Don't be the next Capital One
- By Sean O'Brien
- Sep 16, 2019
Based on chatter and data in the dark web, we can expect more data to surface from breaches like the recent attack on Capital One in the next few months. At this pivotal point, we either continue to treat security as an IT problem or galvanize our will to combat cyberwarfare.
Capital One joins the ranks of other big-name brands that have become victims of flawed fundamental security practices. Paige A. Thompson was able to access a list of more than 700 folders containing data on approximately 106 million accounts because of a misconfigured firewall. Despite Thompson’s technical acumen, the breach was still preventable.
The data signaling a malicious act was unquestionably present. The problem, as in many enterprises and government agencies, was the lack of integration among the defense-in-depth technologies. The direct and cumulative effects of the configuration errors were most likely identified by siloed, independent tools. Yet analysts weren’t able to prioritize the alerts they got from multiple tools, which generate 5GB of data per hour, on average. Had Capital One established a common security baseline and used a single-pane-of-glass solution that interoperated with its existing security tools, it would have seen the weight of evidence generated by the anomalous activity. That evidence would have justified taking preventive action and avoiding the breach altogether.
Lesson learned: Complete these two actions
Government agencies that want to avoid the errors of Capital One and improve their cyber hygiene should take this actionable, dual-pronged approach:
1. Stop using default settings on security appliances. Manufacturers ship their appliances with default settings, but that baseline doesn’t factor in the uniqueness of an agency's network. Agencies need to adjust settings to fit their ecosystem, perimeter (physical and logical), network segmentation and endpoints. Without that tuning, cyber defense is only as good as the manufacturer's baseline.
While vendors allow customers to configure appliances and modify settings to suit their own domain or network, many agencies never update the defaults because their configuration process does not account for people, process, technology and data.
To ensure appliances are properly configured, consider the following questions:
- What data is being defended and where is it located?
- What technology is being used to generate and manage the data?
- What cybersecurity technologies are in place to protect the data? Where are the technologies deployed? And, what are their inherent capabilities?
- Based on the installed technology, what automated processes should be defined?
- How will people be trained to understand the risk implications of a data breach?
2. Begin integrating security tools. To combat highly mobile, asymmetric hackers, agencies must connect their security tools so they can measure, mitigate and transfer risk from endpoint to ecosystem.
It begins by breaking down silos and contextualizing data, creating a ground truth, or “network consciousness,” using raw packet analysis. To avert the hack at Capital One, analysts needed simple, interconnected buckets of measurement.
With a ground truth based on independent verification of ecosystem risk by suppliers, vendors and business units, Capital One could have exposed where Amazon's responsibilities ended and where the company's began, with an understanding of the physical and logical perimeter traffic in relation to the ecosystem. With that data in hand, the changes in unique IP addresses, port traffic and S3 data feed volumes would have stood out. And by implementing logical network segmentation and access controls to and from the cloud instance, the hacker's activities would have been discovered. Finally, endpoint awareness and properly scoped permissions would have helped significantly.
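As an added illustration of the kind of check the paragraph above describes, the Python below (example code written for this page, not code from the article or from any Capital One or @RISK Technologies system) compares a baseline window of object-storage access records with a later window and flags, per principal, any new source IP, a jump in the number of distinct buckets touched, and a jump in bytes transferred out. The log format, field names, role and bucket names, IP addresses and thresholds are all constructed assumptions for illustration; real S3 server access logs and CloudTrail events carry more fields, and the thresholds would be tuned to the agency's own baseline.

```python
"""Baseline-vs-window anomaly check over constructed object-storage access records.

Added example, not code from the original article. The record format
(timestamp src_ip principal bucket operation bytes_out), the names and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRecord:
    ts: str          # ISO-8601 timestamp (constructed)
    src_ip: str      # client address seen by the storage service
    principal: str   # role or user that signed the request
    bucket: str
    op: str          # e.g. ListBucket, GetObject
    bytes_out: int


def parse_line(line: str) -> AccessRecord:
    """Parse one space-separated record in the assumed format."""
    ts, src_ip, principal, bucket, op, nbytes = line.split()
    return AccessRecord(ts, src_ip, principal, bucket, op, int(nbytes))


def parse_log(text: str) -> List[AccessRecord]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(records: List[AccessRecord]):
    """Per principal: set of source IPs, set of buckets, total bytes out."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    buckets: Dict[str, Set[str]] = defaultdict(set)
    bytes_out: Dict[str, int] = defaultdict(int)
    for r in records:
        ips[r.principal].add(r.src_ip)
        buckets[r.principal].add(r.bucket)
        bytes_out[r.principal] += r.bytes_out
    return ips, buckets, bytes_out


def find_anomalies(baseline: List[AccessRecord], window: List[AccessRecord],
                   bucket_factor: int = 5, bytes_factor: int = 10) -> List[Tuple[str, str]]:
    """Return (principal, reason) pairs where the window deviates from the baseline.

    Three signals from the article's list: new unique source IPs, a spread across
    many more buckets than usual, and a jump in data volume leaving the buckets.
    """
    b_ips, b_buckets, b_bytes = summarize(baseline)
    w_ips, w_buckets, w_bytes = summarize(window)
    findings: List[Tuple[str, str]] = []
    for p in w_ips:
        new_ips = w_ips[p] - b_ips.get(p, set())
        if new_ips:
            findings.append((p, f"new source IP(s): {sorted(new_ips)}"))
        base_b = max(len(b_buckets.get(p, ())), 1)   # avoid dividing by zero
        if len(w_buckets[p]) >= bucket_factor * base_b:
            findings.append((p, f"distinct buckets {len(w_buckets[p])} vs baseline {base_b}"))
        base_bytes = max(b_bytes.get(p, 0), 1)
        if w_bytes[p] >= bytes_factor * base_bytes:
            findings.append((p, f"bytes out {w_bytes[p]} vs baseline {base_bytes}"))
    return findings


# Constructed sample data. 10.0.x.x is the assumed internal range; 203.0.113.77 is
# a documentation-reserved address standing in for an unexpected external client.
BASELINE_LOG = """\
2019-03-20T10:00:01Z 10.0.1.5 web-tier-role app-logs ListBucket 512
2019-03-20T10:05:12Z 10.0.1.5 web-tier-role app-logs GetObject 20480
2019-03-20T10:09:40Z 10.0.1.5 web-tier-role app-logs GetObject 18432
2019-03-20T10:15:03Z 10.0.2.9 batch-role reports GetObject 4096
"""

WINDOW_LOG = """\
2019-03-22T21:30:01Z 203.0.113.77 web-tier-role app-logs ListBucket 512
2019-03-22T21:30:05Z 203.0.113.77 web-tier-role cust-data-01 ListBucket 8192
2019-03-22T21:30:09Z 203.0.113.77 web-tier-role cust-data-02 GetObject 1048576
2019-03-22T21:30:15Z 203.0.113.77 web-tier-role cust-data-03 GetObject 2097152
2019-03-22T21:30:20Z 203.0.113.77 web-tier-role cust-data-04 GetObject 3145728
2019-03-22T21:31:00Z 10.0.2.9 batch-role reports GetObject 4096
"""


def analyze(baseline_text: str, window_text: str) -> List[Tuple[str, str]]:
    return find_anomalies(parse_log(baseline_text), parse_log(window_text))


if __name__ == "__main__":
    for principal, reason in analyze(BASELINE_LOG, WINDOW_LOG):
        print(f"{principal}: {reason}")
```

Run against the constructed data, the web-tier role is flagged three times (new external source IP, five buckets against a baseline of one, and bytes out more than a hundred times the baseline) while the batch role, whose behaviour is unchanged, produces nothing. The point is the one the article makes: each signal alone is weak, but the same principal tripping all three in one window is the weight of evidence a single view can surface and a set of siloed tools cannot.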
Results: Better security and network performance gains
Agencies that implement “engagement areas” or micro perimeters as part of their defense-in-depth strategies can overcome the traditional complexity challenges of cybersecurity. Creating manageable buckets of measurement helps in spotting anomalies among the noise and corroborating data, while also providing the actionable intelligence needed to identify poorly performing areas of the network.
To truly eliminate gaps and partial evidence created by point solutions, agencies should create a common operating picture with precision analytic zones to help parse through big datasets, isolate issues and present a truth independent of the existing systems -- all using lightweight, automated technology. Only when agencies implement an interconnected defense-in-depth strategy will they have the intelligence they need to defend themselves.
Sean O'Brien is president of @RISK Technologies.