Sony. Anthem. The Office of Personnel Management. Target. Yahoo. The past two years have seen one mega-breach after another—and 2017 promises to be the most catastrophic year yet.
Security experts have long warned that most organizations don’t even know they’ve been breached. Attackers rely on stealth to learn about the network, find valuable information and systems, and steal what they want. Only recently have organizations improved their detection efforts and started investing the time, capital, and people needed to uncover vulnerabilities. When they do, the results are often alarming.
“I think we are going to find more, not less, breaches in 2017,” says Ray Rothrock, CEO of RedSeal, a security analytics firm.
All the big breaches thus far have had one thing in common: The initial malware infections or network intrusions that gave attackers a point of entry into the network “all hark back to 2013,” Rothrock says. “A lot of bad stuff got unleashed into the world then, which found its way into corporate and government networks.”
Ghosts in the machine
Organizations just started hearing about APTs (advanced persistent threats) and understanding the prevalence of zero-day attacks three or at most four years ago. This gave attackers a window of time in which they could infect systems with sophisticated malware or embed themselves deep in the network without setting off alarms. It would be naïve to assume that all the major data exfiltrations have been found already.
“There is an executive awareness that the fox is in the henhouse and we have to do something about it, to solve the problem they know they have,” Rothrock says.
In other words, the breaches occurred years ago, but the IT teams haven’t gotten around to detecting them. They may eventually be discovered thanks to mistakes the bad guys made, improved detection systems, and so on. But we may never know the extent of the damage, because the vast majority of incidents are never reported.
Organizations are required to report stolen or exposed data if they include personally identifiable information or personal health information, but the majority of organizations don’t deal with either. Due to the lack of regulatory requirements to report stolen intellectual property or other types of sensitive corporate data, industrial organizations, manufacturing companies, consulting firms, and legal entities typically keep quiet.
Sensitive data isn’t just financial. “A lot of intellectual property matters. For a company that builds or designs nuclear plants, it’s one thing for attackers to attack their plants, and another if the attackers have the actual drawings telling them how to attack,” Rothrock says.
No one would have ever known about the Panama Papers stolen from law firm Mossack Fonseca last year if the files had not been leaked to journalists. The 2015 ABA Legal Technology Survey Report found that 23 percent of respondents at firms with more than 100 attorneys reported a security breach, but the names of the affected firms are not public. If plans for new airplanes from aerospace companies or research on new drugs are stolen, details of the breaches are known only to the affected organization, the consultants hired to assess and remediate, and possibly law enforcement—if they were called.
“We [Red Seal] have seen a lot of business as a result of exfiltration that [companies] don’t have to report. We get the call and we go in to address the problem. And I am sure we are not alone,” Rothrock says.
Online security and privacy non-profit Online Trust Alliance looked at preliminary year-end data and estimated there were approximately 82,000 cybersecurity incidents impacting more than 225 organizations worldwide. “As the majority of incidents are never reported to executives, law enforcement or regulators, the actual number of incidents causing harm combining all vectors including DDoS attacks could exceed 250,000,” OTA said.
Tallying the costs
Data breaches are expensive—and there’s more to the bill than the immediate costs of notifying the victims and hiring consultants and forensics investigators to find and fix the problem.
Other costs include downtime, lost productivity, customer churn, and lost revenue. When organizations discover breaches years after the fact, as Yahoo recently did, they must also pay for what Rothrock calls “engineering services” as part of recovery and remediation costs.
If a breach took a long time to be found, then something about the existing infrastructure made it hard to discover the weakness sooner. That calls for re-architecting the infrastructure, typically an expensive and time-consuming project. But that imperative is not always heeded. “Most people don’t try to figure out what they have and keep adding more stuff,” Rothrock says.
Restructuring our defenses
The growing complexity of networks—with cloud deployments, the advent of the internet of things, and the fluid movement of data across multiple devices—makes it more and more difficult for IT and security teams to navigate all the layers. For the attackers, though, nothing has changed. Malware will keep infecting these new systems and attackers will keep hunting for data to steal.
“It’s harder to find the needle in the haystack when the haystack keeps getting bigger,” Rothrock says.
At the same time, available security defenses are far better today than they were three years ago. Rothrock uses a metaphor from the construction industry: Consider how modern buildings are constructed, with sensors to detect heat, gas leaks, and changes in pressure. Walls are built with fireproof materials and there are protective measures in place to prevent fire. That’s the kind of re-engineering IT needs to prevent attacks up and down the stack.
“Old skyscrapers are sitting ducks, as we learned when a few burned down. New skyscrapers almost never have fires,” Rothrock says. “We have to do that for IT.”