I’m going to play devil’s advocate and challenge the notion that Target’s security team was an epic failure.
The March 13, 2014 Businessweek article, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” did a great job explaining what happened leading up to the Target breach. But it didn’t provide context about the reality of what an ‘alert’ means to a security team guarding a network as large and complex as Target’s.
Was Target negligent or did they just have too many noisy alerts to chase? What does that mean?
Here’s an analogy that may help make sense of it.
I’m sure you’ve seen shoplifting sensors at the front doors of nearly every retail store. What happens when they go off? Does the store security guard rush forward and tackle the shopper? Do the cashiers holler for help? Do iron bars descend to block the exit? The truth is nothing happens because the alarms beep all the time. Everyone in the store, including the store personnel and other shoppers, have learned to tune them out because 99.9% of the time they mean absolutely nothing.
Now step back and consider an organization the size of Target. They have more than 360,000 employees worldwide, about 2,000 stores, 37 distribution centers and a heavily trafficked retail web site. Their network is massive. A network that size may issue up to hundreds of thousands of alerts a day.
It’s essential to understand that an alert does NOT equal confidence that a device is infected. To prove infection, you need to correlate the alert with other activity or have a human being investigate the endpoint to see if it is infected.
Consider the prevention device mentioned in the Businessweek article. It monitors incoming traffic and if it sees suspicious files in motion, it executes the file in a ‘sandbox.’ Then it issues an alert.
So why didn’t the security team rush to the front door and tackle someone? Just like in the shoplifting example, the beeping alarm doesn’t mean anyone walked out the door with stolen goods.
The reality is no organization can respond to every alert. Even with a security staff of 300+ people, it’s impossible. You can’t scale any team to do that, not to mention it’s impractical for the business.
And remember an alert doesn’t equate to confidence that something is infected, much less that damage has been done.
The Businessweek article makes note that Target’s prevention device enabled it to delete malware as it was detected but Target opted to turn that feature off. While this may sound foolish, in reality if that feature were turned on it would have an astronomical effect on the business. Individual alerts have a high risk of false positives. Imagine if every time the shoplifting alarm went off, a store security guard tackled each customer that walked out the door. Do you think that would impact store operations?
So what’s the answer? As much as we would like to think there is a silver bullet that would have prevented the Target breach there simply isn’t. Today’s threat actors are highly sophisticated and always have the first move.
Enterprises should try to prevent as many threats from entering the network as possible. But they should also assume that prevention will fail.
Then what? The discussion shifts to how quickly you can detect an actual infection and respond to it.
Damballa has a different idea than most about how to approach today’s threats. We don’t just find malware and issue alerts. We rapidly identify truly compromised devices based on a case of evidence and provide certainty that the device is infected. Security teams have confidence that when Damballa says a device is infected it is, which provides responders the ability to react promptly so they can prevent damage.
In our own labs, we find twice as many infections as the leading sandbox solution. A sandbox is a single means of detecting malware. While helpful, it doesn’t provide conclusive evidence that malware has infected a device.
Damballa uses eight different detection methods and automatically correlates real-time activity across them before verifying something is infected. Security personnel don’t have to chase alerts. Rather they receive definitive evidence about an infection. On top of that, they receive a risk score comparing the different infected devices, not a severity score. How severe is severe?
That reminds me of a line from the movie “A Few Good Men.” In a courtroom scene Tom Cruise, playing a Navy lawyer, asks Jack Nicholson’s character, playing a Marine Colonel, if the crime victim was in “grave danger.” Nicholson replied, “Is there any other kind?”
In cyber security, any malware may warrant a ‘severe’ alert but what risk does it pose to your organization specifically? There are lots of factors in play.
Damballa uses nine risk profilers to determine the actual risk based on activity of the malware, the importance of the device and threat actor attribution. When we hand off confirmed infections to a response team, we’re not only 100% confidence in the infections, but we prioritize each infected device against all other infected devices we see in the network. That information is powerful. Incident responders can now rush forward and tackle the actual bad guy before he gets out of the store with the goods.
Without first-hand knowledge of Target’s security processes and solutions, we can’t comment that Target did everything right or wrong to protect their customers; but we can appreciate the challenges that face enterprises today.
Threat actors always have the first move and they are relentless. It’s a clear call to security vendors that we have to do better. We must do better. It isn’t sufficient anymore to “beep” every time something looks or seems suspicious. It is critical that solutions start providing confidence in their detections and provide a higher level of certainty that a threat is real.
Further, security solutions must also triage the risk. Someone walking out of the store with an unpaid stick of gum is very different than someone walking out the store with an iPad. Security and risk teams need to not only know a device is compromised, but also what risk does it pose to the organization. That’s the approach we take at Damballa.
Brian Foster, CTO, Damballa
No amount of malware prevention is 100% effective against advanced attacks. Damballa discovers active threats that bypass all security prevention layers. We identify malicious network traffic in real time, rapidly pinpointing compromised devices that are a high risk to your organization. Our automated breach defense system detects and terminates criminal activity on any device, stopping data theft, minimizing business disruption, and reducing the time to response and remediation
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.