Equifax Breach & Why Your Company is Next

The Hybrid Cloud Data Center Paradigm Shift That Leaves Security Behind

By Dave Klein, Senior Director of Engineering & Architecture, GuardiCore

When the Equifax breach was announced on September 7th, I was not surprised. When I heard the magnitude of the damage: 143 million US consumers and 44 million British consumers – which equate to roughly 57% and 97% respectively of both country’s populations, age 18 years of age and older – I, again, was not surprised. Why?

Four years ago, I began seeing breaches occur in my customer’s data centers, both on-premises and in the cloud and utilizing my customer’s own application workflows to hide their activity as they progressed. Attackers dwelled undetected for long periods of time, spreading laterally with ease. Tools at our disposal for cyberattacks were purpose-built for yesterday’s cyber battles occurring outside of data centers. Not only were these attacks in places we weren’t, but they also behaved unexpectedly. It was as if we were firefighters battling an internal factory fire while being forced to stand outside the building’s thick concrete walls.

The IT world had shifted dramatically, and, in its transformation, cybersecurity had been left behind. IT had moved valuable resources to hybrid cloud data centers but cybersecurity solutions and practices had not kept pace with the transformation. Cybercriminals had already seen the shift and adjusted to maximize the larger attack surface and reaped accordingly.

Equifax provides a great example of a breach that took advantage of this IT paradigm shift. The cybercriminals attacked Equifax’s data centers directly. Focusing on the vulnerability, however, is like missing the forest through the trees. Equifax’s vulnerability, Apache Struts, was merely the entry point. To steal roughly half the US population’s information and almost all of Great Britain’s so quickly tells us the attackers became well established within the application housing targeted data. They overcame the front-end querying capability to syphon off massive amounts of data while avoiding encrypted data at rest on the backend.

If the IT paradigm shift has changed, as seen with the Equifax attack, how can we bridge that gap? Taking perimeter solutions and endpoints into the hybrid cloud data center environments won’t work. Customization to legacy, traditional cybersecurity solutions to transform them from north-south solutions that bring them into east-west environments is not possible. No matter what retrofitting is done, they are poorly suited for their new working environment.

When looking at new security solutions that can help you avoid being the next Equifax, here are five attributes you should consider for security applications and data in hybrid clouds:

1. NATIVE: Cybersecurity solutions must be native to the hybrid cloud data center environments in which they live. They must be built from the ground up to work seamlessly across the entire heterogeneous space which includes everything from hypervisors, containers, images, various cloud topologies to legacy bare metal and even those old mainframes.

2. CONVERGED: Cybersecurity solutions must work in a converged fashion, providing a single solution that is flexible and works across the entire heterogeneous environment. In the hybrid cloud data center, these solutions must work across everything from hypervisors, containers, images, various cloud topologies to legacy bare metal and even old mainframes. Converged solutions provide solid gains while reducing complexity. A great example is micro-segmentation within the data center workloads. There are many point solutions out there which only solve segmentation within a particular portion of the environment and do it poorly. Each cloud provider provides Layer 4 segmentation but these are only specific to their particular cloud and provide zero process-level visibility. The same can be said by a few vendors who do the same for on-premise workloads. In order to truly do micro-segmentation you need a converged solution that works across all of your environments seamlessly, provides visibility to allow you to accurately create policies and which reside at the Layer 7 process level.

3. FLEXIBLE: Working within the Hybrid Cloud Data Center you must have multiple options for deployments from low touch to high touch. This enables deployment across the entire spectrum and provides room to grow. Flexibility also refers to fitting any provisioning and management model used by the DevOps teams. For example, when dealing within these environments you may or may not be able to deploy agents, therefore, your solution should offer both agent-based and agentless options. When dealing with agents, ones which are truly lightweight, easily provisioned by any provisioning mechanism deployed by DevOps staff (Chef, Puppet, Ansible, etc.) and requires zero reboots, are considered preferable and DevOp friendly.

4. VISIBILITY: By far the most important thing you need is visibility within the data center. Visibility must be at the process level and into the application workflows, supplemented with rich contextual data from the various platforms, and orchestrations from which they came. With this rich visibility, you have enough context to create a global, macro and micro-segmentation policies easily and quickly, and have the ability to find compliance issues. Most importantly, when it comes to attackers, you can see their movements and even redirect them dynamically into secure spaces where you can securely remove them from the real environment and reveal their tools, techniques, and exploits, capturing every packet, keystroke, and screenshot in the process.

5. DevOps RELEVANT: If a solution provided does the above, then the priceless data and protection will be readily useful, adaptable and valuable to the DevOp personnel themselves which is key for success. The Hybrid Cloud Data Center is their environment and when you become relevant to them you become their partners and allies.
If you are a CISO or cybersecurity professional, by evaluating new security solutions based on these five attributes, you will bring cybersecurity back into relevance and take a big step to avoid becoming the next Equifax in the process.

About the Author
Dave Klein, Senior Director of Engineering & Architecture for GuardiCore Dave Klein has over 21 years of real-world cybersecurity experience – he works with GuardiCore’s customers and prospects to educate them on utilizing advanced application workflow-based cybersecurity solutions for visibility, segmentation, and rapid detection, containment, and remediation of security breaches. Prior to GuardiCore, Dave was the Engineering Manager Forcepoint’s Federal Sector where he drove growth by adapting the company’s behavioral heuristics, Bayesian logic, and predictive capabilities to defend US agencies against Insider and Advanced Persistent Threats. Dave also worked with other vendors, government and private sector entities on the NIST response to the Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience. Prior thus, Dave was a security leader at Cisco Systems. Always a visionary, Dave saw an opportunity in Cisco Network Admission Control, IronPort Web and Mail Gateways and other core Cisco security offerings. As both an individual contributor and leader Dave was responsible for some of the largest US Federal security solution sales. Before that Dave worked for McAfee. His work there included working with the City of New York post 9/11 for three years – commuting by train daily to help shore up cyber defenses there and developing a National State and Local Government engineering and sales team. Dave has spoken on a wide variety of cybersecurity topics including hybrid cloud adoption, segmentation, educating on the stages of the cybersecurity kill chain, understanding interactions between the physical and cyber worlds as it relates to the radicalization and arming of domestic terrorists and using cyber forensics in real-world criminal cases.
Dave can be reached online at ([email protected], @CyberCaffeinate on Twitter and at our company website http://www.guardicore.com