Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

5/2/2014
01:00 PM
J.J. Thompson
J.J. Thompson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Why Perimeter Defenses Are No Longer Enough

When it comes to corporate information security and data protection, the new normal is "due care" in managing day-to-day operations.

"Breaches happen. Expect to be hacked. Expect to lose data. It’s all about how quickly you respond." True. We've all heard this rhetoric shift from absolute compromise avoidance to acceptance of a new reality that the security industry can finally see when an attack has taken place and we should own up to the fact that perimeter defenses no longer prevent them. That reality has set the tone for demonstration of "due care" in managing day-to-day security operations.

With visibility tools such as IDS, IPS, SIEM, and malware detection in place in many companies, the standard of due care has also changed. If you can see that you are under attack, or that your customer data is compromised, you have to do something about it -- like block it. Or, if the alert came after the fact, at least contain it and prevent more data from being exfiltrated.

Target is a case in point. FireEye was not only in place, it detected the malware and the IT operations team in Minneapolis was alerted. This intelligence likely came through a trusted source, either from the vendor (FireEye) or from inside Target's infrastructure, security, or procurement teams, based on the information reported in the now renowned Businessweek cover story, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It."

People, process, and technology
I'm inclined to go along with the assertions and assume that the alert took place, on multiple dates, and that the alerts did not get managed to resolution. But the real question, in my mind, is what are the possible reasons why this didn't happen?

Tools don't solve the problem. Period. Ever. The combination of people, process and technology do. Tired of hearing this from your auditors? Well, get over it because they're right and it’s time we all embraced the concept. Each and every time I get called into a security consulting engagement in a large enterprise, I get push back when my team tries to evaluate process and supporting "policy decisions" as part of the overall security program.

Usually this comes from mid-level IT managers or directors who simply want to see a penetration test, and for us to move on. The general agreement of large enterprise security teams is that they have the best tools and the best people. So since their risk management program requires a third-party assessment, please just do the pen test and get moving. Target is now our new illustrative case as to why we don’t, because, by most criteria, Target did it right. Millions of dollars in security tool spend, tens of security team members. Strong leading-edge tools like FireEye in place. Yet, how did that work out for them? 

Stop missing the bulls-eye
The bulls-eye is not checking the box on deploying all the latest and greatest tools. Recently, articles from Dark Reading and The Motley Fool touted that buying more tools is the solution. Not surprising, yet very disappointing. Tools will not solve this issue. The solution is simple. Beyond simple. The big secret is that this issue can be solved in four simple steps: 

Step No. 1: Define the security service catalogue.
Step No. 2: Identify the policy decisions that are informally in place in how incidents are categorized, classified, and managed to resolution. 
Step No. 3: Only measure metrics that matter (a.k.a.: "outcome-based metrics"). 
Step No. 4: Discuss the output in a real way, make a decision, document the decision in the "policy decisions matrix," and re-visit these decisions monthly. 

From the time I first heard about the Target incident, I had no reason to think that it would become one of the pivotal moments that would shape precedent, case law, and the way organizations define due care and due diligence. According to Harvard Law Review, "The care others exercise should at most be only evidence of the care that a reasonably prudent man would exercise under the circumstances." What is the expectation of due care when applied in the Target Breach? How would it apply to your company? Let's chat about it in the comments.

J.J. Thompson is the CEO and Managing Director at Rook Security and specializes in strategy, response, and next-generation security operations. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jjthomps
100%
0%
jjthomps,
User Rank: Apprentice
5/5/2014 | 11:03:39 AM
Re: Pivotal moment for "due care"
"...proof that internal policies were followed" <- exactly. My guess here is that Target had a policy that stated something like "... events categorized as X,Y,Z are escalated according to table A, with the following SLA's in table B."

Was their policy and supporting proceedures designed that way? If so, did they follow their defined process? If not, then what? Is the standard of due care in following the process as DESIGNED? In tests of operating effectiveness, Target "passed" for PCI, either their auditor did not properly test the controls, ignored residual risk issues, or that they reported on these issues and Target ignored the feedback. PCI does not do a good job forcing assessors to consider residual risk (the way accounting firms have to). Even if they did, then allowing QSACs and P's to opine on residual risk would be a mismatch in skills to activity being expected of the QSAPs.

Going back to design, what if the process and controls are not designed correctly, then who is responsible for determining that and what impact would that finding have? Right now the consumer and AG's are the option for accountability as there is no regulatory function in place to adequately manage this situation when it comes to consumer protection. 
Bprince
100%
0%
Bprince,
User Rank: Ninja
5/5/2014 | 1:13:02 AM
Re: Pivotal moment for "due care"
Seems like the bare minimum of due care would be compliance standards and proof that internal policies were followed. But does there need to be more, since as the Businessweek article points out there were signs that were missed? What if your internal policies aren't strong enough to prevent a breach? Should there be a law that says if alert X is triggered due to an unuauthorized act and an organization doesn't take action Y to remediate it they are liable? That could be very difficult to do right.  

 
jjthomps
100%
0%
jjthomps,
User Rank: Apprentice
5/2/2014 | 6:43:58 PM
Re: Pivotal moment for "due care"
Marilyn,

When I said "that would shape precedent, case law", I was saying that the pending legislation against Target, and the resultant decisions by the court, will shape case law moving forward about standards of due care and negligence. Please see case 14-CV-2069 Trustmark National Bank v. Target and Trustwave. As this is pending, we need to wait and see the outcome as well as the other suits being filed by state AG's. 
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
5/2/2014 | 4:54:30 PM
Pivotal moment for "due care"
Thanks for the blog , J.J. I'm curious to learn more about the legal precedent you mention. Is there litigation pending against Target based on the due care standard? 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Botnet Infects Hundreds of Thousands of Websites
Robert Lemos, Contributing Writer,  10/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8260
PUBLISHED: 2020-10-28
A vulnerability in the Pulse Connect Secure &lt; 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.
CVE-2020-8261
PUBLISHED: 2020-10-28
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure &lt; 9.1R9 is vulnerable to arbitrary cookie injection.
CVE-2020-8262
PUBLISHED: 2020-10-28
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface.
CVE-2020-8263
PUBLISHED: 2020-10-28
A vulnerability in the authenticated user web interface of Pulse Connect Secure &lt; 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file.
CVE-2020-8239
PUBLISHED: 2020-10-28
A vulnerability in the Pulse Secure Desktop Client &lt; 9.1R9 is vulnerable to the client registry privilege escalation attack. This fix also requires Server Side Upgrade due to Standalone Host Checker Client (Windows) and Windows PDC.