If your company was fined $123 million for doing something wrong, you’d probably do everything you could to avoid it happening again, wouldn’t you? UK authorities fined Marriott $123 million for the 2018 Starwood breach that leaked 500 million users’ records.
And yet, Marriott recently disclosed that they had been breached for a second time in the past two years. While the most recent breach affects “only” 5 million users and (so far) it doesn’t involve as much sensitive data, it’s noteworthy that a major company was breached shortly after they (presumably) had taken steps to secure their environment.
This time they recognized the breach much more quickly. The Starwood breach began as far back as 2014 and wasn’t recognized until 2018. This time, the first unauthorized access happened around mid-January 2020, and it was discovered by late February. Marriott’s threat detection has clearly improved, especially when compared to the average time of 197 days to detect a breach. For comparison, GoDaddy recently disclosed they had been breached on October 19, 2019, and discovered it on April 19, 2020.
Marriott’s most recent breach was traced to the compromised credentials of two employees. It’s unclear exactly what happened, but there are several actions that can be taken to minimize the risk of this kind of breach:
- Follow least-privilege best practices to ensure that users don’t have access to more than they need to do their jobs. Don’t allow them to keep access they needed from previous roles in the company, and don’t blindly copy someone else’s access when setting up new accounts.
- Implement multi-factor authentication (MFA), with the option of prompting for additional factors when authentication activity is unusual in some way.
- Identify where sensitive data lives. It may not always be where you think it is. Once identified, assess whether any users’ access to that data is inappropriate.
- Implement threat detection capabilities that can automatically identify patterns indicating a breach is in progress. Automatic identification is critical to surfacing issues in a timely manner without overwhelming analysts with manual review of false positives.
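To make the MFA and detection items above concrete, here is an added example (not code from Marriott, Zirous, or any of the vendors named in this post) that replays a set of constructed sign-in events, compares each one against the user's own baseline of countries and devices, and decides whether to allow it, require a second factor, or require a second factor and raise an alert. The business-hours window, the two-signal alert threshold, and the event format are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events: (timestamp, user, country, device_id).
EVENTS = [
    ("2020-01-06T09:12:00", "alice", "US", "laptop-a1"),
    ("2020-01-06T10:20:00", "bob", "US", "desktop-b2"),
    ("2020-01-07T08:55:00", "alice", "US", "laptop-a1"),
    ("2020-01-08T09:03:00", "alice", "US", "laptop-a1"),
    ("2020-01-14T02:41:00", "alice", "BR", "unknown-77"),  # looks like misuse
    ("2020-01-15T11:05:00", "bob", "US", "desktop-b2"),
]
BUSINESS_HOURS = range(7, 20)  # assumed normal window, 07:00-19:59

def risk_signals(event, baseline):
    """Return the reasons this sign-in deviates from the user's baseline."""
    ts, _user, country, device = event
    reasons = []
    if baseline["countries"] and country not in baseline["countries"]:
        reasons.append("new_country")
    if baseline["devices"] and device not in baseline["devices"]:
        reasons.append("new_device")
    if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    return reasons

def evaluate(events, min_history=2):
    """Replay events in time order; return {(ts, user): (decision, reasons)}.
    allow = no MFA; challenge = demand a second factor; challenge_and_alert =
    also raise a detection event. Users with < min_history sign-ins are always
    challenged because there is no baseline to compare against yet."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "n": 0})
    decisions = {}
    for event in sorted(events):
        ts, user, country, device = event
        b = baseline[user]
        reasons = risk_signals(event, b)
        if not reasons and b["n"] >= min_history:
            decision = "allow"
        elif len(reasons) >= 2:
            decision = "challenge_and_alert"
        else:
            decision = "challenge"
        decisions[(ts, user)] = (decision, reasons)
        # Only unflagged sign-ins extend the baseline, so a stolen credential
        # cannot quietly teach the system that its new location is normal.
        if not reasons:
            b["countries"].add(country)
            b["devices"].add(device)
        b["n"] += 1
    return decisions
```

The off-hours sign-in from a new country and unknown device is the one that gets both a challenge and an alert, while the established user's routine sign-in passes without friction.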
At this point you’re probably asking yourself, if their sensitive data can be stolen, how safe is mine? What can I do that they haven’t already done? It’s true; securing your environment is a never-ending challenge. But you have to start somewhere, and you can’t afford to bury your head in the sand and hope everything works out. If you’re breached, and your board asks what you did to prevent it, what will your answer be?
Here’s somewhere to start.
First, don’t be in the mindset that it’s unlikely to happen to your company. Odds are it will happen eventually. No industry or small company is immune. Everything from an Ames, Iowa parking system to the French newspaper Le Figaro has been breached. Believe that there are external and/or internal threats that are acting TODAY to get access to your systems and data.
Second, take an inventory of your sensitive applications and data. Your sensitive apps may be clear and obvious, but the location of data often isn’t. Is PII and payment information all locked up in an encrypted database? Or does some of it, unbeknownst to you, get exported to a spreadsheet on a shared drive on a weekly basis to facilitate some reporting? What happens if someone acquires access to the system, and what can they do with what they find? What are the regulatory and reputational consequences if something is exfiltrated?
Third, once you’ve prioritized those systems, consider what tools you’ll need to address the areas most at risk and what processes will need to change. The business consequences identified above can be used to help communicate the urgency of the investment necessary to minimize your risk. A partnership between the business, IT, and security is necessary to be successful. If the business can’t understand, in their terms, why they should invest in security rather than business-advancement priorities, you’ll have a very difficult time accomplishing what you need. Your company may have a need to improve one or more of these capabilities:
- Automatically provision, deprovision, and review access
- Make authentication as secure and frictionless as possible
- Locate and classify sensitive information across your organization, wherever it may be stored
- Detect and prevent unauthorized access and movement of data
Getting into the specifics of the analysis of each of these areas is beyond the scope of this post, but know that Zirous is partnered with industry leaders such as SailPoint, Splunk, and Okta who can fulfill many of these needs. We also understand that business process changes are often the most difficult part of any technology shift, and we’re eager to help you navigate that challenge.
Source: 2018 Ponemon Institute