Lessons to be learned for every cloud-ified enterprise.

If the Equifax breach yesterday did not shake you to your core, I would really like to analyze your body and soul composition for specimen research purposes! For the rest of us, this should have really served as a wakeup call. Yeah – we may have shrugged off Yahoo, OPM, TJ Maxx, even Target! Why? Because while it may have been big – maybe even impacted some of us – it was not all-encompassing in terms of the depth and breadth of the breach. This one takes the cake as it exposes everything we have built painfully from our youth to our adult life in the US – SS numbers, past addresses, CC numbers, employment history – EVERYTHING! Anyway, this blog is not about that breach per se but more about how as consumers we reacted to it (if you have not, do it now) and then gets to the analogy of the enterprise of today.

Let’s start with the first step you as a wary customer would have taken a priori:

A credit monitoring service

For the uninitiated, this is a paid service offered by the credit monitoring agencies (as well as by other third-party providers) that claims to watch out for you: look for unusual behavior and suspicious transactions in unusual locations (Cayman Islands?) and alert you appropriately so you can take corrective action.

Post-breach

Remember Thursday, Sep 7, when this news broke – that is an example of post-breach reaction. Initiate a credit freeze – aka no access to your credit files by anyone (including yourself without a proper PIN). And possibly request a copy of your credit report to see any unusual transactions or accounts opened.

Hold your hands together and pray!

Yes, I am getting to the enterprise equivalent now.
For an enterprise, when a breach of such magnitude happens (note that I said when, not if), and their vital organs are on the street – customer information, financials, personnel records, tax documents – what recourse do they have? If that gives you pause to think, welcome to the party. There is technically not much they can do. Maybe check with their lawyers on how much insurance they have against class action lawsuits, have the hapless CEO create a YouTube video (much like the Equifax CEO did – quite a disaster IMO) falling on the sword, offer band-aids to their customers who need invasive surgery – frankly not much at all.

On second thought, let’s try to draw an analogy to the consumer actions and maybe there are some conclusions we can draw.

Pre-breach precautions

Like a credit-monitoring service on the consumer side, what can an enterprise do to stay ahead of the game?

Identify any unusual behavior

Yes, with SIEM tools and other alerting mechanisms this is a possibility. However, too often, with a one-size-fits-all approach, the information may be overwhelming, so there is a boomerang “dial back the alerts” reaction which leaves the enterprise vulnerable. All is not lost, however – newer technologies are emerging which take a much more ‘customized’ view of your world and baseline activity based on your reality before drawing any conclusions. Much like me going to the Cayman Islands monthly for discreet activities may be normal, but not for Mr. Sandoval. And this includes all the ‘high-risk’ users in an enterprise – privileged users across the Infrastructure, Platform and Software layers.

Identify all the ‘high-risk’ assets in an organization

This could be PII (personally identifiable information), customer transactions, health records etc. And having something that does it proactively, consistently and constantly is key.
And yes, encrypt all this data, keeping the keys separate with no single godfather administrator.

And finally, tying these two together by marrying unusual activity on critical assets is a good practice to keep tabs on.

Post-breach actions

Much like ‘initiating a credit freeze’ or ‘requesting a credit report’, there are some impactful steps an enterprise needs to take post-breach. Assuming that all of the hygiene described under the pre-breach precautions has been followed, this is fairly straightforward.

Revoke or re-key all your critical assets

Once a breach has been detected, a key revocation or a re-key action is usually a good first step: even if the hacker has access to your data (or some of it), proactively revoking the keys or initiating a new encryption action with a fresh set of keys renders any continued infiltration impotent. If they have made off with a copy of the records, the encryption should provide sufficient safeguards (yes, quantum computing is coming but we will deal with that challenge later). Think “credit freeze.”

Detailed forensic logs review

Look at any critical actions taken on infrastructure or the other layers and how each action may have changed the environment, and draw conclusions from the same. This is painful and time consuming but is a necessary step to identify, mitigate and educate. Think of it as “requesting your credit report”…

So there you have it! Much like any hapless consumer of the Equifax breach (yours truly) feels outraged and violated, that same feeling will hit the enterprise with multiplicative force, and the guidelines above should serve as a wake-up call to sit up, take notice and act with gusto.
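To make the pre-breach guidance concrete (a per-user baseline instead of a one-size-fits-all rule, tied back to the critical-asset inventory), here is an added Python example; it is not from the original column or from any product, and the access history, the critical-asset list and the 20% rarity threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample history of (user, country, asset) events. Not real data.
HISTORY = [
    ("ashwin", "US", "wiki"), ("ashwin", "KY", "crm"), ("ashwin", "KY", "wiki"),
    ("ashwin", "US", "crm"), ("ashwin", "KY", "crm"),
    ("sandoval", "US", "crm"), ("sandoval", "US", "wiki"),
    ("sandoval", "US", "crm"), ("sandoval", "US", "hr_records"),
]
# Assumed critical-asset inventory (PII, customer transactions, health records).
CRITICAL_ASSETS = {"crm", "hr_records"}
RARE_SHARE = 0.2  # a location seen in <20% of a user's own history is unusual

def build_baseline(events):
    """Per-user count of countries seen in the historical events."""
    baseline = defaultdict(Counter)
    for user, country, _asset in events:
        baseline[user][country] += 1
    return baseline

def one_size_fits_all(country):
    """The blunt rule the column warns about: any non-US access is suspicious."""
    return country != "US"

def score_event(baseline, user, country, asset):
    """Score one new event against the user's own baseline.

    Returns 'normal', 'low' (unusual location, ordinary asset) or
    'high' (unusual location touching a critical asset)."""
    seen = baseline.get(user)
    if not seen:  # never-seen user: no baseline at all, so treat as unusual
        share = 0.0
    else:
        share = seen[country] / sum(seen.values())
    if share >= RARE_SHARE:
        return "normal"
    return "high" if asset in CRITICAL_ASSETS else "low"

def triage(baseline, events):
    """Return only the events worth a human's attention, highest risk first."""
    scored = [(score_event(baseline, u, c, a), u, c, a) for u, c, a in events]
    order = {"high": 0, "low": 1}
    return sorted((s for s in scored if s[0] != "normal"), key=lambda s: order[s[0]])

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    new = [("ashwin", "KY", "crm"), ("sandoval", "KY", "wiki"), ("sandoval", "KY", "crm")]
    print("blunt rule flags:", [e for e in new if one_size_fits_all(e[1])])
    print("baseline triage:", triage(base, new))
```

The blunt rule flags all three new events, including the author's routine Cayman trip; the per-user baseline flags only Mr. Sandoval, and ranks his touch on the CRM above his wiki visit.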