Operational security lessons from the Target breach
In the wake of revelations from major retailer Target that attackers compromised its point-of-sale systems and stole credit card data on tens of millions of its customers over a two-to-three week period in the busy holiday shopping season, initial media attention focused on how the attackers gained access to Target's systems and on possible security weaknesses in those systems. Subsequent disclosures by the company revealed that, contrary to early assumptions, Target's corporate network environments were in fact monitored by sophisticated intrusion detection technology. More troubling is that its intrusion detection system produced alerts about potentially malicious activity shortly after the attack began, and that Target security personnel notified the company's management about those alerts, but the alerts were dismissed as not significant enough to warrant an immediate response. While in hindsight the decision not to act is clearly seen as a mistake, company representatives and some security analysts have essentially excused the error as a predictable outcome when security operations teams face a daily barrage of alerts and notifications, many of which turn out to be benign false positives or are judged to have low impact. It is possible that additional configuration or tuning of the FireEye monitoring software that Target uses could have improved the quality of its security team's analysis. But when an organization has the information it needs to identify a security incident and fails to act on it, the problem lies with operational or management controls, and those gaps may be far more significant than any technical ones.
It is difficult to assess the effectiveness of the security monitoring technology specifically implemented and operated by Target. FireEye offers industry-specific monitoring solutions for retail as well as several other sectors, and the company markets its "adaptive defense" approach as a way to reduce false positives and thereby increase a customer's ability to respond to actual incidents. It is important to remember, however, that no intrusion detection system can be fully effective without detailed analysis of the log and alert information it produces. That analysis can be performed by automated or manual methods, often within the broader framework of a security information and event management (SIEM) tool that correlates alerts with context from other sources, such as asset inventories, network zones and identity data. FireEye does perform some types of automated analysis, but it is a threat detection tool, not a SIEM, so it is misleading for anyone at Target to suggest that its security analysts could rely only on whatever information the FireEye tool produced for them. Even if Target saw dozens of daily alerts similar to the one it received for this attack, the fact that this one involved its payment systems should have immediately raised its priority for any retailer: the business impact of the affected asset, not just the vendor-assigned severity, is what should drive escalation.
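The paragraph above argues that alert triage has to weigh the business context of the affected system, not just the detection tool's own severity rating. The following Python is an added example of that idea and is not code from the original article, from Target, or from FireEye; it is a hypothetical SIEM-style enrichment step. The host names, zone assignments, weights and the JSON Lines alert stream are all constructed for illustration. It groups repeated identical alerts so that volume does not hide the important ones, looks up each host in an asset inventory to find its business zone, boosts the score when the same callback destination is seen from more than one zone (a sign the intrusion has spread), and flags anything touching the payment zone for immediate escalation regardless of score.

```python
"""Context-aware alert triage (added example; hypothetical data and rules).

Enriches generic malware/IDS alerts with an asset inventory so that
alerts on payment-zone hosts are escalated rather than buried among
routine notifications. Nothing here reflects any vendor's real output.
"""
import json
from collections import defaultdict

# Constructed asset inventory: hostname -> business zone. Hypothetical.
ASSET_ZONES = {
    "pos-term-0142": "payment",
    "pos-term-0143": "payment",
    "pos-relay-01": "payment",
    "hr-share-02": "corporate",
    "mkt-web-07": "dmz",
}

# Impact weight per zone; payment systems carry the highest weight.
ZONE_WEIGHT = {"payment": 3.0, "dmz": 1.5, "corporate": 1.0}

# Vendor severity is only one input to the final priority.
SEVERITY_WEIGHT = {"minor": 1, "major": 2, "critical": 3}

# Constructed alert stream in JSON Lines form. Timestamps, hosts and
# addresses are illustrative (documentation ranges), not real data.
SAMPLE_ALERTS = """\
{"ts":"2013-11-30T02:14:05Z","host":"hr-share-02","type":"malware.callback","severity":"major","dst":"203.0.113.9"}
{"ts":"2013-11-30T02:14:06Z","host":"hr-share-02","type":"malware.callback","severity":"major","dst":"203.0.113.9"}
{"ts":"2013-11-30T02:15:40Z","host":"mkt-web-07","type":"web.scan","severity":"minor","dst":"198.51.100.7"}
{"ts":"2013-11-30T02:16:12Z","host":"pos-term-0142","type":"malware.binary","severity":"major","dst":null}
{"ts":"2013-11-30T02:16:13Z","host":"pos-term-0143","type":"malware.binary","severity":"major","dst":null}
{"ts":"2013-11-30T02:20:00Z","host":"pos-relay-01","type":"malware.callback","severity":"major","dst":"203.0.113.9"}
"""


def parse_alerts(text):
    """Parse JSON Lines; skip malformed lines instead of aborting triage."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def triage(text, escalate_at=4.0):
    """Group identical alerts, enrich with asset zone, score and rank.

    Returns a list of dicts sorted by descending score (ties by first
    occurrence). An entry is flagged for escalation when the host is in
    the payment zone or its score reaches escalate_at.
    """
    groups = {}
    for a in parse_alerts(text):
        key = (a["host"], a["type"], a.get("dst"))
        g = groups.setdefault(key, {"count": 0, "first": a["ts"], "severity": a["severity"]})
        g["count"] += 1
        if a["ts"] < g["first"]:
            g["first"] = a["ts"]
        # Keep the highest severity seen for the grouped alert.
        if SEVERITY_WEIGHT.get(a["severity"], 0) > SEVERITY_WEIGHT.get(g["severity"], 0):
            g["severity"] = a["severity"]

    # Indicator correlation: a callback destination contacted from more
    # than one zone suggests a single intrusion that has spread.
    zones_by_dst = defaultdict(set)
    for host, _atype, dst in groups:
        if dst:
            zones_by_dst[dst].add(ASSET_ZONES.get(host, "unknown"))

    results = []
    for (host, atype, dst), g in groups.items():
        zone = ASSET_ZONES.get(host, "unknown")
        score = SEVERITY_WEIGHT.get(g["severity"], 1) * ZONE_WEIGHT.get(zone, 1.0)
        spread = bool(dst) and len(zones_by_dst[dst]) > 1
        if spread:
            score += 2.0
        results.append({
            "host": host, "zone": zone, "type": atype, "dst": dst,
            "count": g["count"], "first": g["first"], "score": score,
            "spread": spread,
            "escalate": zone == "payment" or score >= escalate_at,
        })
    results.sort(key=lambda r: (-r["score"], r["first"]))
    return results


def escalation_queue(results):
    """Only the entries an on-call analyst must look at now."""
    return [r for r in results if r["escalate"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        flag = "ESCALATE" if r["escalate"] else "queue"
        print(f"{r['score']:4.1f} {flag:8} {r['zone']:9} {r['host']:14} "
              f"{r['type']:16} x{r['count']} spread={r['spread']}")
```

Run as a script, the two repeated corporate callbacks collapse into one entry, the three payment-zone alerts rise to the top, and the corporate callback is escalated anyway because its destination also appears from the payment zone. The point is not the specific weights but that the asset inventory and cross-zone correlation, not the vendor's severity label, decide what gets escalated.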
Equally unclear is how operational security is actually managed at Target. In management and security circles alike, much has been made of the fact that prior to the breach Target had no chief information security officer, raising questions of accountability and highlighting the problems that can arise when risk decisions are made in a decentralized way with no single owner. Whatever shortcomings may exist in Target's global security monitoring, the massive credit card data theft and the fact that it continued for nearly three weeks suggest substantial room for improvement in incident response procedures, in particular in who is empowered to declare an incident and act on an alert. At a more purely administrative level, Target is almost certainly revisiting the ways in which it provisions, scopes and monitors network access credentials issued to third parties, since in this case the attackers' initial point of entry was through one of Target's external vendors.