Saryu Nayyar | forbes.com »
On March 31, Marriott confirmed a data breach involving the personal information belonging to roughly 5.2 million guests. It was the third time in the past 18 months that the hotel chain had experienced some kind of system hack.
Marriott said it “identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.” In late February 2020, one of the company’s apps used for accessing customer preferences had “unusually high usage” from a property in Russia. Upon further investigation, Marriott said the activity may have been going on since the beginning of January.
The Wall Street Journal reported that last October, in a letter to the California Attorney General’s Office, Marriott reported hackers “gained access to at least 1,552 company employees’ names, addresses and Social Security numbers through a former vendor that handled official documents such as court orders and subpoenas.”
According to a report published by TechCrunch, the central reservation system of Marriott subsidiary Starwood was hacked in 2018, “exposing the personal data and guest records of 383 million guests. The data included 5 million unencrypted passport numbers and 8 million credit card records.” A user with administrator privileges compromised the system, but forensic analysis revealed that someone other than the authorized owner had been able to command the account.
All three data breaches shared the same, now very familiar, attack technique: account compromise. So why do large organizations, with the resources necessary to invest in advanced cybersecurity controls, continue to be victimized by these large data breaches?
Unfortunately, preventing cybercriminals from compromising employee or vendor/contractor accounts is virtually impossible for even the most technology-savvy companies. Users click on phishing links in emails, download malicious attachments and click on infected website ads. This is not intentional, but regardless of the tactics used (and they are always being refined), cyberattackers will continue to compromise users’ accounts.
Compromised accounts may belong to privileged users with administrative access or regular users. Hackers do not discriminate. In most cases, the path must go through a regular user account first, but attackers will ultimately seek to compromise administrative accounts. These accounts have elevated privileges and permissions an intruder can use to discover and exfiltrate confidential data, sabotage systems, and install malware and/or backdoors for future access. From my experience, compromised privileged accounts are often the root cause of data breaches.
A traditional approach for addressing account compromise risks has been to deploy data loss prevention (DLP) systems and web proxies. These technologies restrict users from being able to email attachments, use USB drives and visit cloud-based file-sharing sites. However, applying these types of controls is an obstacle to business processes in an increasingly digital and cloud-first world.
Monitoring user and machine behaviors is emerging as an effective new weapon in the fight against account compromise attacks. For example, a large manufacturing company we have worked with fed its SAP information along with network and firewall logs into our behavior analytics engine. The findings revealed its product bill of materials had been compromised and that a foreign nation had been accessing it for more than 18 months.
Organizations looking to implement behavior analytics should take a phased approach that begins with well-known use cases that will yield early results. In addition to account compromise, these include insider threat, data exfiltration and privileged access misuse.
Behavior analytics relies on consuming data from multiple sources in the network, such as systems, devices, applications and directories, to deliver security intelligence. Prebuilt data connectors can be used to extract syslog data, for example, to be filtered, aggregated, correlated and linked to a single identity.
Combining identity with activity data can expose who or what is on the network, what access permissions they have and what they are doing. When compared with baselined and peer group behavior patterns for each user or machine, anomalies that pose a potential security risk will emerge and can be investigated. To ensure the right data is being collected to support each use case, the correct configuration of log files is essential.
When it comes to researching potential solutions, consider vendors with a demonstrable track record implementing behavior analytics projects for organizations of your size, industry and use cases. Furthermore, given the big data nature of these deployments, make sure to understand each provider’s pricing model for data consumption and functionality. Ideally, from my experience, a fixed-price, transparent infrastructure will work in your favor.
As we’ve learned from the Marriott breaches, detecting account compromise is often not possible using traditional security approaches until after the data has been exfiltrated. Fortunately, advances in data science, analytics and machine learning algorithms are making it possible to gather the “threat crumbs” left by attackers and piece them together to expose otherwise latent hacking activity.
External Link: Why Data Breaches Of Large Organizations Still Occur