To say that the Equifax breach has been thoroughly covered by the media may be an understatement. Pick a medium – TV, YouTube, LinkedIn, news websites, social media – it’s been covered upside, rightside, and backwards.
With such voluminous coverage, what have we learned that can guide us towards more secure, capable and mature technology environments?
I venture that the areas of greatest teachings are vulnerability management, incident response, and good old-fashioned logging and monitoring.
In this modern era of constant attacks, it’s expected that public-facing services will be attacked day in and day out. As such, organizations with a well-designed and thoughtful vulnerability management program will do several things, including:
- Scan public-facing systems immediately upon notification of critical vulnerabilities (same day).
- Quickly patch known vulnerabilities for critical public-facing services. Many clients are now setting service level agreements (SLAs) of 72 hours, or even 24 hours or less when the systems are of critical importance. The common standard of 30 days from release to deployment of the patch is not enough for a modern program, especially when public-facing systems are in question. The good news is that, as organizations revamp their legacy infrastructure to take advantage of cloud services and newer architectures like microservices or application/server decoupling, the vulnerabilities become easier to remediate in a timely fashion.
- Track and verify patch deployment as part of a comprehensive governance process. It’s not enough to push a patch out. There needs to be a comprehensive and timely governance process that can confirm the risk has truly been mitigated.
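The three practices above (tiered patch SLAs and a governance check that confirms a patch was not just pushed but verified) can be turned into a small tracking report. The following is an added example written for this post, not code from the original article or from any vendor's tooling; the SLA tiers mirror the figures quoted above (24 hours for critical public-facing systems, 72 hours for other public-facing systems, 30 days otherwise), and the asset names, dates and exposure records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# SLA windows in hours, chosen to match the figures in the post above.
# Tier names are an assumption of this example, not an industry standard.
SLA_HOURS = {"critical_public": 24, "public": 72, "internal": 30 * 24}


@dataclass
class Exposure:
    asset: str
    public_facing: bool
    critical: bool
    disclosed: datetime           # when the advisory for the vulnerability was published
    patched: Optional[datetime]   # when the patch was deployed, None if not yet
    verified: Optional[datetime]  # when a rescan confirmed the fix, None if not yet


def sla_tier(e: Exposure) -> str:
    """Map an exposure to its SLA tier from exposure and criticality."""
    if e.public_facing and e.critical:
        return "critical_public"
    if e.public_facing:
        return "public"
    return "internal"


def deadline(e: Exposure) -> datetime:
    return e.disclosed + timedelta(hours=SLA_HOURS[sla_tier(e)])


def status(e: Exposure, now: datetime) -> str:
    """Classify where an exposure stands in the remediate-and-verify lifecycle.

    A deployed patch without a confirming rescan is reported separately,
    because governance needs evidence that the risk was actually mitigated.
    """
    if e.verified is not None:
        return "verified_on_time" if e.verified <= deadline(e) else "verified_late"
    if e.patched is not None:
        return "patched_unverified"
    return "overdue" if now > deadline(e) else "open_within_sla"


def report(exposures, now: datetime) -> dict:
    """Return {asset: status} for the whole inventory at time `now`."""
    return {e.asset: status(e, now) for e in exposures}


# Constructed sample data: one advisory published at T0, evaluated 72 hours later.
T0 = datetime(2024, 1, 1, 0, 0)
NOW = T0 + timedelta(hours=72)


def constructed_exposures():
    h = lambda n: T0 + timedelta(hours=n)
    return [
        Exposure("web-01", True, True, T0, h(10), h(20)),   # fixed and rescanned inside 24h
        Exposure("web-02", True, False, T0, h(40), None),   # patched, never verified
        Exposure("web-03", True, True, T0, None, None),     # critical, still open at 72h
        Exposure("hr-db", False, True, T0, None, None),     # internal, 30-day window
        Exposure("api-01", True, False, T0, h(60), h(90)),  # verified, but after the 72h SLA
    ]


if __name__ == "__main__":
    for asset, st in report(constructed_exposures(), NOW).items():
        print(f"{asset:8s} {st}")
```

The point of the separate `patched_unverified` state is the one the post makes: a governance report that only tracks deployment will show `web-02` as done, while a report that requires a confirming rescan keeps it visible until the fix is proven.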
Things go wrong, even for companies with substantial investment in both controls and security personnel. This is why a planned and tested incident response plan is so critical.
- Organizations should be prepared to initiate incident response immediately upon discovery of an incident.
- Incident response should include a carefully considered plan for public notification in case of a breach.
- All parties should understand the plan and their specific roles.
- In testing the plan, it is important to determine whether the response is quick enough and appropriate.
- In notifying the public, care should be taken to avoid compounding the problem. For example, a site set up to inform the public of their rights and actions they can take to protect themselves should itself be secure and sitting on the company’s official domain to avoid looking like a phishing site, which can cause additional confusion for those potentially impacted.
Logging and Monitoring
It’s one of life’s great truisms that often the information you need is right in front of you. In my experience, companies are often great at logging, or collecting data; when it comes to monitoring those logs and knowing how to recognize trouble, however – not so much. Given the sheer volume of information being logged on corporate networks these days, it is important to prioritize monitoring efforts, establish alerts to flag anomalous activity, and respond to those alerts in a timely fashion. Here are some leading practices to consider:
- Determine critical “crown jewels” data that must be protected, and prioritize logging and monitoring of systems with access to that data.
- Recognize that critical data is not the only likely target. Ransomware and other attacks against the availability and integrity of critical systems are likely to increase as criminals seek new ways to monetize their attacks. Ensure these critical functions are included in your monitoring strategy.
- Develop prioritized use cases, or questions, to determine what to log and monitor. Ask, “What data do we have that can identify whether and when an event occurred?”
- Ensure that use cases for systems with access to personally identifiable information (PII) generate alerts to trigger timely incident response procedures if PII is stolen.
- Once the questions (use cases) have been identified and prioritized, ask, “Do we have the right logs to answer the questions we care about?” Some good places to start: antivirus logs, intrusion protection logs, netflow logs, VPN logs, and domain login attempts (both denied and successful). This review process should be ongoing and refined day to day to reflect the changing threat landscape.
- Boost detective controls for breach detection. The time between a breach and its discovery is still 3 months on average, and nearly half of breaches are discovered by a third party. In this day and age, with so much information at stake, this is staggeringly late. My colleague Adam Brand wrote recently about the need for internal audit specifically to be proactive in that regard, and I couldn’t agree more. Many organizations think they can outsource breach detection to a managed security services provider (MSSP) but this only solves the problem if there is tight communication between the company and the MSSP and minimal process breakdowns – something we don’t see often. Breach detection is an area that must be addressed effectively, however companies decide to do that.
- Many organizations are beginning to capitalize on the data being produced by end users and service accounts. User and entity behavior analytics (UEBA) is a method that employs advanced statistical modeling and machine learning techniques against the data to determine if events are occurring that are out of line with “normal” behavior for either an individual or a user group by comparing to past behavior. When paired with use cases, UEBA can often prove quite valuable.
- Finally, the value of monitoring should be made tangible through thoughtful “red” or “purple” team activity, which seeks to challenge the effectiveness of the current controls and identify areas of improvement.
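Two of the practices above lend themselves to a concrete illustration: the use case built on domain login attempts (both denied and successful) and the UEBA idea of comparing a user's current activity against that user's own past behavior. The following is an added example written for this post, not code from the original article or from any UEBA product. The log format is a simplified syslog-like line constructed for the example (real domain controller or VPN logs look different and need their own parser), the sample events are synthetic, and the thresholds (five denied attempts within ten minutes before a success; a z-score of 3 against the user's own daily history) are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed line format, an assumption of this example:
#   <ISO timestamp> <host> <LOGIN_OK|LOGIN_DENIED> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>LOGIN_OK|LOGIN_DENIED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def constructed_log() -> str:
    """Build a synthetic log: a week of routine logins, then one odd morning for alice."""
    lines = []
    for day in range(1, 8):  # 2024-01-01 .. 2024-01-07 form the baseline
        lines.append(f"2024-01-0{day}T08:30:00Z dc01 LOGIN_OK user=alice src=10.1.4.20")
        lines.append(f"2024-01-0{day}T08:31:00Z dc01 LOGIN_OK user=bob src=10.1.4.21")
        if day % 3 == 0:  # an occasional mistyped password is normal for alice
            lines.append(f"2024-01-0{day}T08:29:00Z dc01 LOGIN_DENIED user=alice src=10.1.4.20")
    # 2024-01-08: six denied attempts from an unfamiliar source, then a success
    for i in range(6):
        lines.append(f"2024-01-08T03:0{i}:00Z dc01 LOGIN_DENIED user=alice src=203.0.113.9")
    lines.append("2024-01-08T03:07:00Z dc01 LOGIN_OK user=alice src=203.0.113.9")
    lines.append("2024-01-08T08:31:00Z dc01 LOGIN_OK user=bob src=10.1.4.21")
    return "\n".join(lines)


def parse(text: str) -> list:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def denied_then_success(events, window_s=600, min_denied=5) -> list:
    """Use case: many denied attempts on one account, then a success within the window.

    Returns (user, time of the success, number of preceding denials) per hit.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "LOGIN_OK":
                continue
            recent = [p for p in evs[:i]
                      if p["result"] == "LOGIN_DENIED"
                      and (e["ts"] - p["ts"]).total_seconds() <= window_s]
            if len(recent) >= min_denied:
                hits.append((user, e["ts"], len(recent)))
    return hits


def daily_counts(events, result: str) -> dict:
    """Per user, count events of `result` on every day seen in the log (zeros included)."""
    days = sorted({e["ts"].date() for e in events})
    counts = {u: {d: 0 for d in days} for u in {e["user"] for e in events}}
    for e in events:
        if e["result"] == result:
            counts[e["user"]][e["ts"].date()] += 1
    return counts


def baseline_outliers(events, result="LOGIN_DENIED", z_threshold=3.0, min_history=3) -> dict:
    """UEBA-style check: flag users whose latest day deviates from their own earlier days."""
    outliers = {}
    for user, per_day in daily_counts(events, result).items():
        days = sorted(per_day)
        if len(days) <= min_history:
            continue
        history = [per_day[d] for d in days[:-1]]
        today = per_day[days[-1]]
        sigma = max(pstdev(history), 1.0)  # floor so a flat history still yields a usable score
        z = (today - mean(history)) / sigma
        if z >= z_threshold:
            outliers[user] = round(z, 2)
    return outliers


if __name__ == "__main__":
    evs = parse(constructed_log())
    print("denied-then-success:", denied_then_success(evs))
    print("baseline outliers:", baseline_outliers(evs))
```

Run on the constructed log, the first check fires only on alice's 03:07 success and the second flags only alice, whose six denials on the last day sit far above her own history of one or two per week; bob, with an identical quiet history and a quiet last day, is not flagged by either. The two checks complement each other in the way the post describes: the use case answers a specific question, and the baseline comparison catches the account whose activity has simply stopped looking like its past.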
By using the Equifax event as a trigger to review their own processes and capabilities, organizations can proactively determine whether they can withstand a breach or adjust course quickly in case of one, and prioritize the improvement of their breach detection capabilities. Given the now high visibility around these capabilities, the recent event should prompt discussions, at the least, and concrete and timely improvements at best.