In a year consumed with jaw-dropping breaches of consumer data, 2017 looks like the Year of the Equifax Breach. The risk generated by the well-documented breach spread throughout the consumer financial system, affecting credit card issuers, credit agencies and 143 million consumers. At least two high-level executives at Equifax, the CEO and the CISO, can blame the breach for ending their careers. Their shareholders lost about $3.5 billion in the days after the breach.
If there is a silver lining to the tragedy, it is that business units throughout the world are now painfully aware of the value of measuring risk posture. Improving that risk posture can become a rallying point for executives and employees to all protect their reputations and job security by avoiding security issues. Just as revenue targets rally salespeople, a measured risk posture can focus entire business units and companies on improving it.
In our post-Equifax security world, we expect many new methods, incentives and technologies to enter the spotlight.
At the very least, technologies to detect and remediate vulnerabilities will be valued. Every defensive technology reduces at least one of the likelihood, the duration or the severity (scope) of a breach; endpoint protection helps mitigate all three. We see bolder methods being tried as well, such as crowdsourced penetration testing and other next-gen security techniques.
Each of these technologies represents an evolution and extension of data gathered from instrumented and protected endpoints as well as from deeper in the infrastructure. Penetration testing remains an easy way to shine light on unknown vulnerabilities, although finding talent is always a key hurdle. The two main tester types, red teamers and bug bounty-motivated researchers, bring an additional benefit: their services tend to pull remediation and patch verification along with them. Either or both of those were at fault when Equifax failed to fully and successfully patch a known Apache Struts vulnerability, leading to their data being exfiltrated.
Further, the attackers likely reached their final destination by bypassing inadequate endpoint protection. Undoubtedly Equifax had protections in place on the perimeter and installed on each of their endpoints; those were bypassed. Whether an organization uses next-generation anti-virus (NGAV) or a full endpoint protection platform (EPP), its endpoint detection and response (EDR) can usually be improved. The believed length of exposure at Equifax, months, demonstrated a bevy of failures in process as much as in technology or judgment. Other technologies to watch include ransomware-specific detection and mitigation, deception technology and risk scoring.
Perhaps more important than the technologies themselves will be the organization-wide changes in acknowledging and reducing overall risk posture. Initially, tightening organizational controls to avoid a single-point process failure will be high on enterprise IT analysts’ minds. Equifax’s former CEO Richard Smith delivered a memorable Congressional testimony where he threw a single unnamed person under the bus for a failed update. Security-savvy listeners heard what most didn’t: Equifax had a complete process failure in the way they found and remediated vulnerabilities.
A promising idea that helps align organizations is to link an organization’s measured performance to a live risk posture score or assessment. When performance, bonuses and team reputation are on the line, many more eyes will pay attention to security issues.
While Equifax still stings in many minds, it does open up an opportunity for improvement. With selective use of next-gen security technologies, particularly vulnerability detection and endpoint protection, Equifax might be remembered as the turning point when security started to get better.