Excellus breach reporting is symptomatic of a security media malaise

Instead of focussing on the scale of the Excellus breach, the security industry should stick to the what and the how of what happened.

The news that there has been yet another large breach is not a surprise to me. The fact that it has hit the healthcare sector is not a surprise to me. That media coverage has concentrated, for the most part, on reporting the size of the breach is not a surprise to me. In the words of the great Radiohead “no alarms and no surprises (let me out of here)” and I feel like I’m in the video for that particular piece of music as well, in danger of drowning inside a sealed helmet while the IT security industry watches on.

Why am I so narked about media coverage anyway? Because the media coverage shouldn’t, but it sure appears to, drive much of the security agenda in organisations up and down the country. Even those within the IT security industry itself, professionals who really should know better, all too often get caught up in the desire to attribute, record break, size and extrapolate (which gives us the apt acronym of ARSE, as you may have spotted) instead of sticking to the what and how of the matter.

Yes, I know I am part of that media circus and just as guilty as the next writer for indulging in precisely this kind of ARSE behaviour. However, I also appreciate that it’s got to stop and now is as good a time as any to start stopping.

Look, I get that quantifying an attack in terms of cost to the business may be seen as a useful sales tool when you are selling network and data security, or at least I would if the metrics were meaningful in any way at all. And they are not. If you don’t believe me then go take a look at half a dozen different reports analysing the scale of IT security breaches, all from reputable outfits, and explain to me why they all tell us something different.

Vendors, industry analysts, the media and regulatory bodies will all use different methods to try and determine the same thing; and they all fall flat because it’s not something that can be measured with any degree of accuracy. Simple as.

Impact is as impact does, to badly paraphrase Forrest Gump. Attempting to establish the cost of an attack to the business is pointless until you know how much that attack has cost the business, and that may not be for a year, or five.

As Tim Erlin, Director of Security at Tripwire, quite correctly states: “in nearly every breach, the first headline is just the tip of the iceberg and we learn of more compromised records after the investigation has moved forward. I would expect no less in this case.”

We are not talking money that has been stolen, we are talking data. We are not talking a static cost implication but a dynamic one that will change as more facts emerge. You have to factor in such unknowns, and they are just that, as brand damage, IP theft, loss of competitive advantage, and all this on top of guessable costs regarding downtime, investigations and fixes.

I am always being assured that IT security budgets are growing because there is a direct correlation between an increase in breaches, media coverage of the same and a better understanding in the boardroom of security issues. Yet I see little real world evidence of this, little in the way of a connecting of the dots when the media regards everything as ‘an attack’ whether it’s a DDoS, a hacktivist site defacement or a well-organized theft of data. I have said it before, and I will say it again: without clarity in the conversation we run the risk of it being muted, and if the conversation becomes muted then we really have lost the fight against the bad guys.

Listen to what David Gibson, VP of Strategy and Market Development at Varonis, said after the breach: “Excellus is currently saying there’s no evidence that the information was removed. Who are we kidding here? The hackers were just browsing around for kicks? The reality is that they probably have no idea what happened or what was stolen and never will. This would come as no surprise to anyone, and doesn’t sound much different than the major cyber-attacks that we have more information on.”

That is spot on, and honest. As was his comment that while CIOs and security professionals may feel safe with large investments in firewalls, virus detection and other perimeter defences, the on-the-ground reality is that today’s hackers continue to get better at their jobs and will easily get around these protections through a virtual side-door without ever being spotted.

“It’s time for organisations to shift priorities and assume that some of their employees (and even their administrators and executives) will be duped into giving up information (like their password) and/or downloading malicious code” Gibson continued, concluding “if an attacker steals an employee’s password (and you’re not using multi-factor authentication) then the attacker gets access to wherever they can use the password – any external or public-facing systems or applications where the employee used the same password are easily accessible.” All relevant, all factual, all good advice.

To sum up, then, I simply do not care if the Excellus attack was ‘one of the top 20 worst ever healthcare breaches’ or if ‘more than 10 million people may be impacted’ or if there have been ‘15 major breaches in the healthcare sector in the last 18 months’ because that is, when we cut through to the security chase, just noise. Is healthcare a target? Hell yes.

Tim Erlin is bang on the money when he points out that “healthcare seems to have run into a breach nexus. It’s clear that this industry has been targeted successfully.” However, when Tim then goes on to state that “every organization that stores personal health information should be put on notice: you are at high risk of already being compromised. If you think your systems are secure, you can easily be wrong” I tend to think that it’s an unnecessary comment. Not that it’s wrong, just that you could replace ‘personal health information’ with ‘any data’ and the same would still apply. In other words: is healthcare the only target? Hell no.

Here’s the thing, by which I mean the real IT security thing and not the media spin: it doesn’t matter if a breach is the biggest ever, it doesn’t matter how much the bad guys got away with, and it doesn’t matter if the Chinese authorities were behind it and ultimately it doesn’t really matter what industry sector has been hit.

It may matter when we in the media (and I include myself in this, having been guilty enough of chasing hits by headline) are looking to get eyes on our stories rather than the competition’s. It may matter to the industry regulators and the authorities handing out fines when it comes to determining the level of punishment due. Heck, it obviously matters to those government and law enforcement agencies looking to make political capital out of an attack that can be attributed to one hostile state or another. Yet it really, really, really shouldn’t matter to those folk tasked with finding out what went wrong and how to prevent it happening again.

Eric Chiu, president and co-founder of cloud control company HyTrust, adopts a better approach (although I could happily lose the quoted percentages) to commenting upon breaking news stories when he says “this is a critical situation, and with the majority of computing (more than 75%) now moved to cloud environments, we need to turn our security paradigm around from an ‘outside in’ threat perspective, which has proven inefficient and largely ineffective, to an ‘inside out’ view that addresses both insider and outsider advanced threats. Security monitoring tools such as SIEMs are broken; they’re slow, reactive and weak, especially when compared to techniques such as role-based monitoring (RBM), which is the fastest way to identify threats in virtualized environments with over 98% accuracy. The bad guys have unlimited resources and time to poke and prod your organization. Your only hope is to invest in qualified people and automated tools so that you can effectively monitor your systems in real-time for malicious activity.”

Sure, it’s a sales pitch as well as an expert comment, but that doesn’t mean he’s not right. And I’ll tell you something else, I’d rather read a thinly disguised sales pitch that actually connects with that ‘what and how’ debate I’ve been banging on about, than yet another piece of hyperbole and self-indulgence pretending to be insightful coverage.