Cyber Security

Published on May 12th, 2015 | by admin

Closing the Door Quickly on Breaches and Attacks

With cyberattacks netting millions of data records per breach, it’s becoming imperative to stop the hemorrhaging of data quickly. While it doesn’t take long to copy or download data, it does take time to find the most valuable data. And having been down that rabbit hole once doesn’t preclude you from taking the ride again.

Sally Beauty Holdings, Inc. experienced a cyber-breach in February 2014 when the attackers had eight days to forage through data records and steal customer credit card information. May 4, 2015, they reported another breach; however, it’s too early in their investigation to determine the total impact from this one. Some early media speculation is suggesting that the latest attack is a follow-on to the original attack and that the attackers weren’t sufficiently purged from their network.

Sally Beauty isn’t the only one experiencing déjà vu. White Lodging Holding Corporation, with franchises of Marriott, Holiday Inn, Sheraton, and others, reported a network breach in February of 2014 and is now researching yet another. This time the focus was on the point-of-sale systems in their food and beverage establishments. Even with the use of an outside security firm, the measures taken were unable to stop the second attack.

These two attacks on two previously breached companies highlight the fact that standard security measures aren’t enough to keep networks safe. While security professionals tend to agree that it’s next to impossible to keep attackers out, how you go about protecting your network can have the biggest impact on controlling what and how much is stolen. The differentiator is the ability to identify network traffic outside the norm and to act on it immediately.

Without security applications that map network traffic and identify normal patterns prior to a breach, notification of a breach usually comes from financial institutions or third parties investigating fraudulent activity. This indicates the damage is already done and the attackers have sold off or started using account information.

The solution then has to come from within the company, prior to a targeted attack. The only way to limit the amount of data accessed or stolen is to quickly identify deviant traffic and remove its access. Additionally, the tools being used must be able to identify every point on the network contacted by the deviant traffic, in order to locate malicious code or malware that could reassert itself at a later time. This last piece could be what Sally Beauty and White Lodging are re-experiencing.
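The two steps just described (learn what normal traffic looks like, flag what deviates from it, then trace every host the deviant traffic went on to touch) can be sketched in code. This is an added illustration, not SS8 code; the flow records and the thresholds are constructed for the example:

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (src, dst, dst_port, bytes_out).
# BASELINE_FLOWS is the traffic observed during a known-good window.
BASELINE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 1200),
    ("10.0.1.5", "10.0.2.10", 443, 1500),
    ("10.0.1.5", "10.0.2.11", 445, 800),
    ("10.0.1.6", "10.0.2.10", 443, 1100),
    ("10.0.1.6", "10.0.2.10", 443, 900),
]
# NEW_FLOWS is later traffic to be judged against that baseline.
NEW_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 1300),           # known peer, usual volume
    ("10.0.1.5", "203.0.113.9", 8443, 50_000_000),  # unseen external peer, huge volume
    ("10.0.1.5", "10.0.3.20", 445, 600),            # unseen internal peer
    ("10.0.3.20", "10.0.3.21", 3389, 400),          # follow-on hop from that peer
    ("10.0.1.6", "10.0.2.10", 443, 950),            # known peer, usual volume
]

def build_baseline(flows):
    """Per source host: the set of (dst, port) peers seen and the median bytes sent."""
    peers, volumes = defaultdict(set), defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        volumes[src].append(nbytes)
    return {src: (peers[src], median(volumes[src])) for src in peers}

def flag_deviant(flows, baseline, volume_factor=10):
    """Flag flows to a peer the source never talked to, from a source with no
    baseline at all, or carrying far more bytes than that source usually sends."""
    flagged = []
    for flow in flows:
        src, dst, port, nbytes = flow
        known_peers, typical = baseline.get(src, (set(), 0))
        if (dst, port) not in known_peers or nbytes > volume_factor * max(typical, 1):
            flagged.append(flow)
    return flagged

def pivot_from_deviant(flows, flagged):
    """Starting at the destinations of the flagged flows, walk all flows outward so
    every host the deviant traffic reached (directly or via later hops) is listed."""
    adjacency = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        adjacency[src].add(dst)
    reached, stack = set(), [dst for _src, dst, _port, _nbytes in flagged]
    while stack:
        host = stack.pop()
        if host not in reached:
            reached.add(host)
            stack.extend(adjacency[host])
    return reached
```

Every host returned by `pivot_from_deviant` is a candidate for the malware hunt the paragraph above calls for; in practice the same walk is run over the full flow history, not just the flagged window.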

While tools can be put in place after a breach, the best plan is to have them in place before they’re needed. If it takes days, weeks, or in some cases months to identify that a breach has occurred, the focus will be on cleaning up in the aftermath while protecting remaining data and limiting access. What is needed is a holistic approach to protecting a network and its assets, and it must cover the entirety of the threat lifecycle, starting with the entry.

Tools like SS8’s Communications Insight for Enterprise can be used to complete the forensics after a breach, but their real value comes from installing them beforehand. As this blog title implies, the goal, short of stopping the breach before it ever gets a foothold, is to identify the breach as quickly as possible and block any further access or further loss of data. Communications Insight for Enterprise provides the capability of identifying the threat actor’s entry and subsequent actions on your network after an attack. This is accomplished by using powerful analytics and workflows that are easy to use, without any performance impact on your network.

As cyberattacks have gotten more sophisticated, a new approach is needed to respond immediately and limit the malicious behavior. Media headlines such as “Hackers Thwarted in Attempt to Steal Credit Card Information” play much better to boards of directors and customers than “Hackers Spend Months Harvesting Customer Information Prior to Breach Identification.”

Which headline will be yours?
