The Equifax breaches and subsequent firing of the CEO, CIO, and CISO are a giant canary in the enterprise world. Their failures are far from unique. Most organizations struggle with the same issues too. But after a breach has occurred, challenges get reported as failures in the periodicals. Caricatures of what did or didn’t happen follow. Bigger issues are overlooked.
Decision-makers are Burdened with Voodoo Economics
Every organization struggles to bridge the chasm between qualitative arguments for more vigorous cybersecurity from its IT people with those from executives that cannot quantify the risks or the levels of resources to apply toward them. Nobody can produce statistically sound net present value options to facilitate no-brainer choices.
Worse, it's not just a budget and resources question. A cultural sense for urgency and a tolerance for disruption are also important. How does one quantify risk well enough to answer these questions? There’s no simple, analytical answer.
Much discussion regarding the gains from sharing of data and information amongst peers to improve cybersecurity sounds a bit kumbaya. Practically speaking, we need sharing to yield statistically significant insights to free decision-makers from Voodoo.
Systematically Fix the Human Weaknesses in your IT/Sec-Ops
The Equifax breaches would have been avoided had its people flawlessly acted collectively. Most organizations are inadequately taking on the human element. Technology depends on people, who depend on other people. Organizations that fail to excel in finding and fixing their human weaknesses will succeed Equifax in the headlines.
Cybersecurity Workflows are Complex Business Processes
The Apache Struts vulnerability that was exploited occurred roughly two months after a patch was released. Patching one’s home computer is nothing like that for enterprise systems, which are are complex systems consisting of complex systems, each of which consists of complex supply chains (e.g., open source software). Let this list of terms imply the complex business processes: patch management, change management, vulnerability management, asset management, risk management, compliance management, personnel management, business management, etc.
Move to a Continuous Workflow Paradigm
Agile and DevOps are both attempts to move away from the big-bang planning concepts that yield more bureaucracy than productivity.
Consider penetration testing, whether of an enterprise or an application. The testing takes one to three weeks, followed by up to two weeks to write up the findings. The Blue Team or Developers spend up to two weeks reviewing the report for contextual errors. Some vulnerability findings are ultimately irrelevant in certain circumstances that can easily be unknown to the pentesters. Next, another one to three weeks of triage and remediation planning ensures. This extreme representation of this process means that the most critical findings may not be remediated until after ten weeks. This is a classic example of Big Bang Planning. Note, the Equifax exploit occurred after roughly eight weeks. Not the same thing, but still a good point.
There are tools out there that strive to enable organizations to cast off the Big-Bang Planning paradigm for that of continuous workflow. For example, I’ve seen penetration testers employ secure portals for real-time capture and description of findings. Their customers have literally remediated fixes before testing was complete. I’ve also seen this in change management for AWS infrastructures that must comply with the Federal Risk Management Framework and all that.
Seemingly Missing Pieces of Tech at Equifax
I’m probably mistaken but I’m writing this anyway because I’ve learned through many conversations that not everyone knows of these. Did you know the day after the Apache Struts vulnerability was reported that a Snort IOC was made available? Had Equifax scanned for this, they would have detected the exploit.
One more concerns Database Activity Monitoring tools. These are critical. Not all exploits of application vulnerabilities are done to implant malware in the systems that host them. Apparently no malware was installed to persist on the Equifax server. Instead, the adversaries just used Equifax’s own application to methodically query the database for millions of records. Database Activity Monitoring tools should detect anomalies such as this.