There are times when major trends intersect. Sometimes they reinforce each other; other times they cancel each other out. In the case of Target’s security problems, there seems to have been a fair amount of interference (to read my earlier Advisor on the Target security breach, see “Cyber Security: Inside and Out”). The FireEye software that was supposed to warn of the kind of exposure that did Target in reacted as it was supposed to: the basic problem was flagged and diagnosed immediately, a warning message was written to one of the security logs, and it was highlighted by analysts at Target’s Bangalore security center. Unfortunately, the critical message was not deemed worthy of immediate action by the central security staff in Minneapolis.
As it turned out, there were multiple reasons that Target’s central security group didn’t follow up on the suspicious activity flagged by FireEye and the Bangalore team. One reason given for not acting was that the central team wanted to manually review all the critical flags. A second reason was that there was such an enormous number of flagged items across all the different security logs that it was difficult to follow up on any but the most important ones in a reasonable time frame. (An interesting insight here is that the FireEye security monitoring software had the capability to act automatically upon finding specific problems, but again, the central team wanted to review this kind of problem. It may also have had something to do with the fact that the original breach was through an HVAC system, which may have seemed unlikely to cause widespread problems.)
So here we have two major trends going head to head: cyber security and big data. On the one hand, big data provided the Target security staff with a lot of data with which to do their job; on the other, the sheer volume of log items obscured the most critical information. This is often the problem with cyber security: too many “false positives.” Security software spews out reams of data every day and the staff has difficulty keeping up. Additionally, there is the problem of repetition. Many log entries look very much alike. As a consequence, even the best analysts have trouble spotting even the most serious entries.
So here we have the most critical problem facing IT managers around the world, cyber security, which is getting worse every day; and we have one of the most powerful tools available in the market for thwarting cyber crime, which, because of technical and organizational difficulties, failed to protect a very large organization from a $100-plus million attack.
The takeaway here is that security groups must increasingly find and deploy more automated ways to spot and, where possible, react automatically to serious problems. (From my discussions with security experts it appears that new open source tools such as Security Onion, which combine and simplify security logs, are getting good reviews.)
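As an added example of the kind of automation the preceding paragraphs call for (this is illustrative code, not the column’s own and not Target’s or FireEye’s tooling): constructed sample alerts are collapsed so that repeated, near-identical entries become one queue item with a count, and severity rather than volume decides the order, so a single critical alert is not buried under a flood of low-severity repeats. The log format, source names, rule names and hosts are all invented for the illustration.

```python
from dataclasses import dataclass

# Constructed sample alert lines (invented for this example):
# "<timestamp> <source> <severity> <rule> <host>"
SAMPLE_LOG = """\
2013-11-30T02:14:05Z fireeye critical malware_detected pos-017
2013-11-30T02:14:06Z ids low port_scan vendor-hvac-01
2013-11-30T02:14:07Z ids low port_scan vendor-hvac-01
2013-11-30T02:14:08Z ids low port_scan vendor-hvac-01
2013-11-30T02:15:00Z av info signature_update ws-221
2013-11-30T02:15:30Z fireeye critical malware_detected pos-018
2013-11-30T02:16:00Z ids medium brute_force vendor-hvac-01
2013-11-30T02:16:01Z ids medium brute_force vendor-hvac-01
"""

SEVERITY_WEIGHT = {"critical": 100, "high": 50, "medium": 20, "low": 5, "info": 0}


@dataclass
class AlertGroup:
    """One queue item: all alerts sharing source, severity, rule and host."""
    source: str
    severity: str
    rule: str
    host: str
    first_seen: str
    last_seen: str = ""
    count: int = 0

    def score(self) -> int:
        # Severity dominates; repetition adds at most 9 points, so thousands of
        # duplicate low-severity entries can never outrank one critical alert.
        return SEVERITY_WEIGHT[self.severity] * 10 + min(self.count, 9)


def triage(log_text: str) -> list[AlertGroup]:
    """Collapse duplicate alerts and return a review queue, most urgent first."""
    groups: dict[tuple, AlertGroup] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, severity, rule, host = line.split()
        key = (source, severity, rule, host)
        if key not in groups:
            groups[key] = AlertGroup(source, severity, rule, host, first_seen=ts)
        groups[key].count += 1
        groups[key].last_seen = ts
    return sorted(groups.values(), key=lambda g: g.score(), reverse=True)


def auto_action_candidates(queue: list[AlertGroup]) -> list[AlertGroup]:
    """Critical items that a policy could hand to an automated response
    instead of waiting for manual review (the decision the column describes)."""
    return [g for g in queue if g.severity == "critical"]


if __name__ == "__main__":
    for g in triage(SAMPLE_LOG):
        print(f"{g.severity:8} {g.source:8} {g.rule:18} {g.host:15} x{g.count}")
```

Running it collapses the eight sample lines into five queue items with the two critical FireEye alerts at the top and the three identical port-scan entries as a single counted line.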
Moreover, organizations must focus increasing amounts of their human resources on intrusions, intrusion detection, and how to create new barriers to the kinds of problems that Target has encountered.