Cyber-Security Teams: No Rest for the Wary

Last April, Charles Schwab & Co. was hit by its first significant security breach when a distributed denial-of-service (DDoS) attack flooded the investment firm’s network with data, rendering its Websites temporarily inoperable.

“It got the attention of the executives,” recalls Jason Lish, vice president of security technology and operations. “They actually saw the impact, and it was a wakeup call. As a result, there was quite a bit of investment made in areas we otherwise wouldn’t have. And we definitely rethought our security strategy.”

A few months later, the Shellshock security bug swept through nearly 2,000 Web domains, executing arbitrary commands and gaining access to secure systems. That was followed by high-profile breaches at JP Morgan Chase and Morgan Stanley in which hackers made off with large hauls of customer information.

Each time, Lish had to reassure Schwab’s board that the company was adequately protected, even though Schwab faced no immediate threat. “Every time there’s a breach anywhere in our industry, I have to react to it,” Lish says.

Welcome to security in the 21st Century. No longer do companies assess their security postures only after they’re hit by a breach. Now they must do so whenever a breach occurs anywhere. In fact, conventional wisdom now dictates that they should be assessing their security strategies on a continual basis because a damaging breach is probably around the corner, if not right next door.

“Companies should be starting from the premise that they’ve already been compromised,” Eric Hanselman, chief analyst at 451 Research, advised via email. “Waiting for a call from the FBI or Visa is a career-limiting strategy.”

The problem, admits Schwab’s Lish, is that without a specific event to deal with, it can be difficult to know where to start. That’s why he cites prioritization as the company’s most persistent security challenge. He and his team have to balance the demands of federal regulators, customers and company executives, all of who have different concerns.

“We get on the bike, and we’re in first gear,” says Lish. “We’re all peddling, but we’re not getting anywhere fast.”

Proactive, Holistic Security

Jim Routh, chief information security officer at health insurance provider Aetna, says today’s breach-heavy landscape dictates that companies approach security proactively and holistically. For example, during a panel discussion at last year’s RSA Security Conference, he said he wanted to act on internal research that indicated that 70 percent of Aetna’s business processes that accessed social security numbers had no need to do so.

A year later, the company now has a formal program in place to correct that issue. “We’re changing our processes to reduce the attack surface by eliminating the use of social security numbers whenever we can,” Routh says.

And that’s just the tip of the iceberg.

Although Aetna hasn’t been hit by a significant breach since 2009, Routh is leaving no stone unturned in an ongoing effort to make sure that trend continues. His team is looking closer at vendor relationships to reduce the chances of an insider threat; he’s monitoring key-performance indicators across the company’s constantly changing security controls on a daily, weekly and monthly basis; and he’s assigning a daily risk score for the enterprise based on anomalies and patterns the company receives from thousands of internal and external security intelligence sources.

That risk score, Routh says, “helps us allocate resources as the threat landscape evolves.”

And when it comes to the constant threat of phishing attacks—the most common method hackers use to obtain credentialed access to systems—Routh no longer relies on binary controls. Instead, he’s using behavioral analytics to map online behaviors against previous patterns. If the analytics engine identifies potential fraud, it then triggers an interruption to the affected business processes.