148 million consumers were affected by the Equifax Data Breach in 2017, more than half of all American adults. The US House of Representatives recently published an extensive report that allows the public to see what happened throughout the attack step by step, the techniques the attackers used to penetrate, move laterally, and gain access to valuable information, and how they managed to achieve this without being detected. Significantly, the report discusses what could have been done to prevent the extent of the damage. So, what went wrong for Equifax?
Two Missing Security Protocols that Could Have Stopped the Breach
With a breach of this scale, it would be easy to assume that the attackers used a complex attack pattern or took advantage of a new vulnerability that flew under the public radar. Interestingly, the committee outlines basic steps that Equifax failed to put into place that could have prevented the breach and limited its impact.
In particular, the report mentions “the company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation” as an insight into how Equifax “allowed the attackers to access and remove large amounts of data.” Without these in place, the attack lasted 76 days, and attackers were able to use the unprotected credentials they found to access 48 additional databases. The attack was only stopped because the company updated an expired security certificate, one of more than 300 they had failed to update.
The limitations of Equifax’s security protocol were not due to a lack of in-depth tools or the company failing to upgrade to the latest expensive or cutting-edge technology. Many weaknesses could have been improved or even solved with security measures that are often cited by various industry standards and cybersecurity experts.
Below, you can see an informative pyramid by Gartner that details the protection controls that an enterprise needs when handling cloud workloads in a dynamic environment. The top point of the pyramid references what Gartner refer to as less critical technology, and as the pyramid widens, the tools become increasingly essential as a foundation for cloud workload protection.
The “optional” top section includes Antivirus and deception tools. The middle section contains controls that are often included outside of cloud workload protection, such as encryption and monitoring. The bottom section is the most essential, and Gartner goes as far as to label these tools core server protection strategies, foundational to a cloud workload environment. System integrity monitoring, vulnerability management, and segmentation and application control all play central roles in this category.
It’s not only Gartner who considers these controls essential. When it comes to protecting valuable customer information and achieving regulatory compliance, organizations such as PCI-DSS and SWIFT recommend the same basic steps. For financial information, PCI-DSS regulations enforce file integrity monitoring on your Cardholder Data Environment itself, to examine the way that files change, establish the origin of such changes, and determine if they are suspicious in nature. SWIFT regulations require customers to “Restrict internet access and protect critical systems from the general IT environment” as well as encourage companies to implement internal segmentation within each secure zone to further reduce the attack surface.
Equifax’s lack of a well implemented segmentation strategy allowed attackers to gain access to additional databases that contained Personally Identifiable Information. Without drawing attention to their activity, these hackers managed to access and remove large amounts of data held in dozens of different databases.
It’s not a coincidence that the same steps to mitigate these threats are suggested so widely- from industry experts like Gartner analysts to regulatory authorities such as SWIFT and PCI. Vulnerability management and system hardening reduce the risk of being breached in the first place, while segmentation limits the impact that a breach could have if successful.
Similar recommendations are coming from all directions. Implementing these basic steps significantly and measurably reduces the risk to protect your data center, starting with your business’s most critical assets.
The real question is, why aren’t businesses putting these steps into place?
One answer is the growing complexity of IT environments. Take the SWIFT regulations for example. Even identifying the assets that belong in a secure zone can be tough in a large financial institution that may have hundreds of components to track. Some of these are physical, while others might be virtual. They are increasingly hosted on varying kinds of architecture and could be spread across different locations and teams. Gaining visibility of an increasingly complex and dynamic ecosystem is a must before you can put any policy or controls into place, and yet the visibility itself can be a sticking point for many businesses, even before they start considering smart segmentation strategy.
At Guardicore, we recognize how important it is to put these foundational controls in place, making it harder for attackers to gain entry to your environment and reducing the impact of an attack, limiting dwell time to minutes rather than days. That’s why we start with visibility, making it easier to enforce policy in the right places. A clear map of every asset and its dependencies allows businesses to create secure boundaries, track communication within the data center, as well as identify flows between the data center and the rest of the network.
Circling Back to Equifax
It’s unlikely that the Equifax team were not aware of the benefits of these controls. As we’ve seen, these protocols are recommended by experts and even required for various types of compliance. However, knowing is one thing and implementing is another. These steps are some of the first suggestions we put on the roadmap as we partner with new customers, but we’re often met with trepidation. They tell us for example that their past experiences with traditional segmentation tools have shown them to be slow and expensive, and it’s difficult to know where to start.
Guardicore Centra has evolved to tackle this challenge head on, moving away from traditional segmentation methods to provide microsegmentation that provides foundational visibility and shows quick time to value. Our customers benefit from early wins like protecting critical assets or achieving regulatory compliance, avoiding the trap of “all or nothing segmentation” that can happen when competitors do not implement a phased approach.
Our expertise allows enterprises to build this contextually superior phased approach to microsegmentation. Risk reduction is one essential element, but at Guardicore we offer a whole package solution that includes breach detection and incident response, too, strengthening overall security posture.
Micro-segmentation is not a luxury for the few. Anyone can now implement the basic security measures needed to stay protected, shield themselves from obvious security gaps, and prevent attackers from gaining unchecked access to sensitive information in a hybrid IT environment.
Interested in hearing more? Get in touch for a demo.
Want to learn more about operationalizing microsegmentation for quick time to value?