Skip to main content

Defect Discovery: Why Data Breaches Must Be Found Internally

By September 29, 2014Article

According to recent studies, 64 percent of all data breaches are discovered by someone outside of the affected organization. Such was the case with the recent Home Depot data breach, which was discovered by a third-party technology journalist. The sources cited in the article turned out to be multiple financial institutions looking for a common denominator while investigating widespread credit and debit card fraud. 

Losing control over what is said publically is almost as damaging as a security breach itself. A headline reading “Leading Retailer Hacked” or “Consumer Data Stolen from National Financial Institution” without any details will immediately cause consumers extreme distress, as everyone that has patronized the company will believe themselves to be compromised. And, lack of concrete evidence will keep the story in the news. 

Adding insult to injury, companies that cannot stand up and report who, what and when are forced to dribble details as they come to light, further eroding consumer confidence. In Home Depot’s case, the breach was first reported September 14, and it took over two weeks for the company to announce the fact that the payment data breach exposed 56 million credit and debit cards.  

An ounce of prevention… 

Of course, the best way to keep your name out of the papers is to prevent the breach in the first place. Unfortunately, that may not always be possible. To limit the risk of exposure, organizations need a comprehensive approach to intrusion detection to ensure that — at the very least — they are the first to discover the problem.    

While many companies have attempted to build a fortress around their data (in the form of firewalls, intrusion detection, encryption, anti-virus software and more), most have neglected to protect against the “threat from within.” Hackers that gain access to user login information — be it from a trusted employee, partner or vendor — can simply bypass these defenses. In fact, over 67 percent of data breaches involve stolen credentials.  

Infrastructure solutions alone will not protect against user-based attacks. According to Andrew Walls, research vice president of Gartner, “The development of effective security intelligence and control depends on the ability to capture and analyze user actions that take place inside and outside of the enterprise IT environment.” 

To quickly and efficiently ferret out insider threats before they can be made public, companies need a holistic solution designed to uncover the “who, what, when” mysteries that surround large-scale security breaches — and hopefully preempt them. To start, they need to be able to “follow” authenticated users as they travel the network, access files and use applications, and they need to record every keystroke, preference and option they select. Companies can then analyze those activities against user profiles, job descriptions, known usage patterns and other intelligence to sniff out anomalous, suspicious and out-of-policy behaviors.  

Of course, installing a system that analyzes real-time monitoring feeds is one thing. To detect a problem, suspicious behaviors need to be brought to someone’s attention for a threat to be properly assessed. Reviewing the video footage of what the user did to trigger an alert will enable a security professional to determine if the action warrants a response. More importantly, it will provide the forensic evidence companies need to determine exactly what the hacker stole, which customer records were comprised and which systems are still vulnerable. 

Most companies do not have this level of security in place. Not only does this make it hard to preempt issues, but it also makes it difficult to understand what happened once a breach is announced. Such was the case for Home Depot. When its security team went back and investigated the situation — no doubt piecing it together from fractured system log files and third-party financial records — they found that their payment systems had been compromised back in April. This left their customers vulnerable for five months. With 56 million customer accounts affected, it eclipsed that of Target’s breach last year, which affected about 40 million credit and debit cards. 

These days any security breach is bound to make the headlines, and investigative reporters everywhere are looking to be the first to write them. Being caught unaware will seriously damage corporate credibility and cost millions in restitution. Home Depot promised “significant new protection for customers” in a recent statement, an endeavor that will cost the company $62 million. 

Today companies must do everything in their power to both prevent a breach and ensure that they would be in a position to control the message in the event a problem does occur. After all – having your head of security report exactly what occurred and how it was corrected is far better than forcing the CEO to stand in front of the cameras with a blanket apology and a weak promise that the company will do everything in its power to determine what happened.    

Gaby Friedlander is co-founder and CTO of ObserveIT.  Gaby has built ObserveIT into an industry-leading provider of user activity recording and auditing technology in use by more than 800 corporations in 70+ countries. Connect with Gaby on Google+ or follow the company @ObserveIT.







Copy link
Powered by Social Snap