How to turn data breaches into an event, not a disaster

The hacker attack on Sony Pictures Entertainment changed the way companies think about security. Now it’s time to develop a true defence-in-depth strategy


It’s been less than a year since the most devastating hack in corporate history, where hackers took down Sony Pictures Entertainment. They stole information, destroyed servers and released sensitive emails and data, including major motion pictures, which rendered Sony inert.

In a recent article in Harvard Business Review, Sony Pictures’ CEO Michael Lynton talks about the fallout from the hack, which is presumed to have originated in North Korea in retaliation for the movie The Interview.

So what did Sony learn? “There’s the fundamental issue of what should or shouldn’t be up on the network,” he told HBR, adding that the FBI said 90 per cent of companies would have been unable to withstand the attack.

Perhaps only the FBI knows for sure what actually happened, because the information has never been made public — and it’s generally not a good idea to base your security strategy on hearsay. What we can learn from this, though, is that your perimeter will likely be breached at some point.

There is an arms race of sorts underway between those who seek to cause harm and embarrassment, and those charged with securing the enterprise from malicious attacks.

One of the next-generation defences is encrypting critical data with a private key, held by the organization, that remains compatible with external cloud apps. Even if the cloud is compromised, your data is safe. Even if the encryption technology itself is compromised, your data is still safe and you can sleep easy at night.

Additionally, new technology is available to uncover anomalies in an IT environment that pose threats to your sensitive data. Machine learning or behavioural learning is being deployed to detect malicious activity unique to your network, applications and users. These activities may, in fact, look and act like malicious insiders but may actually be external threat actors taking control of insider workstations and their users’ identities.

Any document that employees download is a risk, including PDFs. People tend to think documents and PDFs are benign, but they are capable of executing code just like apps. Cloud solutions are available to inspect these documents for “known bad” threats and block malicious downloads. That’s useful not only to those within the enterprise, but also to mobile users who aren’t protected behind enterprise defences.

If it’s “known bad,” you block it; if it’s “known good,” you let it in as per your policies. There are always new (or repackaged) and possibly unknown packages of malware out there, so searching for “known bad” isn’t always going to work. That’s where sandbox technology comes in: if it’s unknown, the download gets dropped in a sandbox where it’s opened and monitored for any malicious behaviour.

But bad actors and cyber criminals know this; there’s malware being architected to detect sandboxes, turning this into a cat-and-mouse game. And it only takes one person with a bit of skill (and plenty of time) to exploit a single security gap in an organization’s defences. This could be a misconfiguration, a missed patch, a “zero day,” a policy violation or some other gap.

If you assume, as the FBI and NSA indicate, an organization will be compromised, you need to protect your sensitive data and turn a breach into an event — not a disaster. This requires a careful and tested approach of people, process and technology that meets the ultimate business goals of the organization and is supported by the senior leadership team.

Sony, for example, says in the article it has built a “white network” that is segregated from its previous “black network.” The company also says it will keep as little information as possible on its active network, while the rest will be encrypted and cut off from the Internet. It will archive emails after a few weeks, require two-step login for employees and control the desktop by banning employees from installing apps that aren’t pre-approved. And it will embrace next-generation cyber-defence strategies.

Of course, technology for technology’s sake is not enough unless you also have a process to turn threat data into relevant, actionable intelligence. Alerts are useless if you aren’t able to act on them. Allstream can help you put those processes in place, so you can stay out of the next hacking headline.
