Founder & CEO of ERP Maestro. Jody is a trusted advisor and security thought leader who is a CISSP, a CISA, and former director of KPMG. Follow him on Twitter @JodyCPaterson.
Lessons from Marriott’s Starwood Hotels Mega Breach
This article originally appeared on Medium in December 2018.
While it’s shocking that the recently revealed Starwood Hotels security breach affected 500 million guests, it’s even more alarming that the intrusion went unnoticed for four years.
There is still much to understand about the breach: who was responsible, and whether it was entirely an outside job or involved internal collaboration or activity. From research, we have learned that internal threats at the hands of employees are much harder to spot and can go undetected for longer without the proper monitoring tools. If anything, this incident serves as a stark reminder of how critical it is to have solutions that can expose risks and enable prevention.
Research tells us that insider attacks, for example, may go unnoticed for years. Once discovered, it can take an average of two months to contain an insider incident. And according to the Ponemon Institute report, “2018 Cost of Insider Threats: Global Organizations,” the average cost of an insider threat annually is $8.76 million.
The same report outlines seven process-related activities organizations should have in place to address insider-related incidents:
Monitoring and surveillance: activities that enable an organization to reasonably detect and possibly deter insider incidents or attacks. This includes allocated (overhead) costs of certain enabling technologies that enhance mitigation or early detection.
Activities necessary to thoroughly uncover the source, scope and magnitude of one or more incidents.
Activities taken to raise awareness about actual incidents among key stakeholders within the company. The escalation activity also includes the steps taken to organize an initial management response.
Activities relating to the formation and engagement of the incident response team including the steps taken to formulate a final management response.
Activities that focus on stopping or lessening the severity of insider incidents or attacks. These include shutting down vulnerable applications and endpoints.
Activities to help the organization minimize potential future insider-related incidents and attacks. It also includes steps taken to communicate with key stakeholders both within and outside the company, including the preparation of recommendations to minimize potential harm.
Activities associated with repairing and remediating the organization’s systems and core business processes. These include the restoration of damaged information assets and IT infrastructure.
Although we don’t know the specifics of the Starwood Hotels leak, this occurrence reinforces the importance of a holistic security strategy that addresses both external and internal threats. As for taking steps to block internal data breaches, knowing and trusting your employees is not enough. Deep analytics and continuous monitoring are necessary to understand the level of access every employee has to business systems and to detect violations — before they escalate to the magnitude of the Starwood Hotels crisis.
With insider attacks now comprising 60–75 percent of all cyber threats, internal vulnerabilities must be kept in check with tools that deliver instant visibility.