A new article in Business Week today provides an in-depth glimpse into the infamous Target breach. Although Target had “best-in-class” security technologies and a huge information security team, they completely missed all the alerts and alarms. How did this happen, and what does this tell us about the state of corporate security programs?
The Target breach is unique among breach events primarily because we know so much about it. Target deserves kudos for being extremely transparent about this breach (although some may argue they had no choice). This transparency is not only providing good insight into Target’s issues, but is helping security practitioners around the world learn from Target’s mistakes. That is exactly the kind of collaboration and sharing the community needs.
The details of the breach are generating a lot of questions. Particularly, what does the breach say about corporate information security in 2014? Moreover, what lessons can we learn from this event?
1. Security Controls are Only as Good as their Users
One of the most recent revelations concerned how Target used its security controls. Like many other large companies, Target had invested heavily in cutting-edge security technologies. One of those, FireEye, is a sophisticated malware detection platform.
However, Target implemented this sophisticated platform in a manner in which it could not actually protect anything. It was deployed in “monitor only” mode, where it could not actively stop anything. (Incidentally, Anitian specifically advised the industry against this practice in our Things to Stop Doing in 2014 blog entry.) In this mode, the security control merely reports suspicious behavior via email or some other alerting mechanism. When the FireEye product detected the malware that began the attack, it could neither block it nor stop it. Instead, an alert went to a team of people who essentially ignored it.
This calls into question the value of Target’s investment in FireEye. When it came time for that control to do its job, it was not the control that failed, but the people who implemented it and managed it. Like many companies, Target missed the point of security controls. No matter how sophisticated or advanced a technology may be, the effectiveness of a control is almost entirely dependent upon how it is implemented and used.
Part of this problem stems from how these technologies are sold. Manufacturers like FireEye rely on a network of resellers and distributors to promote and sell these complex security controls. These intermediaries are almost exclusively focused on selling the product, rather than ensuring it works correctly. Likewise, their focus is on promotion and promises, not integration or education.
Like many large companies, Target fell victim to the classic “set it and forget it” sales pitch. Perhaps if Target’s FireEye partner had correctly communicated the total cost of ownership for the technology (the staffing, tuning, and response process required to act on its alerts), Target might have invested the resources necessary to deploy it correctly. Unfortunately, resellers rarely do that, because it inflates the cost of the purchase and puts them at a competitive disadvantage against other resellers. Technology resellers just want to move gear; they couldn’t care less whether that gear actually works. Ultimately, companies are set up to fail, making breaches like Target’s an inevitability.
2. Infosec Is Fighting for Value from People Unqualified to Value Security
Target’s FireEye product may have correctly sent out an alert, but the people monitoring these alerts ignored them. Why did they ignore this? And why was the FireEye solution deployed in monitor mode only in the first place?
Like so many large enterprises we have assessed, Target’s security teams lacked the authority, ability, or willingness to effect change. Executive leadership views information security as a “necessary evil.” They are quick to dismiss any security control (or person) when there is even a whiff that it could create a roadblock to operations. This trepidation from leadership usually finds support among inexperienced IT staff, who reject active defenses out of fear that they will create additional work (or cost them their jobs).
This puts security practitioners on the defensive against company leadership. They must constantly prove their value to managers who, quite frankly, lack the ability to assign value to security. Executive management is focused on meeting performance objectives, and from their point of view security is a potential roadblock to those objectives. However, they should also know that a breach could ruin the company.
This results in “Schizoid Security,” which this blog has written about before. People value security until it makes things even slightly more difficult; then they hate it and want it turned off. This erodes confidence in security teams, which in turn erodes their authority to effect change.
Security teams are therefore fighting an uphill battle against a variety of cognitive biases that lead people to reject security. To counteract this, security teams set up large teams of people to manage their systems and provide reassurance that everything is under control. This leads to another big hurdle: people are a poor defense.
3. People Ponder, Technology Reacts
Had Target deployed its FireEye appliance in-line, with the ability to automatically block malware, this breach would likely never have happened. Instead, the security control sent an alert to a team of users; that alert bounced around the organization and was never followed up on.
Human beings simply do not have the cognitive ability to react to events at the speed of modern networks. Human time is measured in hours, days, and months. Networks work in nanoseconds, well beyond the ability of human cognition.
What people are good at is pondering, thinking, analyzing and synthesizing. Target is a prime example of the mistaken perception that security programs need a team of engineers sitting at consoles night and day to protect the business. This is simply not the case. Those teams of people are never going to be able to react fast enough or with decisive enough response to stop the next generation of attacks. No human or team of people has this ability.
Technology, on the other hand, does have this ability. It can react in real-time and prevent attacks. However, that technology still needs people to monitor it and analyze its output.
What these companies need are people who analyze data and then synthesize it into actionable intelligence. That intelligence, however, needs to go somewhere meaningful, which leads to the next revelation from this breach.
4. Leadership Needs Intelligence
The departure of Beth Jacob, Target’s CIO at the time of the breach, suggests Jacob was, at some level, out of the loop on information security. Our own assessment data backs this up as well. IT executives usually delegate security and then have no involvement in the day to day security operations. This marginalizes security until there is a serious problem.
As mentioned earlier, IT security needs the ability to effect change in an organization. For this to happen, it must be in front of executive leadership on a regular basis. Yet when you look at the security controls that companies invest in (like FireEye), their output is far too opaque for the average executive. These controls generate data, metrics, and reports, which must be rendered into something more comprehensible for executives. In other words, executives need intelligence, not data.
When the US President wants to know about the tense situation in Ukraine, he does not get a list of all the people in the country who said something inflammatory last week. He gets a briefing from analysts who read reports like that and synthesize that data into intelligence. The President’s briefing is therefore a distillation of data into something workable and actionable.
Executive leadership needs security intelligence, not more data. We need to groom a new generation of information security practitioners who analyze data and advise leadership, not merely plug in new security appliances. We must empower leadership to make intelligent decisions about security; decisions that can effect change in real, tangible ways.
Imagine if Jacob, Target’s CIO, had received an intelligence briefing the day after the malware was detected. The analyst might have said something like: “There was a very suspicious malware attack that came in through a third-party vendor. Based on threat intelligence, this is a common breach tactic. I suggest we assign one of our incident responders to investigate and clean the affected systems immediately.”
Jacob would have been armed with real, actionable intelligence. She could have authorized the clean-up right then. The breach would have been properly investigated and stopped. Moreover, since the directive came from the CIO, security staff would have been compelled to act, rather than ignoring the problem and hoping it would go away.
Conclusion
It is safe to say the industry will be picking apart the Target breach for years to come. There is a lot to learn about information security from this incident. Specifically, security’s relationship with executive leadership needs to mature. Organizations need to stop Schizoid Security and develop intelligence-based answers that leverage new technologies. Moreover, security teams need to make sure that technologies and people are not performing the wrong jobs.
Target appears to be like many other large companies: buying gear it does not fully use from resellers who do not care; managing data it does not understand from systems that do not protect the business; and allowing leadership to push security off to somebody else who also does not know or care about protecting the business.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com
Andrew, great article, excellent insight. It all points to what you said, which is “IT security needs the ability to effect change in an organization.”
You are correct that this breach will be picked apart to the nth degree for years to come. It is easy to say with our perfect hindsight that Target security leadership should have made the decision to have their appliances in-line and actively blocking known threats, but speaking from experience, that is easier said than done. Not a single experienced security practitioner would be shocked had they been a fly on the wall in the multitude of Target meetings debating the merits of active security, then listening to arguments that security is too disruptive, followed by the gnashing of teeth, and ultimately deciding NOT to place malware/IPS functionality in-line. The inevitable result of deciding against automated controls is that security is expected to rely on human interpretation and interception for hundreds of thousands of transactions and millions of packets of legitimate and illegitimate traffic. When this fails, as is bound to happen, the business has a convenient scapegoat that can be asked to fall on their sword. I’m not making excuses for Beth Jacob for failing to recognize the risk, but I gather there are more than a few at Target who appreciate the irony of trading controls-disruption risk for breach risk at this juncture.
“Every body has their taste in noises as well as other matters; and sounds are quite innoxious, or most distressing, by their sort rather than their quantity.” ― Jane Austen, Persuasion
Security has the ever increasingly complicated task of determining what is noise and what is not and then deciding how much of that noise to store and for how long.
It tells us that not much has changed…
Many others outside of Target appreciate the irony as well. Security is never convenient.
As Walter Scott said: “Oh, what a tangled web we weave”.
I am continually amazed how well the very complex physical, locally virtualized and cloud-based infrastructure operates in my shop. We all need to stop and think about how easily it can be compromised by a single user who is trying to do “the right thing” or more likely, not paying attention while browsing and/or clicking away. Even with in-line deployment of the latest firewall technology there is plenty of low lying fruit to cause security headaches.