The Equifax breach, which impacted an estimated 145.5 million U.S. consumers, was in many ways the enterprise security story of 2017. That’s why so many of us were shocked when, during (now former) Equifax CEO Richard Smith’s Congressional testimony, we repeatedly heard him blame the company’s breach on a single IT person failing to install a patch. On the surface, this sounds like an error so easily avoidable as to be a travesty of incompetence or neglect. Indeed, Equifax came in for extensive criticism on essentially those grounds. But that superficial reading masks a deeper truth about the state of cybersecurity today, one that actually is even more worrying than the fact that a company holding data on so many Americans could be breached: namely, that many security teams (like, apparently, Equifax’s) are so overwhelmed that even simple things slip through the cracks.
More spend on tools, but to what end?
Organizations like Equifax are currently spending more on security than ever before. According to Gartner, worldwide spending on enterprise security will reach $96.3 billion in 2018, an increase of 8 percent from 2017.
Yet despite the money pouring into security, organizations — and not just Equifax — are increasingly being compromised not by the most sophisticated zero-day attacks but by simple mechanisms from the early 2000s — like missing patches or weak administrative passwords. How can such elementary problems still be tripping us up so many years later?
For one, security teams are overwhelmed. Security teams typically examine less than 5 percent of the alerts that reach them each day (and in many cases far less). Ironically, some attempts to fix this can backfire. Automation is clearly required to help security teams prioritize their work and defend their environments, but many systems rank alerts on measures of the severity and impact of the threat itself rather than on its potential impact in the context of the business. In other words, a human analyst understands that a "simple" exploit of an unpatched vulnerability on the server that houses your crown jewels is a higher priority than a sophisticated zero-day attack against the machine hosting the cafeteria menu, but a tool that ranks purely on threat severity will put them in the opposite order.
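To make the crown-jewels-versus-cafeteria-menu point concrete, here is an added example (not code from the article or from Awake Security) that ranks the same four alerts two ways: by the threat's own severity score, as many tools do, and by that score weighted with the affected asset's business criticality and exposure. The hostnames, scores, criticality tags and the weighting formula are all constructed for illustration; in practice the asset tags would come from a CMDB or cloud tags, and the weights would be tuned to the organization. The example also handles the case the paragraph implies but does not state: a host that is missing from inventory must not silently drop to the bottom of the queue.

```python
"""Severity-only vs. business-context alert ranking (illustrative example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: int      # 1 = throwaway .. 5 = crown jewels (assumed business tag)
    internet_facing: bool


@dataclass(frozen=True)
class Alert:
    alert_id: str
    hostname: str
    description: str
    severity: float       # 0-10 threat-intrinsic score, as a scanner or IDS would emit


# Constructed inventory: hostnames and tags are made up for this example.
ASSETS: Dict[str, Asset] = {
    "cafeteria-web":  Asset("cafeteria-web",  criticality=1, internet_facing=True),
    "consumer-db-01": Asset("consumer-db-01", criticality=5, internet_facing=False),
    "wkstn-0412":     Asset("wkstn-0412",     criticality=2, internet_facing=False),
}

# Constructed alerts; "shadow-it-box" is deliberately absent from ASSETS.
ALERTS: List[Alert] = [
    Alert("A-1", "cafeteria-web",  "zero-day exploit attempt against web app", 9.8),
    Alert("A-2", "consumer-db-01", "exploit of known, unpatched vulnerability", 7.5),
    Alert("A-3", "wkstn-0412",     "RDP password brute-force",                  5.0),
    Alert("A-4", "shadow-it-box",  "suspicious outbound connection",            6.0),
]

# Assumption: an unknown host gets a middling weight, never zero, so an
# inventory gap cannot bury an alert.
UNKNOWN_ASSET_CRITICALITY = 3


def rank_by_severity(alerts: List[Alert]) -> List[Alert]:
    """What a severity-only tool does: order purely by the threat's own score."""
    return sorted(alerts, key=lambda a: a.severity, reverse=True)


def business_risk(alert: Alert, assets: Dict[str, Asset]) -> float:
    """severity x asset criticality, doubled when the host is internet-facing.

    The weights are illustrative; the point is that asset context, not the
    exploit's sophistication, decides where the analyst's time goes.
    """
    asset = assets.get(alert.hostname)
    if asset is None:
        return alert.severity * UNKNOWN_ASSET_CRITICALITY
    exposure = 2 if asset.internet_facing else 1
    return alert.severity * asset.criticality * exposure


def rank_by_business_risk(alerts: List[Alert], assets: Dict[str, Asset]) -> List[Alert]:
    """Order alerts by business risk instead of raw severity."""
    return sorted(alerts, key=lambda a: business_risk(a, assets), reverse=True)


if __name__ == "__main__":
    for label, ranked in (("severity only ", rank_by_severity(ALERTS)),
                          ("business risk ", rank_by_business_risk(ALERTS, ASSETS))):
        print(label, [(a.alert_id, a.hostname) for a in ranked])
```

Run stand-alone, the severity-only ranking puts the zero-day against the cafeteria web server first; the business-risk ranking moves the "simple" exploit against the consumer database to the top, and the host missing from inventory lands in the middle of the queue rather than at the bottom.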
Human skills are still paramount
Furthermore, the nature of modern attacks means that human judgment is more important than ever, not less. Attackers increasingly "live off the land": they use compromised credentials together with the tools already present on the host and network, and non-malware techniques, to achieve their ends. In the absence of over-the-wire exploits and on-the-host malware, many traditional security technologies have nothing to fire on.
Also, very few successful attacks are smash and grab — attackers will often stay in the environment for weeks, if not months or years. As Smith testified in the Equifax case, for example, there is evidence to suggest the attackers were present in the environment for more than two months between May 13 and July 30. Finding the attacker during this time, before the full damage is done, is of paramount importance, yet that hinges on being able to judge which activities are benign and which are not.
So, as sophisticated as our tools are, finding an ongoing attack often comes down to our most limited resource: people. Tools and machines are good at processing large volumes of information, but they are not good at inferring maliciousness by "eyeballing" the results of that analysis. Humans who know what to look for can, whether the signal is suspicious network activity or data exfiltration.
But humans need to be enabled
It takes analysts time to find the answers they need to assess the scope and impact of even a single alert, to say nothing of uncovering a subtle, ongoing campaign. In my firm's studies of security teams ranging from the Fortune 500 to companies of under 1,000 employees, we have seen that the process can be painstakingly complex, often involving correlation across 30 to 40 sources of information, both internal and external to the environment, and taking half an hour or more to complete even a preliminary investigation. And consider the incentives for the staff trying to make sense of this morass: how many security teams want to be the ones to call the CEO and report that 150 million records have been stolen, only to turn out to be wrong? Equifax's 19-day timeline even after an issue was identified may sound outrageous (particularly now that we know the grim implications), but it is unfortunately all too common and, in fact, similar to other attacks that have been in the headlines.
Investigations and analyst burnout
Lawmakers and industry leaders have struggled to find solutions to data security challenges, but the key underlying issue of enabling security teams and analysts is often overlooked. Today security teams face torrents of information, yet, despite increasing levels of automation, rarely do these systems actually help them find the things that matter. We need to enable security teams to understand their environments better so they can catch the threats that can do the most harm, even if they are “simple.” These teams must be able to assess individual alerts faster and more accurately to avoid missing the ones that count, and they must have visibility into what is actually happening so they can deny adversaries the ability to operate undetected. Until security teams are empowered to be effective, we should expect more incidents that ought to have been avoided.
Michael Callahan is cofounder and CEO of security investigation platform company Awake Security. Previously, he served as Chief Technologist for HP StorageWorks Enterprise NAS, joining the company through the acquisition of PolyServe, a big data infrastructure company he founded and served as CTO.