"Breaches happen. Expect to be hacked. Expect to lose data. It’s all about how quickly you respond." True. We've all heard the rhetoric shift from absolute compromise avoidance to acceptance of a new reality: the security industry can finally see when an attack has taken place, and we should own up to the fact that perimeter defenses no longer prevent attacks. That reality has set the tone for demonstrating "due care" in managing day-to-day security operations.
With visibility tools such as IDS, IPS, SIEM, and malware detection in place in many companies, the standard of due care has also changed. If you can see that you are under attack, or that your customer data is compromised, you have to do something about it -- like block it. Or, if the alert came after the fact, at least contain it and prevent more data from being exfiltrated.
Target is a case in point. FireEye was not only in place, it detected the malware and the IT operations team in Minneapolis was alerted. This intelligence likely came through a trusted source, either from the vendor (FireEye) or from inside Target's infrastructure, security, or procurement teams, based on the information reported in the now renowned Businessweek cover story, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It."
People, process, and technology
I'm inclined to go along with the assertions and assume that the alerts took place, on multiple dates, and that they did not get managed to resolution. But the real question, in my mind, is: what are the possible reasons the alerts weren't managed to resolution?
Tools don't solve the problem. Period. Ever. The combination of people, process, and technology does. Tired of hearing this from your auditors? Well, get over it, because they're right and it’s time we all embraced the concept. Each and every time I get called into a security consulting engagement in a large enterprise, I get pushback when my team tries to evaluate process and supporting "policy decisions" as part of the overall security program.
Usually this comes from mid-level IT managers or directors who simply want us to run a penetration test and move on. The general agreement of large enterprise security teams is that they have the best tools and the best people. So, since their risk management program requires a third-party assessment, please just do the pen test and get moving. Target is now our new illustrative case as to why we don’t, because, by most criteria, Target did it right. Millions of dollars in security tool spend, tens of security team members. Strong leading-edge tools like FireEye in place. Yet, how did that work out for them?
Stop missing the bulls-eye
The bulls-eye is not checking the box on deploying all the latest and greatest tools. Recently, articles from Dark Reading and The Motley Fool touted that buying more tools is the solution. Not surprising, yet very disappointing. Tools will not solve this issue. The solution is simple. Beyond simple. The big secret is that this issue can be solved in four simple steps:
Step No. 1: Define the security service catalogue.
Step No. 2: Identify the policy decisions that are informally in place in how incidents are categorized, classified, and managed to resolution.
Step No. 3: Only measure metrics that matter (a.k.a. "outcome-based metrics").
Step No. 4: Discuss the output in a real way, make a decision, document the decision in the "policy decisions matrix," and revisit these decisions monthly.
From the time I first heard about the Target incident, I had no reason to think that it would become one of the pivotal moments that would shape precedent, case law, and the way organizations define due care and due diligence. According to Harvard Law Review, "The care others exercise should at most be only evidence of the care that a reasonably prudent man would exercise under the circumstances." What is the expectation of due care when applied to the Target breach? How would it apply to your company? Let's chat about it in the comments.