It is a year since Target failed to spot a piece of malware and lost the personal information of over 70 million customers and over 40 million payment card numbers. In that time, the industry has debated and discussed the major issues, forensic investigations have taken place, and security experts across the board have had their say. So why are retailers still falling prey to the same problem? Kmart, Staples, Home Depot – the list goes on. All of these companies have left exactly the same holes in their systems, and the hackers have helped themselves.
The cost of a security breach to these retailers has been huge and reaches far beyond the initial fallout. Target, for example, is offering free shipping over Christmas 2014 in a bid to rebuild relationships with consumers still wary after the Thanksgiving 2013 event – all on top of the estimated clean-up costs running into hundreds of millions of dollars.
These are patently major business-damaging events. Yet the response from the breached retailers has been a metaphorical shrug of the shoulders and a ‘what can we do?’ attitude, with one CIO stating that the reason for a breach was that AV software didn’t pick it up. How is that a valid excuse? Tell that to the customer who has to deal with fraud on his credit card or the shareholder who is forced to watch his investment value plummet.
New Model
This is plainly not good enough. And it is also somewhat disingenuous. Simply blaming AV software is a poor excuse when there are proven ways of preventing such breaches from escalating. So why are customers, regulators and shareholders not holding retailers to account and forcing the industry to take a different approach?
The bottom line is that these breaches could and should have been detected in near real time. Post-event analysis reveals that these Trojan attacks leave plenty of clues, such as the creation of new system files, new services and registry changes. And yet the attacks continued unnoticed for weeks – two and a half weeks in the case of Target.
How on earth did this incursion go unnoticed for so long? Because Target, like the majority of retailers, works from the outdated ‘stop the breach’ perspective, relying on a combination of AV, firewall and routine vulnerability scanning to safeguard the IT estate.
Vulnerability scanning technology has its merits, but it also has clear limitations. Firstly, as a breach detection mechanism, it is simply too resource-intensive. There is no option but to analyse the entire file system each time it scans in order to compare the results to the previous baselines. This process takes time and affects system performance, which means retailers can only run the scans overnight and, in reality, for any large retail environment, that means scans on each server probably only occur once every two to four weeks. Now consider the two and a half weeks the Target hackers went about their business unchallenged.
The other problem is that in today’s continually changing retail IT environment, there is simply too much noise and too much activity to undertake any sensible analysis. The result? Retailers continue to get breached even if they are running the best vulnerability scanner on the market.
Real Time Visibility
So what is the alternative? Without a doubt, it would make far better security sense to be continually scanning for breaches, but vulnerability scanning is just too inefficient, too resource-intensive, and will never be the real-time breach detection solution that retailers need. By contrast, real-time, continuous change detection with file integrity monitoring (FIM) is a low-resource activity that can run all the time and hence be used to detect and alert on breach activity within seconds of an incident.
The key difference is that, unlike the vulnerability scanner, the FIM process takes a one-time baseline of all system and configuration files. This includes registry settings, installed software, running processes and services, user accounts, security and audit policy settings – in other words, all the attributes that will reflect breach activity. From then on, only changes are tracked, which requires minimal resources. The result is continuous, real-time breach detection without the resource overhead and stop-start operation of the scanner. To put it into context, with this approach, the changes being made by the malware that infiltrated Target would have been picked up within minutes, enabling the company to investigate and save its reputation and bottom line.
There are other benefits too: the process is continually learning and improving. The baseline scan and initial changes detected typically reveal all sorts of unexpected and unknown activity; once this is understood to be acceptable and legitimate, the FIM policy can be improved, providing greater focus on the unusual and irregular activities more likely to indicate a breach. It is a process of continual improvement alongside non-stop breach detection.
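The baseline-then-track-changes model described above, and the policy tuning that suppresses known-legitimate noise, reduced to a minimal file-level illustration. This is an added example, not code from the article or from New Net Technologies; the directory layout, file names and the "logs/" exclusion are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """One-time baseline: map each regular file (relative path) to a SHA-256 of its content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_snapshots(baseline, current, allowed_prefixes=()):
    """Report added, removed and modified files, dropping paths the tuned FIM policy treats as expected churn."""
    def expected(path):
        return any(path.startswith(prefix) for prefix in allowed_prefixes)

    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    return {
        "added": sorted(p for p in added if not expected(p)),
        "removed": sorted(p for p in removed if not expected(p)),
        "modified": sorted(p for p in modified if not expected(p)),
    }


def demo():
    """Constructed scenario: baseline a small tree, then apply the kinds of changes the article says malware leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "logs").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"constructed POS binary")
        (root / "config.ini").write_text("timeout=30\n")
        (root / "logs" / "app.log").write_text("started\n")
        baseline = snapshot(root)

        # Post-baseline activity: a dropped file, a tampered binary, and ordinary log growth.
        (root / "bin" / "dropped.dll").write_bytes(b"constructed unexpected payload")
        (root / "bin" / "pos.exe").write_bytes(b"constructed POS binary, now altered")
        (root / "logs" / "app.log").write_text("started\nrequest handled\n")

        # Policy tuning (the continual-improvement step): log growth under logs/ is accepted as legitimate.
        return diff_snapshots(baseline, snapshot(root), allowed_prefixes=("logs/",))
```

Only the dropped file and the altered binary surface as alerts; the log write is filtered out by the tuned policy rather than by ignoring the directory in the baseline.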
Conclusion
The security world is preoccupied with the idea of stopping breaches, yet the evidence reveals that this is not happening. Modern IT environments don’t conform to Security Best Practices because lots of changes are being made and not always in the best interest of maintaining security. Even in a well-run and secure estate, breaches are still happening through phishing, zero-day malware, and insider attacks.
It is time to stop pretending that current security policies can stop any breach from working its way into key systems. It is time to find a new model that gives retailers – and their customers – a better way of responding to the continually evolving security threat. And that has to be better breach detection capabilities. It is only by spotting the breach in time that an organisation has any chance of effectively managing it.
By Mark Kedgley, CTO, New Net Technologies
About New Net Technologies
New Net Technologies is a global provider of data security and compliance solutions. The company is firmly focused on helping organizations protect their sensitive data against security threats and network breaches in the most efficient and cost effective manner.
New Net Technologies’ easy to use security monitoring and change detection software combines Device Hardening, SIEM, CCM and FIM in one integrated solution, making it straightforward and affordable for organizations of any size to ensure their IT systems remain secure, malware-proof and compliant with the corporate build-standard at all times.
New Net Technologies safeguards customers’ systems and data, freeing their clients to focus on delivering on their corporate goals.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.