In a span of five weeks earlier this year, several high-profile breaches were reported — Orbitz, Saks Fifth Avenue, Lord & Taylor, Sears, and Best Buy were just some that made headlines. This spate of data breaches affected millions of customers, putting focus on not only on data protection but also incident response.
Indeed, data breaches are a wake-up call for enterprises. With today’s ever-evolving threat landscape, data breaches are no longer isolated cases. Whether from misconfiguration, patch lags, and unsecure software or system components, bridging security gaps and responding to and remediating data breaches calls for a proactive approach — something that managed detection and response (MDR) can provide.
[Related News: Timehop, Macy’s, Bloomingdale’s, Domain Factory Announce Breach]
Here are some lessons learned and how MDR figures into data breaches:
Case in point: In June, attackers exploited a vulnerability in an application hosted on the server of FastBooking, a hotel reservation software provider. It resulted in the theft of personal data and credit card numbers of hotel guests; a hotel and resort operator in Japan revealed that over 124,000 of its customers were affected. More than 37 million records of Panera Bread customers were reportedly left exposed, although Panera Bread claimed that only 10,000 were affected. Dylan Houlihan, a security researcher, had notified Panera in August 2017 about a vulnerability in its website — an unauthenticated application programming interface (API) — that exposed the personal data of its customers. However, the flaw was not immediately fixed. There’s also the infamous Equifax breach last year that exposed the PII of 145.5 million U.S. citizens and 15.2 million records of U.K. customers.
Data breaches can be mitigated by fixing security flaws as soon as they are identified. A single vulnerability is often all it takes to affect millions. In today’s dynamic threat landscape, a reactive approach is not enough. Apart from regularly vetting the security of mission-critical assets and ensuring the privacy of data stored on them, organizations armed with actionable threat intelligence can better assess security incidents and make informed decisions on how to deal with them. With the right insight and context, an organization can anticipate and prepare for threats and, in the case of breaches, quickly remediate them.
Case in point: Last February, security researchers uncovered that a legacy server containing the personally identifiable information (PII) of FedEx’s customers was not secured. Expedia’s Orbitz, an online travel fare aggregator, disclosed that a data breach exposed the data on 880,000 payment cards of its customers. The attacker reportedly gained unauthorized access to Orbitz’s legacy travel booking platform, and was able to get PII stored on it. It was also acknowledged that the data breach reported by TalkTalk in 2015 was due to vulnerabilities that were exploited in their legacy technology.
Data breaches are a good reminder to regularly patch systems and secure legacy, outdated, or end-of-life software or systems no longer supported with patches, or migrate to their updated versions. Data breaches also highlight the importance of visibility across the organization’s online premises. By actively monitoring activities on endpoints, networks, servers, and internet-of-things devices — even legacy systems — and correlating them, enterprises can better identify, bridge, and remediate security gaps that could have been overlooked by traditional security solutions.
Case in point: In January, Forever21 disclosed that the data breach it reported in November 2017 had indications of point-of-sale (PoS) malware. In March, it was reported that more than 160 of Applebee’s restaurants operated by RMH Franchise Holdings (RMH) in the U.S. were hit by PoS malware. In early July, B&B Hospitality Group reported that PoS devices in nine of its restaurants were infected with malware, exposing their customers’ payment card data. Luxury retailer Saks Fifth Avenue and Lord & Taylor divulged that payment card data of more than 5 million customers were compromised. According to security researchers, the Saks hack was carried out by the Fin7 cybercriminal group aka JokerStash using PoS malware.
Organizations clearly need to strengthen their security posture against surreptitious threats designed to hide and dwell within systems for long periods of time. An effective approach that can help is proactively hunting these threats. A robust threat hunting strategy helps enterprises plan against similar threats. Regularly checking and sweeping online premises for indicators of compromise or attacks and actively monitoring for anomalous network activities are just some of the countermeasures that can be employed to uncover threats that otherwise could have bypassed security controls.
Case in point: At least 10 U.S. municipalities have been affected by security incidents involving Click2Gov, an online billing software. The breaches were ultimately found to be due to a vulnerability in a third-party component needed to run Click2Gov. Online chat service provider 7.ai was hit by a payment card breach that in turn affected several of its clients, including Sears, Delta, and Best Buy. While 7.ai’s statement on the incident noted that only “a small number” of its clients were affected, Sears said the incident exposed the credit card information of less than 100,000 of its customers. In a survey of organizations last year, at least 56 percent of respondents suffered a breach due to third-party risks.
Whether using tried-and-tested entry points like email or seemingly novel vectors like chat software, attackers will constantly fine-tune their tactics and techniques — and so must enterprises. Organizations should also take into account the third-party services they use when developing their incident response strategy, such as ensuring security controls are in place to deter unauthorized access to the data they store or process.
In an ideal scenario, enterprises must have the mechanisms in place to actively monitor, manage, and respond to security incidents. However, this can be challenging for organizations, especially those that don’t have the resources to employ full-time threat analysts and researchers that can correlate and fully delve into security alerts and incidents.
The cybersecurity skill gap doesn’t help either: In fact, it is projected that by 2022, there will be 1.8 million unfilled cybersecurity positions. Even if organizations have the budget, a shortage in cybersecurity talent will make it difficult. This is exacerbated by the amount of security alerts that can overload IT teams that often also multitask to keep the business operations running. Each security alert must be correlated, validated, and fully researched, all of which take time and skills. Organizations may employ the most advanced security solutions, but these can only be as effective as the people who use them.
MDR provides organizations with security capabilities that can help them anticipate and thwart known (or unknown) threats and, in the event of a compromise, remediate faster. Through automation, the burden of manually sorting through security alerts is alleviated. It also helps validate if an alert or incident previously marked as innocuous is actually part of an active attack.
For instance, it’s crucial that a piece of malware doesn’t dwell on PoS systems; it can steal more payment card data the longer it stays undetected. MDR can provide automated threat correlation to promptly identify where the malware is hiding, how it spreads, and if it has downloaded other malicious files and infected other systems. Businesses can then promptly develop a remediation and incident response strategy that, when complemented by defensive measures, can enable them to be more resilient against cyberattacks.
Trend Micro’s managed detection and response service allows customers to investigate security alerts without the need to hire qualified incident response staff. It provides alert monitoring, alert prioritization, investigation, and threat hunting services to Trend Micro customers. By applying artificial intelligence models to customer endpoint data, network data, and server information, the service can correlate and prioritize advanced threats. Trend Micro threat researchers can investigate prioritized alerts to determine the extent and spread of the attack and work with the customer to provide a detailed remediation plan.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.