What We Can Learn from the Equifax Breach

by Sovereign Systems

Security breaches continue to dominate the headlines and are affecting more people than ever.  The recent Equifax breach has potentially impacted 143 million customers and could cost Equifax over $300M to remedy. Factoring in the loss of trust with customers and damage to the Equifax brand, the overall cost to Equifax could push well north of that $300 million number.

Many of the recently publicized breaches involve companies that place their workloads in a public cloud environment.  This does not mean that these breaches were caused by the public cloud or that you need to stay away from these providers.  What it does mean is that security is no less of a concern in a public cloud than it is for your on-premises data center.  Companies must follow a basic structure when implementing a strong security architecture that will help protect their important data, whether that resides on-premises, in the public cloud, or across a hybrid cloud (multi-cloud).

To provide the best possible protection of your data and minimize your chances of data loss, we recommend implementing a layered security approach for all of your environments.  At Sovereign, we help customers analyze their security posture across each layer to identify both strengths and weaknesses, including any weaknesses that could leave vulnerabilities for a hacker to exploit.

The Layered Security Model

There are no silver bullets against today’s advanced attacks.   Securing an organization against a multi-vector attack requires a security architecture, not any single point solution.  As we have seen time and time again, some tools that successfully stop attacks today may not prove as formidable against the next outbreak as the attackers and their tactics evolve. To stay ahead of the next wave, multiple layers of defense that can coordinate and share intelligence to ultimately mitigate threats are needed. Let’s look at some of the layers that will help prevent this type of attack from happening; this model highlights five areas:

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome categories within this function include: Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy.

  • Customers should have a CMDB (configuration management database) that maintains an automated and updated repository of all company assets. This information allows customers to quickly point out potentially risky assets and deliver a solution to remediate. It is difficult to determine what needs to be patched if you don’t know what you have.
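The inventory check this bullet argues for, as an added example that is not part of the original article. The CMDB field names, assets, dates and the minimum version are constructed placeholders; the real threshold comes from the vendor advisory for the component in question.

```python
from datetime import date

# Constructed CMDB export (hypothetical field names): one row per installed component.
CMDB = [
    {"asset": "web-01", "component": "struts2-core", "version": "2.3.5", "last_scan": "2017-08-30"},
    {"asset": "web-02", "component": "struts2-core", "version": "2.3.40", "last_scan": "2017-09-01"},
    {"asset": "app-07", "component": "struts2-core", "version": "2.3.40", "last_scan": "2017-03-02"},
    {"asset": "db-03", "component": "openssl", "version": "1.0.2k", "last_scan": "2017-09-01"},
]
MIN_PATCHED = "2.3.10"  # placeholder threshold, not taken from any advisory


def parse_version(text):
    """'2.3.40' -> (2, 3, 40), so 2.3.5 sorts below 2.3.10 (a string compare gets this wrong)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(rows, component, min_version, today, max_age_days=30):
    """Return (needs_patch, stale) asset lists for one component."""
    floor = parse_version(min_version)
    needs_patch, stale = [], []
    for row in rows:
        if row["component"] != component:
            continue
        if parse_version(row["version"]) < floor:
            needs_patch.append(row["asset"])
        # A record that has not been refreshed recently cannot be trusted either way.
        if (today - date.fromisoformat(row["last_scan"])).days > max_age_days:
            stale.append(row["asset"])
    return needs_patch, stale


if __name__ == "__main__":
    patch, stale = audit(CMDB, "struts2-core", MIN_PATCHED, date(2017, 9, 7))
    print("below minimum version:", patch)
    print("inventory record out of date:", stale)
```

The stale list matters as much as the patch list: an asset whose record has not been refreshed may be reported as patched when it is not.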

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event.

  • Automate: As far as we know right now, the cause of the Equifax breach was an Apache Struts web server (open-source software). Given that the attack occurred in July, either the breach was a zero-day attack (no signature created) or the system was not patched properly (the last patch for Struts was in March). Organizations can help minimize risk by staying up to date with their patching levels. By using tools that automate the push of security updates after testing on production workloads, most companies would have averted any further damage by this outbreak.
  • Network Behavior Analysis: Customers can utilize the functionality of the network to report anomalous behavior seen across the network. By leveraging netflow, customers can see certain behavior that is outside the usual daily pattern of traffic.
  • Security Policy Enforcement: Policy enforcement engines, which help initiate an update on non-compliant endpoints to keep them up-to-date, could also be leveraged by customers. You must know what is present on the network to be able to create policy enforcement to remediate the issue. The policy enforcement engine allows customers to enforce security policy on all clients that are connected to the network at any time, whether they are a wired or wireless client.
  • DNS Security: DNS is typically the first method of communication for any malware threat as it tries to call home. By deploying this type of security, most threats can be stopped before the spread occurs.
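A sketch of the network behavior analysis described in the list above, as an added example that is not part of the original article. It compares each host's outbound volume for one day against that host's own history using a median/MAD score; the host names, volumes, dates and thresholds are constructed, and the input stands in for per-day summaries derived from netflow records.

```python
from collections import defaultdict
from statistics import median

# Constructed daily outbound volume in MB per internal host (stand-in for netflow summaries).
DAYS = ["2017-07-%02d" % d for d in range(1, 9)]
OUT_MB = {
    "web-01": [120, 130, 110, 125, 135, 115, 128, 4200],
    "db-03": [40, 45, 38, 42, 41, 44, 39, 43],
}
FLOWS = [(day, host, mb) for host, series in OUT_MB.items() for day, mb in zip(DAYS, series)]
FLOWS.append(("2017-07-08", "kiosk-9", 500))  # host with no earlier traffic


def daily_totals(flows):
    """Sum flow records into totals[host][day]."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, mb in flows:
        totals[host][day] += mb
    return totals


def anomalies(flows, today, k=6.0, min_history=5):
    """Map host -> deviation score for hosts outside their usual pattern.

    The score is (today - median) / MAD over the host's earlier days.
    A host with too little history maps to None: it has no baseline to judge against.
    """
    flagged = {}
    for host, per_day in daily_totals(flows).items():
        if today not in per_day:
            continue
        history = [mb for day, mb in per_day.items() if day < today]
        if len(history) < min_history:
            flagged[host] = None
            continue
        med = median(history)
        mad = median(abs(mb - med) for mb in history) or 1  # avoid division by zero
        score = (per_day[today] - med) / mad
        if score > k:
            flagged[host] = round(score, 1)
    return flagged


if __name__ == "__main__":
    for host, score in anomalies(FLOWS, "2017-07-08").items():
        print(host, "no baseline" if score is None else "score %.1f" % score)
```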

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

  • Network Threat Protection:  Customers need to employ next-generation threat protection that will be able to determine if a payload is malicious. NGFW (next generation firewall) or deep packet inspection for internal network segmentation would have prevented the file from moving laterally across segmentation points in the network.  Coupled with communication to the worldwide security community, clients could share common threat information; thus, the moment patient zero discovered this variant, the network would block the file, preventing its spread laterally across the network.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

  • ITSM: By having a proper ITSM solution (IT Service Management) in place, companies can mobilize the correct resources to remediate the security events and maintain company SLAs during the process.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

  • Correlate: By having systems that can correlate events, security teams are enabled to respond to threats, thus minimizing any issues that have arisen from the security event. Without correlation, teams often spend countless hours chasing all alerts, not being able to discern between true threats and false positives.
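One simple form of the correlation described above, as an added example that is not part of the original article. It escalates a host only when alerts from at least two different tools land within the same time window; the alert tuples, source names, hosts and window length are constructed.

```python
from datetime import datetime, timedelta

# Constructed alerts from separate tools: (timestamp, source, host, message).
ALERTS = [
    ("2017-07-08T02:01:00", "ids", "web-01", "exploit signature on HTTP request"),
    ("2017-07-08T02:05:00", "dns", "web-01", "lookup of newly registered domain"),
    ("2017-07-08T02:09:00", "netflow", "web-01", "outbound volume above baseline"),
    ("2017-07-08T09:00:00", "ids", "hr-pc-14", "policy violation"),
    ("2017-07-08T09:02:00", "ids", "hr-pc-14", "policy violation"),
    ("2017-07-08T03:00:00", "dns", "db-03", "lookup of newly registered domain"),
    ("2017-07-08T11:00:00", "endpoint", "db-03", "unsigned binary executed"),
]


def correlate(alerts, window=timedelta(minutes=15), min_sources=2):
    """Return [(host, sources)] for hosts where several tools agree within one window.

    Repeated alerts from one tool, or alerts from different tools that are
    hours apart, stay below the bar and remain ordinary queue items.
    """
    by_host = {}
    for ts, source, host, _msg in sorted(alerts):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), source))

    incidents = []
    for host, events in by_host.items():
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) > len(best):
                best = sources
        if len(best) >= min_sources:
            incidents.append((host, sorted(best)))
    return incidents


if __name__ == "__main__":
    for host, sources in correlate(ALERTS):
        print("escalate", host, "corroborated by", ", ".join(sources))
```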

Summary:

As stated earlier, there are no silver bullets against today’s advanced attacks.   Securing an organization requires a deep, layered security approach that looks at all threat vectors and addresses each potential vector with equal importance. This has been a disruptive event to many organizations throughout the world, but unfortunately, will not be the last. With the use of a layered security model, your organization will be better prepared to deal with current and future cyber-security threats.

If there’s anything we can do or questions we can answer, please don’t hesitate to reach out to our team.