Information Security Buzz
Equifax: One Year Later

By ISBuzz Team | October 9, 2018 | 5 Mins Read

A year ago, the Equifax breach that exposed the personal data of over 145 million people to cyber attackers shocked the country. Everyone from cyber security firms to Congress weighed in, making predictions about what went wrong and how cybersecurity would adapt to prevent such attacks in the future. Most notable about the incident was that the initial breach took place in March 2017, four months prior to Equifax administrators discovering the attack in July 2017, and a full six months before Equifax publicly disclosed the breach in September 2017.

Now, at the one-year mark, we have to ask the question: Did anything actually change? Have organizations taken the necessary steps to protect themselves from cyber threats? On one hand, the boom of UEBA and other threat response tools seems great, but the network – at the core of the solution – seems to have gotten lost in all that noise. Here, we identify steps network teams can take to tighten up security and be better equipped to handle threats, if and when they arise.

NOC & SOC: Together forever

First and foremost, network and security teams need to collaborate better. The siloed nature of these teams poses major security risks. Today’s network problems increasingly require more than a single engineer, or more than one team, to resolve, but a NetBrain survey revealed that a lack of collaboration and coordination across teams is the number one obstacle engineers face when it comes to effective troubleshooting. In fact, lack of collaboration and communication among teams played a key role in the Equifax breach, according to a recent report from the U.S. Government Accountability Office (GAO). The report notes that when Equifax was alerted to the initial vulnerability, due to a flaw in its U.S. website’s open-source Apache Struts framework, the company sent out a notice to its system administrators to patch the issue. However, the individuals responsible for installing the necessary patch did not receive the notice. Therefore, the vulnerability remained open and hackers took advantage.

At the core of the collaboration problem is a lack of visibility into all network operations and a lack of sharing diagnostic results. With today’s hybrid networks constantly undergoing change, traditional network diagrams become obsolete quickly, while critical design notes and other documentation are often incomplete or, even more likely, nonexistent. With an outdated map, teams lose valuable time trying to locate the source of an issue and define the context of a security threat. Automation tools, however, are changing that. Dynamic and event-driven mapping allows engineers to visualize everything they need to effectively troubleshoot the network, including its configuration file, routing protocols, and connected devices. With everything in one place, network engineers can easily share information across teams, finding and fixing security vulnerabilities faster.

Tech that talks to each other

In addition to the importance of collaboration among teams for improved network security, the abundance of technology used to manage today’s growing networks – including security tools like Splunk, and other network monitoring and troubleshooting tools – needs to work together. By integrating all management functionality instead of providing the functionality in multiple separate parts, teams can more efficiently troubleshoot for optimum network performance, detect security vulnerabilities and assess the impact of planned maintenance on existing services and customers – while reducing operational costs. Network system integration is critical to increasing overall network security.

Automation to the rescue

Many network teams are just beginning to implement workflow automation into their security processes, but with the emergence of promising technologies like SDN, NFV and even intent-based networking, the need for automation will only increase. While these technologies can certainly provide many benefits, without automation they also have the potential to further complicate certain network workflows, particularly troubleshooting. Automation is key to strengthening network assets and closing vulnerability gaps. And should an attacker penetrate the network, automation can also help teams isolate and mitigate threats quickly, to minimize damage.

When a potential threat is identified, speed is of the essence. The quicker the threat can be located, isolated and mitigated, the less chance there is for actual damage or loss to occur. This is where Equifax could have benefitted from leveraging automation, not only to identify the breach more quickly, but also to respond and mitigate the extent of the damage. Once an alert is triggered and the organization detects potentially malicious traffic, automation should immediately be applied to the diagnostic response, cutting the process of tracing the path from hours or days to seconds.

Equifax brought the world’s attention to the very real danger and frequency of cyber-attacks, but until we get it right at the network level, organizations – and consumers – are still exposed. If organizations haven’t already implemented the necessary collaboration, visibility and automation strategies into their network security processes, they are at risk for a major cyber-attack. As today’s networks continue to evolve, the most successful organizations would be wise to reflect on what took place with the infamous Equifax breach and take action to protect themselves against similar threats.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
