OPM Breach Highlights Need for Continuous & Contemporary Security
So I watch CNN every night at least for a few minutes. No idea why. I’ll just go with habit.
Last night the lead story on Anderson Cooper 360 was the FBI’s investigation of an attack on the U.S. Government’s Office of Personnel Management (OPM). As a result of this attack it is believed that personal data on 4 million current and former federal employees was stolen. Not coincidentally, this is the lead news story we are all waking up to today.
There’s going to be a lot of blog action on this topic today. Many of these blogs are going to sound like a broken record.
“It’s not if but when!” and “Legacy signature based solutions are inadequate!” -- Both of which are true by the way.
“It’s China!” and “No it’s [enter other suspected bad guy here]!” -- Not sure it really matters.
Here’s what I consider the most important things to think about in light of the latest OPM attack:
- Security requires a “continuous” mentality. Attacks are continuous not episodic. The OPM experienced a breach in March of 2014 and a year later it’s dealing with another breach. Sally Beauty Supply was breached in 2014 and recently experienced another breach. Get the picture?
- Continuous monitoring is critical. Continuous attacks require continuous monitoring. Frankly, I think continuous monitoring is widely accepted at this point, with many organizations investing significant dollars in detection solutions, SIEMs, etc.
- Deploying more contemporary security solutions can help. It’s become clear that in order to gain increased visibility into environments and detect today’s threats, organizations need to deploy more contemporary detection solutions and security analytics capabilities. In the case of OPM, following its March 2014 breach, it undertook “an aggressive effort to update its cybersecurity posture adding numerous tools and capabilities to its networks.” With respect to the recent breach, a DHS official indicated that the “good news” was that OPM discovered the breach using the new tools. This is a real-world example demonstrating the benefits of deploying new tools, IMO.
- Invest more in response and shift the mindset to continuous response. If attacks are continuous and we are continuously monitoring, then the next logical step is to adopt a continuous approach to response. I think the first step in this journey is for organizations to invest more in response, period: people, process, and technology. The response mindset also needs to change. Historically, response has been episodic or event-driven (“I’ve been attacked. Do something!”). This mindset needs to shift to continuous response (“I’m getting attacked all the time. Do something!”). A key ingredient to enable continuous incident response will be the increasing use of automation. Why? Automation is required to keep up with attackers who are leveraging automation to attack. It’s also required to address a key challenge that large and small companies face: the significant cybersecurity skills shortage.
I’ve recently given presentations on Security Automation & Orchestration at an ISSA event in Chicago and yesterday at the Southeastern Cybersecurity Summit in Huntsville, Alabama. These presentations drew significant interest and were well received. So much so that I’m planning on doing a future webinar on this topic (that is, if my Director of Marketing will let me! :) ).
In the meantime, if you’re interested in automated response join us for an upcoming webinar I’m hosting with Forrester Research Analyst John Kindervag.
“Rules of Engagement – A Call to Action to Automate Breach Response.”
June 24, 2015
1pm ET
Register here: https://www.hexiscyber.com/documents/rules-engagement