- A good security defense requires equal measures of investment in not only technology but also people and processes.
- Detecting breaches is not the end game, but the beginning of a process to understand the scope and impact and then respond quickly to minimize the damage.
Thinking about the latest revelations around the Target breach, and how Target’s FireEye deployment had alerted the company to the breach early on, it struck me that the company had invested appropriately in technology, but underinvested in its people and processes. It’s easy for technologists to fall for the silver bullet trap, investing in technology with the belief that it will make a particular problem or pain go away. It’s a whole lot harder to muster the resources required to properly exploit the benefits of that technology when budgets are tight and skilled security analysts are in short supply. It’s time for enterprises to invest more in training to develop the skilled staff necessary to meet the challenges posed by today’s threat landscape. At the same time, it’s equally important to invest in developing the processes needed to deal effectively with the glut of alerts and the follow-on investigations required to scope out the extent of potential breaches. When key security employees leave, the appropriate training and processes can help fill the void they leave behind and ensure such inevitable changes don’t negatively impact the organization’s security defenses.
The timing of FireEye’s acquisition of Mandiant in early January was rather interesting, given their bird’s eye view into what unfolded at Target. And it speaks to the need for organizations to think through their incident response readiness more seriously. It’s clear from the Target experience that the ability to move quickly to investigate serious alerts, gain an understanding of the extent and implications of a suspected breach, and then shut it down is paramount. Following the first FireEye alert, Target had nearly two weeks before the data was exfiltrated in which to prevent that event from occurring. And what’s probably most galling to all those affected is that the FireEye software could have deleted the malware, had that particular automated capability been turned on. Of course it’s understandable that it wasn’t: the history of anti-malware technologies is riddled with false positives, often resulting in a disruption of business. And that puts security professionals between a rock and a hard place. As HP Security Chief Art Gilliland noted in his RSA keynote, the bad guys only need to get it right once; the good guys need to be right 100% of the time.