A Review of the Nine Worst U.S. Data Breaches Reveals the One Common Element that Led to Disaster
In this blog article, we reviewed nine of the most notorious U.S. data breaches using the details now available. The review revealed one common element that let the damage grow as large as it did: the attacks were not detected while they were active on the internal networks. Below, we review each data breach and the circumstances that led to the loss, and describe how a new approach can improve network visibility, allowing faster incident response and the ability to stop attacks quickly.
Before we get started with the data breach review, let’s take a moment to discuss what we mean by an internal network. It’s easy to think of a network as only what’s inside your premises, what’s onsite, and in your immediate control.
However, in today’s business environment, it’s not that simple. Organizations rely on a mix of different technologies that extend beyond what’s on-premises, like instances within the public cloud and off-site hosted data centers.
In addition, within your internal network, there is the extra consideration of VM-to-VM and container-to-container connections, which create high volumes of lateral east-west flows alongside the data flows that travel in and out through firewalls to the Internet. Getting a handle on all of the east-west traffic patterns, and so understanding what is happening inside an expansive hybrid internal network, has become a difficult and, unfortunately, often overlooked challenge.
Why is this? Most widely used security tools focus on north-south data and perimeter protection, even though only about 20% of threats are discovered that way (see the Forrester figures below). The remainder get inside the network and often go undetected, which is exactly why true internal network visibility matters.
The Equifax Breach
With that in mind, let’s start with one of the most damaging data breaches. In 2017, Equifax suffered a web application compromise that gave intruders a foothold in the network and, ultimately, access to the personal information of what was first reported as 143 million U.S. consumers (later revised to about 147 million).
The company failed to patch an Apache Struts vulnerability (CVE-2017-5638, disclosed in March 2017) on a consumer-facing web application. The attackers exploited it in May 2017 and used that server as their access point. From there they moved across the internal network, reached the databases holding the collected consumer data, and exfiltrated it for roughly two and a half months, until the intrusion was discovered at the end of July, all undetected.
The Equifax example highlights an important lesson. The industry assumption to date is that you will find and fix every vulnerability before any attacker does, and do so flawlessly. Equifax had invested heavily in tools, people, and processes; however, these efforts were not focused on monitoring the internal network to find threats once they got in or to identify the resulting data exfiltration. The breach had significant consequences for Equifax beyond the expected loss of consumer confidence and a tarnished reputation: a settlement with the FTC, the CFPB and the states of up to $700M, and an outlook downgrade from Moody’s that cited the breach.
Unfortunately, Equifax is not alone. Many of the most infamous breaches were the result of threats missed on internal networks, which allowed attackers to access and then exfiltrate massive amounts of data over long periods, undetected.
How was this possible? According to Forrester Research, up to 90% of today’s cybersecurity budgets are still spent on perimeter measures that watch north-south traffic, yet only 20% of network threats are discovered this way. The remaining 80% appear on organizations’ internal networks and are either missed entirely or found too late to prevent massive data loss.
Our assertion is that with better internal network visibility, meaning monitoring of, and the ability to control, specific east-west traffic conversations in addition to perimeter activity, breaches like Equifax can be minimized or even avoided entirely.
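To make the north-south versus east-west distinction above concrete, and to show the two things an east-west monitor would have had to notice in the Equifax narrative (a web-tier host opening a path to the data tier that it never used before, and sustained outbound volume to one external host far above that host’s normal level), here is a small flow monitor. It is an added example written for this article, not ARIA’s code or a description of how its product works; the hosts, addresses (TEST-NET ranges), roles, flow records and thresholds are all constructed for illustration.

```python
"""
Added example, not ARIA's code or product logic: a minimal east-west flow
monitor. It learns a baseline of internal paths and outbound volume, then
flags (1) never-before-seen east-west paths and (2) sustained exfiltration
to one external destination. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Assumption: internal space is RFC 1918 only. Substitute your real ranges;
# ipaddress.is_private would also treat the TEST-NET sample addresses as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    day: int        # day index since monitoring began (constructed)
    src: str        # initiator of the connection
    dst: str        # responder
    dport: int
    bytes_out: int  # bytes the initiator sent


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """east-west when both endpoints are internal, north-south otherwise."""
    both_internal = is_internal(flow.src) and is_internal(flow.dst)
    return "east-west" if both_internal else "north-south"


def build_baseline(flows: List[Flow], baseline_days: int):
    """Learn which internal (src, dst, dport) paths exist and each internal
    source's busiest single day of outbound bytes to the Internet."""
    paths: Set[Tuple[str, str, int]] = set()
    daily_out: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.day >= baseline_days:
            continue
        if direction(f) == "east-west":
            paths.add((f.src, f.dst, f.dport))
        elif is_internal(f.src):            # internal host talking outward
            daily_out[f.src][f.day] += f.bytes_out
    peak_out = {src: max(days.values()) for src, days in daily_out.items()}
    return paths, peak_out


def detect(flows: List[Flow], baseline_days: int, growth_factor: int = 5,
           min_days: int = 3, floor_bytes: int = 1_000_000) -> List[tuple]:
    """Return alerts for new east-west paths and sustained outbound volume."""
    paths, peak_out = build_baseline(flows, baseline_days)
    alerts: List[tuple] = []
    already_alerted: Set[Tuple[str, str, int]] = set()
    ext_daily: Dict[Tuple[str, str], Dict[int, int]] = defaultdict(lambda: defaultdict(int))

    for f in flows:
        if f.day < baseline_days:
            continue
        if direction(f) == "east-west":
            key = (f.src, f.dst, f.dport)
            if key not in paths and key not in already_alerted:
                already_alerted.add(key)
                alerts.append(("new-east-west-path", f.src, f.dst, f.dport, f.day))
        elif is_internal(f.src):
            ext_daily[(f.src, f.dst)][f.day] += f.bytes_out

    for (src, dst), days in ext_daily.items():
        # A host with no outbound history gets the floor rather than a zero limit.
        limit = max(peak_out.get(src, 0) * growth_factor, floor_bytes)
        heavy_days = [d for d, b in days.items() if b > limit]
        if len(heavy_days) >= min_days:
            alerts.append(("sustained-exfil", src, dst, sum(days.values()), len(heavy_days)))
    return alerts


# Constructed three-tier environment: web -> app -> db, plus a software mirror.
WEB, APP, DB = "10.0.1.10", "10.0.2.20", "10.0.3.30"
UPDATE_MIRROR, ATTACKER = "198.51.100.10", "203.0.113.7"

SAMPLE_FLOWS: List[Flow] = []
for day in range(14):                      # normal pattern, every day
    SAMPLE_FLOWS += [
        Flow(day, WEB, APP, 8443, 5_000_000),
        Flow(day, APP, DB, 5432, 20_000_000),
        Flow(day, WEB, UPDATE_MIRROR, 443, 1_500_000),
    ]
# After the baseline week: the web tier reaches the database directly, then
# ships data to one external host every day, low enough to hide in totals.
SAMPLE_FLOWS.append(Flow(7, WEB, DB, 5432, 300_000_000))
for day in range(8, 14):
    SAMPLE_FLOWS.append(Flow(day, WEB, ATTACKER, 443, 40_000_000))

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS, baseline_days=7):
        print(alert)
```

Two alerts come out: the new web-to-database path on day 7, and six consecutive days of outbound traffic to the one external host. Note what the perimeter alone sees: port 443 to the Internet from a web server that already talks to the Internet every day, which is why the east-west path and the per-destination baseline are both needed to make the pattern visible.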
Additional High-Profile Breaches
Consider these other high-profile data breach events that might have had different outcomes with a better solution.
Gain missing internal network visibility needed for effective Incident Response
As we have shown with just a few examples, being truly effective at finding, verifying, and stopping cyber attacks requires complete visibility into all your network traffic, north-south and east-west. Yet, as we have also illustrated, this is not an easy feat given the east-west communication paths that span public cloud, data center, and on-premises data and application stores.
But given the weighty investment that organizations have already made, any solution to this problem should easily fit with your existing security processes and strategic tools.
Our ARIA Software-defined Security (SDS) was designed to monitor the internal network, an ever-expanding attack surface, allowing quick detection and a means to stop attacks. It also provides a simple way to extend your existing SOC processes while leveraging the tools you already have, through transparent integrations with SIEMs and IDS/IPS.
The ARIA solution has fully open APIs, allowing it to be controlled through scripts or playbooks within SOARs. This gives organizations the ability to orchestrate and automate the security and protection of high-value assets across the entire enterprise. ARIA’s enhanced visibility into east-west and north-south network traffic provides better, more complete insight into your network, allowing you to find, within minutes, threats that are normally missed, and to stop them before significant harm is done.
With ARIA SDS, organizations gain a clear advantage in cyberattack preparedness. Our solution gives you all you need to:
Learn why ARIA SDS has become critical to mitigating potential threats in fluid east-west communication paths.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate data breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.