The Equifax Disaster: Technical Controls — ICIT’s Synopsis of America’s In-Credible Insecurity

The following excerpts are from the Technical Controls section of Part-1 of the ICIT Equifax report entitled “America’s In-Credible Insecurity,” written by James Scott, Sr. Fellow, Institute for Critical Infrastructure (ICIT).

Technical Controls

Data Encryption

Data should be protected according to its value and the potential harm that would result if it were stolen. Encryption does not prevent adversaries or insiders from exfiltrating data; however, it does deter or prevent attackers from exploiting the stolen data unless they spend significant additional resources breaking the encryption or stealing the decryption keys.

Data Loss Prevention

Data loss prevention is the employment of reliable vendor tools to secure data when it is in transit, when it is at rest, and when it resides at endpoints. DLP governs which data end users can transfer and which data can leave the network. DLP often includes keyboard filtering,

If Equifax had invested in or licensed a DLP solution, automatic rules configured by a trained information security team would have prevented any internal or external threats from exfiltrating sensitive consumer data from the network.

Network Segmentation

Network segmentation is the practice of dividing a network into smaller partitions, called subnets, to isolate critical assets from one another and control access to sensitive data. Networks can be logically segmented via private Virtual Local Area Networks (VLANs), which restrict communication between hosts on different subnets, or physically segregated via air gaps.

If Equifax had properly segmented its network, then the attackers would not have been able to access consumer data via the public-facing web portal. Furthermore, data brokers such as Equifax should be legally mandated to segment servers containing consumer data so that a single adversary cannot exfiltrate millions of data sets.

System Information and Event Management (SIEM)

System Information and Event Management (SIEM) solutions are not foolproof, but they are a good starting point for incident detection and mitigation programs. SIEM solutions condense the event data from potentially thousands of devices and applications to a small number of actionable alerts that signal vulnerabilities, risks, and anomalous behavior that could be attributed to insider threats [19].

SIEM solutions provide a layered, centralized or heterogeneous, holistic view into infrastructures, workflows, compliance and log management in the form of dashboards or “views” [20].

Dashboard tools significantly reduce event response time and allow organizations to detect, prevent, and minimize the damage caused by an insider more effectively.

Machine Learning-Based Artificial Intelligence Solutions

Outdated insider threat protection paradigms are centered on the protection of endpoints. This model no longer reflects the modern threat landscape because adversaries have developed custom exploit kits and mutating malware that are not immediately detected by signature and heuristic-based anti-malware solutions.

Machine-learning algorithms can process user and system activity data significantly faster than any human analyst. Consequently, algorithmic solutions can detect and mitigate malicious code and activity prior to adversarial execution. They can also prevent internal or external threats from escalating privileges, planting logic bombs, exploiting 0-days, or executing unwanted programs [22].

By securing the endpoint from malware, despite the lack of a signature or known malicious behavioral pattern, organizations prevent emerging threats from establishing persistence on the network, laterally compromising vulnerable systems, or exfiltrating treasure troves of sensitive user data.

User and Entity Behavioral Analytics (UEBA)

User and entity behavioral analytics (UEBA) solutions audit and analyze the file and application access of an individual to detect and connect disparate data points that could indicate suspicious user or application behavior.

UEBA excels at spotting variances in user and system activity and handling unknown instances. For example, UEBA can be used to detect automatically if a user deletes thousands of files in a short amount of time, starts visiting unusual directories or starts accessing applications that are not specific to their role, or if a server begins transferring millions of records that should not be leaving the network [19].
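The three UEBA checks named above (burst deletions, access outside a user's role, and anomalous bulk egress from a server) as a toy Python detector; this is an added illustration, not code from the ICIT report or from Centrify, and the event fields, baselines and thresholds are constructed assumptions:

```python
# Added example: toy UEBA-style detectors over constructed activity events.
# Event layout, baselines and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time, actor, action, target, number of objects/records
EVENTS = [
    ("2017-09-01T09:00:00", "alice", "read",   "/finance/reports", 1),
    ("2017-09-01T09:01:00", "alice", "delete", "/finance/tmp",     1200),
    ("2017-09-01T09:05:00", "alice", "delete", "/finance/tmp",     1500),
    ("2017-09-01T09:06:00", "alice", "read",   "/hr/payroll",      1),
    ("2017-09-01T09:07:00", "bob",   "read",   "/hr/payroll",      1),
    ("2017-09-01T09:10:00", "web01", "egress", "consumer_db",      3_000_000),
    ("2017-09-01T09:11:00", "web02", "egress", "consumer_db",      40_000),
]

# Constructed "normal" behaviour: directories per role, typical records/hour per host
ROLE_DIRS = {"alice": {"/finance"}, "bob": {"/hr"}}
EGRESS_BASELINE = {"web01": 50_000, "web02": 50_000}

def parse(ev):
    ts, actor, action, target, count = ev
    return datetime.fromisoformat(ts), actor, action, target, count

def burst_deletes(events, threshold=1000, window=timedelta(minutes=10)):
    """Flag actors whose deletions inside a sliding time window exceed `threshold`."""
    alerts, recent = set(), defaultdict(list)
    for ts, actor, action, _, count in sorted(map(parse, events)):
        if action != "delete":
            continue
        # keep only deletes still inside the window, then add the current one
        recent[actor] = [(t, c) for t, c in recent[actor] if ts - t <= window] + [(ts, count)]
        if sum(c for _, c in recent[actor]) > threshold:
            alerts.add(actor)
    return alerts

def off_role_access(events, role_dirs=ROLE_DIRS):
    """Flag reads of directories outside those the actor's role normally touches."""
    return {(actor, target) for _, actor, action, target, _ in map(parse, events)
            if action == "read" and actor in role_dirs
            and not any(target.startswith(d) for d in role_dirs[actor])}

def bulk_egress(events, baseline=EGRESS_BASELINE, factor=10):
    """Flag hosts transferring more than `factor` times their egress baseline."""
    totals = defaultdict(int)
    for _, host, action, _, count in map(parse, events):
        if action == "egress":
            totals[host] += count
    return {h for h, n in totals.items() if n > factor * baseline.get(h, n)}
```

Each detector returns the flagged actors or hosts rather than printing, so the same functions can be wired into an alert pipeline or a SIEM feed.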

Identity and Access Management

The Verizon 2016 Data Breach Investigations Report found that 63 percent of data breaches involved weak, default, or stolen credentials [23]. Effective cyber-hygiene hinges on each employee responsibly responding to every threat emerging from the hyper-evolving threat landscape.

Personnel often find that cyber-hygiene is daunting, exhausting and distracting; meanwhile, cybersecurity awareness and training are often limited, and the demanding responsibilities of personnel preclude their interest or ability to shore up their cyber-hygiene and their awareness of cybersecurity best practices [24].

Identity and access management (IAM) solutions centrally manage the provisioning and de-provisioning of identities, access, and privileges, and they manage the authentication and authorization of individual users within or across system and enterprise boundaries. IAM can automate the implementation of the principles of least privilege and least access across the network [25].

Privilege Identity Management (PIM) solutions are a component of IAM through which user privileges and access rights are initiated at minimal values and readjusted when necessary according to the user’s current role within the organization.

PIM solutions enable the information security team to tailor access and privileges for internal personnel, outsourced/third-party users, and shared accounts across hybrid infrastructure. As a result, compromised credentials do not guarantee adversaries carte blanche access to sensitive servers and systems.

IAM solutions are critical to the protection of the identity perimeter across mobile and cloud infrastructures. Multi-factor authentication (MFA) can be used to validate user identities through a combination of something the user knows, something the user possesses, and inherent characteristics of the user [24].

MFA would not have prevented the Equifax breach, but in the future, it can be implemented by Equifax and other organizations to limit the impact to victims by requiring an additional authentication component that is not based on PII or other compromised information.

Centrify fully endorses the recommendations in the Technical Controls section of the document. Applying them can help organizations mitigate some of the emerging attack vectors and regain a semblance of control over sensitive information.

Join ICIT and Centrify at CyberConnect in New York on November 6-7, 2017.