This week, Adobe announced a settlement of a class action lawsuit filed against it as a result of a 2013 data breach. This followed a 2014 finding that Adobe's conduct was a contributing factor to the damages sustained by the plaintiffs, namely representatives of some of the three million credit or debit card holders affected.
The potential for legal action is not limited to Adobe or to the loss of credit card data. What we all need to consider is that an organization's conduct before and during a breach can become a key factor in determining its liability afterwards. This is not to suggest any malice in Adobe's case. As a former employee, I can state it is a well-run ship. I do not have all of the facts of the case, and I am not interested in passing judgment. What I am interested in is pointing out that, given all the time and attention targeted attacks receive in the media and the security industry, it is time we collectively addressed some elephants in the boardroom.
To avoid being the next headline, we need to ensure there is a clear trail of evidence that action is being taken to address the problem. Security teams, executives and board members must be seen to have taken ongoing, proactive steps to identify, communicate and manage the risks associated with targeted attacks. To be clear, there is no silver bullet for this problem. Despite all the marketing hype around zero-day attacks, exploits and the latest threat research du jour, the sage approach is to build the ability to detect what your adversaries have designed to be undetectable. Looking in the same nooks and crannies and expecting to find something new is at best wishful thinking. In other words, solutions designed around yesterday's attacks are of little value in solving tomorrow's problems.
Given this, should you read, hear or be told that monitoring only the network equivalent of your front door and windows is enough to detect modern targeted attacks, I hope your false-sense-of-security alarm rattles loud and clear. For your security teams, executives and board members to be seen as proactive and serious about the unexpected risks, costs, and strategic and professional impacts of targeted attacks, they need the ability to detect and act on the unexpected and the unseen. Why? Attackers are by nature unpredictable, so how you detect, inform and take action must account for that. A static approach, merely monitoring the perimeter and a handful of end-user protocols, cannot be expected to catch a dynamic adversary. Caveat emptor: there are organizations that espouse this storyline and claim a level of expertise as a means of supporting this proven-false premise.
Despite what you may have read or been told, your organization needs a 360-degree view of activity across all internal and external network traffic, on all 65,535 TCP and UDP ports, and the ability to recognize what is happening on more than one hundred application protocols. Others may have you believe that a narrow approach of monitoring only the web, email and file content used by your employees is all you need. However, as already suggested, the enemy may already be well within your gates, so you need eyes everywhere.
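What "eyes everywhere" looks like in practice is visibility into east-west traffic, not just the perimeter. The following is an added example, not code from the original post or from Trend Micro: a minimal check over NetFlow-style records that learns which (protocol, port) pairs each internal host normally serves during a clean window, then flags internal-to-internal flows outside that baseline and any internal host fanning out to many peers on one port. The subnets, hosts, ports and flow records are constructed for illustration.

```python
# Added example (not from the original post): lateral-movement checks over
# NetFlow-style records. The address plan, hosts and flows are constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed RFC 1918 ranges standing in for "internal"; adjust to the real plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # 1..65535


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def is_lateral(f: Flow) -> bool:
    """Internal source talking to an internal destination (east-west traffic)."""
    return is_internal(f.src) and is_internal(f.dst)


def build_baseline(flows):
    """(proto, dport) pairs each internal host was seen serving in a clean window."""
    baseline = defaultdict(set)
    for f in flows:
        if is_lateral(f):
            baseline[f.dst].add((f.proto, f.dport))
    return baseline


def find_unbaselined_lateral(flows, baseline):
    """Lateral flows to a (proto, dport) never seen on that destination.
    A host with no baseline at all (a workstation that never served anything)
    is flagged on any inbound lateral flow."""
    return [f for f in flows
            if is_lateral(f) and (f.proto, f.dport) not in baseline.get(f.dst, set())]


def lateral_fanout(flows, threshold=3):
    """Sources reaching >= threshold distinct internal hosts on one (proto, dport):
    the shape of scripted or worm-style lateral spread."""
    targets = defaultdict(set)
    for f in flows:
        if is_lateral(f):
            targets[(f.src, f.proto, f.dport)].add(f.dst)
    return {k: v for k, v in targets.items() if len(v) >= threshold}


# Constructed "clean window": workstations using the file server, DC and DNS.
TRAINING_FLOWS = [
    Flow("10.0.1.5", "10.0.2.10", "tcp", 445),
    Flow("10.0.1.6", "10.0.2.10", "tcp", 445),
    Flow("10.0.1.5", "10.0.2.5", "tcp", 88),
    Flow("10.0.1.6", "10.0.2.5", "tcp", 389),
    Flow("10.0.1.5", "10.0.2.5", "udp", 53),
    Flow("10.0.1.5", "203.0.113.9", "tcp", 443),   # outbound web, not lateral
]

# Constructed "detection window": one workstation behaving oddly.
DETECTION_FLOWS = [
    Flow("10.0.1.7", "10.0.2.10", "tcp", 445),     # normal SMB to the file server
    Flow("10.0.1.7", "10.0.2.10", "tcp", 4444),    # port that host never served
    Flow("10.0.1.7", "10.0.1.20", "tcp", 445),     # SMB to peer workstations ...
    Flow("10.0.1.7", "10.0.1.21", "tcp", 445),
    Flow("10.0.1.7", "10.0.1.22", "tcp", 445),
    Flow("10.0.1.7", "203.0.113.9", "tcp", 8443),  # outbound; not lateral, not judged here
]


def run_example():
    """Return (unbaselined lateral flows, fan-out sources) for the constructed data."""
    baseline = build_baseline(TRAINING_FLOWS)
    anomalies = find_unbaselined_lateral(DETECTION_FLOWS, baseline)
    fanout = lateral_fanout(DETECTION_FLOWS)
    return anomalies, fanout


if __name__ == "__main__":
    anomalies, fanout = run_example()
    for f in anomalies:
        print(f"unbaselined lateral flow: {f.src} -> {f.dst} {f.proto}/{f.dport}")
    for (src, proto, dport), dsts in fanout.items():
        print(f"fan-out: {src} reached {len(dsts)} hosts on {proto}/{dport}")
```

Both checks only fire because east-west flows are being collected at all; a sensor that sees nothing but the Internet edge would observe only the two outbound flows and miss the SMB sweep and the connection to tcp/4444 entirely. In a real deployment the baseline would be built from days of flow exports rather than six records, and the fan-out threshold tuned per role (a vulnerability scanner legitimately touches every host).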
For more insight into why your executives and board members need to address targeted attacks and advanced threats, and the path ahead for doing so, I encourage you to share the following resources with them:
- Insight into the potential impacts of a targeted attack: http://www.trendmicro.ca/en-ca/boxes/videos/20141009180731.html
- An opportunity to run a targeted attack simulation: http://targetedattacks.trendmicro.com/
- A rationale for investing in a targeted attack solution: https://enterprise.apac.trendmicro.com/apt/webinar/TargetedAttacks_AdvanceThreats.pdf