Threats to data security are changing in a dangerous way. They are becoming laser-focused on sensitive information such as intellectual property and cardholder data. Symantec has observed this shift over a period of years through its Global Intelligence Network. Read on to learn about the challenges this poses for most IT organizations.
I recently attended Symantec's annual user conference, where I spent my time talking one on one with the company's leading strategists and technologists. We mostly talked about what enterprises can do to take better control of their information security and regulatory compliance postures. This week I'll share with you Symantec's insight on how threats to data security are changing (and becoming far more dangerous), and next week I'll cover the Symantec strategy for helping companies regain control over protecting sensitive information.
Data loss a mystery for many businesses
IT's traditional approach to information security is to protect the infrastructure around the data as well as where the data resides. Like building a moat around a castle to keep out marauding intruders, this approach is insufficient for today's threats. It's too easy for thieves to cross the moat (or crash the firewall) and have access to the crown jewels -- your company's sensitive data.
Because important information is everywhere these days -- on handhelds and other endpoints, in the cloud, in social media -- we need to shift our way of thinking to focus on protecting data and the applications and not just the infrastructure. This is especially important because research shows that many security threats have changed to be more information centric in their focus in order to derive the highest possible value for cybercriminals. Therefore, our approach to security must be one of being information centric as well, while also simplifying the security process.
Symantec's Global Intelligence Network has been observing threats to information security for years. Over time, Symantec has noticed a shift in the intent of cyberattacks on both business and government entities. Hacking attempts have progressed from being mass attacks looking to wreak havoc and steal as much data as they could, to being very targeted attacks looking for specific data from a specific organization.
(Read the Symantec Global Internet Security Threat Report: Trends for 2009 now available online, along with a Webinar that summarizes the key points from the report.)
Symantec categorizes a modern hack attack resulting in a data breach as having four distinct stages.
Stage 1: Incursion -- A hacker gains access to the enterprise infrastructure via an endpoint. In previous years this was done via mass distribution of malware, usually through means such as e-mail or corrupted PDF files. The hacker hoped that more than one person would open the corrupted file or link and allow the malware to spread.
Today hackers leverage social engineering techniques to get the malware onto the endpoint. This approach is very targeted, often with a cyber thief using social media such as Facebook to gather information about a prospective target. The targeted person is heavily researched up front; the attack is socially engineered to lure the victim to trust the e-mail message or attachment with a unique malware-infected payload. Often these attacks and the malware are unique to the specific person and his or her organization, allowing the thief to find and steal important information that can be monetized, such as intellectual property or payment card data.
Stage 2: Discovery -- This phase often uses unique malware that is spawned by the initial entry malware to scan and discover the desired information within the network. This technique was used in the Heartland Payment Systems attack -- one of the largest and most damaging breaches to date. In this attack, the incursion and discovery phases were very discrete; the malware hid inside the network for almost a year, looking for the specific targeted data. Once the hackers found what they wanted, the data extraction of more than 130 million records happened quickly.
This new lengthy (and stealthy) discovery process is far more insidious than techniques used in previous years, where the malware would get inside a network, find the desired information and then attempt to get that information out as fast as it could before being discovered. This entire process would be very "noisy" from start to finish, leaving many traces and being easier to detect. However, with new targeted attack methods like those used on Heartland, the malware quietly searches for and sometimes inspects the data to find exactly what the hackers are looking for and then tracks the data location for the next phases.
Stage 3: Capture and Stage 4: Exfiltration -- While the new incursion and discovery phases are often "quiet" and hard to detect, the data capture and exfiltration stages are still fast and noisy when hackers take the data out the virtual door. Frequently, this is the first time when most organizations realize they have been breached, if even then.
The criminal engineers of these attacks know that it will take a period of time for an organization to respond to a breach because of the layers of responsibilities to detect the breach, analyze the situation, develop a response and finally take action. By the time this is done, the data is long gone and the damage is done.
Today's malware is often as sophisticated as commercial software; it's specifically designed to succeed in the four stages mentioned above. In addition, the way in which most enterprises protect their data today leaves openings for hackers to exploit and hide their malware. There are four reasons behind this IT challenge:
1. Compliance -- Most organizations can implement IT policies effectively, but they have difficulty consistently enforcing the policies over time. For example, over time the same server and endpoint types will have diverged and have different configurations and controls over them, as well as patches not being applied consistently and in a timely fashion.
Cybercriminals count on these issues to allow their surreptitious malware to burrow and effectively gather its information over long periods of time. In other words, the malware hides in plain sight, with a very small footprint on the network. In the Heartland case, it was a non-disruptive "one box" malware that went undetected, largely because antivirus and traditional security tools cannot effectively detect one-off instances of malware.
2. Protecting information -- Most organizations know where their critical or sensitive information is primarily stored (and supposed to stay). What organizations don't know is where else this information resides. This is typically the result of well-meaning employees who have approved access to this information using it for their jobs and then storing it somewhere else -- someplace that may or may not be secure, such as a minimally secured file share, their personal computer, or a portable USB drive. Consequently, this sensitive information can end up living in many locations besides the primary secure data store. The cybercriminals know this, and this is why their malware spends so much time in the discovery phase. What thieves want often inadvertently resides in places outside a well-protected and monitored data store, so the thieves avoid the databases and seek out poorly protected storage areas. In many cases, breach investigation teams learn that data that was compromised was simply a copy of production data stored in unsecure locations.
3. Systems management -- Many organizations struggle with this critical function for various reasons. A major problem seems to be not knowing about everything that lives on the network. Many times there are unknown systems attached to the network, and if you don't know about them, you cannot manage them. Gaps in patch management are a big contributor in breaches when malware exploits known vulnerabilities that have not been patched in a timely manner.
4. Infrastructure security -- Most organizations are relatively evolved in having the right point security products in place and having their infrastructure pretty well secured. However, this diversity, or vastness of point solutions in an infrastructure, creates a lack of visibility across the entire environment. It becomes impossible to understand what is going on at any point in time from a holistic security and risk perspective.
When it comes to enterprise information security, it's hard to see the problems associated with compliance, information protection, systems management, and the network infrastructure at the same time and at a relevant enough level to effectuate appropriate and timely remediation -- in other words, to prevent the breach. So, the challenge is how to increase visibility into all of the network and supporting activities, and at the same time reduce the time from breach detection to mitigation, with the emphasis being on risk management and mitigation.
Next week, I'll discuss Symantec's strategy for addressing this challenge.