LP Magazine

JUL-AUG 2014

LP magazine publishes articles for loss prevention, asset protection, and retail professionals covering shrinkage, investigations, shoplifting, internal theft, fraud, technology, best practices, and career development.

Issue link: http://digital.lpportal.com/i/352439

Contents of this Issue

Navigation

Page 44 of 68

continued on page 46 paradigm needs to be about minimizing the time between them gaining access and us detecting them. It's not enough to just monitor the perimeter; to watch the parking lot and watch the loading dock. That's not going to work in IT. You've got to work on hunting throughout the environment and actively looking for adversaries, looking for an indication that they've been there, and if you can mitigate that threat, you're going to be successful. When I was in the Bureau, our agents would go out dozens of times per week and knock on the doors of major companies around the country, and tell them that they've been breached. When the FBI or Secret Service shows up at your door and says, "You've been breached," in most of the cases, the organization say, "No, we haven't." So we say, "Really? Is this all your stuff right here? Look at this database we found. It's on a server getting ready to head over to Guangdong Province. You're saying that's not yours?" And then they say, "Well, yes, maybe it is." Then they would go back, search, and ultimately they'd find out that, yes, in fact, they had been breached. And it turns out they were breached four months ago or eight months ago or two years ago. Now, if you allow an adversary in your network for four months, eight months, or two years, bad things are going to happen. In the physical world if you allow somebody into your stores for eight months undetected, being able to do whatever it is that they want to do, and walk in and out with pallets of merchandise, bad things are going to happen. If, on the other hand, you can detect them within a couple of minutes or a couple of hours, you can mitigate the threat. STEPHENS: Let me speak broadly here. We are spending billions and billions of dollars as a nation on defending and protecting our networks, yet we're still getting breached all the time. To use a sports analogy, the best defense with zero offense isn't going to win a game. Conversely, an offense needs a robust defense. I would like to suggest that when you do work with law enforcement, you are assisting with the offense. We don't always get the bad guys because of the reasons we've discussed before, but sometimes we do. There is a strong, coordinated effort to go after these people and to get them to stop doing what they're doing. Shawn mentioned that we're never going to be able to have a completely invulnerable defense. They've got tons of time. And when they get in, they spend months figuring out how to do what they want to do while hiding their tracks. So, the longer they're in, the harder it is to catch them—not easier. And so in my view we need a strong, robust defense, but we also need a strong, robust offense. Frankly, I don't know that we'll ever stop this. But we can make ourselves more of a hard target, so hackers are disincentivized to come after us, and they'll go after more low-hanging fruit. KNISLEY: Shawn, building on what Lou is saying, companies are spending billions every year to protect themselves, yet we continue to see breaches. In your opinion what can companies do pre-breach to mitigate the effects post-breach? HENRY: This is the whole piece about being proactive. Rather than putting the pieces of the puzzle together to figure out who did what, you need to be "left of boom," as I've heard it said. I want to be there to prevent it before it occurs; I want to be hunting. I think it's a really important term, and I use it a lot. Hunting on a network is being proactive and being engaged. Yet there are just too many people who have said, "We've got our defenses in place. The fence is up. The alarm system is on. We're good." And then they go to sleep. That is just the wrong way to do things. You don't just find a particular server that was compromised, fix it, and go on. What's important is understanding who was there, why were they there, how did they get there, what have they done, are they still here, what did they leave behind, and what did they take? We do all that on the front side as well. You don't have to wait for an incident to collect that type of intelligence, and it's absolutely critical that we're doing that. Again, in the physical world, we have done it to prevent terrorist incidents. We have not had a significant terrorist event in this country since 9/11, not because we live in a completely secure environment. Quite the opposite. There are lots of people walking into this hotel with big suitcases, any one of which could contain a bomb or something of that nature. The reason that we haven't had one of those serious incidents is because of law enforcement, the intelligence community, and the Department of Defense are constantly identifying bad actors that are coming in and mitigating the danger before any of us watch it on CNN. "In IT, for years we've been practicing defense-in-depth. We do it in the physical world as well, of course. But in the information world, it's about firewalls, intrusion-detection systems, two-factor authentication, and encryption. You layer your defenses so that you can be more resilient. But the reality of it is, in the IT space, the most sophisticated adversaries will get into the network one way or another." – Shawn Henry continued from page 42 44 JULY - AUGUST 2014 | LPPORTAL.COM DEALING WITH DATA BREACHES

Articles in this issue

Links on this page

Archives of this issue

view archives of LP Magazine - JUL-AUG 2014