Starwood Breach and Detection Gap

Last week’s news that Starwood reported a breach affecting 54 of their locations is a continuation of an unsettling trend of detection gaps, where organizations often take months to discover that they have been hacked. In this case, the initial breach occurred in early November 2014 and was not discovered until March 2015. Cyber criminals can exfiltrate plenty of data to monetize during such a long period. Why is it taking so long to detect these breaches?

As many as 60% of businesses, and perhaps more, fail to discover a cyber breach on their own and instead find out about it from a third party such as a vendor, bank, law enforcement, or worse, a customer. My view is that the cause of this failure, and of the intolerably long detection gap, lies in the reality that most businesses approach cyber security reactively. In medicine, almost everyone has heard the old adage “an ounce of prevention is worth a pound of cure,” and the same is very true for cyber security. Yet, as in modern medicine, not enough emphasis is placed on holistic prevention and resources are focused on reactive activities. Given the hard reality that for most small businesses a cyber breach often means they will be out of business within six months, holistic and proactive efforts aimed at maintaining cyber health are a business necessity.

The Starwood breach appears not to have affected the reservation systems and instead impacted the payment systems at gift shops, restaurants, and other outlets at the affected hotels and resorts. Payment systems remain weak: despite many card issuers having converted from magnetic stripe payment cards to chip-based cards, very few businesses have adopted the capability to process chip cards. Personally, I rarely use cash, pay for most goods and services with a credit card, and can think of only one business I regularly patronize that actually uses the chip reader instead of the magnetic stripe reader. This is beyond lazy and in my view negligent.

Negligence is of course a legal term, and determining negligence in a legal sense requires the services of a lawyer and often the courts. Still, returning to the sobering statistic that most small businesses are out of business within six months of a cyber breach, avoiding any semblance of negligence would seem prudent. One fact that many businesses are not aware of is that the newest payment card standards include a requirement to process chip-enabled cards. Essentially, if a customer offers a chip-enabled card and the business instead processes the transaction using the magnetic stripe, the business can be liable if the transaction was fraudulent. The banks are pushing liability out to the small business. Why would any business willingly choose to accept such risk?

Returning from my digression on payment cards: why is it taking so long to detect breaches? I think the answer lies in businesses applying technology as security solutions without looking at the bigger picture. Detection technologies such as IDS and SIEM, while commonly deployed, are in my experience rarely implemented and maintained effectively. What is lacking is an understanding of the baseline, that is, of what is normal for the business’s own network.

Back in my earlier days of working with IDS, we worked with a vendor deploying a product which the vendor touted as the “anti-ids.” Instead of using signatures, as many solutions do, this solution required that we spend several days observing and understanding everything that was expected on our network, thus establishing a baseline from which to observe future activity. The experience was useful as well as eye-opening because, in the process, we discovered significant implementations of “shadow IT” where different business groups had introduced their own solutions into the infrastructure. The end result of the exercise was a clear understanding of “normal” for our network, after which we were able to notice and respond to events that did not fit the normal expectation.
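The baseline-then-deviation approach described above, written out as an added example. This is not code from the original post or from the “anti-ids” product it mentions; the `Flow` record layout, the IP addresses, the asset inventory and the choice to generalize sources to a /24 are all this example’s own constructed assumptions. It shows the two things the exercise produced: a list of undocumented servers discovered during the learning window (the “shadow IT”), and a baseline that later flags traffic which does not fit the normal expectation.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection. Field names are this example's own, not a product schema."""
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


# Constructed learning-window sample: a few days of "everything expected" on a small network.
LEARNING_WINDOW = [
    Flow("10.0.1.20", "10.0.2.5", 443, "tcp"),    # workstations -> intranet web server
    Flow("10.0.1.21", "10.0.2.5", 443, "tcp"),
    Flow("10.0.1.22", "10.0.2.5", 443, "tcp"),
    Flow("10.0.1.20", "10.0.2.10", 53, "udp"),    # workstations -> internal DNS
    Flow("10.0.1.21", "10.0.2.10", 53, "udp"),
    Flow("10.0.1.22", "10.0.2.10", 53, "udp"),
    Flow("10.0.1.30", "10.0.2.50", 3306, "tcp"),  # a database nobody documented ("shadow IT")
    Flow("10.0.1.31", "10.0.2.50", 3306, "tcp"),
    Flow("10.0.1.40", "203.0.113.9", 22, "tcp"),  # seen once; a person must explain it first
]

# Constructed asset inventory as it stood before the baselining exercise.
DOCUMENTED_ASSETS = ["10.0.2.5", "10.0.2.10"]

# Constructed monitoring-window sample taken after the baseline was accepted.
MONITORING_WINDOW = [
    Flow("10.0.1.23", "10.0.2.5", 443, "tcp"),      # new workstation, known service: normal
    Flow("10.0.1.20", "10.0.2.50", 3306, "tcp"),    # now-documented database: normal
    Flow("10.0.1.20", "10.0.2.10", 22, "tcp"),      # known server, never-seen port: deviation
    Flow("10.0.2.5", "198.51.100.77", 443, "tcp"),  # web server calling out: deviation
]


def baseline_key(flow):
    """Generalize a flow to (source /24, destination, port, protocol) so that every
    workstation in a subnet shares one entry instead of needing its own."""
    src_net = ipaddress.ip_network(f"{flow.src}/24", strict=False)
    return (str(src_net), flow.dst, flow.dport, flow.proto)


def build_baseline(flows, min_count=2):
    """Split learning-window traffic into an accepted baseline (keys seen at least
    min_count times) and a 'rare' set an analyst must explain before accepting."""
    counts = Counter(baseline_key(f) for f in flows)
    baseline = {key for key, n in counts.items() if n >= min_count}
    rare = set(counts) - baseline
    return baseline, rare


def find_undocumented_servers(flows, documented_assets, internal_net="10.0.0.0/8"):
    """Every internal destination that accepted connections during baselining is a
    server. Those missing from the asset list are the shadow-IT candidates."""
    net = ipaddress.ip_network(internal_net)
    internal_servers = {f.dst for f in flows if ipaddress.ip_address(f.dst) in net}
    return sorted(internal_servers - set(documented_assets))


def detect_deviations(baseline, flows):
    """Return monitoring-window flows whose generalized key was never baselined."""
    return [f for f in flows if baseline_key(f) not in baseline]


if __name__ == "__main__":
    print("Shadow IT candidates:", find_undocumented_servers(LEARNING_WINDOW, DOCUMENTED_ASSETS))
    accepted, needs_review = build_baseline(LEARNING_WINDOW)
    print("Baseline entries:", len(accepted), "| keys needing review:", needs_review)
    for flow in detect_deviations(accepted, MONITORING_WINDOW):
        print("DEVIATION:", flow)
```

The point of the `rare` set is the “understanding” half of the exercise: a key seen once during learning is neither trusted nor blocked until someone in the business can say what it is, which is exactly where shadow IT tends to surface. The `min_count` threshold and the /24 generalization are tuning choices; a larger or flatter network would need different ones.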

Many small and midsized businesses lack the in-house expertise to implement and manage effective security solutions, so partnering with a managed security services provider (MSSP) often appears attractive. However, assuming that the MSSP will provide a turnkey solution is dangerous, because the MSSP will not know the business. Establishing and documenting a responsibility matrix with the MSSP at the onset of the relationship is critical to future success as well as to protecting the enterprise.

For example, security when adopting a cloud solution can be ambiguous: the business may assume that the cloud provider is handling security while the cloud provider assumes the customer is addressing it. If the data belongs to the business, then regardless of who implements the security controls, it is up to the business to ensure that appropriate controls are in place.

Establishing a baseline with an MSSP then requires a business to document essential elements about their data. For instance:

  1. Who, and which parts of the business, produce data?
  2. Where is the data stored?
  3. How is the data used?
  4. How is the data shared and via which paths and systems does the data transit?
  5. Who has access to the data? From where and under what circumstances?

The above points are not intended to be an all-inclusive list, but they represent a good start for an internal conversation within the business prior to engaging an MSSP or other security vendor. The chain of defense (protect, detect, and respond) has as a prerequisite an understanding of the asset, which in most cases is the data.

Taking the time to think proactively and holistically better positions the business to work, either internally or with a partner, to protect itself from possible failure caused by a cyber breach. For businesses that found themselves out of business, this activity might have helped prevent the breach that led to their demise, or at least helped to detect it before the business suffered substantial harm.

Bringing in a consultant to help frame and ask the right questions can be a rewarding experience, resulting in better peace of mind as well as avoiding costly mistakes investing in the wrong technology or services. Schedule your free consultation with us today and take the right steps towards improving the cyber security posture of your business before you find yourself out of business.