One of the great things about doing marketing in the security world is that there are always new breaches, and they not only make for good reading but also do a great job of illustrating why products like CloudControl are so useful.
So the Excellus story goes like this. Excellus, or Excellus BlueCross BlueShield, a large health care provider in New York, discovered last month not only that it had been breached, but that the initial intrusion had happened on December 23, 2013. With 10 million patient records on file, this is one of the Top 20 health care breaches so far.
The good news is that Excellus was using encryption. Encryption on its own does not stop data from leaving the network, but it can keep whatever does leave unreadable, as long as the attacker has not also obtained the keys, which is exactly what an intruder holding administrative accounts is well placed to do. We not only recommend everyone run encryption, we also provide end-to-end cloud encryption solutions that handle key management as well, but that is another topic for another day.
Getting back to Excellus, the bad news is that the bad guys were wandering around in their systems for almost two years using administrative-level accounts they had compromised. Pretty scary.
How do things like this happen?
It often starts with phishing, or with more targeted spear phishing. While there are many ways to breach an organization via phishing, one is to target IT users, since these are the people who hold the privileged accounts. Once you have root or admin, you can have anything you want. To make things even easier, there are commercial services, sold to marketing organizations, that can supply the email address of every IT employee at a particular company.
While spam filters have gotten better, the sophistication of phishing attacks has risen dramatically. The layout and appearance of emails and the linguistic accuracy of their content have both improved, making it increasingly hard for naïve users to distinguish an attack from actual communications. After all, when you get a mail from HR with an attachment named salaries.xls, there is going to be some temptation.
Also, while attacks in the past were often about as subtle as a sledgehammer, APT1 et al. now do a better job of flying low and slow, not just when rattling the doorknobs but also after they get in. This is one of the reasons why, in two thirds of the breaches we have seen, it took the impacted organization months or years to figure out it had been breached.
So what can you do?
SIEMs can be useful, particularly for threats coming in from the outside, but they are probably not going to be the answer here. A better approach is Role Based Monitoring (RBM). Instead of looking for traffic from PLA Unit 61398, you need to look for unexpected behavior and actions by privileged accounts inside your network. For example: an unusual number of denied administrative actions from one account, an EMEA-based virtual admin starting to flush VMs in North American data centers, or someone trying to copy data outside its zone. Anomalous behaviors like these should trigger a closer look.
That's where HyTrust CloudControl comes in. We provide not only Role Based Monitoring but also Role Based Access Control, policy controls including the Two Man Rule, Two Factor Authentication for access, and forensic-quality logging.
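To make the three behaviors above concrete, here is an added example of role-based monitoring rules run over a constructed audit trail. It is illustrative code written for this page, not HyTrust code and not how CloudControl implements RBM; the event field names (user, role, home_region, target_region, source_zone, dest_zone, result), the role and action sets, and the five-denials-in-ten-minutes threshold are all assumptions chosen for the illustration.

```python
"""Role Based Monitoring over privileged-account audit events (added example).

Each event is a dict: ts (ISO-8601), user, role, home_region, action, result
("allowed"/"denied"), plus target_region for VM actions or source_zone/dest_zone
for copies. Field names, roles and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"admin", "virtual_admin"}
DESTRUCTIVE_ACTIONS = {"vm.delete", "vm.power_off", "datastore.delete"}
DENIED_THRESHOLD = 5                   # this many denied admin actions ...
DENIED_WINDOW = timedelta(minutes=10)  # ... inside this window raises an alert


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_denied_bursts(events, threshold=DENIED_THRESHOLD, window=DENIED_WINDOW):
    """Alert when one privileged user accumulates `threshold` denied actions
    inside a sliding window. The window is reset after an alert so that a long
    burst produces one alert rather than one per event."""
    recent = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["role"] not in PRIVILEGED_ROLES or ev["result"] != "denied":
            continue
        now = _ts(ev)
        q = recent[ev["user"]]
        q.append(now)
        while q and now - q[0] > window:  # expire denials older than the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"rule": "denied_burst", "user": ev["user"],
                           "ts": ev["ts"], "count": len(q)})
            q.clear()
    return alerts


def detect_cross_region_destruction(events):
    """Alert when a privileged user destroys resources outside their home region
    (the EMEA admin flushing VMs in North America)."""
    return [{"rule": "cross_region_destruction", "user": ev["user"], "ts": ev["ts"],
             "detail": f'{ev["action"]} in {ev["target_region"]} by {ev["home_region"]} admin'}
            for ev in events
            if ev["role"] in PRIVILEGED_ROLES
            and ev["action"] in DESTRUCTIVE_ACTIONS
            and ev["result"] == "allowed"
            and ev.get("target_region") not in (None, ev["home_region"])]


def detect_zone_egress(events):
    """Alert on any data copy whose destination zone differs from its source zone."""
    return [{"rule": "zone_egress", "user": ev["user"], "ts": ev["ts"],
             "detail": f'{ev["source_zone"]} -> {ev["dest_zone"]}'}
            for ev in events
            if ev["action"] == "data.copy" and ev["source_zone"] != ev["dest_zone"]]


def run_rules(events):
    """Run every rule and return the alerts in time order."""
    alerts = (detect_denied_bursts(events)
              + detect_cross_region_destruction(events)
              + detect_zone_egress(events))
    return sorted(alerts, key=lambda a: a["ts"])


def _event(ts, user, role, home, action, result="allowed", **extra):
    return {"ts": ts, "user": user, "role": role, "home_region": home,
            "action": action, "result": result, **extra}


def _denied_run(user, role, home, start, n, step_s=10):
    """n denied actions from one user, step_s seconds apart (constructed data)."""
    t0 = datetime.fromisoformat(start)
    return [_event((t0 + timedelta(seconds=i * step_s)).isoformat(), user, role, home,
                   "vm.reconfigure", result="denied", target_region=home) for i in range(n)]


# Constructed sample audit trail; none of this is real log data.
SAMPLE_EVENTS = [
    _event("2015-09-14T09:00:00", "alice", "virtual_admin", "EMEA", "vm.delete", target_region="NA"),
    _event("2015-09-14T09:00:30", "alice", "virtual_admin", "EMEA", "vm.delete", target_region="NA"),
    _event("2015-09-14T09:01:00", "dave", "admin", "NA", "vm.delete", target_region="NA"),   # benign: own region
    _event("2015-09-14T09:06:00", "bob", "admin", "NA", "vm.create", target_region="NA"),    # benign: allowed, not destructive
    _event("2015-09-14T09:10:00", "carol", "admin", "NA", "data.copy", source_zone="pci", dest_zone="dmz"),
    _event("2015-09-14T09:11:00", "carol", "admin", "NA", "data.copy", source_zone="pci", dest_zone="pci"),  # benign
] + _denied_run("bob", "admin", "NA", "2015-09-14T09:05:00", 6) \
  + _denied_run("erin", "operator", "NA", "2015-09-14T09:07:00", 6)  # not a privileged role, ignored

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The point of the sample is what does not fire as much as what does: dave deleting a VM in his own region, bob's single allowed action, carol's copy within the PCI zone and erin's denials as an ordinary operator all stay quiet, while the two cross-region deletions, bob's burst of denied admin actions and the copy out of the PCI zone each produce one alert for an analyst to look at.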
Being realistic, the majority of organizations are going to experience a breach at some point. You can either hope and pray that it doesn't happen during your tenure with that org, or you can take steps now to contain and mitigate the damage when the inevitable happens. Which would you rather be: the guy who has to explain to the board why APT1 was wandering around your network for a couple of years undetected, or the guy who gets to explain how Unit 61398 got in briefly but was stopped before they were able to get anything?