As we look for details about the recent Anthem breach, one question arises: are we spending our time and efforts on the right problem?
If we analyze the few details coming out of the Anthem breach, one becomes VERY obvious to me – risky access. I’m not talking about the access that our foes have to our physical access points or the virtual access they reach via the Internet. I’m talking about the accounts and access entitlements we issue on an hourly basis; the access required to keep our business running.
There are many discussions about how to detect malware, how things fit into the “Kill Chain” and numerous vendors banging on your door to talk about the latest hacker detection and prevention doodad. In every compromise I’ve studied, it always comes down to the same thing – valid credentials. Even if a system host is compromised by some sort of new (or old) exploit, the perpetrator is using some sort of valid access rights to do his ill will. He will either be happy with the credentials obtained after the exploit and/or he will try to elevate his permissions by going after a more privileged account, such as a system account. One thing is certain, however, he will be using an account that our companies have set up for valid use at one point or another.
In the case of the Anthem attack, it seems that a very observant database administrator discovered that a data query was running using his/her account. The administrator was wise enough to question what he/she saw, immediately stopped the query and notified the Anthem information security group. The subsequent investigation revealed that the logon information for other database administrators was also compromised.
Unfortunately for Anthem, this discovery by the observant database administrator was too late. Reports indicate that these database activities started on or before December 10, 2014 and continued sporadically until January 27, 2015. Reporting has disclosed that an estimated 80 million sensitive records of current and former customers were compromised. This is just the tip of the iceberg, and as the investigation continues, I’m confident that it will become apparent that the period of malicious behavior was greater, and broader.
Anthem is a huge organization by any measure. They currently operate under both the Anthem name and Blue Cross/Blue Shield brand in 14 states. One can assume that they have a very mature and sophisticated security infrastructure and operation. With their investments in privacy protection, network security and compliance, how could this have happened?
The answer is the same for Anthem as it is with many organizations. Most large companies have sophisticated security groups doing great things. Unfortunately, many seem to live in silos and operate independently, including the data and systems for which each organization is responsible. This is especially true for the group that is responsible for protecting the keys to the kingdom – access.
An approach worth considering is to automatically correlate all of the data sources and logging already in place into a centralized location, rather than leaving them in independent silos. A key pivot point should be correlated account data. In any organization, a particular user will have many accounts and IDs with which they perform critical business functions. Is your organization aggregating all of your account data in one place? For example, a user has remote access to your enterprise network, an email account, transactional systems, file shares and many other systems. Should we be looking at this one pixel at a time, or should we be looking at the entire picture? Most enterprises are fixated on pixels.
With the technologies available to analyze big data, we should be moving to a user- and access-centric paradigm to analyze what is really going on within our enterprise infrastructure. I’m not saying we shouldn’t worry about the latest malware hash, signature or attack vector. Of course, it’s still our job to find the latest threat and protect our companies from it. However, I think we should start putting our focus on the focus of our enemy – access. What if Anthem had been able to correlate all activities of all the accounts that the observant database administrator had? They could have then created a behavioral baseline of what the administrator typically does. They would also have been able to determine if that user was doing anything outside of the norms. In addition, they would have even been able to compare that associate’s activities to other associates like them. Why? Because they have the data!
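The correlation described above, as an added example that is not part of the original post and not code from Anthem: log lines from three silos (VPN, email, database) are mapped to one person through a constructed identity map, a per-user baseline of working hours, sources used and query volume is built from a history period, and each new event is compared both to that user's own baseline and to peers in the same role. The identity map, role table, log format and all log lines are constructed for the example; the thresholds (three standard deviations above the user's own mean, three times the peers' largest query) are assumptions, not values from the post.

```python
"""Correlate multi-silo account activity to one person and flag departures from that person's baseline."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed identity map (hypothetical): each silo's account ID resolved to one person.
IDENTITY_MAP = {
    "vpn:jdoe": "jane.doe", "mail:jane.doe@example.com": "jane.doe", "db:JDOE_DBA": "jane.doe",
    "vpn:rroe": "rick.roe", "mail:rick.roe@example.com": "rick.roe", "db:RROE_DBA": "rick.roe",
}
# Constructed role table used for the peer comparison.
ROLES = {"jane.doe": "dba", "rick.roe": "dba"}

# Constructed log lines: "source|account|ISO timestamp|rows returned" (rows is 0 for non-DB events).
HISTORY_LOG = [
    "vpn|jdoe|2014-11-03T08:02:00|0",
    "mail|jane.doe@example.com|2014-11-03T09:10:00|0",
    "db|JDOE_DBA|2014-11-03T10:15:00|120",
    "db|JDOE_DBA|2014-11-04T14:40:00|250",
    "db|JDOE_DBA|2014-11-05T16:05:00|180",
    "vpn|rroe|2014-11-03T08:20:00|0",
    "db|RROE_DBA|2014-11-03T10:30:00|140",
    "db|RROE_DBA|2014-11-04T11:00:00|210",
    "db|RROE_DBA|2014-11-05T15:45:00|190",
]
RECENT_LOG = [
    "db|JDOE_DBA|2015-01-15T02:13:00|5000000",   # DBA account querying at 02:13, far more rows than usual
    "db|RROE_DBA|2015-01-15T10:05:00|200",       # ordinary query inside the peer's baseline
    "vpn|jdoe|2015-01-15T08:01:00|0",            # ordinary morning VPN login
]


def resolve(source, account):
    """Map a silo-specific account ID to the person behind it; unknown IDs stay visibly unmapped."""
    return IDENTITY_MAP.get(f"{source}:{account}", f"unmapped:{source}:{account}")


def parse(line):
    """Parse one constructed log line into an event keyed by the resolved person."""
    source, account, ts, rows = line.split("|")
    return {"source": source, "account": account, "user": resolve(source, account),
            "ts": datetime.fromisoformat(ts), "rows": int(rows)}


def build_baseline(events):
    """Per person: hours of day seen, silos used, and row counts of past DB queries."""
    base = defaultdict(lambda: {"hours": set(), "sources": set(), "rows": []})
    for e in events:
        b = base[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["sources"].add(e["source"])
        if e["source"] == "db":
            b["rows"].append(e["rows"])
    return base


def flag(event, baseline, peers):
    """Return the reasons an event departs from the person's own baseline or from role peers."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if event["ts"].hour not in b["hours"]:
        reasons.append("unusual hour")
    if event["source"] not in b["sources"]:
        reasons.append("unused source")
    if event["source"] == "db" and b["rows"]:
        mu, sd = mean(b["rows"]), pstdev(b["rows"])
        if event["rows"] > mu + 3 * max(sd, 1.0):          # assumed threshold: 3 sigma above own mean
            reasons.append("query volume above own baseline")
        peer_rows = [r for p in peers for r in baseline[p]["rows"]]
        if peer_rows and event["rows"] > 3 * max(peer_rows):  # assumed threshold: 3x the peers' largest query
            reasons.append("query volume far above peers")
    return reasons


def analyze(history_lines, recent_lines, roles):
    """Baseline from history, then alert on recent events; returns {person: [(time, source, reasons)]}."""
    baseline = build_baseline(parse(l) for l in history_lines)
    alerts = {}
    for e in (parse(l) for l in recent_lines):
        role = roles.get(e["user"])
        peers = [u for u, r in roles.items() if r == role and u != e["user"]]
        reasons = flag(e, baseline, peers)
        if reasons:
            alerts.setdefault(e["user"], []).append((e["ts"].isoformat(), e["source"], reasons))
    return alerts


if __name__ == "__main__":
    for user, hits in analyze(HISTORY_LOG, RECENT_LOG, ROLES).items():
        for ts, source, reasons in hits:
            print(f"{user} {ts} [{source}]: {', '.join(reasons)}")
```

Viewed one silo at a time, the database log shows only an account name that is entitled to run queries; it is the join to a person and to that person's history across the other silos that makes the 02:13 event stand out.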
In the end, we need to stop looking at individual pixels of the “Big Picture” and look at everything as a whole. The best way to do that is by correlating activity to access.