How Security Leaders at Starbucks and Microsoft Prepare for Breaches

Executives discuss the security incidents they're most worried about and the steps they take to prepare for them.

In today's increasingly crowded threat landscape, it can be difficult to determine which threats companies should prioritize. For those who are stuck, it's helpful to consider what major organizations are worried about and the steps they're taking to combat those types of attacks.

This was the premise behind "Preparing and Responding to a Breach," a panel that took place at last week's RSA Conference in San Francisco. Security leaders from Starbucks, Microsoft, WhiteHat Security, and SecurityScorecard discussed the lessons they learned from the many breaches that took place in 2019 and how they plan to learn from these incidents to defend against threats of the future.

Last year brought 5,283 security breaches, said moderator John Yeoh, head of research for the Cloud Security Alliance, kicking off the panel. Organizations collectively lost 7.9 billion records, he said, and incidents indicate "the same things that are happening over and over again." What types of attacks were most frequent, he asked, and what did organizations learn from them?

"As far as types of attacks we see, [they] generally tend to either be application security attacks, phishing attacks, misconfiguration of cloud environments, these kinds of things," said WhiteHat CTO Anthony Bettini. And while these threats are old news to security pros, his fellow panelists agreed they are also the ones organizations should have at top of mind for defensive strategies.

"The reason you keep hearing about phishing from speakers like us … it's not because we want to bore you with repetition," said Microsoft's cybersecurity field CTO Diana Kelley. "It's because phishing still works." Application vulnerabilities, misconfiguration, and phishing are the three areas where attackers are having the greatest success, which is why they should be prioritized.

Some leaders, like SecurityScorecard CISO Paul Gagliardi, are most worried about how attackers use the data they steal. "One thing I often see is the somewhat sophisticated criminal groups are starting to use the aftermath of breaches to do even more targeted social engineering or phishing attacks at scale," he explained. "It's not just the fact a breach occurred; it's that all of our company's data is somehow in there."

Credential reuse is a primary concern for Starbucks global CISO Andy Kirkland, who spoke to a concern prevalent in the retail and hospitality industries. "Whenever these credentials become available, we become a place where people want to see if they work," he said. The sharing of usernames and passwords across multiple platforms is "a big thing to watch" for companies. Cloud misconfigurations, which Kirkland calls "the rebranding of shadow IT," are another worry.

"Just about anyone can get an S3 bucket and do whatever they want with it; potentially put whatever they want in there," Kirkland noted. The onus is on security professionals to identify these instances within an organization when they happen.

Practice, Practice, Practice
Panelists spoke to employee and customer training strategies, tabletop exercises, and other steps they take to better prepare for security incidents. One key takeaway was the importance of working employee training into the corporate culture for everyone. As organizations change over time, and new people are onboarded, there will be gaps in cybersecurity knowledge.

"I have to take cybersecurity training at Microsoft just like everybody else," said Kelley. "We don't just assume because somebody has a title, they get to be exempt from that training." She advised annual or biannual security training for all employees. "Psychologically, humans are much better at learning when we've got a little bit of an adrenaline pump." If an employee is caught getting phished, they may remember to be more cautious next time.

"The best training is in-the-moment training," Kirkland emphasized. While some trainings are done for compliance, the unexpected phishing emails deliver real learning moments.

He also advocates tabletop exercises with all executives in order to plan for cyberattacks. Senior execs schedule a four-hour block during which they create an entire breach narrative. Sometimes, he said, it's the first time in a while that leadership has come together to decide how they would respond to a security incident – and the results have had an effect beyond cybersecurity.

"The decisions, and the things that they've learned in those tabletop exercises, have informed the way that we respond as an organization to all manner of incidents; not necessarily those that were cyber-related," Kirkland said. Learning how business leaders collaborate "is not only educational for them; it's educational for you as a security professional," he added.

Tabletop exercises should inform a standard operating procedure for cyberattacks, said Kelley. Whether it's online or printed, every business should have guidance on how employees can escalate potential incidents and how they should respond to them. These procedures don't need to be 100% accurate – after all, every breach is different – but they should provide basic information on which internal and external organizations (cloud providers, law enforcement) need to be notified.

"You'd be surprised, with these kinds of activities, how easy it is to forget what needs to be done," she explained. If an employee doesn't know the right information or can't access it, they may have no idea how to move forward in the right direction.

Practitioners also pull lessons from previous security incidents: to inform annual trainings in incident response and business continuity, Gagliardi goes back into historical breach data to assess what security looked like before an incident. Breach disclosure is mandated under HIPAA and GDPR, he pointed out, and there are thousands of breaches that aren't publicly reported but are just as significant. Businesses "can get a lot of value" in lessons from these events.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
