According to Benjamin Franklin, “the only things certain in life are death and taxes.” I would like to add “data breaches” to his list. Suffice to say, it was only a matter of time before Target was hacked.
Thanks to this BusinessWeek article everyone is up in arms about the fact that even though the Minneapolis-based analysts were alerted to the threat by the team in Bangalore, nothing was done. In fact, the Target team actually turned off its system's capability to automatically delete malware as it's detected. As a result, hackers obtained an astounding 40 million credit card numbers.
While it's very easy to point fingers, we need to put this in perspective. For a network as large as Target's, security analysts get an outrageous number of alerts every day, which is comparable to sifting through a stack of needles to find that one needle you care about. How would the security analysts know the difference between a needle that is a nuisance and one that is a threat?
Imagine you live in a wooded area that has a lot of wildlife – deer, raccoons, skunks – roaming around. You have a motion sensor system set up outside to detect potential human intruders, but it's always tripped up by a deer grazing in your backyard or a raccoon making its way into the trash can. Eventually you get tired of all the false alarms and turn off the motion sensor. I have little doubt that's exactly the scenario Target's analysts must have faced.
So how could they have eliminated the false alarms and ensured that they were addressing the real threats in the limited bandwidth they have?
Enter context
Context is just a different way of saying that we know what happened, why it happened and what to do about it. It's important because there are so many different systems, analysts and pieces of information that go into resolving a breach.
Generating context is key for security analysts to understand data intuitively, discover previously unknown threats and provide the necessary information to take action quickly.
Let's put this idea of context, well, into context. What if you were able to equip the motion sensor I discussed earlier with pattern recognition technology to only notify you once a real threat is identified? You might still want the motion sensor to initiate recording when an animal passes by. However, if there was a real intruder in your backyard, you would want the motion sensor to trigger video recording, turn the backyard light on and sound the alarm. The additional context allows your alarm system to be smarter and flag real threats.
It's also crucial to present this data in an intuitive fashion; otherwise it's just another blinking red light. With the influx of data, attention is being drawn to the importance of data visualization for analysts. We need to move away from the rudimentary approach of taking data and presenting it in colorful pie charts and graphs that fail to deliver any insight. Instead, we need to embrace visualizations that enable analysts to process information and gather insights as quickly as possible in order to answer questions or resolve problems faster.
Lessons learned
At the end of the day the Target breach has taught us a lot.
First, it underscored the importance of context, encapsulating every alert with a core set of data that can help security analysts assess what to pay attention to. It also stressed the importance of automating some of the processes required to determine the importance of the alerts, so that analysts can focus on what's really important. If Target hadn't turned off the automatic malware deletion capability, they could have saved millions of dollars spent responding to the breach in fines and court fees. And, their cleanup bill is still growing.
Lastly, it highlighted the importance of presenting the information to analysts in an intuitive fashion by enriching the context and providing a user-friendly interface that doesn't just make them want to push the “ignore” button.
With the all-time high amount of data traversing networks and hackers getting smarter everyday, security threats have increased in frequency, complexity and persistence. It was inevitable that large companies like Target and Neiman Marcus would one day miss a high-alert threat among all the false positives. Therefore the question should not be, “How can I prevent an attack?” but, “Once I'm attacked, how can I resolve the issue as quickly as possible so that it doesn't affect the business?”
