Cyber Criminals Love the 'Detect and React' Cyber Security Approach
Gift buying and traveling, especially during the winter holidays, creates an environment ripe for cybercrime. During this frenzied period, retailers and hospitality providers must keep their revenue generating systems up and running to keep moving product, charming customers, and making lasting holiday impressions. However, an alarming Cisco survey found that a typical enterprise of any industry is staffed only with enough security analysts to act upon half of its cyber alerts. This could be because many companies believe in a 'detect and react' approach. Unfortunately, cyber criminals can easily take advantage of this lack of security. This article from AppGuard discusses some of the IT security threats that the hospitality industry faces and offers tips on how companies can help prevent security issues from arising in the first place.
For instance, IT staff at most hospitality corporations are already overwhelmed by the significant pickup in processing demand during the holidays. When they can react to alerts, they face a dilemma: do they shut down infected systems, or do they accept the bigger risk of minimizing quarantining in favor of keeping systems up and running? Unfortunately, many choose to quarantine the systems.
Another IT threat hospitality organizations face is stealthy malware on point-of-sale machines quietly copying customer data (e.g., credit card numbers) and sending it to criminals around the world. Many of these retail breaches are discovered by the banks, whose anti-fraud software detects an unusual amount of card-not-present fraud over time and triangulates where those cards were used to identify the compromised machines. While it is great that the banks are able to detect these breaches, hospitality organizations that have been breached are often on the hook for the months of fraud that preceded the discovery.
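The triangulation described above is usually called common-point-of-purchase analysis. The following is an added illustration, not code from AppGuard or the article: given transactions and a set of cards later seen in card-not-present fraud, it ranks merchants by how many of their cardholders were affected and estimates how long the suspect terminal was exposed. All transaction data, card ids and merchant names are constructed.

```python
"""Common-point-of-purchase (CPP) analysis over constructed transaction data.

Each record is (card_id, merchant_id, transaction_date).  The fraud set is the
cards an issuer later saw used in card-not-present fraud.  The merchant shared
by most of those cards is the likely compromised point-of-sale terminal.
"""
from collections import defaultdict
from datetime import date

# Constructed sample data (not real cards, merchants or dates).
TRANSACTIONS = [
    ("card01", "hotel-A", date(2017, 11, 3)),
    ("card02", "hotel-A", date(2017, 11, 10)),
    ("card03", "hotel-A", date(2017, 11, 21)),
    ("card04", "hotel-A", date(2017, 12, 2)),
    ("card05", "hotel-A", date(2017, 12, 5)),
    ("card01", "cafe-B", date(2017, 11, 4)),
    ("card03", "cafe-B", date(2017, 11, 22)),
    ("card06", "cafe-B", date(2017, 11, 25)),
    ("card07", "cafe-B", date(2017, 11, 26)),
    ("card08", "cafe-B", date(2017, 11, 27)),
    ("card02", "shop-C", date(2017, 11, 11)),
    ("card05", "shop-C", date(2017, 12, 6)),
    ("card06", "shop-C", date(2017, 12, 7)),
]
# Cards the issuer later flagged for card-not-present fraud (constructed).
FRAUD_CARDS = {"card01", "card02", "card03", "card04"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by the share of their distinct cards later seen in fraud.

    Returns [(merchant, fraud_card_count, fraud_share)] sorted best match first.
    Merchants with fewer than min_fraud_cards hits are dropped to avoid
    flagging a merchant that merely shares a few customers with the real one.
    """
    cards_at = defaultdict(set)
    for card, merchant, _ in transactions:
        cards_at[merchant].add(card)
    scored = []
    for merchant, cards in cards_at.items():
        hits = cards & fraud_cards
        if len(hits) >= min_fraud_cards:
            scored.append((merchant, len(hits), len(hits) / len(cards)))
    return sorted(scored, key=lambda row: (row[2], row[1]), reverse=True)


def exposure_window(transactions, merchant, fraud_cards):
    """Earliest and latest dates a later-defrauded card was used at merchant.

    This bounds the period the terminal was skimming, i.e. the months of
    fraud the merchant may be held liable for before discovery.
    """
    dates = [d for c, m, d in transactions if m == merchant and c in fraud_cards]
    return (min(dates), max(dates)) if dates else None
```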
Both of these examples indicate that detect and react as an approach to cyber security is not necessarily the best security practice out there.
If one cannot keep up with the ‘detect and react’ alerts in the first place, the process will be flawed. If the enterprise cannot hire enough skilled cybersecurity professionals to staff this complex security process, is it still a valid approach? If the enterprise outsources alerts investigation to service providers, how effective can they be at investigating anomalies if as external players they don’t know what normal looks like in an environment foreign to them? These service providers often deliver a similar message: 'The breach will occur and our people and technology will find it faster than alternatives.'
Let’s return to the POS, which directly and indirectly drives most of the alerts that organizations cannot triage well. POS terminals are mostly Windows hosts relying on antivirus and whitelisting. These cyber controls are often terrible at preventing compromises via polymorphic application exploits, non-malware attacks, in-memory attacks, and socially engineered attacks: basically, the majority of the advanced threats that currently exist. This puts the retail and hospitality sectors in deep trouble. Repeat attacks are the measuring stick.
According to Ponemon’s 2017 Cost of Cyber Crime study, data breaches are up 27.4%. This ever-increasing trend will never reverse unless the paradigm changes from detection and response to prevention. This means not letting malware detonate and not letting it become stealthy and persistent in the first place. To improve, hospitality companies can implement these tips:
- Conduct cyber readiness drills as often as is practical. You may be shocked at how much a brown bag lunch with table-top exercises for your IT and Sec-Ops people might yield. The most common problems are the gaps among individuals’ knowledge of policy and workflow, knowledge of adversary tactics, proficiency with tools, roles and dependencies within the workflow, etc. Identify likely incident scenarios, then explain, discuss, and simulate them however you can.
- Verify all incident response contact information within your organization as well as up and down your supply chain. Missing contact info is one of the most common IR lessons learned. Remember to include business line managers who might be required to authorize a temporary shut-down of a compromised system. Missing contact info can add hours or even days to incident responses.
- Methodically look through your entire infrastructure for missing or inadequate back-up capabilities. Conduct back-up recovery exercises to verify they do what you need.
- Begin developing, and continue to maintain, a labor breakdown structure spanning your overall cyber program, including all of your IT/Sec-Ops personnel plus whatever external service providers you use. You can’t fix what you don’t measure. This will help you quantify the costs of your ‘detect and react’ posture and identify correlations among the different areas. Don’t leave out cyber hygiene. As your confidence in your data grows, you’ll find yourself in a better position to gauge the value of explorations and investments into preventative measures that reduce the volume of alerts and incidents upstream of much of your labor. You can and will find inter-dependencies. Did you know there’s a high correlation between network alerts and endpoint usage? Nipping intrusions at the endpoint and the end-user can impact your cyber program in many different ways.
- Challenge your assumptions and paradigms. Over half of a cyber program’s resource requirements are driven by the mistakes of end-users and the frequent compromises of endpoints. On the former, many believe you can’t patch stupid; they are wrong. On the latter, many believe endpoint compromise prevention is unattainable; they too are wrong. These and other beliefs profoundly impact decisions regarding your cyber program. Yet few organizations take inventory of these, let alone challenge them. Make a list, share it, and challenge each item. Only big changes will free you from the never-ending cyber-flation of the ‘detect and react’ posture. A list like this enables such changes.
- Conduct employee cyber readiness training that transforms them from soft targets into vigilant cyber defenders. Many organizations mistake this for security awareness training. Most such programs are responsible for the common belief that the problem of employee cyber mistakes is unfixable. Seek out a program that is highly individualized and continuous. Do-it-yourself programs with test phish templates are a nice step but generally fall short of what the enterprise needs.
- Look beyond the traditional sources of endpoint protection software. Seek solutions that reduce your labor costs across the board by preventing endpoint compromises instead of guaranteeing that IT/Sec-Ops staffing requirements increase year after year.