Yesterday Anthem became the latest company to suffer a massive, high-profile data breach that almost certainly will become the largest data breach to date in the healthcare industry. Attackers were able to infiltrate the network and steal personal information for over 80 million customers. The stolen data included a variety of Personally Identifiable Information(PII) including Social Security numbers, contact details as well as employment and income information.
This is a particularly dangerous combination of data that is worth significantly more on the black market than stolen credit card numbers. Unlike a credit card, which can be easily cancelled and replaced, a full identity can be used for long-term fraud such as taking out loans in the victim’s name. Employment information is particularly sought after when selling an identity. The one silver lining is that it does not appear that medical records and other Personal Health Information (PHI) were exposed in the breach.
While details are still emerging, this most recent breach appears to have followed a very familiar path of spy, spread and steal. Early indications are that the attackers gained access to employee credentials, which were then used to spread through the network and ultimately steal customer records. While the specific tools and techniques may vary, this is the same blueprint attackers have used in virtually every major breach over the past 2 years. A recent visualization of the largest data breaches puts this in sharp focus. This visualization not only shows the chronology and size of breaches, but it also shows how the breached occurred whether by external hacker, accidental disclosure, lost device and so on. The data shows a clear trend. Since 2012, virtually all of the biggest breaches have been the work of external hackers.
The reality is that an infection or intrusion is an inevitability for most modern organizations. There are simply too many trusted users with too many connected devices for an organization to be perfectly seal its access perimeter. The problem is that most security teams lack the security tools to keep a small breach of an individual host from metastasizing into a massive breach of the entire organization.
Defending against the modern cyber attack requires a new way of looking at threats – one that focuses security on the inside of the network and on key assets, and not just the network perimeter. One that sees threats with a wider lens than individual exploits or malware, but can perceive the entire criminal operation including how it persists, spreads, and steals within a network. One that actively learns what is normal in the network to recognize changes, and to proactively identify malicious behaviors even if they have never been seen before and have no signature.
This is a conceptual shift for many organizations. We must learn to see threats beyond the individual atoms of exploits and malware to understanding the more complex chemistry of an advanced attack based on multiple interactions in a network over time. This approach actually becomes quite powerful, because the more complex an attack, the more clearly it is revealed when tracked and correlated over time and multiple devices. This is precisely the approach we have developed at Vectra and how we go about finding the detections that truly matter to your network. Take a look at white paper below to learn more about how Vectra works and how you can use it to detect all phases of a cyber attack.