Over the last year many big brand organisations have become the subject of large-scale data breaches – whether it be eBay, Home Depot or Staples, these are brands we know and use, and the loss of millions of customer records is a big concern.
The retail industry is a particularly desirable target, as the data they store is valuable to cybercriminals, and the damage a successful breach can cause can be huge both financially and from a reputational perspective.
Recent research by the Ponemon Institute looked at how well 675 organisations in the retail space were able to deal with the advanced threats that targeted them.
One of the most striking, but unfortunately expected, findings from this research is the length of time taken for retail organisations to detect and contain threats – 197 days and 39 days respectively.
This means that once an attacker is inside a network they have a lot of time to move around and accomplish their goals, whatever they may be – in many cases never being detected at all, with the breach being discovered only when stolen data comes to light after the fact.
Given the above you would anticipate that retail organisations are looking to improve things, and the research indicates that a variety of different steps are being taken.
The most popular of these is ‘integrating threat intelligence into the incident response function’ – and although threat intelligence can help, its usefulness is dependent on the relevance and timeliness of the intelligence itself.
As a commodity, threat intelligence loses its value quickly as compromised infrastructure is cleaned up by the user or repurposed by the attacker. The relevance of threat intelligence is also important, for example having information on threats targeting the petro-chemical industry in the Middle East is not that useful if you are a retailer in Western Europe.
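As an added illustration of the point above (this is not code from the original article or from Arbor Networks), the routine below decays an indicator's confidence from its last sighting and discards indicators whose targeting tags do not match the organisation's own sector and region. The half-life, the threshold and the sample feed are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

HALF_LIFE_DAYS = 14  # assumption: confidence halves every two weeks without a fresh sighting


@dataclass
class Indicator:
    value: str
    kind: str             # "ip", "domain", "sha256", ...
    confidence: float     # 0.0 to 1.0 as supplied by the feed
    last_seen: date       # most recent sighting reported by the feed
    sectors: set = field(default_factory=set)  # sectors the feed says are targeted
    regions: set = field(default_factory=set)  # regions the feed says are targeted


def aged_confidence(ind, today, half_life_days=HALF_LIFE_DAYS):
    """Exponential decay from the last sighting: stale infrastructure is
    likely to have been cleaned up by its owner or repurposed by the attacker."""
    age_days = max((today - ind.last_seen).days, 0)
    return ind.confidence * 0.5 ** (age_days / half_life_days)


def is_relevant(ind, my_sectors, my_regions):
    """Untagged indicators are kept; tagged ones must overlap the organisation's profile."""
    sector_ok = not ind.sectors or bool(ind.sectors & my_sectors)
    region_ok = not ind.regions or bool(ind.regions & my_regions)
    return sector_ok and region_ok


def prioritise(indicators, today, my_sectors, my_regions, threshold=0.3):
    """Return (score, value) pairs, best first, for relevant and still-fresh indicators."""
    ranked = []
    for ind in indicators:
        if not is_relevant(ind, my_sectors, my_regions):
            continue
        score = aged_confidence(ind, today)
        if score >= threshold:
            ranked.append((round(score, 3), ind.value))
    return sorted(ranked, reverse=True)


# Constructed sample feed using documentation-reserved addresses; none of these are real indicators.
TODAY = date(2015, 3, 1)
FEED = [
    Indicator("198.51.100.7", "ip", 0.9, TODAY - timedelta(days=2), {"retail"}, {"eu"}),
    Indicator("203.0.113.40", "ip", 0.9, TODAY - timedelta(days=60), {"retail"}, {"eu"}),  # stale
    Indicator("bad.example", "domain", 0.8, TODAY - timedelta(days=1), {"oil-gas"}, {"me"}),  # other sector
    Indicator("c2.example", "domain", 0.6, TODAY - timedelta(days=7)),  # no targeting context
]

if __name__ == "__main__":
    print(prioritise(FEED, TODAY, {"retail"}, {"eu"}))
```

Run against the sample feed for a Western European retailer, only the fresh retail indicator and the untagged one survive; the 60-day-old address decays below the threshold and the oil-and-gas indicator is filtered out as irrelevant.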
One key statistic within this research is that only 17% of surveyed retail organisations shared threat intelligence with other companies or government entities. This contrasts with 43% in the finance vertical (also the subject of the Ponemon study), and that vertical has markedly lower detection and containment times.
The sharing of threat intelligence with peer organisations, including competitors, is important and is something that many verticals need to improve. The finance industry is better than most at sharing, and has a history of doing this to combat fraud. Action Fraud, British Bankers Association, HMRC, the FCA and the NCA are just some of the organisations who are part of CIFAS, working together to combat fraud in this industry.
According to the research, one of the other interesting steps that a third of retail organisations are looking to take to reduce detection and containment times is the introduction of a ‘hunting team’.
This approach focuses on the key ‘value’ targets within an organisation and the pathways to reach those targets, and relies on analysts actively looking for anomalies that may indicate the presence of a previously undetected threat.
Hunting allows an organisation to augment its existing event-driven incident response processes with a more proactive approach. It can help to reduce detection and containment times for the threats that do get through our preventative controls, but to make it viable, solutions are needed that allow analysts to visualise threat and traffic trends – moving away from the row-and-column oriented screen layouts that many security solutions have today.
What is obvious, both from the study and from looking at the current threat landscape, is that bad actors are winning far more often than businesses would like them to.
To address this, businesses need to transition from being solely focused on preventative technologies. The latest detection technologies will always be important, but they need to balance this with investments in people and process.
Sourced from Darren Anstee, chief security technologist, Arbor Networks