How to avoid becoming a victim like Target

"It's technology, process and policy, and technology is only one-third of the solution"

Target's failure to act when alerted that malware was in its network is a reminder that spending large amounts of money on technology is a waste without the right people and processes.

Weeks before hackers started siphoning tens of millions of credit card numbers from Target's payment systems during last year's holiday shopping season, security personnel were warned that malware was in the retailer's computers, Bloomberg BusinessWeek reported.

The alert came from a newly installed network-monitoring tool from security vendor FireEye. The system, which cost $1.6 million to install, apparently did its job. The failure was in not responding to the alerts, experts say.

Technology like FireEye's is good at spotting potential problems, but the number of alerts is overwhelming without full-time staff dedicated to separating the false positives from warnings that point to a serious computer breach.

"It's technology, process and policy, and technology is only one-third of the solution," Avivah Litan, analyst for Gartner, said.

"If you don't have the process, which includes organization, and if you don't have the policy saying what you are going to do when you see a high alert, then it doesn't matter if you have the best technology in the world.

"The alarms are going to go off and no one is going to pay attention to them."

Why Target did not follow up on the FireEye warnings is not clear. Nevertheless, companies that deploy the same type of technology should be aware "that none of these systems are perfect," Litan said.

To make effective use of these systems, an enterprise needs to have full-time security pros monitoring alerts. Since this is often considered too expensive, companies then have to be willing to hire a managed service provider (MSP) to do the monitoring for them, Rick Holland, analyst for Forrester Research, said.

"For the majority of companies out there, they're going to have to rely on a third party to do their SOC (security operations center) operations for them," Holland said.

Companies that go that route have to have a tight and well-managed relationship with the service provider. That partnership has to include identifying in advance the computer systems that process and store the information that drives revenue for the company, or whose theft would cause tremendous harm to the business. This list of systems should be updated every quarter.

Knowing all of this in advance will give the MSP a clear understanding of what areas of the network to watch closely.

"The number one priority should be focusing on the important assets and detecting bad things against them way before the exfiltration (of data) occurs," Holland said.
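As an added illustration of the practice Holland describes (not code from the article, from FireEye or from any MSP), here is a constructed triage routine: an inventory of the systems that hold revenue-driving data, a check that each record was reviewed within the quarter, and an alert ranking that puts hits on those assets, and on hosts nobody has inventoried, ahead of vendor severity alone. The host names, alert fields, the 92-day quarter and the scoring weights are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

QUARTER = timedelta(days=92)   # an inventory record older than this is stale
TODAY = date(2014, 3, 1)       # constructed "now" for the sample run
SEVERITY = {"low": 1, "medium": 2, "high": 3}  # assumed vendor severity scale

@dataclass
class Asset:
    host: str
    critical: bool       # processes or stores revenue-driving data
    last_reviewed: date  # when the record was last confirmed by the business

@dataclass
class Alert:
    host: str
    severity: str        # vendor-assigned: "low" | "medium" | "high"
    description: str

# Constructed inventory and alerts; not taken from any real environment.
INVENTORY = {
    "pos-app-01": Asset("pos-app-01", True, date(2014, 1, 15)),
    "hvac-vendor-gw": Asset("hvac-vendor-gw", False, date(2013, 6, 1)),
    "ws-0421": Asset("ws-0421", False, date(2014, 1, 15)),
}
ALERTS = [
    Alert("ws-0421", "high", "malware callback"),
    Alert("pos-app-01", "medium", "unsigned binary dropped"),
    Alert("hvac-vendor-gw", "low", "new outbound connection"),
    Alert("unknown-host", "high", "credential dumping"),
]

def stale_assets(inventory, today):
    """Hosts whose inventory record was not reviewed within the last quarter."""
    return sorted(h for h, a in inventory.items() if today - a.last_reviewed > QUARTER)
def triage(alerts, inventory):
    """Rank alerts so that hits on critical assets, and on hosts missing from the
    inventory, outrank vendor severity alone. Returns (score, host, action) tuples."""
    ranked = []
    for a in alerts:
        asset = inventory.get(a.host)
        score = SEVERITY[a.severity]
        if asset is None:          # unknown host: an inventory gap, not a low-priority alert
            score, action = score + 2, "investigate: host missing from inventory"
        elif asset.critical:       # crown-jewel system: an analyst looks now
            score, action = score + 3, "escalate to analyst now"
        else:
            action = "queue for review"
        ranked.append((score, a.host, action))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))
```

Running `triage(ALERTS, INVENTORY)` puts the medium-severity alert on the payment system ahead of the high-severity one on an ordinary workstation, and `stale_assets(INVENTORY, TODAY)` flags the vendor gateway whose record is overdue for its quarterly review.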

Overall, network-monitoring tools require manpower. While the FireEye system could have been configured to remove malware automatically, that feature was turned off.

Target had determined that the software was too new and untested to have it delete files on its own. The decision was the right one, because if the software made a mistake, it could easily have taken down a critical system.

"It is always the recommendation to fully test the product in the environment before turning on automatic checks," Joe Schumacher, security consultant for risk management company Neohapsis, said.

"In my opinion, it takes a lot of additional work by an enterprise to reach an automatic block level with a product as the last thing security wants is to make the business grind to a halt."
