
The Target Breach and Why Point-in-time Malware Detection Alone Doesn't Work


March 20, 2014

Bloomberg BusinessWeek published an article [i] and video [ii] last week that discussed the details of the now infamous malware attack and data breach that hit U.S. retailer Target over the 2013 holiday season. As a result of the breach, 40 million customer credit cards were compromised and personal information for up to 70 million customers was stolen, constituting the largest retail hack in United States history.

According to Bloomberg, hackers gained access to Target's network and successfully uploaded malware to the network and point-of-sale systems on November 27, 2013. Three days after this initial infiltration, on November 30th, Target's 1.6 million dollar FireEye malware detection software spotted the malware and sent an alert to analysts in Target's security operations center. However, this generic alert, likely sent alongside hundreds of other alerts each day [iii], was not heeded, nor was another generic alert sent on December 2nd. Because the alerts provided no visibility or context into the malware's entry point or behavior, no action was taken, and two weeks passed while the malware continued to pilfer sensitive customer information. Only after federal law enforcement reported suspicious activity did Target look into the matter and finally remove the malware on December 15th.

What are the real lessons we can learn from this failed approach?

Point-in-time detection is not enough and will never be 100%

FireEye missed the initial malware breach: the infected file was never detected coming inbound. Furthermore, FireEye was blind to the malware's activity for three days, until an outbound callback was picked up.

One generic alert in a sea of alerts doesn't help
In response to Bloomberg's article, two security experts who advise organizations in responding to cyber attacks, and who both have experience using FireEye technology, said they believed it was likely that Target's security team received hundreds of such alerts on a daily basis, which would have made it tough to have singled out that threat as being particularly malicious. [iv]

Visibility without context and control is not visibility at all, it's noise

FireEye sends generic point-in-time alerts, the type that security personnel typically don't get excited about because FireEye does not provide much information about those threats. [v] This type of point-in-time alert on its own is simply not enough. To be actionable, that single alert needs to be linked with other indicators and contextual data related to the event, both to highlight the scope of the problem and to give security and incident response teams the control to contain and remediate the threat.

Cisco understands this and offers Advanced Malware Protection (AMP), an integrated set of controls and a continuous security model to detect, confirm, track, analyze and remediate these advanced threats before, during and after an attack.

Detection, monitoring, and tracking beyond the initial point in time

Detecting malware the first time you see it is important, but because of the chameleonic nature of malware and the sophistication of the attackers who deploy it, what really matters is being able to keep analyzing a file and determining its maliciousness beyond the initial point in time at which it is seen. Any enterprise should assume that no detection method is 100% effective. This is why malware protection technology needs to go beyond point-in-time detection and examine a file over a period of time: tracking where it goes, what it does when it gets there, and analyzing that behavior when an initial detection was not possible.

Intelligence correlated with context to raise priority

With Cisco's ability to track and analyze behavior continuously at the file, process and communications level, advanced behavioral indications of compromise can be used to further identify a compromise and to raise the alert priority for security teams, helping them distinguish between noise and what really matters. Because the process is continuous, and not just an enumeration of events, the technology keeps tracking and monitoring the malware even if the initial detection event is ignored. As more information is collected, it snowballs, growing until it becomes too large for security teams to ignore.

Once an alert does reach the level of awareness, it is critical that the events leading up to and following the compromise be analyzed quickly, with the ability to zoom in and out to understand the scope and to answer exactly when, where and how the malware got there. The only way to do that is to continuously capture the information needed for that analysis.

Integrated containment and remediation capabilities

Finally, with the ability to track and analyze continuously, you can use that context and depth of information to surgically contain and remediate the problem without waiting for content or signature updates, and without resorting to a scorched-earth approach that disrupts customers and security staff. Cisco gives you visibility into the scope and root causes, and the ability to pinpoint the problem and remove it without the collateral damage and cost associated with broad-brush removal and remediation.

Although the industry acknowledges that advanced malware attacks require new and innovative solutions to detect and remediate, far too many organizations still focus the entirety of their efforts on point-in-time detection and remediation tools.
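The continuous model described in the two sections above (tracking a file beyond its first sighting so a later verdict can be traced back to where it went, and letting accumulated behavioral indicators raise an alert's priority and drive targeted containment) can be made concrete with a small correlator. The following is an added example written for this page; it is not Cisco AMP code and makes no claim about how AMP scores or stores events. The event kinds, indicator weights, priority thresholds, host names, hash and timeline are all constructed for illustration (the dates loosely follow the article's chronology), and the scoring is a hypothetical per-hash accumulation chosen to show the idea, not a tuned model.

```python
"""Added example: a continuous, per-file-hash correlator (not Cisco AMP code).
A point-in-time alert is recorded as one indicator among several; later
behaviour seen for the same hash (execution, outbound callbacks, appearance on
more hosts) and a retrospective verdict keep raising its priority even when
the first alert was ignored. Sightings recorded before any alert preserve the
entry point, so 'when, where and how' can be answered afterwards."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    kind: str          # file_seen | detection | exec | netconn | verdict
    host: str          # endpoint, gateway or intel source that saw it
    sha256: str
    detail: str = ""   # destination IP for netconn, verdict name for verdict


# Indicator weights and thresholds are assumptions made for this example.
WEIGHTS = {
    "detection": 3,          # a point-in-time alert from a gateway or sandbox
    "exec": 2,               # the file was executed on an endpoint
    "netconn_external": 4,   # it called out to a non-private address
    "lateral_copy": 3,       # the same hash showed up on another endpoint
    "verdict_malicious": 5,  # a retrospective verdict flipped to malicious
}
LEVELS = [(0, "info"), (3, "low"), (6, "medium"), (10, "high"), (15, "critical")]
ENDPOINT_KINDS = {"file_seen", "exec", "netconn"}   # events tied to a host


def priority_label(score: int) -> str:
    """Map an accumulated score to the highest threshold it has reached."""
    label = "info"
    for threshold, name in LEVELS:
        if score >= threshold:
            label = name
    return label


def is_external(ip: str) -> bool:
    """Treat anything outside private/loopback/link-local space as a callback."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


@dataclass
class Trajectory:
    events: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    score: int = 0
    verdict: str = "unknown"


class ContinuousTracker:
    """Keeps state per hash across time instead of emitting isolated alerts."""

    def __init__(self):
        self.files = defaultdict(Trajectory)

    def ingest(self, ev: Event) -> str:
        """Record one event and return the file's current priority label."""
        t = self.files[ev.sha256]
        t.events.append(ev)
        if ev.kind in ENDPOINT_KINDS and ev.host not in t.hosts:
            if t.hosts:                         # a second endpoint means spread
                t.score += WEIGHTS["lateral_copy"]
            t.hosts.add(ev.host)
        if ev.kind == "detection":
            t.score += WEIGHTS["detection"]
        elif ev.kind == "exec":
            t.score += WEIGHTS["exec"]
        elif ev.kind == "netconn" and is_external(ev.detail):
            t.score += WEIGHTS["netconn_external"]
        elif ev.kind == "verdict" and ev.detail == "malicious":
            t.verdict = "malicious"
            t.score += WEIGHTS["verdict_malicious"]
        return priority_label(t.score)

    def entry_point(self, sha256: str):
        """Earliest sighting: answers 'when and where did it get in'."""
        first = min(self.files[sha256].events, key=lambda e: e.ts)
        return first.ts, first.host

    def containment_targets(self, sha256: str) -> list:
        """Endpoints to isolate or clean, taken from the trajectory itself."""
        return sorted(self.files[sha256].hosts)


# Constructed timeline (placeholder hash, host names and callback IP; not
# real telemetry), loosely following the dates reported for the breach.
H = "e3b0c442-example"
SAMPLE = [
    Event(datetime(2013, 11, 27, 2, 0), "file_seen", "pos-0142", H),
    Event(datetime(2013, 11, 27, 2, 5), "file_seen", "pos-0143", H),
    Event(datetime(2013, 11, 30, 9, 10), "detection", "gw-sandbox-1", H, "generic.malware"),
    Event(datetime(2013, 12, 2, 11, 20), "detection", "gw-sandbox-1", H, "generic.malware"),
    Event(datetime(2013, 12, 2, 11, 30), "exec", "pos-0142", H),
    Event(datetime(2013, 12, 2, 11, 31), "netconn", "pos-0142", H, "5.6.7.8"),
    Event(datetime(2013, 12, 12, 16, 0), "verdict", "cloud-intel", H, "malicious"),
]


def run_sample():
    """Feed the constructed timeline and return the priority after each event."""
    tracker = ContinuousTracker()
    labels = [tracker.ingest(ev) for ev in SAMPLE]
    return labels, tracker


if __name__ == "__main__":
    labels, tracker = run_sample()
    for ev, label in zip(SAMPLE, labels):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.kind:<10} {ev.host:<13} -> {label}")
    print("entry point:", tracker.entry_point(H))
    print("contain:", tracker.containment_targets(H))
```

Run as-is, the two gateway detections on their own only reach "medium", which is the kind of alert the article says gets lost among hundreds; the execution and external callback on the same hash push it to "high" and then "critical", and the later verdict change confirms it. Because the early `file_seen` events were retained, `entry_point` still returns the first POS host and time, and `containment_targets` lists exactly the endpoints that carried the file rather than everything on the network.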
To have any chance of effectively defending against modern attacks, the solution must use a continuous model to track file interaction and activity across the network, and combine big data analytics, collective security intelligence and enforcement across networks, endpoints, web and email gateways, virtual systems and mobile devices.

Cisco is the only malware protection vendor that delivers this continuous security model for protection and remediation against the growing scourge of sophisticated malware attacks.

To learn more about Cisco's Advanced Malware Protection (AMP) and other security solutions, refer to the resources here and here, or contact your sales representative. And for a deeper look at our POS retail environment, watch the webinar here.

[i] Bloomberg BusinessWeek, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It"


