Posted by Rick Holland on March 14, 2014
Yesterday, Bloomberg Businessweek ran a story providing some alarming details on the Target breach. The article, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” didn’t paint a pretty picture of Target’s response.
Some of the highlights in case you haven't read it yet:
- Six months before the incident, Target invested $1.6 million in FireEye technology.
- Target had a team of security specialists in Bangalore monitoring the environment.
- On Saturday November 30, FireEye identified and alerted on the exfiltration malware. By all accounts this wasn't sophisticated malware; the article states that even Symantec Endpoint Protection detected it.
- "The breach could have been stopped there without human intervention." I'm not sure that I agree with this statement. The journalist doesn't mention what FireEye technology was deployed, but I suspect it was the NX platform that focuses on web-based malware. The NX can be deployed: out-of-band via a TAP/SPAN, in-line monitoring, or in-line active blocking. This was a new deployment, so the chances that the solution was deployed in-line for active blocking or leveraging TCP resets for out-of-band blocking are small. The article even states that "It’s possible that FireEye was still viewed with some skepticism by its minders." If they were skeptical of the solution, I doubt it was doing any automated response. In my experience, customers don't typically deploy these types of solutions in-line. FireEye tells me that they have a significant amount of customers who deploy the NX platform in-line, but I personally haven't observed that over the past four years of selling (as a sales engineer) and covering FireEye.
- Analysts in Bangalore got the alert and then flagged the security team in Minneapolis.
- The Minneapolis Security Operations Center "did nothing."
- The article states, "The security system sent out more alerts, each the most urgent on FireEye’s graded scale." More alerts don't always result in action. How many other alerts were SOC analysts getting? Depending on the FireEye deployment, the solution's alerts could've been overwhelming by themselves. Then if you consider the aggregated alerting from Target's entire infrastructure, these alerts could have been lost in the noise.
- Hindsight is 20/20. There is no doubt that Target had catastrophic failures. It's easy to look back upon what happened and armchair-quarterback the situation. The pragmatic reality is that technology alone won't magically save your organization. If you don't have the right people/process/oversight around initiatives, they won't be successful.
Vendors who live in glass houses shouldn't throw stones. It didn't take long; I've already started hearing FireEye competitors speaking out against their competitor's role in the Target breach. As I mentioned above, this wasn't a technology failure: FireEye detected the malware. This was a people/process/oversight failure. In some respects, this reminds me of Bit9's "operational oversight" breach. I blogged about this last year and made the comment that Bit9's operational oversight, was an operational reality for most organizations out there. So if you are a FireEye competitor with a similar technology that would be deployed in the same manner, chances are your technology would've suffered from the same operational oversight. Furthermore, as an analyst, I'm not encouraged when I hear competitors demeaning other vendors. I don't want to hear trash talking; you're not wrestlers, and this isn't the WWE. Talk to me about how you differentiate; don't chase your competition, disrupt the entire space with a new novel approach.
Image source: WWE