Who’s to Blame for the Target Data Breach?
Why are we still discussing the Target data breach that occurred in March 2014? In a world where ‘news’ literally lasts minutes – OK maybe hours or in special cases days – here we are still discussing a data breach that started around November 27 – December 15, 2013! What is so special about the Target data breach that warrants all of this media attention?
Well let’s start by putting the importance of this data breach in context. At the RSA Conference, TripWire did a survey that revealed the Target data breach has had a larger impact than Edward Snowden’s leaks on cybersecurity budgets and executive awareness. That, in and of itself, underscores its significance. In short, it had a major impact on the business. Executives realized that data breaches can be incredibly expensive. There are remediation costs of course, but more importantly, reputational costs. The damage to a company’s reputation dwarfs the monetary costs of remediation. We speak with security professionals every day who dismiss the reputational costs to an organization following a breach. Well, to then we say, why not ask Target about how insignificant their reputation damage has been.
Yesterday, BusinessWeek issued its take on the Target data breach. The article shows just how mainstream cyberattacks have become. In their March 13, 2014 story titled “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” BW does a nice job telling the story, complete with a graphic of a target with data spewing out of it. However, I found something else mentioned in the article that was even more interesting.
Here are a couple excerpts:
“Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon.”
“…as they [cybercriminals] uploaded exfiltration malware to move stolen credit card numbers – first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia – FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …Nothing happened. For some reason, Minneapolis didn’t react to the sirens.”
“…But then, Target stood by as 40 million credit card numbers – and 70 million addresses, phone numbers, and other pieces of personal information – gushed out of its mainframes.”
For as long as I have been involved in computing (since 1985), we have had performance monitors that alert IT professionals to issues or situations. In security, we have had IDS/IPS and SIEM tools for more than 10 years. So what is this article saying? That even with the newest and coolest security software solutions from FireEye, we still just send alerts and hope somebody takes action!
OK, maybe someone was supposed to do something and didn’t. The article seems to point to the Bangalore operation of Target for not reacting to the FireEye alerts:
“If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path.”
BW also says that the Symantec EndPoint protection Target used had detected the malware.
Let’s see, if my fire alarm goes off and I am not home, I wonder who hears it?
Wait, if I do come home – by chance – and my alarm has gone off – my alarm quickly identifies where the smoke is coming from and helps me prioritize what room I need to go to. Wait – that doesn’t happen either.
Oh, and when the alarm goes off, my sprinkler system immediately goes off and the fire department comes. OK, on that last point, the fire department comes because I have an ADT system (not a standalone smoke alarm). And no, I don’t own a sprinkler system.
So, the fact the alarms went off with FireEye and ‘no one noticed’ isn’t so crazy. That happens every day in our own lives.
But let’s be more specific.
Alarms go off with IT products, and specifically security products, every day. All the time. Today’s security professionals need information that is actionable. Security professionals need to have usable threat intelligence information that identifies, prioritizes and then targets in the indicators of compromise and stops or mitigates the attacker’s behavior. That the Target systems sent alarms and no one ‘noticed’ is not so amazing. The BW article should ask why the FireEye system didn’t do something without manual intervention, no? Why isn’t the detection system actually responding, instead of just triggering an alert?
The traditional definition of the steps for security are protect, detect, respond and recover. Target and its vendors clearly had the detection part down. However, without the other three steps, it did nothing to stop the Target data breach or limit the damage caused. In Target’s case, that is considerable damage to its reputation. For FireEye, potential customers may now be asking themselves, why choose a product that did not prevent the massive Target data breach.