Securing your corporate network is challenging enough; now it appears you should be concerned with your neighbours' networks too. Headline-grabbing data breaches involving Target, AutoNation, Lowe's and AT&T have all been linked to trusted third-party vendors as the origin of the attack. Recent real-world examples include:
• A large bank where 50 percent of contractors' laptops were infected and actively communicating with malware.
• A large energy company infected via a local deli's online ordering system. Attackers had embedded their exploit in a JPG image, and employees who placed orders from the corporate network were infected.
Why the trend? Large enterprises are getting better at security, so criminals are turning to their partners' networks instead. Generally, these organisations have fewer security controls, making them easier to exploit.
Security research firm the Ponemon Institute found that roughly a quarter of breaches were attributable to third-party negligence. A survey by consulting firm PwC showed that only 22 percent of respondents conducted incident response planning with their supply chain, and only 20 percent evaluated the security of those partners more than once a year. Is this a blatant disregard of security best practices? No, it's a sign of the times. Many security teams have simply reached breaking point in terms of the man-hours available to keep up with network threats.
It's a manual process to track down every alert logged in a SIEM or generated by firewalls, intrusion prevention systems and sandboxes. Humans have to corroborate the information in an alert with other data to get proof of an infection. That explains the Target breach: it was widely reported that the company received security alerts, yet an alert on its own isn't proof of anything.
A network the size of Target's, with 2,000 stores and 360,000 employees across the United States, generates thousands of alerts about anomalous behaviour every single day. In fact, Damballa's research shows that enterprises experience an aggregate average of 10,000 alerts per day, and fewer than a hundred of those 10,000 turn out to be actual infections. Wading through such a volume of alerts by hand is impossibly time- and resource-consuming. Even if you did, you'd be late to the remediation party, and owned before you knew it.
The ill-defined ecosystem of third-party, shadow and BYOD systems will only grow. Automating the collection and correlation of alerts from all your different sources is the only practical response: verify, verify, verify before the boy cries wolf.
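To make the corroboration step concrete, here is an added example of the logic described above; it is not Damballa's code or product. It reads a small, constructed alert feed (the timestamps, sensor names, hosts and signature text are all made up for illustration) and escalates a host only when two or more independent sensors fire on it within a short time window, so that repeated hits from a single sensor, or a stale sandbox verdict hours earlier, do not on their own count as proof of infection.

```python
"""Corroborate alerts across independent sensors before calling a host infected.

Added example for this article, not Damballa's code. The pipe-separated log
format, the sensor names and the hosts below are constructed for illustration;
a real deployment would read normalised events from the SIEM instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert feed: ISO timestamp | sensor | host | detail.
# ws-0412 is hit by three different sensors within minutes (corroborated).
# ws-0177 has a sandbox verdict over an hour before an unrelated IPS hit.
# ws-0900 has two hits, but both from the same sensor.
# contractor-lt-07 is a third-party laptop hit by sandbox and firewall.
SAMPLE_FEED = """\
2024-03-01T10:02:11Z|ips|ws-0412|ET TROJAN generic beacon to 203.0.113.7
2024-03-01T10:02:40Z|fw|ws-0412|deny tcp 10.20.4.12 -> 203.0.113.7:443
2024-03-01T10:05:00Z|dns|ws-0412|31 NXDOMAIN responses in 60s
2024-03-01T09:00:00Z|sandbox|ws-0177|attachment invoice.pdf.exe verdict=malicious
2024-03-01T10:06:00Z|ips|ws-0177|policy p2p client detected
2024-03-01T11:00:00Z|ips|ws-0900|ET POLICY suspicious user-agent
2024-03-01T11:01:30Z|ips|ws-0900|ET POLICY suspicious user-agent
2024-03-01T12:00:00Z|sandbox|contractor-lt-07|dropper verdict=malicious
2024-03-01T12:03:00Z|fw|contractor-lt-07|deny tcp 10.99.1.7 -> 203.0.113.7:443
"""


def parse_feed(text):
    """Turn the constructed feed into a list of alert dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, host, detail = line.split("|", 3)
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "sensor": sensor,
            "host": host,
            "detail": detail,
        })
    return alerts


def corroborated_hosts(alerts, window_minutes=60, min_sensors=2):
    """Return {host: sorted sensor names} for hosts where at least
    `min_sensors` *different* sensors fired within `window_minutes` of each
    other. Repeated hits from one sensor count once; hits too far apart in
    time are not combined."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    flagged = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a["ts"])
        for anchor in hits:
            # Look forward from each hit; the list is sorted so this covers
            # every pair of hits that fall within one window of each other.
            nearby = [a for a in hits
                      if anchor["ts"] <= a["ts"] <= anchor["ts"] + window]
            sensors = {a["sensor"] for a in nearby}
            if len(sensors) >= min_sensors:
                flagged[host] = sorted(sensors)
                break
    return flagged


def triage_summary(text, window_minutes=60, min_sensors=2):
    """Counts a SOC lead would want: raw alerts, hosts alerting, hosts that
    survive corroboration, and which sensors agreed on each."""
    alerts = parse_feed(text)
    flagged = corroborated_hosts(alerts, window_minutes, min_sensors)
    return {
        "alerts": len(alerts),
        "hosts_alerting": len({a["host"] for a in alerts}),
        "hosts_escalated": len(flagged),
        "escalated": flagged,
    }


if __name__ == "__main__":
    s = triage_summary(SAMPLE_FEED)
    print(f'{s["alerts"]} alerts on {s["hosts_alerting"]} hosts; '
          f'{s["hosts_escalated"]} escalated: {s["escalated"]}')
```

On the constructed feed, nine alerts across four hosts collapse to two hosts worth an analyst's time, and one of those is a contractor laptop. The window and sensor-count thresholds are the knobs to tune: widening the window to two hours would let the stale sandbox verdict on ws-0177 corroborate the later IPS hit, which is exactly the kind of trade-off between missed infections and analyst load the article describes.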
If shutting down third-party access to your network isn't an option, then what? Conduct a breach assessment to uncover exposures such as third-party access paths. Next, consider how prepared you are to detect infections that bypass your prevention controls. Finally, have an active, well-rehearsed incident response plan in place so you can take immediate action to limit the damage.
Contributed by Brian Foster, CTO, Damballa