President and CEO of Vormetric, Alan Kessler, blogged earlier this week concerning the far-reaching impacts of the Target breach – reflections from almost two years later. Alan remonstrated in his article that the Target breach was the most visible mile marker in 2014, a year full of breaches and continuing into 2015, and he went on to discuss and reflect on some of the other specific breaches.
In this article, I would like to reflect on some of the industry-wide changes that have taken place since the Target breach.
ClickToTweet: 2 Years Later: Reflections from "The Breach" http://bit.ly/1PqIH55 pic.twitter.com/VbvpuddYzg
“The Breach”
The Target breach was so significant that for at least the first year afterward, it was referred to, especially in security circles and even on the news, as simply “The Breach.” And as Alan has already detailed, that breach was merely a harbinger of things to come with major breach after major breach taking place after the Target breach.
But what has been the impact of all these breaches? As one would expect, reactions and responses to “The Breach” by organizations have been all over the map. Some have, as the saying goes, not “let a good crisis go to waste” and have become better companies as a result. Others have not fared or reacted as well.
While “The Breach” and the major breaches afterward has led most major retailers to reevaluate their data security approach, the retail edition of the Vormetric 2015 Insider Threat Report shows that retailers still have a long way to go. Over 51% of retail respondents reported being very or even extremely vulnerable to insider threats – the highest rates measured in the study. Many of these organizations continue to invest in security and utilizing traditional approaches that have proven over the last two years to be insufficient.
While the threat obviously still remains high and a number of organizations still admit they have a long way to go, positive changes have taken place since “The Breach” (hereafter referred to simply as the breach) that are moving the retail industry and other industries along in a positive direction.
What Has Changed?
As we approach this anniversary of what was the first of the mega breaches, and in light of this anniversary (and in honor of the many records that hackers have stolen), here are some reflections on what has changed in the last two years:
The Rise of the CISO
Previous to the breach, the office of the CISO largely suffered from irrelevancy. In a significant number of cases, the office of the CISO did not even exist, even in organizations as large as Target (which did not have a CISO at the time of the breach), or the office was relegated to several layers removed from the CEO, often reporting to someone whose organizational mandate and executive focus was not primarily related to IT such as the COO or CFO.
Since the breach, the outlook on the office of CISO has largely, radically and very rightly changed. We have finally seen the rise of the CISO to its proper place in most organizations. For years, many security experts (including yours truly) have decried the irrelevancy of the CISO and his or her lack of a seat and a voice at the C-Level table.
Organizations that have deeply evaluated and fully embraced the necessity of the CISO have gone so far as to place the CISO roughly on par with the CIO, mandating that the CISO focus solely on the security of the organization while allowing the CIO to focus on overall IT business enablement. In some cases, the CISO now actually reports directly to the board of directors! For organizations following this line of thought and reacting with this sense of urgency, the results have been very visible and outstanding.
Ironically, in spite of the increased day to day pressures of a possible breach, more talented individuals have come forward actually desiring the role of the CISO because it now has industry relevance. The CISO and CIO in many cases now work more effectively, more hand-in-hand, with better focus and with better and more effective C-Suite visibility and organizational impact.
Restructuring of the Payment Card Industry
One of the biggest most welcome changes wrought by the Target breach especially on behalf of the consumer was mandatory restructuring of the Payment Card Industry and point-of-sale terminals and credit cards.
While it was easy at the time to blame Target for lack of POS security, the fact remains that POS insecurity was an industry-wide gap and it took a breach the size of Target to finally get the Payment Card Industry and credit card issuers to revamp the infrastructure necessary to secure debit and credit card transactions at point-of-sale terminals.
It was high time for this change to take place in the US – a change the rest of the world, ironically, had already completed – and many consumers can now see evidence of these changes at many retail outlets where they shop and by having their credit cards re-issued with secure chip technology. These much needed and long overdue changes have come as a direct result of the breach.
The New Relevancy of Technology Partners
A major shift within organizations is re-evaluation of the use of technology partners. Organizations reacting correctly to the day to day challenges and pressures of increased security have realized the legitimacy of leveraging technology partners who bring instant or hard-to-obtain security domain expertise to the table.
Some examples of this include secure and next generation firewalling and networking including software defined networks, SIEM integration, real-time monitoring and alerting, and log analytics. All of these security domains and a few more (Identity and Access Management being another) are areas where operational and implementation ramp up time has been critical and necessary domain skills are difficult to train for effectively among full-time security staff. Smart partnering is in and use of “body shops” for security is out where specific bang-for-the-buck cannot be demonstrated.
Transparency
Transparency after a breach understandably remains a hurdle of trepidation for retailers and other industry organizations that have been breached. In my view, Target ultimately set the standard for transparency after a major breach, completely owning it and then working hard afterward to gain back the trust of their customers.
Since the breach, it’s become clear that transparency is the best policy and establishing a line of trust in terms of communication and commitment to the customer is absolutely essential. Organizations are beginning to take note of this, and many major retailers have chosen a policy of transparency from the start when it comes to breaches. While voluntary transparency is ultimately the best policy, mandatory post-breach transparency would incentivize organizations to reduce risk while also helping prevent future breaches.
The “New” Reality of the Vendor Matrix
Everyone knows it. It was broadcast all over the news. The Target breach took place through the use of vendor credentials phished from an HVAC (Heating, Venting and Air Conditioning) vendor. Those phished credentials were the keys to the gateway through which the rest of the breach took place.
It used to be the case amongst “the little guys” that they had no skin in the IT vulnerabilities game. What data could a hacker possibly want or find valuable from a small HVAC company? Since the breach, that relationship and the fact that we’re all matrix together through the internet is a new reality that necessarily has had significant industry-wide impact.
I won’t go into the specific remediations necessary for strengthening one’s vendor matrix, but simply highlight that a new age has dawned in that the inter-relationships are there and everyone is realizing (or should be realizing) that these are profoundly significant relationships that must come under the microscope and be better secured, both up and down. It’s unfortunate for the little guy with a limited IT budget and little to no IT security resources. But the breach and the breaches afterward have exerted pressure down through the vendor matrix and are forcing security attention and spend across the industry.
The Shift from Compliance-Based to Risk-Based Security
As Alan Kessler noted in his article, the shift from compliance-based security to risk-based security has come as a direct result of the breach and the major breaches afterward. Industry security pundits (again, including yours truly) have preached long sermons and prophesized that compliance-based security was not enough (and in fact doesn’t really represent real security at all.)
It is very important to note that, in the case of many breaches, the likes of PCI DSS compliance had actually already been achieved but, obviously, did little to prevent a breach from actually taking place. According to the aforementioned Vormetric Insider Threat report, 63% of U.S. retail respondents cited preventing a data breach incident as the number one IT security spending priority. We here at Vormetric are very glad to see that meeting compliance standards – such as the PCI DSS regulation – was not the primary driver but instead the need to face real threats based on real, perceived and analyzed risks is starting to become the primary driver for security initiatives.
The Shift from Perimeter-Based Security to Data-Centric Security
And lastly, one of the most important changes that has occurred is an increase in realizing, world-wide, that standard perimeter-based security (i.e. outside in) is not enough, is insufficient, and that a much needed shift to data-centric security (i.e. inside out) is in the process of taking place. Overall, security organizations should be focusing more on better securing company data from within. As I’ve stated in previous articles, data is the real gold and ideally, all data should be protected the moment it’s born into an organization.
A centralized, platform approach to data security with centrally managed keys and policies with specific access and encrypted data as a final safe guard is what will best thwart growing insider threats. With encryption becoming increasingly easier to implement, there’s really no excuse for not protecting your data – all of your data, regardless of where it sits.
While the Target breach was POS-related, one thing we can learn about the importance and effectiveness of encrypted data from the specifics of the Target breach is this: tremendous and very sophisticated effort was expended in getting an exploit placed at the one place in the payment card transaction where the data was not encrypted (which was at the moment the credit card was swiped). Think of that. Target was penetrated deeply because that was the only place where payment card data-in-motion was unencrypted.
So maybe the biggest lesson we can all learn from the Target breach then is underscoring the value secured and encrypted data represents, both in motion and at rest.
Conclusion
These are just some of the positive changes and realizations that have come out of the Target breach and the breaches that have followed. As noted at the beginning, organizations that have learned from the ghosts of the past and haven’t let the crisis of a breach affect them, but instead have strengthened their companies as a result have largely done so in the aforementioned ways.
So in conclusion, if you have been breached or are breached in the future, here is a summarization of steps you can take if you haven’t already:
- Be transparent
- Establish necessary leadership – including a CISO, if not already established
- Conduct a re-inventorying of all security initiatives, close all known gaps, exercise good due diligence, strengthen your vendor matrix, and partner with others where strong domain expertise is lacking or brings specific value add
- Shift focus from compliance-based security to risk-based security
- Bring sharper focus to log analytics, real-time analysis and alerting, identity & access management and actually protecting the data itself
- Shift focus from perimeter-based security (outside in) to data-centric security (inside out)
Questions? Comments? Concerned about a breach? Feel free to use the comments section below or tweet me @ChrisEOlive.