[Figure: Number of Records Lost and Stolen Every Day (records)]
Data breaches are on the rise, and hackers are increasingly aggressive: hacking incidents have almost doubled since 2013 [2,3] (see Figure 2). "2016 was a record year for data breaches" [19], with more than 4,000 incidents logged and over 4.1 billion customer records exposed, a 40% increase in incidents over the year before. Across industries, from entertainment to banking, insurance to retail, and shipping to logistics and transportation, Fortune 500 and smaller companies alike have suffered massive financial losses and reputational damage [4]. Anthem (80M records) [3,14], J.P. Morgan Chase Bank (83M) and Sony (1TB+ of data) are just a few of the recent victims of super-sized (mega) breaches, with tens of millions of sensitive client records stolen. The data stolen runs the whole gamut, from Social Security numbers [19], employment records and dates of birth to financial history and investment records.
Large or small [4,11], publicly traded or not, financially successful or not: hackers are motivated to cause havoc by monetizing stolen records and/or holding a company's digital assets for ransom. Blue Toad, a small digital publishing firm that hosts around 5,000 publications worldwide, joined Target and other victims when hackers stole more than a million Apple mobile device identifiers from the firm. Targets include both unstructured data (email, communications, file shares) and structured data (CRM systems, core databases, source code repositories).
As companies and industries shift to digital business, they amass a growing wealth of valuable digital assets and electronic client data, making them a prime target for hackers. Recent breaches have not only exposed super-sized numbers of records but have also caused substantial negative publicity, consumed executives' time on PR and firefighting, and brought financial damages: Target, Home Depot and Anthem sustained $18.5M, $19.5M and a whopping $115M respectively in data breach settlements [7,8,14]. Anthem's ongoing costs, for items such as credit monitoring for its compromised customers, have been estimated at more than $100M. Hackers are increasingly sophisticated and have been able to penetrate perimeter security and remain undetected for months. When customers learn that their personal information was exposed for months without anyone noticing, the reputational damage is far greater.
Preventing every attack vector may be challenging, if not cost-prohibitive or impossible. Persistent and highly motivated hackers may compromise your network and win the battle [12]. But if you can stop them from removing your data, you can still win the war [10]. A multi-layered defense posture may allow you to lose the occasional battle while still protecting your crown jewels.
Traditional security solutions that defend the perimeter with static hardware appliances are no longer sufficient. Network prevention remains necessary as the first line of defense, but companies need to embrace a multi-layered data exfiltration prevention program: one that protects the perimeter, protects the most valuable data assets (the crown jewels: structured and unstructured sensitive data), and has mechanisms in place to detect and stop an attack in progress. Only by protecting the crown jewels will you win the war.
Fortunately, newer tooling enabled by artificial intelligence (AI) and coupled with real-time alerting allows companies to detect and respond faster. A multi-layered defense posture, with pre-infection measures to keep threats out, real-time monitoring to detect intrusions, and a predefined incident response plan (IRP) to find and contain active infections and illicit data transfers, improves a company's ability both to prevent aggressive stealth attacks and to thwart and contain any attack already in progress.
Cloud next-gen technologies allow companies to:
A multi-pronged defense strategy encompasses multi-layered systems that include traditional security solutions along with technical capabilities to protect both structured and unstructured data. The strategy must also include strong governance and pre-defined, standardized procedures for handling emergencies and attacks. These exist to avoid costly operational errors caused by the "fog of war" that arises amid chaos, by a lack of employee awareness and training, and by employee insensitivity towards data security; that insensitivity calls for a change of culture to cultivate the right attitudes. For smaller companies, a less cost-prohibitive cloud-based solution that packages some of these capabilities as services may be appropriate (see inset: About Cloud Security Solutions).
Existing perimeter defenses need to be able to respond to zero-day attacks in a timely manner without a large effort to patch hardware appliances; threats can go global in minutes. Signatures, where used, must be updated continuously and automatically to protect against the latest threats. Additional heuristics are needed to alert on new types of traffic flows through the perimeter infrastructure, which may signal an attack.
Data Loss Prevention (DLP) is necessary to catch sensitive data leaving the organization, since any data exfiltration attack must ultimately move the data out. DLP forms another layer of defense: attackers may already be inside your environment but may not yet have extracted the data. It is also imperative that TLS (SSL) traffic is inspected. Over half of Internet traffic is now encrypted via HTTPS, so it is no longer acceptable to simply ignore encrypted traffic: attacks are launched from encrypted sites, and data is extracted over TLS-secured connections. Note that inspecting TLS means terminating it at a proxy whose certificate authority your endpoints trust, which has privacy and regulatory implications that should be settled with legal and HR before deployment, and that a DLP rule tuned to fire on every nine-digit or sixteen-digit number will be silenced by its own false positives; validate candidates before alerting.
The "perimeter" must also extend to mobile devices: much of users' work is now done on them, so it is not sufficient to protect them only when they reconnect to the corporate network. Mobile devices must be protected both "on net" and "off net".
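As an added illustration of the content-inspection layer described above (example code written for this page, not any vendor's DLP product), the following Python scans an outbound message body for two record types the paper lists among stolen data, Social Security numbers and payment card numbers, and validates each candidate before alerting: SSNs against the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) and card numbers with the Luhn check digit. The sample email, the thresholds and the allow/quarantine/block policy are constructed assumptions.

```python
"""Content-inspection DLP check for outbound text (added example, not the
paper's or any vendor's code). Finds SSN and payment-card candidates, validates
them to suppress false positives, and returns a policy decision carrying only
masked values, so the alert does not itself become another copy of the record."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    kind: str    # "ssn" or "pan" (primary account number)
    offset: int  # character position in the scanned text
    masked: str  # redacted form that is safe to put in an alert or log


# A digit on either side would mean we are inside a longer number, not a record.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999, group 00 and
    serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Finding]:
    """Return validated findings in order of appearance."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(Finding("ssn", m.start(), "***-**-" + m.group(3)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("pan", m.start(),
                                    "*" * (len(digits) - 4) + digits[-4:]))
    return sorted(findings, key=lambda f: f.offset)


def decide(text: str, bulk_threshold: int = 5) -> dict:
    """Policy (assumed): no identifiers -> allow; a few -> quarantine for human
    review, since an HR or finance message may legitimately carry one;
    bulk_threshold or more -> block outright, because that looks like a dump."""
    findings = scan(text)
    if not findings:
        action = "allow"
    elif len(findings) >= bulk_threshold:
        action = "block"
    else:
        action = "quarantine"
    return {"action": action, "findings": [(f.kind, f.masked) for f in findings]}


# Constructed sample message: one valid-looking SSN and card, one SSN with an
# unissued area (000), one card that fails Luhn, and a phone and order number
# that a looser digit-run rule might wrongly flag.
SAMPLE_EMAIL = """\
Hi Bob, here is the customer info you asked for.
Jane Doe, SSN 219-09-9999, card 4111 1111 1111 1111.
Test record: SSN 000-45-6789 (placeholder), card 4111 1111 1111 1112 (typo).
Support line +1 (415) 555-0100, order 20170512001.
"""

if __name__ == "__main__":
    print(decide(SAMPLE_EMAIL))
```

The validation step is what keeps the rule alive in production: a DLP policy that fires on every hyphenated nine-digit number or every run of sixteen digits is tuned down to silence within a week, and a silenced rule stops no exfiltration. Returning only masked values means the alert pipeline and the SIEM never hold a second copy of the sensitive record.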
Within the perimeter, additional layers of protection are needed closer to the "crown jewels" of customer data. For unstructured data (network shares and SharePoint), tooling should detect unusual access patterns from internal users: a sudden surge in the volume a user reads may indicate data siphoning by a disgruntled team member, while a burst of files being rewritten or renamed may indicate a ransomware attack in progress. For structured data (databases), a new, unexpected client connecting to the database, or changed query patterns from existing application servers (unusually large result sets, or queries against tables the application never touches), may indicate a SQL injection attack designed to steal data. Both defense mechanisms must alert security personnel in real time, as "time to respond" is critical in any attack.
It is also essential to plan for the battle you lose. Backups are essential to provide "point in time" recovery should you be compromised and your data corrupted or encrypted by an attacker. Backups only help if they survive the attack: keep at least one copy offline or otherwise unwritable from the production network, and test restores regularly, since ransomware routinely seeks out and destroys any backups it can reach.
The first few minutes after detection may be the most critical time to contain an infection, so it is important to have a pre-defined plan for each type of incident. The response to a ransomware attack will differ from the response to discovering that all your client data has been stolen, but in either case a pre-defined plan [13] (with call trees, contact points and procedures) must be followed in those first critical minutes.
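The two file-share detections described above, as an added example written for this page (not the paper's or any product's code): a sliding-window count of write/rename operations that introduce an extension the share has never seen, which is what a ransomware run looks like from the file server, and a per-user read-volume comparison against that user's own baseline, which is what siphoning looks like. The log format, field names, thresholds, baseline figures and every sample line are assumptions; the same window-and-baseline approach applies unchanged to database connection logs, where the fields would be client host, database account and rows returned.

```python
"""Behavioral detection over file-share access logs (added example, not the
paper's or any product's code). Flags (1) a burst of write/rename operations
that introduce an extension outside the known set, the signature of ransomware
encrypting a share, and (2) a user whose read volume far exceeds their own
baseline, the signature of data siphoning. Format, thresholds and sample data
are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    op: str      # READ, WRITE or RENAME (RENAME records the destination path)
    path: str
    size: int    # bytes transferred


def parse(log: str) -> List[Event]:
    """Parse whitespace-separated lines: '<iso-time> <user> <op> <path> <bytes>'."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, user, op, path, size = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, op, path, int(size)))
    return events


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_burst(events: List[Event], known_exts: FrozenSet[str],
                            window: timedelta = timedelta(minutes=1),
                            min_ops: int = 20) -> List[Tuple[str, datetime, int, List[str]]]:
    """Return (user, window start, op count, new extensions) for each user who
    performs >= min_ops writes/renames inside one sliding window and introduces
    at least one extension outside known_exts."""
    per_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.op in ("WRITE", "RENAME"):
            per_user[e.user].append(e)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            new_exts = {extension(e.path) for e in win} - known_exts
            if len(win) >= min_ops and new_exts:
                alerts.append((user, win[0].ts, len(win), sorted(new_exts)))
                break   # one alert per user; the responder takes it from here
    return alerts


def detect_read_spike(events: List[Event], baseline: Dict[str, int],
                      factor: int = 10) -> List[Tuple[str, int, int]]:
    """Return (user, bytes read, baseline) where bytes read > factor * baseline.
    A user with no baseline is treated as baseline 0, so any read is flagged:
    an account that has never touched this share before is worth a look."""
    totals: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.op == "READ":
            totals[e.user] += e.size
    return [(u, b, baseline.get(u, 0)) for u, b in totals.items()
            if b > factor * baseline.get(u, 0)]


# --- constructed sample data (not real logs) ---------------------------------
SAMPLE_LOG = """\
2017-05-12T09:00:01 alice READ   /shares/finance/q1.xlsx 1200000
2017-05-12T09:03:44 alice WRITE  /shares/finance/q1.xlsx 1250000
2017-05-12T09:15:02 alice READ   /shares/finance/budget.pdf 800000
2017-05-12T09:20:00 bob   RENAME /shares/hr/review0.docx.locked 0
2017-05-12T09:20:02 bob   RENAME /shares/hr/review1.docx.locked 0
"""
KNOWN_EXTS = frozenset({"xlsx", "docx", "pdf", "csv", "txt"})
HOURLY_READ_BASELINE = {"alice": 40_000_000, "bob": 25_000_000, "carol": 30_000_000}


def sample_events() -> List[Event]:
    """The literal lines above plus generated bulk: bob renames 23 more files to
    .locked over the next 46 seconds; carol pulls 40 CRM exports of 10 MB each."""
    events = parse(SAMPLE_LOG)
    t0 = datetime(2017, 5, 12, 9, 20, 4)
    for i in range(2, 25):
        events.append(Event(t0 + timedelta(seconds=2 * (i - 2)), "bob", "RENAME",
                            f"/shares/hr/review{i}.docx.locked", 0))
    for i in range(40):
        events.append(Event(datetime(2017, 5, 12, 9, 0, 0) + timedelta(minutes=i),
                            "carol", "READ", f"/shares/crm/export{i}.csv", 10_000_000))
    return events


if __name__ == "__main__":
    evs = sample_events()
    for a in detect_encryption_burst(evs, KNOWN_EXTS):
        print("RANSOMWARE?", a)
    for a in detect_read_spike(evs, HOURLY_READ_BASELINE):
        print("SIPHONING?", a)
```

Both rules are deliberately cheap so they can run on the live audit stream rather than a nightly batch; the paper's point about "time to respond" is lost if the alert arrives after the share is already encrypted. The baseline dictionary is the part that needs care in practice: derive it per user from a clean period and refresh it on a schedule, otherwise a slow-and-low exfiltration simply becomes the new normal.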
People considerations need to be factored into the strategy. Sophisticated technology, security and technical expertise and well-defined procedures alone are insufficient for an effective strategy. Proper training programs, and attention to your organization's attitude towards security, are necessary for your multi-layered strategy to be effective.
Training employees about data privacy and security is critical [17]. 56% of attacks (up from 38% in 2015) use phishing [15,19], in which employees are tricked into clicking an email link that gives hackers access to corporate systems and data. Take the University of California Davis Health incident in May of this year as an example: an employee who responded to a phishing email allowed a hacker to obtain data that compromised the protected health information (PHI) of 15,000 patients. Had the employee been trained to recognize the characteristics of a phishing email, this attack could conceivably have been avoided.
Training is necessary to help employees and workers identify suspicious activities or behaviors. This includes executives, who are often the primary targets of spear-phishing [14] attacks.
Cultivating the right employee attitudes and behaviors is just as important. Employee training combined with reinforcement of the right behaviors is key to improving a company's overall security posture. Responsibility for data security cannot be confined to the CISO or the security team. Just as good citizens recognize and report illegal or suspicious activity, a company's employees and contractors can and should do the same.
Each company's risk [12] of an attack is different, as is the scale of the losses at stake. To determine a holistic solution that best fits your risk profile and needs, consider an approach that factors in the elements [9,12] depicted in the framework (Figure 4) below.
The pillars of a strong and robust data protection program are many: from leadership and strong sponsorship to deploying next-gen technologies and having the right people, tools, policies, governance and subject matter expertise, many elements must come together for your data security program strategy to be effective.
Improving a company's data protection capability is complex. The effort should not be underestimated and must be approached holistically as a multi-phased program, not a one-off project. The consequences of not doing so are wasted investment, productivity loss, and a slap-dash data security program that does little to prevent, let alone detect and stop, a large-scale infection.
TO LEARN MORE ABOUT THIS FRAMEWORK AND THE LATEST GENERATION OF DATA SECURITY TECHNOLOGY, CONTACT US FOR A FREE CONSULTATION.
Is your organization sufficiently prepared to prevent, defend against, detect and contain stealth attacks?
Here's one way to find out: how many of these questions could you answer with confidence if asked by your board of directors or senior management team [4]?
About Hararei, Inc.
Hararei is a strategic IT and infrastructure boutique consultancy firm and channel partner for leading–edge cloud, security, network and data management solutions.
This Publication
This publication is written in collaboration with Arete Advisors LLC ("Areté"), a strategic alliance partner. Areté (pronounced ah-ree-tay) is a boutique management consultancy that specializes in transformational and organizational change management, governance, process/continuous improvement, LEAN, and program management. Visit www.areteadvisorsltd.com
Disclaimer
This publication does not constitute professional advice and you should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, Hararei, Inc. does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.