Missed FireEye Alerts Reportedly Warned Of Security Lapse At Target
Retail giant Target Corp., still reeling from its massive data security breach late last year, could have avoided the crisis altogether if its security team followed up on alerts generated by a new network security appliance installed months earlier.
The firm's newly installed FireEye network security appliance detected a malware infection in late November. The triggered alert prompted a monitoring team in Bangalore, India, to warn the company's security personnel to investigate a potential incident. Despite the warning, and a second alert triggered by its Symantec endpoint security software, no action was taken, enabling attackers to upload millions of credit and debit cards to a remote server, according to a report in Bloomberg Businessweek.
FireEye partners and other channel solution providers who sell, deploy and maintain network security appliances for their clients, say the issue is a basic problem that has plagued organizations for years. Businesses often don't have the resources to handle a wide variety of alerts generated by their systems. Other firms have teams that followed up on too many false positives, causing investigators to need corroborating evidence of a potential problem before taking a look.
"The security industry is so focused on bringing in new tools and new boxes to address long-standing problems that organizations fail to address the basics," said Rick Doten, chief information security officer at Digital Management Inc., a Bethesda, Md.-based mobility solutions provider. "We've had the same kinds of lapses for years because organizations fail to bring in the people and have the right processes in place to address security incidents."
A study issued in February by the Ponemon Institute found that companies often fail to find the budgeting to add incident responders to the security staff, creating a process gap that can defeat the purpose of new security technologies. Shaq Kahn, CEO of Fremont, Calif.-based security service provider Fortifire, told CRN that while his firm is deploying FireEye and other network security appliances with new capabilities to detect custom malware and other threats, incident response is often an afterthought at organizations. Businesses are often wowed by the alerts detected during a product demonstration, he said.
"This problem has been around forever," Kahn said in a recent interview with CRN. "Breach detection needs some kind of human interaction to follow up on the potential threat."
Minneapolis-based Target is still investigating the massive breach and what could have been done to avoid it. The retailer is said to have a team of at least 300 personnel dedicated to security management at its operations center. It announced plans to launch its own proprietary payment system based on EMV chip card technology in an attempt to thwart future attacks. The company told Wall Street this week that it spent $61 million in expenses related to the breach in its fiscal fourth quarter. Many of the costs, from breach investigation to legal defense, and offering identity theft protection services, were offset by $44 million insurance receivables, the company said. Meanwhile, sales have decreased 2.5 percent in the fourth quarter, the company said.
NEXT: Security Market Complexity Could Be Factor
"During the first half of the fourth quarter, our guest-focused holiday merchandising and marketing plans drove better-than-expected sales. However, results softened meaningfully following our December announcement of a data breach," said Gregg Steinhafel, chairman, president and CEO of Target. "As we plan for the new fiscal year, we will continue to work tirelessly to win back the confidence of our guests and deliver irresistible merchandise and offers, and we are encouraged that sales trends have improved in recent weeks."
FireEye and its recent Mandiant acquisition have gained a lot of attention with its ability to detect threats that have been previously missed by traditional network security appliances, say industry analysts. The company addresses a serious visibility issue, but it is unclear how trends, such as the dissolving corporate network perimeter, will impact its long-term viability, said Peter Firstbrook, a research vice president at Gartner. FireEye's suspicious file analysis technology is also quickly being commoditized by other network security vendors in various forms, Firstbrook said.
"FireEye is the first practical application of network and endpoint working together," Firstbrook said. "We're still in the early days, but definitely the FireEye example is a good connection between the two."
Other solution providers tell CRN that the wide variety of security products on the market can sometimes create complexities that open up weaknesses counter to the initial purpose of increasing network visibility and data protection. The number and scope of network security vendors has grown significantly in recent years, even with a lot of commoditization and acquisition activity, said Justin Smith, president and chief operating officer of Buffalo, N.Y.-based Brite Computers, a firm that specializes in data protection and network security. The firm, which provides services for a wide range of public-sector organizations up to Fortune 500 clients, passed on FireEye, but sells Lancope, ForeScout and McAfee products for network visibility, security incident detection and threat intelligence. Smith, who attended the recent 2014 RSA security conference, said the security market is growing more complex, making service providers more valuable than ever.
"We see value in gaining visibility into network traffic and being able to take that traffic and get a good understanding how it is traveling across the network," Smith said. "We've transformed ourselves into full-blown systems integrators because there is a great need out there for a variety of different services."
PUBLISHED MARCH 14, 2014