The most recent retail purchase I made was for a pair of sunglasses. I had never heard of the brand before, but I am sucker for eyewear and was drawn in by an ad with a rock climber (not something I do) that came up on my Instagram feed. So why not? A couple of clicks, an entry of my credit card number to some company that said they were based in Switzerland — and a fresh pair of shades found their new home blocking the California Winter sun.
It’s amazing how accessible retail is. It’s there even when we aren’t looking for it. Just reach in your bag or pocket like Mary Poppins and click “buy it now” for just about anything you could ever need to appear. The ease is undeniable, but there’s another side. A dark side? Sure, but there’s more to it than that. When we enter our names, addresses, phone numbers, emails and credit card info — personally identifiable information (PII) — whose job is it to make sure that the information remains safe and not in the wrong hands? The retailer? The consumer? The security vendor that is hired to keep our information from being included in a data breach?
The short answer is all who are involved. Having worked in cybersecurity for over a decade, I am well aware of the possibility of a retail data breach and the potential for my information to be stolen, but I also know that I hold responsibility for where I decide to enter my information. The responsibility that retail and eCommerce brands have to keep consumer data safe has been put under the microscope with GDPR coming to fruition in Europe and the California Consumer Privacy Act (CCPA) here on the West Coast. But of course, when we wipe our eyes in the morning only to discover that another retail breach has occurred — it’s often consumer data that’s long gone with a lot of questions remaining for retailers and security vendors.
What’s ahead for security teams defending against cyberattacks on retail?
It’s easy to point fingers when things go horribly wrong, but in terms of a breach — it’s often less about who is responsible and more about what can be done so they don’t continue to happen in the future. Perhaps we can dig up some answers?
From my rose-colored view at Vectra, I hear the words ‘hybrid cloud’ more times in a day than I say the names of my kids, so with all the smart people who live and breathe threat detection and response around here — there must be something to it. What exactly does hybrid cloud have to do with the future of retail cybersecurity? Well, it’s the world we live in and one that security teams are now challenged to defend.
Gartner defines it as “policy-based and coordinated service provisioning, use and management across a mixture of internal and external cloud services.” What it comes down to is that retailers (or really any organization) now operate in environments where public cloud, SaaS, identity, network, endpoints and everything in between are connecting and working together — the network is everywhere. It’s convenient, fast, efficient, always available and one of the main reasons for attack surface expansion — or a bigger dance floor for cyber attackers to show off their latest moves. In fact, Gartner listed ‘attack surface expansion’ as the number one trend in cybersecurity this year, stating that it, “leaves organizations more vulnerable to attack.”
Not only are organizations more vulnerable due to an expanded surface, but Vectra’s, SVP of Products, Kevin Kennedy points out in a recent blog, that security teams are now operating in a “spiral of more.”
- More attack surface exposure means more tools, which means more complexity.
- More evasive attackers mean more rules, which means more alerts and more tuning.
- More alert rules to tune and maintain means more analysts, more work and more burnout.
Now tasked with “more,” security teams are required to defend against threats they don’t know exists across their networks. Unknown threats caused by the “more” that they face each day in the SOC. Is the unknown threat the single biggest cybersecurity risk that organizations face today? We think so.
What do these unknowns mean for retail companies (or any company)? Well as Kevin points out, “unknown threats whether cloud-based, account takeovers or attacks on the supply chain, simply have more ways to infiltrate and move laterally inside an organization.” So as cyber attackers devise plans to scurry off with valuable customer PII — they now have more ways in, more ways to hide once they’re in, and in turn, create more work and challenges for security teams.
What cybersecurity countermeasures can retail security teams take?
Two commonly cited resources around Vectra are MITRE ATT&CK and MITRE D3FEND as valuable tools that security practitioners can use to help them understand what attackers do during an attack (ATT&CK), and the countermeasures (D3FEND) that can be used to address attack techniques. For example, Vectra detections across public cloud, SaaS, identity and networks are mapped to MITRE ATT&CK to help security teams discuss and present the outcomes of investigations. MITRE would seem to be a wise resource for security folks to utilize, but how can vendors also help retail teams get ahead of the next attack?
As the global cyber security skills gap now sits at an alarming 3.4 million people, there’s an obvious limitation in terms of security resources available, especially as we discussed in the hybrid cloud era. A skills gap means there’s more work to be done with less people — maybe this is where the security industry can lend a hand? One of the catalysts of unknowns remains the amount of work that security teams are up against and a lot of that is having to constantly tune security alerts to mitigate false positives that do nothing but generate more work. Does it have to be that way?
A lot of that depends on how you’re able to manage the different security responsibilities and whether you have the resources on your own or need ways to augment some of the work. This is another topic of conversation around here, specifically amongst the Vectra MDR team — where our security experts work alongside customers who augment their in-house security team with additional resources. Retail customers use Vectra MDR for different reasons depending on the nature of their environment to help address challenges like skills shortage, analyst burnout, hunting and investigation or Vectra platform optimization — ultimately enabling customers to share responsibility with Vectra.
We recently documented a scenario with one of our retail customers — a Global 2000 company that was facing rising threat visibility challenges due to various cloud complexities —specifically with Microsoft 365. In this case, they deployed the Vectra platform harnessing AI-driven Attack Signal Intelligence to handle urgent threats, but with a small security team on hand decided to leverage Vectra MDR to make sure they have the resources for 24/7/365 threat coverage.
“We have a team of three people, mainly security officers, who are investigating or following up on detections and alerts. We also use the Vectra MDR Services, which helps a lot by providing a skillful set of people who look into things with a great customer perspective.” - Head of IT Security.
This team knew the risks and what they could handle on their own and then built accordingly, but for every company like this retailer there may be twice as many who don’t have the answers. Do retail security teams have it worse than those in other industries? I don’t know if that could be quantified, but it would seem like there’s a lot to handle if you’re going at it alone. 80% (263 million people) of the U.S. population shops online and I can certainly attest to demanding nature of consumers — I still don’t understand how my new shades took over a week to arrive.
Instant gratification aside, retail security teams have more pressing topics on their mind. The challenges aren’t going away, especially in the cloud. IBM’s Cost of Data Breach 2022 report cites that nearly half (45%) of all data breaches happen in the cloud. That same report cites that AI and automation offer the biggest cost savings, stating that “organizations that had a fully deployed AI and automation program were able to identify and contain a breach 28 days faster than those that didn’t.” We’re not just heading into an era where human intelligence and artificial intelligence can work together to overcome great challenges, we’re already there. The good news for retail security teams is that when attackers target your cloud data or SaaS environments, you now have ways to know about it.