July Newsletter 2019

Quote of the Month

“The shelf life of financial DNA is forever so this sounds like a sweetheart deal for a company that failed to do its basic job: protect consumer data.”

Ed Mierzwinski, Federal Consumer Program Director, U.S. Public Interest Research Group on Equifax Settlement


The Backstory

The United States Federal Trade Commission (FTC) announced earlier this month that Equifax has agreed to pay up to $700 Million USD in fines and monetary relief to consumers over the company’s 2017 mega data breach:

  • $300 million to compensate affected consumers who bought credit-monitoring services (and an additional $125 million if that isn’t enough)
  • $175 million to states and districts
  • $100 million to the Consumer Financial Protection Bureau in civil penalties

Does the Equifax Settlement Go Far Enough?

Reactions to the news are mixed. Equifax is satisfied, calling the proposed settlement “a positive step for consumers.”

FTC Chairman Joe Simons said, “this settlement requires that the company take steps to improve its data security.” Those steps include the implementation of a comprehensive information security program at Equifax, albeit after-the-fact. The reality that Equifax had such poor security controls in the first place is irksome. The breach never should have happened.

The root cause of the data breach was an IT security hygiene issue where Equifax did not have up-to-date patching for the Apache Struts vulnerability, which had been identified and released months before. Equifax was, in fact, two cycles behind. There were other controls that failed as well. Because of that, criminals were able to manipulate and then exfiltrate a great deal of critical data.

Ed Mierzwinski, Federal Consumer Program Director of the U.S. Public Interest Research Group, is not happy with the settlement. “Equifax appears to have made a calculated decision that losing the Social Security Numbers and birth dates of some 148 million consumers to identity thieves was worth only about $700 million or a little less. The shelf life of financial DNA is forever so this sounds like a sweetheart deal for a company that failed to do its basic job: protect consumer data.”

He went on to say, “Failure to protect privacy has a real harm; we think Equifax should have paid real money, not ‘just go-away’ money, and promised real changes to its sloppy last-century practices.”

Similarly displeased are two states that refuse to participate in the proposed settlement, Indiana and Massachusetts. “Equifax must pay a penalty commensurate with the worst data breach in American history, which compromised the private information of more than three million Massachusetts residents,” says Maura Healey, the Massachusetts attorney general. “Our litigation is ongoing.”

The Tip of The Proverbial Penalties Iceberg

Whitepaper: Network Behavior Analytics is the Next-Generation Defense


Read this whitepaper to understand why Gurucul Network Behavior Analytics is a highly effective means to quickly identify suspicious or risky activity on a network. Network Behavior Analytics uses data that NetOps teams are already collecting, so there is low overhead to deploying this solution.

  • Monitor and build behavior baselines using various attributes such as source IP address, destination IP address, source port, destination port, TCP flags, bytes-in, bytes-out, etc.
  • Spot new, unknown malware, zero-day exploits, and attacks that are slow to develop
  • Identify rogue behavior by network insiders



Articles

What Call Center Fraud Can Teach Us about Insider Threats | Infosec Island
Call centers are often the weakest link in networks, because of the human dimension. They’re staffed by people who make mistakes and are prey to scams, writes Gurucul’s Saryu Nayyar.

Fraud Getting Harder to Detect | Professional Security Magazine
Fraud detection capabilities are improving as advances in technologies from big data to machine learning have coalesced to build new approaches, explains Gurucul CEO Saryu Nayyar.


What’s New On Our Blog

Would You Take Company Information if You Were Leaving Your Job?
What would you do if you knew you were leaving your job? Would you send company information to your personal email address? Would you go even further and delete files or change passwords? Well no, you personally wouldn’t do that of course. But, as it turns out, not everyone is like you.

Counter Today’s Cyber Threats with Actionable Threat Intelligence
In the ongoing battle against ever more advanced cyberattacks, defenders must innovate to remain a step ahead of the newest threats. After all, yesterday’s defenses are no match for today’s attacks. Forward looking organizations need real-time, actionable intelligence about the threats they face.

The Evolution of Cybersecurity: Unconventional Controls Reinforce Successful Security Programs
While a privacy program is traditionally compliance driven, a successful security program must be risk-driven. This requires an understanding of the threat landscape, investing in security intelligence, as well as consistently altering and adjusting controls based on changes in threat actor tactics.

ABC’s of UEBA: I is for Insider Threat
Insider threat detection is one of the top use cases for User and Entity Behavior Analytics (UEBA). The only way to detect malicious insiders is by monitoring their behavior – to notice when it becomes anomalous. The old adage rings true here: you can steal an identity, but you can’t steal behavior. Behavior is the “tell”.

Different Insider Threat Personas and How to Detect Them
This month we were a sponsor and exhibitor at the Gartner Security and Risk Management (SRM) Summit. As always, it was a great opportunity to meet with leading cybersecurity experts and discuss the challenges they face in the daily battle against ever more sophisticated cyberattacks.

Join Us

Black Hat USA. August 7-8, 2019. Las Vegas, NV. Visit Gurucul at Booth #1100 for a demo of our Behavior Based Security Analytics platform. We predict, detect and stop Insider Threats! Let us show you how.

Gartner Security & Risk Management Summit. August 26-27, 2019. Mumbai, India. Join Gurucul at this conference to understand how to make security and risk omnipresent across your organization.

FS-ISAC 2019 Americas Fall Summit. November 17-20, 2019. Washington, DC. Join Gurucul at this event for actionable information on how to address evolving threats, develop new strategies and meet changing regulations.
