CANCUN–Businesses, especially those in the financial sector, should operate under the assumption that data exfiltration either is or will soon happen in their organization.
A lot like car insurance, end users should hope for the best and prepare for the worst, according to Wells Fargo’s Steve Adegbite, who spoke on the challenges of detecting silent removal of data at Kaspersky Lab’s Security Analyst Summit here today.
Adegbite, the senior vice president in charge of the bank’s Enterprise Information Security Program: Oversight and Strategy, joked that sometimes he feels like he works at a technology company that masquerades as a bank.
“Working at a bank is never a dull moment, especially when it comes to data, but do you have the ability to track every user on your system and their data?” Adegbite asked the crowd.
The concept is easier said than done according to Adegbite, who said that many people, even those who work in networks, don’t fully understand how data exits. There are countless channels used for data transmission: cloud-based apps like Salesforce and Amazon Web Services, email messaging services, various internet/web portals, social media, etc.
As it is, a large enterprise may have upwards of 132,000 TCP/UDP ports and 100,000 different IP addresses in play, according to Adegbite, which makes it difficult to establish a baseline of what normal traffic looks like.
Exfiltration that stays within normal traffic patterns and sizes is already hard to detect, and that is compounded by attackers’ use of increasingly stealthy encryption and by the compromise of legitimate credentials, which lets the transfer look like authorized access. Adegbite used this month’s Anthem breach as an example.
“A lot of personally identifiable information–what you do, taxes, ailments, medical claims–were leaked. The last time you went to the doctor? That information is in there,” Adegbite said. “You don’t get money defacing sites, you get money impersonating people.”
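To make the baseline problem concrete, here is an added example (not code from the talk or from Wells Fargo) that builds a per-host egress baseline from constructed flow records and scores one day against it. The host names, the TEST-NET destination addresses and the byte counts are all made up for illustration. It shows the two cases the talk contrasts: a bulk transfer that blows through a robust median/MAD baseline, and a small leak tucked inside a host’s usual daily volume that the same baseline never flags.

```python
"""Per-host egress volume baseline over constructed flow records.

Added example, not part of the original article. Hosts, addresses and
volumes are hypothetical; the point is how a volume baseline behaves
when exfiltration does and does not stay inside normal traffic patterns.
"""
import ipaddress
from collections import defaultdict
from statistics import median

MB = 1_000_000

# The organisation's own address space (assumed RFC 1918 here);
# anything sent outside it is treated as egress.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow log: (day, src_host, dst_ip, dst_port, bytes_out).
# Days 1-7 are the learning period, day 8 is the day under review.
NORMAL_101 = [48, 52, 50, 47, 55, 51, 49]  # MB/day to the internet
NORMAL_102 = [30, 34, 31, 29, 33, 32, 28]

FLOWS = []
for day in range(1, 8):
    FLOWS.append((day, "ws-101", "203.0.113.10", 443, NORMAL_101[day - 1] * MB))
    FLOWS.append((day, "ws-102", "203.0.113.10", 443, NORMAL_102[day - 1] * MB))
    FLOWS.append((day, "ws-101", "10.0.0.5", 445, 900 * MB))  # internal file server
# Day 8: ws-101 pushes 550 MB to a new external host (bulk exfiltration);
# ws-102 leaks 5 MB, keeping its total inside its usual daily range.
FLOWS += [
    (8, "ws-101", "203.0.113.10", 443, 50 * MB),
    (8, "ws-101", "198.51.100.77", 443, 550 * MB),
    (8, "ws-102", "203.0.113.10", 443, 31 * MB),
    (8, "ws-102", "198.51.100.77", 443, 5 * MB),
    (8, "ws-102", "10.0.0.5", 445, 2_000 * MB),  # large, but internal: ignored
]


def is_external(dst_ip):
    """True when the destination lies outside the organisation's networks."""
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Aggregate bytes sent to external destinations: host -> {day: bytes}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, _port, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def robust_z(value, history):
    """Median/MAD z-score: one outlier in history cannot drag the baseline up."""
    med = median(history)
    mad = median(abs(v - med) for v in history)
    scale = 1.4826 * mad if mad else 1.0  # 1.4826 puts MAD on a sigma-like scale
    return (value - med) / scale


def detect(flows, day, threshold=3.5, min_history=5):
    """Score each host's egress on `day` against its earlier days.

    Returns {host: (egress_bytes, z_score, flagged)}.
    """
    results = {}
    for host, days in daily_egress(flows).items():
        history = [b for d, b in days.items() if d < day]
        if len(history) < min_history:  # not enough days to call anything normal
            continue
        today = days.get(day, 0)
        z = robust_z(today, history)
        results[host] = (today, z, z >= threshold)
    return results


if __name__ == "__main__":
    for host, (nbytes, z, flagged) in sorted(detect(FLOWS, 8).items()):
        print(f"{host}: {nbytes // MB} MB out, z={z:.1f}, {'ALERT' if flagged else 'ok'}")
```

Run as a script, ws-101 is flagged at a z-score far above the threshold while ws-102, which also exfiltrated data, scores below 2 and passes as normal. That second result is the talk’s point: volume baselines catch the barbarian who grabs everything at once, not the one who carries a little out each day, so they need to be paired with destination and content-aware controls rather than relied on alone.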
How quickly attackers have lately been able to turn newly disclosed bugs into working exploits has also complicated matters. Adegbite pointed to Heartbleed and the Bash bug, for which exploit code was leaked just 24 hours and six hours, respectively, after their discovery.
With all of this in mind, Adegbite said that stopping unauthorized data from leaving systems is still a workable problem, but that IT professionals should step up their defensive game and apply as much rigor as possible to stopping attackers he likened to “barbarians at the gate.”
Part of the equation can be as simple as promoting a positive, optimistic culture that encourages shared threat intelligence in businesses.
“You can get the coolest toys, use the best defensive measures but when you don’t look at the human aspect when it comes to risk framework, you’re going to be in trouble,” Adegbite said.