Post by Nick Palmer, Sales Engineer
If someone were to offer you a cast-iron business opportunity that would increase your revenue by 4%, how much would you invest? More to the point, how would you convince the board that someone hadn’t spiked your latte prior to the presentation?
Now imagine if someone told you that there was a similar ‘dead cert’ that would COST your organization 4% of its revenue in the event of a data breach. How much would you invest to prevent that?
In less than two years the latter question will become a reality for organizations operating in the EU. The General Data Protection Regulation (GDPR), enacted by the EU to offer greater protection to individuals in the event of data loss, is coming into effect soon. Regardless of your views on whether the UK should exit or remain in the common market, or on the acrimony between the camps, the GDPR is real and it affects your organization.
With fines of up to twenty million Euros or up to 4% of annual revenue, whichever is greater, it is no surprise that organizations are taking this extremely seriously. The astonishing number of data breaches still occurring (Sony 2011, 77 million records; Mumsnet 2015, 1.5 million records; Think W3 2014, 1.1 million records; MoonPig 2015, 3 million records and of course, TalkTalk 2015, 137,000 records) makes it absolutely clear that there are going to be some major corporate casualties in receipt of share-price-killing fines when the next big breaches occur.
Given that personally identifiable information (PII) remains an easily monetized commodity for the serious threat actor, it is absolutely clear that unless organizations adopt a far more aggressive strategy to identify attackers already on the network, then the next major data loss and fierce associated compliance penalty is only just around the corner.
If I were an Advanced Threat Group, I’d be anticipating potential targets to be investing heavily in data protection measures to avoid these penalties. I’d be researching countermeasures and, more importantly, consolidating and fortifying my position around privilege escalation. The Mandiant M-Report of last year suggested that the sophisticated attacker can gain access to administrative credentials in as little as three days once on the network. This significantly improves their ability to circumvent the protections applied to PII in pursuit of GDPR compliance.
Once an adversary has escalated privileges, they will seek to move laterally to find personal data. It is at this point that the attacker is most vulnerable to detection, assuming that the correct mechanisms are in place TO detect such movement. Here is the crunch point. Most organizations CANNOT effectively detect lateral movement. IDS and IPS can be easily thwarted through the use of standard corporate tools (PowerShell, psexec, WMI) and ‘low and slow’ scans. The most effective way to detect attacker movement is deception. By intermingling your production infrastructure with highly convincing fake IT assets, populated with fake PII and other content that the attacker is looking for, you create a layer in the network that nothing should be talking to. As soon as any system communicates with a decoy, you secure a conviction.
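As an added illustration (not code from the original post), here is a minimal detector in the spirit of the decoy layer described above: it flags any flow whose destination is a decoy, and groups touches per source host so that a slow sweep across several decoys over hours still surfaces. The decoy inventory and the flow records are constructed for the example.

```python
# Added example (not from the original post): a minimal decoy-touch detector.
# Assumes constructed netflow-style lines "timestamp src_ip dst_ip dst_port" and a
# constructed decoy inventory; a real deployment would feed both from a flow
# collector and the deception platform's decoy list.
from collections import defaultdict
from datetime import datetime

# Constructed decoy inventory: addresses no production system should ever contact.
DECOYS = {
    "10.0.5.20": "fake file server seeded with fake PII",
    "10.0.5.21": "fake HR database",
    "10.0.5.22": "fake domain controller",
}

# Constructed sample flows: benign traffic plus a slow sweep of the decoys.
SAMPLE_LOG = """\
2016-05-10T09:00:01 10.0.1.15 10.0.2.40 443
2016-05-10T09:02:17 10.0.1.15 10.0.5.20 445
2016-05-10T10:31:05 10.0.1.15 10.0.5.21 1433
2016-05-10T12:58:44 10.0.1.15 10.0.5.22 389
2016-05-10T13:00:00 10.0.1.99 10.0.2.40 80
"""

def parse_flow(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_decoy_touches(log_text, decoys=DECOYS):
    """One alert per flow whose destination is a decoy. Decoys have no legitimate
    clients, so a single flow is a high-confidence alert with no signature or
    rate threshold that standard tools or slow scans could slip under."""
    alerts = []
    for line in log_text.splitlines():
        ts, src, dst, port = parse_flow(line)
        if dst in decoys:
            alerts.append({"time": ts, "source": src, "decoy": dst,
                           "port": port, "role": decoys[dst]})
    return alerts

def summarise_by_source(alerts):
    """Group alerts per source host: one host touching several decoys over
    hours is sweeping the decoy layer, i.e. lateral movement, however slow."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["source"]].append(a)
    return {src: {"decoys_touched": sorted({a["decoy"] for a in hits}),
                  "first_seen": min(a["time"] for a in hits),
                  "last_seen": max(a["time"] for a in hits)}
            for src, hits in by_src.items()}
```

Each summary entry is the evidence an incident responder wants first: which host, which decoys, and over what window.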
With fines (and associated reputational damage) of these magnitudes, surely a change in the way we consider security is warranted? Rather than attempting to secure an ever-permeable perimeter or persevering with endpoint solutions that are increasingly ineffective, why not consider a pragmatic acknowledgement that when attackers DO get access to your infrastructure they must be swiftly identified and even more swiftly dispatched? This is how you secure your customers’ personal data, and secure your position against a fine that could constitute 4% of your revenue!