BreachExchange mailing list archives

Be Careful Beating Up Target


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Apr 2014 17:05:12 -0600

http://www.darkreading.com/attacks-breaches/be-careful-beating-up-target-/d/d-id/1127839

A flurry of stories surfaced recently, including those in Bloomberg
BusinessWeek and InformationWeek, highlighting signals of compromise that
Target apparently "missed" or even "ignored," resulting in the theft of 40
million credit card accounts. Clearly the Target breach was serious and
wide-ranging, as it affected a large number of customers and even hit
Target's fourth-quarter revenue and earnings.

Before we get carried away with all that Target could or should have done
to prevent its breach, we should examine all that was done and take a
closer look at just how different Target's preparation and response were
from those of almost any other Global 1000 firm. What we'll find is that
Target was actually better prepared than the vast majority of its peers
across all industries, leading to the clear conclusion that the problem
lies not with Target, but with the current state of threat intelligence and
IR (incident response).

First, Target did a lot of things right. It had dedicated security and IR
teams using multiple advanced tools; according to Congressional testimony
by Target's CFO, the retailer "...spent hundreds of millions of dollars
protecting... data and employed more than 300 people on the issue." This was
an investment relatively few entities can match.

As with any breach, Target had some missteps and vulnerabilities. First,
management was apparently unwilling to move to new, more secure
smart-chip-based card systems common in Europe, due to cost concerns.
Second, the retailer is alleged to have ignored pleas by its security team
to do a more thorough review of its payment system -- likely in part due to
the timing of the request, coming a short time before the critical
post-Thanksgiving shopping season. Third, many have criticized Target's
failure to wall-off its payment systems from the rest of its corporate
network, through which hackers were able to gain access to payment details.

But were Target's security posture and IR process really that much different
from those of other large corporate and government entities? As The Wall
Street Journal points out, "The sheer volume of warnings retailers receive
makes it hard to know which to take seriously." But this dynamic is not
unique to retailers: Every corporate and government entity today receives
more alerts than they can handle -- even with sophisticated anti-malware
systems and hundreds of employees dedicated solely to security. It's the
downside to big data: Too much information in a cybersecurity context can
be, and often is, harmful.

Exacerbating this situation is the incredibly manual, ad hoc nature of
today's IR. An entity like Target likely gets hundreds if not thousands of
alerts every day, from myriad systems, including anti-malware tools (e.g.,
FireEye), next-gen firewalls (e.g., Palo Alto Networks), and SIEMs (e.g.,
ArcSight, Splunk, etc.) to name just a few. Alerts aren't correlated
with one another or typically checked against known good lists, bad lists,
or indicators of compromise (IoCs), similar to criminal "watch lists" of
mug shots with fingerprints and rap sheets. Each alert typically has
minimal detail, is not confirmed against the system(s) in question, and is
not prioritized. Thus alerts tell a security analyst very little and all
look alike... yet they must be investigated to at least a minimal degree.

Worse yet, gathering even minimal investigative details requires an
entirely manual process: Security analysts must manually compare the alert
against IoCs, access the system(s) in question, manually confirm that the
alert is real (i.e., the system in question is in fact compromised) by
grabbing data from the system in question, and then manually comparing this
evidence to other bits of data from completely different systems before
forming a judgment as to the veracity and severity of the alert.

For an entity like Target, this manual, error-prone process is replicated
hundreds if not thousands of times each day, each a largely separate
investigation. While hackers need only slip through once to wreak their
havoc, Target must be right 100 percent of the time.

The issue isn't Target's security team or investment in tools, but rather
the current state of the threat intelligence and IR practices as employed
by Target and virtually all enterprises and government entities globally.
These IR practices can be summed up in two words: un-integrated and manual.
Until both are fixed with more integrated and automated approaches, we will
find ourselves continuing to wonder why firms like Target "missed" or
"ignored" alarm bells.
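The manual triage loop the article describes (check each alert against bad lists, good lists and IoCs, then tie evidence from different tools together before judging severity) is exactly what an integrated pipeline can automate. The block below is an added example, not code from the article or from any vendor named in it: the three alert shapes, the indicator values, the host names and the scoring weights are all constructed for illustration. It normalizes alerts from an anti-malware tool, a firewall and a SIEM into one schema, enriches each against IoC and known-good lists, clusters the survivors by host within a time window, and returns a queue ordered by how many independent sources and watch-list hits back each cluster.

```python
"""Cross-source alert enrichment and correlation (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch lists; these are documentation-range addresses and a
# made-up hash, not real indicators.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_HASHES = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
KNOWN_GOOD_IPS = {"192.0.2.10"}  # e.g. the internal patch server

# Constructed alerts, each in its tool's own native field names.
AV_ALERTS = [
    {"host": "pos-0412", "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "verdict": "suspicious", "time": "2014-11-30T02:14:00"},
    {"host": "hr-ws-17", "sha256": "aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666000077778888",
     "verdict": "suspicious", "time": "2014-11-30T09:05:00"},
]
FW_ALERTS = [
    {"src": "10.20.4.12", "hostname": "pos-0412", "dst": "203.0.113.45", "ts": "2014-11-30T02:20:00"},
    {"src": "10.20.9.3", "hostname": "fin-ws-02", "dst": "192.0.2.10", "ts": "2014-11-30T03:00:00"},
]
SIEM_ALERTS = [
    {"asset": "pos-0412", "rule": "new-service-installed", "when": "2014-11-30T02:12:00"},
]


def normalize(av_alerts, fw_alerts, siem_alerts):
    """Map each tool's fields onto one schema: source, host, when, indicators, base score."""
    alerts = []
    for a in av_alerts:
        alerts.append({"source": "antimalware", "host": a["host"],
                       "when": datetime.fromisoformat(a["time"]),
                       "indicators": {a["sha256"]}, "base": 2})
    for f in fw_alerts:
        alerts.append({"source": "firewall", "host": f["hostname"],
                       "when": datetime.fromisoformat(f["ts"]),
                       "indicators": {f["dst"]}, "base": 1})
    for s in siem_alerts:
        alerts.append({"source": "siem", "host": s["asset"],
                       "when": datetime.fromisoformat(s["when"]),
                       "indicators": set(), "base": 1})
    return alerts


def enrich(alert):
    """Tag the alert with watch-list hits; suppress it only if every indicator is known-good."""
    bad = alert["indicators"] & (IOC_IPS | IOC_HASHES)
    good = alert["indicators"] & KNOWN_GOOD_IPS
    alert["ioc_hits"] = bad
    # A bad-list hit always wins over an allowlist entry.
    alert["suppressed"] = bool(good) and not bad and alert["indicators"] <= KNOWN_GOOD_IPS
    return alert


def score_cluster(host, cluster):
    """Weight: base severity, +3 per distinct IoC hit, +2 per additional independent source."""
    sources = {a["source"] for a in cluster}
    hits = set().union(*(a["ioc_hits"] for a in cluster))
    total = sum(a["base"] for a in cluster) + 3 * len(hits) + 2 * (len(sources) - 1)
    return {"host": host, "sources": sources, "ioc_hits": hits,
            "alerts": len(cluster), "score": total}


def correlate(alerts, window=timedelta(hours=24)):
    """Cluster unsuppressed alerts per host whose timestamps fall within `window`."""
    by_host = defaultdict(list)
    for a in alerts:
        if not a["suppressed"]:
            by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["when"])
        cluster = [items[0]]
        for a in items[1:]:
            if a["when"] - cluster[0]["when"] <= window:
                cluster.append(a)
            else:
                incidents.append(score_cluster(host, cluster))
                cluster = [a]
        incidents.append(score_cluster(host, cluster))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage(av_alerts, fw_alerts, siem_alerts):
    """Return (prioritized incident queue, alerts suppressed by the known-good list)."""
    alerts = [enrich(a) for a in normalize(av_alerts, fw_alerts, siem_alerts)]
    return correlate(alerts), [a for a in alerts if a["suppressed"]]


if __name__ == "__main__":
    queue, dropped = triage(AV_ALERTS, FW_ALERTS, SIEM_ALERTS)
    for inc in queue:
        print(inc["score"], inc["host"], sorted(inc["sources"]), sorted(inc["ioc_hits"]))
    print("suppressed:", [a["host"] for a in dropped])
```

With the constructed input, the point-of-sale host that tripped all three tools and matched two indicators lands at the top of the queue, the lone anti-malware alert with no watch-list hit sits below it, and the firewall alert to the patch server never reaches an analyst. The weights are arbitrary; what matters is that the ordering comes from corroboration across sources and against intelligence rather than from whichever tool happened to fire last.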
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 