Wednesday, December 10, 2014

Game Changer: Court Rules that Target Is Liable for Not Preventing Breach
From Brian Foster, CTO of Damballa:

Almost one year to the day after Target suffered a breach during peak 2013 holiday shopping, a Minnesota court just handed them a lump of coal. In a ruling announced on December 2, 2014, the court said that Target can be sued for failing to prevent their data breach. Their rationale was: Target can be viewed as negligent for failing to heed warnings from its FireEye prevention system and for disabling the inline blocking feature.

Let that sink in a moment.

As an enterprise security professional, ask yourself: do you immediately take devices off your network when you receive an alert from a prevention tool? Do you ever automatically block a device because of a single alert?

I assume you answered “no” to both questions. If I’m wrong, I would love to meet you and understand how you manage the herculean feat of not grinding your network to a halt and handcuffing business operations. 

In a brand new, not-yet-published security survey conducted by the Ponemon Institute, respondents said they receive an average of 17,000 alerts per week and that only 19% are reliable. The rest are false positives.

Put yourself in Target’s shoes. They paid $1.6 million for a system that was supposed to prevent advanced attackers. What they got was a lot of alerts lost in a sea of other alerts, meaningless unless correlated with other pieces of evidence.
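The point about correlation is the operational one: a single alert from one tool is rarely enough to justify pulling a device off the network, but the same host showing up in several independent data sources within a short window is. The following is an added example, not code from the article or from Damballa, that sketches that kind of corroboration-based triage. The alert records, the source names, the 30-minute window and the "two independent sources" escalation threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from the article or any real incident).
# Each record is one alert from one detection source about one host.
SAMPLE_ALERTS = [
    {"ts": "2014-11-30T08:00:00", "host": "pos-register-17", "source": "malware-sandbox",
     "detail": "suspicious binary executed"},
    {"ts": "2014-11-30T08:03:00", "host": "pos-register-17", "source": "dns",
     "detail": "lookup of never-before-seen domain"},
    {"ts": "2014-11-30T08:07:00", "host": "pos-register-17", "source": "egress-proxy",
     "detail": "large upload to a new external IP"},
    {"ts": "2014-11-30T09:15:00", "host": "hr-laptop-04", "source": "malware-sandbox",
     "detail": "suspicious binary executed"},
    # Same host fires again hours later: outside the window, so it does not corroborate.
    {"ts": "2014-11-30T14:10:00", "host": "hr-laptop-04", "source": "dns",
     "detail": "lookup of never-before-seen domain"},
    {"ts": "2014-11-30T10:00:00", "host": "fileserver-02", "source": "malware-sandbox",
     "detail": "suspicious binary executed"},
]


def corroboration(alerts, window=timedelta(minutes=30)):
    """For each host, return the largest number of *distinct* alert sources
    that fired within any single time window.

    Repeated alerts from the same source add no weight; only independent
    evidence counts toward the score.
    """
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append((datetime.fromisoformat(alert["ts"]), alert["source"]))

    scores = {}
    for host, events in by_host.items():
        events.sort()  # chronological order, so each alert can anchor a window
        best = 0
        for i, (start, _) in enumerate(events):
            sources_in_window = {src for ts, src in events[i:] if ts - start <= window}
            best = max(best, len(sources_in_window))
        scores[host] = best
    return scores


def triage(alerts, window=timedelta(minutes=30), escalate_at=2):
    """Map each host to a verdict: 'escalate' when at least `escalate_at`
    independent sources agree within the window, otherwise 'queue' for
    routine analyst review rather than automatic blocking.
    """
    return {
        host: ("escalate" if score >= escalate_at else "queue")
        for host, score in corroboration(alerts, window).items()
    }


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{host:16s} {verdict}")
```

Run stand-alone, this escalates only the host that three different sources flagged within minutes of each other; the two hosts with a lone sandbox alert stay in the review queue. The thresholds are deliberately simple knobs: a real SOC would tune the window and the minimum source count to its own false-positive rate, which is exactly the calibration the Ponemon figures above suggest most teams lack.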

Again, ask yourself: which one of 17,000 alerts would you know, with certainty, deserves your attention?

While comments from a vendor defending itself and its ability to spot the malware may have made Target's security team seem like the Keystone Kops, fumbling around and carelessly failing to investigate alerts, this is hardly the case. According to Ponemon, the average-sized security staff involved in malware detection and containment is 17.1 full-time headcount, and those staff have on average 7.9 years of professional experience in their field. It’s difficult to view this highly skilled group as clueless and purposefully negligent.

I’m certain the security team at Target would have prevented their attack if it were at all humanly possible. They had lots of expensive tools. They had a full-time Security Operations Center. Apparently, what they lacked was any degree of certainty that the alerts fired by their prevention tools were actionable.

The discussion about prevention versus detection has escalated this year. The Target court ruling will likely make the discussion a lightning rod. Security experts will tell you they know their prevention systems can’t stop advanced threats. Those systems are designed to identify potentially suspicious activity by known ‘bad’ entities, not the unknown. Cyber criminals have learned to outsmart those systems with ease.

Ask any CISO what keeps them up at night and they will tell you it’s the ‘unknowns.’ I imagine today’s court ruling will cause many CISOs to lose a few hours more sleep tonight.