Author: Nilesh Dherange, CTO, Gurucul
Sep 14, 2017
As the repercussions of the Equifax breach continue to unfold, experts will keep weighing in on this seismic event for some time because of its wide-reaching impact on consumers in general and on the policies set by C-level executives and board members. At a high level, of course, Equifax suffered a security breach through its website, due to the exploitation of a weakness in one of its web applications. The PII (personally identifiable information) of over 143 million people, mostly Americans, was stolen. The PII included first name, last name, address, Social Security numbers, driver’s license numbers, and more. In some cases, credit card information was stolen. In totality, it is a mother lode of data to fuel a plague of nefarious activity. A major spike in identity theft and fraud is predicted, which could extend for years. Equifax’s stock has dropped significantly, trending downwards to a one-year low. In addition, the company’s chief information officer and chief security officer have ‘retired’. Overall, there has been a huge cascading impact on customers, partners and the company’s reputation, trustworthiness and business.
The reaction of security experts is one of the notable phenomena of this breach. Some experts now openly question whether Social Security numbers have any continuing value, while others demand a complete revamping of security strategies for organizations. Senator Mark Warner, vice-chair of the Senate Intelligence Committee, has called on Congress to reframe data protection policies to discourage businesses from collecting and creating large, centralized pools of highly sensitive data. That’s unlikely to happen anytime soon. And compliance with new regulations in no way guarantees security.
In this instance, the fact that a web application vulnerability was exploited by threat actors represents only the tip of larger, underlying, and fundamental security concerns for Equifax. It was revealed that prior to this breach, Equifax had other security weaknesses reported to it which were not addressed completely or in a timely manner. In addition, as one expert observed, it would likely have taken hours, if not days, to download all that information from Equifax’s database. As one of the three key enterprises in the country dealing with this volume and class of data, Equifax should have had not only the strategy and advanced state-of-the-art security analytics technology solutions to predict, detect and prevent such incidents, but also the capabilities for security monitoring and remedial response.
But Equifax is not alone. Yahoo, whose security team was known internally as “The Paranoids” before its infamous breach, the worst data breach of all time, also adopted the ‘wing and a prayer’ strategy for security. The rest is history in the hall of shame. Too often companies focus on developing new products and services, intending to stay competitive in the marketplace, but time and again it has been proven that such one-sided growth at the cost of security is not sustainable.
This troubling de-prioritization of security by upper management brings to mind an article from SC magazine (January 2013) entitled “A Seat at the Table”, with insights from contributor Devin Bhatt, now the CISO and CPO at a U.S. federal agency. Bhatt observed at the time how CISOs were the ‘new kid on the block’, new to the corporate structure, and generally at odds with the goals and objectives of the CIO (through whom they often reported) as well as those of the C-level executives and board of directors. All of upper management’s priorities were focused on accelerating the business and delivering more profits, as opposed to the CISO’s mandate. This represents a profound conflict of interests, where the CISO is continually striving to protect the valuable data that makes all that profit potential possible against the dynamic and sophisticated threat actors riding the next wave of technology innovation. And while a survey SC magazine conducted at the time was encouraging, finding that CISOs were getting a better reception in the executive suite, reality tells us that this never really took place in a systemic way. The CISO’s challenges endure, while the livelihood of their enterprises hangs in the balance.
So while many pundits are busy assessing the “what” of this story, and many technical minds need to know the “how” of it, possibly the most important perspective to explore is the “why” of it. With that achieved, responsible security leaders, and their bosses, are in a better position to understand “what’s next” and hopefully take measures to address that challenge as effectively as possible. The “why” of it is that if executives in organizations do not commit budget and full support to invest in advanced technology solutions, then the “what’s next” is what’s happening today: more breaches, with increasing systemic damage to businesses and a compromising of the fabric holding modern commerce together.
State-of-the-art security analytics solutions are now available which can deliver near real-time, risk-based, actionable intelligence using the power of machine learning algorithms, leveraging the underlying big data architecture. These analytics address the two critical aspects of typical security weaknesses noted earlier. First, they provide the required tools and technologies to continuously detect any unusual behavior in an organization’s borderless IT landscape (including applications and platforms within enterprises, as well as in the cloud). Second, they leverage the artificial intelligence of the solution to analyze data, predict any risks, and make intelligent remediation decisions based on dynamic risk scores. This significantly reduces dependency on manual efforts to implement security policies in silos, monitor an overwhelming number of alerts without a holistic context, and take appropriate remediation actions to prevent or contain the risks.
The tipping point in security strategies has arrived, and with it, the urgent need for advanced security analytics. Those decision makers recognizing the need stand to weather the coming storm with some prospect of hope. Those ignoring the signs, with all of the telltale indicators in front of them, will have to look in the mirror and judge their worth as forward-looking leaders of their organizations.
To gain more insight into the security challenges faced by CIOs and CISOs and their perspectives on advanced security analytics, read “Borderless Behavior Analytics – Who’s Inside? What’re They Doing?” by Gurucul’s CEO, Saryu Nayyar. Along with other resources, it provides seven chapters in which expert CIO and CISO contributors share their qualified observations about security from a wide range of industry vertical perspectives. In addition, there’s a sneak preview of the second edition of the book, which contains a section with Devin Bhatt. See www.borderlessbehavioranalytics.com.