Target, Neiman Marcus, Michael’s. There’s no doubt that the retail sector is under attack, but prominent retailers are not alone. Criminals are targeting banks, healthcare providers, government agencies and even high schools—anyone with high-value data or a reputation to protect. Whether your business is big or small, chances are that hackers have already penetrated your network.
But what do you do?
A new Gartner report, “Designing an Adaptive Security Architecture for Protection from Advanced Attacks,” advises: “All organizations should now assume that they are in a state of continuous compromise.” The challenges outlined are the insufficiency of blocking and prevention capabilities to protect against motivated, advanced hackers. I agree with Gartner’s assessment and advice. Reflecting on the media coverage of the Target breach can help make sense of their recommendations. Most of the coverage of the attack on Target focused on how the attackers got into the network. Gartner’s thesis is that 100% perfect prevention is not possible.
When it comes to the reporters who covered the Target attack, we recommend they ask “how could the attackers have been in the network for so long, doing so much and still go completely unnoticed?”.
The Target attack has a lot in common with a long con – a series of cons played out over a long period of time. A favorite long con movie is Ocean’s 11 where it took “a Boesky, a Jim Brown, a Miss Daisy, two Jethros and a Leon Spinks, not to mention the biggest Ella Fitzgerald ever” to pull off the heist. Just like in Ocean’s 11, today’s persistent attacks present multiple opportunities to detect them. ComputerWorld ran a story, Ira Winkler: 6 Failures that led to Target Hack, which did cover the multiple detectable events in the Target attack rather than focusing on the imperfection of perimeter defenses.
This is when you ask “so why aren’t these big attacks detected?”. Gartner observes in their research note that “most organizations continue to overly invest in prevention-only strategies” and they recommend investing in detection, response and predictive capabilities.
At Vectra, we are in the business of providing detective capabilities. I recently asked a customer “what keeps you up at night?” He answered “the unknown keeps me up because security is based on what has been seen before.” He went on to say “Vectra has enabled me to detect the unknown.”
Detecting and prioritizing the multiple phases of the long con, especially if it hasn’t been seen before, is pretty cool. However, doing so without signatures, without “eyes on glass”, without adding staff and without professional services is insanely cool.
“Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” by Neil MacDonald and Peter Firstbrook, 12 February 2014, ID G00259490, https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection, page 3
“Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” by Neil MacDonald and Peter Firstbrook, 12 February 2014, ID G00259490, https://www.gartner.com/doc/2665515/designing-adaptive-security-architecture-protection, page 1