage and making sure this event is isolated and won’t recur.  

I have a feeling this is a bad decade to be a CSO.