Sonys and Targets and Heartbleeds! Oh My!
by Ben Tomhave | January 9, 2015
Now that we can soundly close the book on 2014, it’s perhaps a good time to take a quick look back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, the number of breaches overall, the number of “major, earth-shattering” vulnerability disclosures, etcetera etcetera etcetera (if you didn’t read that last bit in the voice of the King of Siam, then check it out here).
First, let’s ponder back, ever-so-briefly, on 2014… wow, it kinda sucked, didn’t it? Well, maybe only a little. Personally, I only had 2 cards reissued last year, and it’s because I misplaced one and wore out the other. Well, ok, the worn out one also got compromised, now that I think about it, but this was still an improvement over 2013 when I had 3 cards compromised in 4 weeks (card skimming ring on a major highway near where I live targeting all the gas stations).
We certainly saw a heaping pile of major breach disclosures in 2014… Target seems to have been the most impactful one in terms of the infosec trade, in large part because of the consequences for executives and board members there. I’ve heard from dozens of organizations that are “benefiting” from increased interest in and emphasis on cybersecurity going forward. Are there lessons to learn from that event? Probably, but the real story has yet to be written…
Sadly, the same can be said about the Sony breach… we really don’t know a whole lot, except that they’re apparently still down (“More than six weeks later, the studio’s network is still down – and is expected to remain so for a few weeks, as techs work to rebuild and get it fully back online.” [src]). We aren’t even sure what the business impact of the event will be (“‘I would say the cost is far less than anything anybody is imagining and certainly shouldn’t be anything that is disruptive to our budget,’ Lynton told Reuters in an interview” [src]).
So, we’re left to wonder, after all the hoopla over Target and Home Depot and Staples and Sony and myriad others… what lessons are we to learn from 2014?
First, remain calm and carry on. For all the major breaches that occurred, we’ve not seen businesses fail (yet). As such, something must be working, even if it’s just an adequate amount of insurance or self-insurance. That said, don’t get cocky! Breaches will happen. We need to be prepared for them. And, more importantly, we cannot rely on good will and insurance to bail us out in the end.
Second, get those basics tackled, and ASAP. Based on the 2014 Verizon DBIR, the vast majority of attacks still succeed because basic practices are not in place. If the rumors are to be believed, the Target incident may have involved weak vendor credentials, inadequate network segmentation between vendor-facing systems and the payment environment, and malware alerting and monitoring that was not acted upon (see “It turns out Target could have easily prevented its massive security breach” and the U.S. Senate Committee on Commerce, Science, and Transportation report “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach”).
Third, it’s time to pivot hard toward the cloud services model while optimizing detection and response capabilities. That means pushing into virtualization and various cloud services models, and making use of orchestration and configuration management tools that automate operations so issues can be addressed more rapidly. It likely also means shifting toward DevOps for similar reasons. And, of course, it means investing heavily in visibility into your environment in order to detect events as quickly as possible. Bad things will happen, so it’s imperative we find ways to detect them ASAP and then interdict as best we can.
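To make the segmentation point above (and the “visibility” point in this paragraph) a bit more concrete, here is a small added example of what “basic” monitoring looks like in code. It is not from the original post, not anything Target or Sony ran, and it makes up its own network layout: three hypothetical segments (a vendor portal, corporate, and the POS/cardholder environment), an allow-list of which segment may talk to which on which port, and a handful of constructed flow-log lines. Anything not on the allow-list that crosses a segment boundary gets flagged, which is exactly the kind of vendor-to-POS traffic that segmentation is supposed to prevent and that monitoring is supposed to surface.

```python
import ipaddress
from collections import namedtuple

# Hypothetical segment map, constructed for this example only.
SEGMENTS = {
    "vendor_portal": ipaddress.ip_network("10.20.0.0/24"),
    "corporate":     ipaddress.ip_network("10.10.0.0/16"),
    "pos":           ipaddress.ip_network("10.99.0.0/16"),
}

# Assumed segmentation policy: (source segment, destination segment, dst port).
# Everything that crosses a segment boundary and is not listed here is a violation.
ALLOWED = {
    ("vendor_portal", "corporate", 443),   # vendors reach the portal over HTTPS only
    ("corporate", "pos", 8443),            # store management pushes config to POS
}

# Flow record layout assumed here: timestamp src dst dport bytes (space separated).
Flow = namedtuple("Flow", "ts src dst dport nbytes")


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), int(nbytes))


def violations(lines):
    """Return (flow, src_segment, dst_segment) for every cross-segment flow
    that the policy does not explicitly allow. Traffic that stays inside one
    segment is out of scope for this check."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if src_seg == dst_seg:
            continue
        if (src_seg, dst_seg, f.dport) not in ALLOWED:
            found.append((f, src_seg, dst_seg))
    return found


def bytes_by_segment_pair(lines):
    """Aggregate bytes per (src_segment, dst_segment); a large number leaving
    'pos' for anywhere else is the kind of thing a human should look at."""
    totals = {}
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        key = (segment_of(f.src), segment_of(f.dst))
        totals[key] = totals.get(key, 0) + f.nbytes
    return totals


# Constructed sample flows (not real data): a vendor host hits the portal as
# expected, then reaches straight into the POS segment over SMB, and later a
# POS host pushes a large volume back out to the vendor host over FTP.
SAMPLE_FLOWS = """
2014-12-01T10:01:03Z 10.20.0.17 10.10.5.8 443 2100
2014-12-01T10:02:11Z 10.20.0.17 10.99.3.44 445 910000
2014-12-01T10:02:45Z 10.10.5.8 10.99.3.44 8443 5100
2014-12-01T10:03:02Z 10.99.3.44 10.20.0.17 21 4400000
""".strip().splitlines()


if __name__ == "__main__":
    for flow, s, d in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.ts} {s}->{d} {flow.src}->{flow.dst}:{flow.dport} ({flow.nbytes} bytes)")
    for (s, d), total in sorted(bytes_by_segment_pair(SAMPLE_FLOWS).items()):
        print(f"{s}->{d}: {total} bytes")
```

Run as a script it prints the two policy violations (vendor portal into POS on 445, POS back out to the vendor host on 21) and the per-segment byte totals. The point is not the toy allow-list but that a segmentation policy you can write down in a dozen lines is also one you can check continuously against flow data, which is the “basics plus visibility” combination the post is arguing for.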
At the end of the day, the time is right to start investing in better tooling for ops automation, detection and response. All of that must be underpinned by a solid risk management capability, which will facilitate prioritization of projects and environments, and bring awareness of business impact down to the operational level so that priorities align from the top of the organization to the bottom. We’re critically overdue for an evolutionary step (or leap) forward, as we’re simply not able to scale resources adequately to keep pace. Solving those scale issues will be critical here in 2015 (and beyond).
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.