Target Missed Bull's-Eye in Data Breach
Target is going through a painful hindsight exercise, examining its security systems and procedures to determine what allowed hackers to penetrate its customer database and purloin millions of records. The company acknowledges that its security team decided to ignore alerts that a breach was taking place, but with large businesses like Target, it seems false positives are all-too-common.
03/14/14 6:44 AM PT
Target acknowledged Thursday that it put on a back burner information that, left unacted upon, led to the compromise of more than 100 million customer records and will cost the company millions of dollars in losses.
"Like any large company, each week at Target there are a vast number of technical events that take place and are logged," said Target spokesperson Molly Snyder.
"Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team," she continued.
"That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up," Snyder said. "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
During a data breach that lasted from Nov. 27 to Dec. 18 last year, cybercriminals clipped 40 million payment card numbers and 70 million customer records containing personal information from the retailer.
In the quarter that ended in December, Target reported expenses related to the breach to be US$61 million, but that number is expected to balloon, especially as the retailer starts settling the more than 80 lawsuits filed against it because of the break-in.
Target issued its statement after Bloomberg Businessweek reported that on Nov. 30 and Dec. 2, the company was alerted to the cyberattack on its systems by a security team in Bangalore, India. A tool made by FireEye, which runs a global network designed to protect companies from Internet threats, had triggered the alerts.
The warnings went unheeded, according to Bloomberg. If the company had taken action, the number of records compromised in the breach could have been reduced.
The FireEye system has an automatic feature that would have deleted the malware behind the breach, but Target had turned off that feature.
Companies often turn off automatic features on security systems because when they're initially installed, they can generate too many false positives and slow down the performance of other systems.
"There would be a significant risk in the beginning if FireEye is not tuned correctly to stop processes that are not malicious," explained Joe Schumacher, a security consultant with Neohapsis.
"What could happen is the whole enterprise at Target could come grinding to a halt because of false positives or software on the system that FireEye thinks is malicious and is not," Schumacher told the E-Commerce Times.
"It would take an organization like Target a long time to roll out a system-wide solution that acted on its own and knew all the facets of the enterprise," he added.
FireEye declined to comment for this story.
Too Much Information
Target's treatment of the early warnings from Bangalore underlines a problem facing all large organizations today.
"More than ever, network administrators, system administrators, security operations personnel have a tremendous amount of security events going on in their systems, and in this case, they also had a third party that is also monitoring their systems and providing them alerts," said JD Sherry, vice president of technology and solutions at Trend Micro.
"So the FireEye alerts on Nov. 30 could have been one of hundreds of thousands of critical alerts that came through their systems," he told the E-Commerce Times.
"Target had a failure in their process, and that's what they're looking at now -- but security professionals today have many, many events that they're evaluating, including a lot of noise being generated by some advanced threat detection system out there," he said.
"It's easy to get lost in the overall noise," Julian Waits, CEO of ThreatTrack, told the E-Commerce Times.
"I can guarantee you that it wasn't only FireEye that detected the problem. There were a myriad of technologies that went off -- but nothing was coordinated around a warning that there was a real issue that you have to respond to instantly," he explained.
Because of the volume of threat information that organizations like Target must assess, security is increasingly becoming a Big Data problem.
"The biggest challenge with security today is with so many alarms going off, how do we identify which alarms are most pressing?" Tal Klein, vice president of marketing for Adallom, told the E-Commerce Times.
"Until we solve determining the severity of alerts in an automatic way," he added, "we should expect to see these kinds of problems keep happening."
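The point Waits and Klein make above, that independent detections were never coordinated into one prioritized warning, is illustrated by the following added example (not code from the article, Target or any vendor named). It corroborates alerts from different sensors that name the same host within a short window and raises the priority when the same host keeps alerting across days, as the Nov. 30 and Dec. 2 warnings did; the host names, sensor names, times and scoring weights are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (time, sensor, host, detail); not real Target data.
SAMPLE_ALERTS = [
    ("2013-11-30 02:10", "fireeye",   "pos-srv-01", "malware.binary"),
    ("2013-11-30 02:12", "antivirus", "pos-srv-01", "heuristic match"),
    ("2013-11-30 03:00", "proxy",     "wks-117",    "blocked category"),
    ("2013-12-02 01:45", "fireeye",   "pos-srv-01", "malware.binary"),
    ("2013-12-02 01:50", "netflow",   "pos-srv-01", "unusual outbound"),
    ("2013-12-02 09:00", "proxy",     "wks-118",    "blocked category"),
]

def parse(alerts):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), s, h, d) for t, s, h, d in alerts]

def score_hosts(alerts, window=timedelta(hours=1)):
    """Return {host: (score, max_distinct_sensors_in_window, distinct_days)}.

    Scoring (an assumption for this example): 10 points per distinct sensor that
    fired on the host inside any one-hour window, plus 5 points for every extra
    day on which the host alerted again. A lone alert from one sensor scores 10.
    """
    by_host = defaultdict(list)
    for t, s, h, d in parse(alerts):
        by_host[h].append((t, s, d))
    result = {}
    for host, events in by_host.items():
        events.sort()
        best = 0
        for t0, _, _ in events:
            # Distinct sensors corroborating within `window` of this alert.
            sensors = {s for t, s, _ in events if t0 <= t <= t0 + window}
            best = max(best, len(sensors))
        days = {t.date() for t, _, _ in events}
        score = best * 10 + (len(days) - 1) * 5
        result[host] = (score, best, len(days))
    return result

def triage(alerts, escalate_at=20):
    """Hosts whose score reaches the escalation threshold, highest first."""
    scored = score_hosts(alerts)
    hot = [h for h, (sc, _, _) in scored.items() if sc >= escalate_at]
    return sorted(hot, key=lambda h: -scored[h][0])

if __name__ == "__main__":
    for host, (score, sensors, days) in score_hosts(SAMPLE_ALERTS).items():
        print(f"{host}: score={score} sensors={sensors} days={days}")
    print("escalate:", triage(SAMPLE_ALERTS))
```

With the constructed data only pos-srv-01 is escalated: two sensors corroborate it on each day and it recurs two days later, while the single proxy hits on other hosts stay in the noise.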