Despite 88% of cybersecurity professionals believing automation will make their jobs easier, younger staffers are more concerned than their veteran counterparts that the technology will replace their roles, according to research by Exabeam.
Overall, satisfaction levels continued a three-year positive trend, with 96% of respondents indicating they are happy with their role and responsibilities and 87% reportedly pleased with salary and earnings. Additionally, there was improvement in gender diversity, with female respondents increasing from 9% in 2019 to 21% this year.
“The concern for automation among younger professionals in cybersecurity was surprising to us. In trying to understand this sentiment, we could partially attribute it to lack of on-the-job training using automation technology,” said Samantha Humphries, security strategist at Exabeam.
“As we noted earlier this year in our State of the SOC research, ambiguity around career path or lack of understanding about automation can have an impact on job security. It’s also possible that this is a symptom of the current economic climate or a general lack of experience navigating the workforce during a global recession.”
AI and ML: A threat to job security?
Of respondents under the age of 45, 53% agreed or strongly agreed that AI and ML are a threat to their job security. This is contrasted with just 25% of respondents 45 and over who feel the same, possibly indicating that subsets of security professionals in particular prefer to write rules and manually investigate.
Interestingly, when asked directly about automation software, 89% of respondents under 45 years old believed it would improve their jobs, yet 47% are still threatened by its use. This is again in contrast with the 45 and over demographic, where 80% believed automation would simplify their work, and only 22% felt threatened by its use.
Examining the sentiments around automation by region, 47% of US respondents were concerned about job security when automation software is in use, as well as SG (54%), DE (42%), AUS (40%) and UK (33%).
In the survey, which drew insights from professionals throughout the US, the UK, AUS, Canada, India and the Netherlands, only 10% overall believed that AI and automation were a threat to their jobs.
On the flip side, there were noticeable increases in job approval across the board, with an upward trend in satisfaction around role and responsibilities (96%), salary (87%) and work/life balance (77%).
Diversity showing positive signs of improvement
When asked what else they enjoyed about their jobs, respondents listed working in an environment with professional growth (15%) as well as opportunities to challenge oneself (21%) as top motivators.
53% reported jobs that are either stressful or very stressful, which is down from last year (62%). Interestingly, despite being among those that are generally threatened by automation software, 100% of respondents aged 18-24 reported feeling secure in their roles and were happiest with their salaries (93%).
Though the number of female respondents increased this year, it remains to be seen whether this will emerge as a trend. This year’s male respondents (78%) are down 13% from last year (91%).
In 2019, nearly 41% had been in the profession for 10 years or more. This year, a larger percentage (83%) have 10 years or less, and 34% have been in the cybersecurity industry for five years or less. Additionally, one-third do not have formal cybersecurity degrees.
“There is evidence that automation and AI/ML are being embraced, but this year’s survey exposed fascinating generational differences when it comes to professional openness and using all available tools to do their jobs,” said Phil Routley, senior product marketing manager, APJ, Exabeam.
“And while gender diversity is showing positive signs of improvement, it’s clear we still have a very long way to go in breaking down barriers for female professionals in the security industry.”
New Exabeam research shows that 62 percent of blue teams have difficulty stopping red teams during adversary simulation exercises.
Respondents named threat detection, incident response and flexibility/openness to change while working remotely as the top three areas that blue teams must improve upon. This indicates an increase in technical and adaptability challenges since the same study was performed in 2019, where the focus fell heavily on teamwork and communication.
While 37 percent of blue teams always or often catch these ‘bad actors,’ 55 percent say they only succeed sometimes, and 7 percent rarely or never achieve this feat. On a positive note, these numbers indicate a trend in the right direction compared to last year’s study, which showed one-third rarely or never catching red teams.
Companies increasing security investment
The fact that less than half of blue teams are stopping bad actors a majority of the time demonstrates the priority organizations must place on constantly evaluating and adjusting their security investments to keep up with today’s digital adversaries.
The study indicates that many companies are consciously taking these steps, with 50 percent increasing security investment and 30 percent adding to their security infrastructure as a result of these exercises. Seventeen percent have done both, and just 2 percent have not adjusted their security tools or budget in response.
Interestingly, the frequency and approach to red team/blue team tests vary widely. On average, organizations conduct red team exercises every five months – breaking down to 26 percent once a month, another quarter every 2-6 months, 32 percent every 7-11 months and 8 percent once a year.
Just 7 percent don’t utilize red teams at all. Blue team exercise frequency understandably reflected similar percentages and averaged out to every six months.
Many companies use the ‘purple team’ approach, in which the red and blue teams come from their own staff and work together to determine security preparedness. One-third run these simulations every 2-6 months, while 50 percent perform them every 7-11 months, and 12 percent report yearly tests. Again, only 7 percent do not have purple teams in place.
Internal and external red teams equally effective
Also new to 2020’s report, 92 percent of respondents tap external red teams without prior knowledge of their internal security systems to help their teams prepare for real-life cyberattacks. However, 54 percent found internal and external red teams equally effective, with a slightly higher percentage (24 percent) citing internal red teams as more effective than external (19 percent).
“An additional study recently reported that more than 80 percent of businesses have experienced a successful cyberattack since the start of the pandemic. Paired with the fact that just over a third of respondents are frequently stopping simulated attacks, these trends illuminate the security fallout caused by the remote work shift, tighter budgets and increasingly sophisticated attack techniques,” said Steve Moore, chief security strategist, Exabeam.
“These red team/blue team exercises can be valuable proof points when presenting budgetary and technological needs to the C-suite and board to help keep up with these changes. While there is always room for teams and security postures to mature, it is extremely encouraging that so many companies are regularly performing these tests to identify their weak spots and shore up their defenses.”
In addition to threat detection, incident response and flexibility, communication and teamwork (41 percent), knowledge of threats/tactics (38 percent) and persistence (20 percent) were also listed as valuable skills blue teams should focus on.
A Security Information and Event Management (SIEM) solution collects and analyzes activity from numerous resources across your IT infrastructure. A SIEM can provide information of critical importance, but how do you find one that fits your organization?
To select an appropriate SIEM solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals in order to get insight to help you get started.
Jae Lee, Senior Director, Elastic Security
SIEM is a mature product category and continues evolving. However, SIEM needs to enable teams to evolve, as SecOps transforms from “traditional” to “adaptive.”
Let’s start with people — traditional skillsets are based on tools (e.g., vulnerability, firewall, IDS/IPS, etc.), but broader skillsets are needed to help practitioners adapt quickly. Manipulating and analyzing data, performing collaborative research, understanding adversaries/tradecraft — SIEM must help augment and develop these skillsets.
Next is process — with improved skills, alerts no longer rule (unless allowed to), and pre-defined, static SOPs / playbooks alone are not enough. Teams now require real-time analysis to hunt — including performing research, reverse-engineering and simulating threats, and more. Context is everything. Hunting and operationalizing effectively requires full visibility — not in a separate tool, but within the SIEM.
Finally, technology. Full visibility isn’t just broad coverage, but fast insights. Also, detections need to work OOTB. Consider endpoint — there, OOTB detections have high accuracy. The same principle should apply in SIEM, without requiring every analyst to be an expert rule author. SIEM isn’t just “technology” — it needs real-world-validated security content.
As SecOps matures, major investments are often required for the care and feeding of a SIEM. You have to stop threats and justify your investment. Give yourself the runway to be confident that once deployed the SIEM can meet your fast-evolving needs, and ask hard questions around scale and flexibility — from detections to integrations, to deployment options, to pricing metrics.
Christopher Meenan, Director, QRadar Product Management and Strategy, IBM Cloud and Cognitive Software
The first thing to think about is what use cases you need to address. Your requirements will look very different depending on whether you need to secure your organization during a cloud transformation, build a unified IT and OT security operations program, or simply address compliance. Your use cases will drive requirements around integrations, use case content, analytics, and deployment methods.
Ask the vendors how they can help address your requirements. Understand which integrations and use case content are included, versus which require a separate license or custom development. Understand what analytics are available and how those analytics are used to detect known and unknown threats. Ask what frameworks, such as MITRE ATT&CK, are natively supported.
If you’re like most companies, your team is understaffed – which means you need usable products that help shorten the learning curve for new analysts and make your experienced team members more efficient. Ask how each solution measurably increases efficiency during the detection, investigation and response processes. Also ask about SaaS deployments and MSSP partnerships to reduce ongoing management requirements.
Most importantly, don’t be shy. Ask for a proof of concept to make sure the tools you’re considering will work for you.
Stephen Moore, Chief Security Strategist, Exabeam
The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organizational alerts they receive in a day and that complexity – coupled with the inherent difficulties of detecting credential-based attacks – means many SOC analysts now experience several pains that traditional SIEMs can’t solve, including alert fatigue, a lack of skilled analysts and lengthy investigation times.
Many organizations are now migrating their SIEM to the cloud, which allows analysts to harness greater compute power, sift through, interpret and operationalize SIEM data. Now more of their time is spent finding bad things versus platform and server support. But to choose the right SIEM for ‘the business’ you need to consult with it. You need to align its capabilities to the goals, concerns and expectations of the business – which will undoubtedly have changed over the last few months. Above all else, this requires taking the time to ask the questions.
Then, make choices based on known adversary behavior and breach outcomes – focusing specifically on credentials – ensuring your platform is adversary adaptable and object centered. Ask, will it improve your time to answer (TTA) questions, such as ‘which account or asset is associated with this alert?’ or ‘what happened before, during, and after?’
Finally, any solution needs to help your SOC analysts focus on the right things. Key to this is automation – both in the form of incident timelines that display the full scope, acting as the storyboard of the incident, as well as an automated incident response capability for when action must be taken to return the environment to normal. Providing automation of the necessary investigation steps is the most important thing an incident responder can have so they may take action faster and most importantly minimize the risk of an incomplete response.
Wade Woolwine, Principal Security Researcher, Rapid7
While the term SIEM has “security” as the very first word, event and log management isn’t just for security teams.
When organizations look to invest in a SIEM or replace an existing SIEM, they should consider use cases across security, IT/cloud, engineering, physical security, and any other group who may benefit from a centralized aggregation of logs. Once the stakeholders have been identified, documenting the specific logs, their sources, and any use cases will ensure the organization has a master list of needs against which to evaluate vendors.
Organizations should also recognize that the use cases will change over time and new use cases will be implemented against the SIEM, especially within the security team. For this reason, organizations should also consider the following as hard requirements to support future growth:
- Support for adding and categorizing custom event sources by your own team
- Support for cloud based event sources
- Field-level searching with advanced cross-data-type search functionality and regular expression support
- Saved searches with alerting
- Saved searches with dynamic dashboard reporting
- Ability to integrate threat feeds
- Support for automation platform integration
- API support
- Multi-day training included with purchase
Jesper Zerlang, CEO, LogPoint
As the complexity of enterprise infrastructures is increasing, a key component of a Modern SIEM solution is the ability to capture data from everywhere. This includes data on-premises, in the cloud, and from software, including enterprise applications like SAP. In today’s complex threat landscape, a SIEM that fully integrates UEBA and allows enterprises to relevantly enhance security analytics instantly is an absolute necessity.
The efficiency of your SIEM solution is entirely dependent on the data you feed into it. If the license model of a SIEM solution relies on the volume of data ingested or the number of transactions, the cost will be ever-increasing due to the overall growth in data volumes. As a consequence, you may select to skip SIEM coverage for certain parts of your infrastructure to cut costs, and that can prove fatal.
Choose a SIEM with a license model that supports the full digitalization of your business and allows you to fully predict the future cost. This will ensure that your business needs are aligned with your technology choices. And last but not least: select a SIEM solution that has documented short time-to-value and complete your SIEM project on time. SIEM deployments, whether initial implementation or a replacement, are generally considered complicated and time-consuming. But they certainly don’t have to be.
Exabeam’s 2020 State of the SOC Report reveals that 82% of SOCs are confident in the ability to detect cyberthreats, despite just 22% of frontline workers tracking mean time to detection (MTTD), which helps determine hacker dwell time.
Compounding this unfounded confidence, 39% of organizations still struggle with SOC staff shortages and finding qualified people to fill the cybersecurity skills gap.
The survey, conducted among 295 respondents across the U.S., the U.K., Canada, Germany and Australia, was also fielded to determine how analysts and SOC management view key aspects of their operations, hiring and staffing, retention, technologies, training and funding.
“From 2018-2019, we learned that dwell time – or, the time between when a compromise first occurs and when it is first detected – has grown. Based on this, it is surprising for SOCs to report such inflated confidence in detecting cyberthreats,” said Steve Moore, chief security strategist at Exabeam. “We see great progress in the SOC with attention paid to employee well-being, measures for better communication and more. However, disparate perceptions of the SOCs’ effectiveness could be dangerously interpreted by the C-suite as assurances that the company is well-protected and secure, when it’s not.”
Highlighting the imbalance is that SOC leaders and frontline analysts do not agree on the most common threats facing the organization. SOC leaders believe that phishing and supply chain vulnerabilities are more important issues, while analysts see DDoS attacks and ransomware as greater threats.
Small- and medium-sized teams especially are more concerned with downtime or business outage (50%) over threat hunting as an operational metric, yet threat hunting stands out as a must-have hard skill (61%). Other prominent findings include:
- SOC outsourcing in the U.S. has declined YoY (36% to 28%).
- U.K. outsourcing had a YoY increase (36% to 47%).
- Germany reported 47% outsourcing, primarily of threat intelligence services.
- Australian SOCs struggle in most categories and need improvement in technology updates, monitoring events and responding to/analyzing incidents.
In general, monitoring and analytics, access management and logging are higher priorities this year for all SOC roles.
- More than half of SOCs were found to log at least 40% of events in a SIEM.
- The U.K. utilizes logging the most, compared with geographic counterparts.
- SOCs are least able (35%) to create content, the skill around the creation of detection logic, validation, tuning and reporting.
To support this, most SOCs expect to see security orchestration, automation and response (SOAR) tools take precedence over other technologies in upcoming years.
SOC staff shortages
The U.S. and the U.K. SOCs have shown YoY improvements in recruiting costs and identifying candidates with the right expertise. Workplace benefits, high wages and a positive culture were this year’s top drivers for retention in nearly 60% of SOCs. Notably, there remain challenges:
- 23% of SOC personnel across the U.S. and 35% across Canada report being understaffed by more than 10 employees.
- 64% of frontline employees in the SOC reported a lack of career path as a reason for leaving jobs.
- Less effective SOCs reported feeling they lacked the necessary investment in technology, training and staffing to do their jobs well.
Exabeam, the Smarter SIEM company, announced a significant performance milestone with Exabeam SaaS Cloud contributing more than half of Q1 FY21 new and add-on recurring revenue, signaling an accelerated transition of its business to the cloud.
This momentum has been built on consistent improvements to Exabeam’s cloud-first product and partner strategy, including the recent announcements of the Exabeam Cloud Platform and Google Cloud Security Partner status.
With organizations quickly deploying collaboration and virtual meeting apps to ensure business continuity and productivity in today’s work-from-home reality, Exabeam has also announced support for the collection of logs from Zoom, further supporting security teams’ need to carry out their investigations across a diverse environment.
This new log source is included as part of the existing Exabeam Cloud Connectors solution. Clients who are already leveraging Cloud Connectors today will be able to ingest Zoom logs at no additional cost.
In addition to Zoom, Exabeam has extended its range of Exabeam Cloud Connectors to reliably collect logs from over 40 cloud services into Exabeam Data Lake, Exabeam Advanced Analytics, and any other security information and event management (SIEM) solution, providing visibility into cloud services from Workday, Ping Identity, Cloudflare and Fidelis.
Underlining its commitment to cloud-first organizations, Exabeam has also released a free trial of Exabeam SaaS Cloud, a powerful cloud security architecture that ingests and behaviorally analyzes data from any cloud or on-premises data source.
The availability of a trial version will enable organizations to experience first-hand the benefits of a proven platform that allows analysts to collect unlimited log data, use behavioral analytics to detect and investigate attacks, and automate incident response.
“Achieving this performance milestone underlines our impressive recent momentum across sales and new product launches, with Exabeam products now available from 15 locations worldwide,” commented Shahar Ben-Hador, VP of product management at Exabeam.
“The broad extension of Exabeam Cloud Connectors and our status as a Google Cloud Partner provide further validation of our commitment to meet the security needs of businesses across the cloud economy.”
Research validates value of a cloud-first security strategy
With recent research revealing that many companies are beginning to migrate security tools to the cloud, a significant number still have concerns over data privacy, unauthorized access, server outages and integration.
The study underlines why visibility into cloud services is now vital and validates the strategy of organizations that are now taking a cloud-first approach to security.
“Security teams must increasingly adapt to IT strategies that are moving more solutions to the cloud,” said Oseloka Obiora, director of operations, RiverSafe. “Exabeam’s technology and experienced team offer significant benefits for organizations compared to on-premises solutions – not the least of which is delivering initial time-to-value through a smarter SIEM.”
“After reviewing the market and a number of providers, we chose Exabeam to champion our vision of maximizing what the cloud offers as it relates to our security program,” said Marc Crudgington, chief information security officer, Woodforest National Bank.
“Exabeam’s SaaS-based SIEM means we have no infrastructure or system operations to manage. A cloud-first approach gives our team efficiencies instead of overburdening them with operational management tasks; they can now focus on strategic security initiatives that continue to mature our enterprise’s cybersecurity program.”
British low-cost airline group EasyJet revealed on Tuesday that it “has been the target of an attack from a highly sophisticated source” and that it has suffered a data breach.
The result? Email addresses and travel details of approximately 9 million customers, and credit card details (including CVV numbers) of 2,208 customers, were accessed.
How did the attackers manage to breach EasyJet?
EasyJet’s official notice about the incident did not say when it happened, but the company told the BBC that it became aware of the breach in January and that the customers whose credit card details were stolen were notified in early April.
They also did not say how the attackers got in, only that it seems that they were after “company intellectual property.” Grabbing customer info might have been an afterthought or a secondary goal, then.
Richard Cassidy, senior director security strategy at Exabeam, says that, looking at recent breaches in the aviation industry, the tactics, techniques and procedures (TTPs) being used are largely the same ones that have led to significant breaches in other industries.
“Attackers need credentials to access critical data – we can be certain of this – and often it is social engineering techniques that reveal those credentials. They then laterally move through systems and hosts to expand their reach and embed themselves within the infrastructure, providing multiple points of entry and exit. If an attacker can achieve this – as we are seeing here – it is then a case of packaging and exfiltrating critical data,” he added.
“Some airlines are doing it right – implementing state-of-the-art behavioural analytics technologies that learn the normal behaviour of the network and immediately notify the security team when anomalies occur. Many, however, still need to understand that there is a better way to manage security, risk and compliance requirements and it most certainly is not ‘what we’ve always done’. In an industry that has defined ‘automation’ and ‘process efficiencies’, applying the same to Information Security would quite literally revolutionise their ability to detect, respond and mitigate against the largely traditional raft of attack TTPs we’ve seen targeted at aviation this past decade.”
Professor Alan Woodward of the University of Surrey noted on Twitter (@ProfWoodward, May 19, 2020) that the stolen credit card information might have been the result of a Magecart attack.
It would not be the first time for an airline to be targeted by Magecart attackers – British Airways was hit in 2018.
Advice for affected customers
“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO [the UK’s data protection watchdog], we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” said EasyJet Chief Executive Officer Johan Lundgren.
“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”
Unsolicited communications may take the form of fake invoices, refund offers, requests for additional data, and so on.
“Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website,” advised Tim Sadler, CEO, Tessian.
“Cybercriminals have not missed a trick to capitalize on the COVID-19 crisis, and we’ve seen a huge increase in the number of cyber attacks and scams during this time. The travel industry especially has been severely impacted by COVID-19, and there’s no telling how much more damaging this cyber breach will be to EasyJet’s future. Moving forward, organisations should prioritise security protocols, implement sophisticated protection software, and ensure all employees are aware of security best practices, and carrying them out at all times.”
The UK National Cyber Security Centre (NCSC) has advised affected customers to:
- Be vigilant against any unusual activity in their bank accounts, or suspicious phone calls and emails asking them for further information
- Change their password on their EasyJet accounts (and on other accounts that share the same password)
- Check whether their account has appeared in any other public data breaches
- Depending on their nature, report any fraud attempts to the police, the NCSC, and their bank’s fraud department
As most of the UK’s cybersecurity workforce now sits at home isolated while carrying out an already pressurised job, there is every possibility that this could be affecting their mental health.
In light of Mental Health Awareness Week, and as the discussion around employee wellbeing becomes louder and louder amidst the COVID-19 pandemic, we spoke with five cybersecurity experts to get their thoughts on how organisations can minimise the negative mental and physical impacts on newly-remote employees.
Remote but not alone: the power of communication
“In the current global situation, focusing on mental health is more important than ever,” says Agata Nowakowska, AVP at Skillsoft. “Now is the time to raise the profile of workplace wellbeing – even though our understanding of the physical workplace has shifted dramatically. Employers need to take workplace wellbeing virtual – meeting the needs of all employees, wherever they are and whatever environment they are in. Even if this is just regular check-ins – whether by phone or video call – everything you do as an employer makes a difference.
“Employee wellbeing should be a strategic priority for organisations, particularly given the uncertainty we’re all facing. Being supportive and lending a hand when employees need it will not just nurture their mental health, but the fundamental health of your organisation as a whole.”
Rob Shaw, Managing Director, EMEA, Fluent Commerce, adds: “Statistics reveal that 1 in 6 of us will have experienced a mental health problem in the past week alone. The importance, therefore, of ensuring discussions about an illness that will affect so many of us, remains in the spotlight cannot be underestimated. We all have our part to play.
“As an employer there are many things we can do to look after our team’s mental wellbeing. First and foremost is creating a culture where employees can talk openly about how they’re feeling without fear of repercussion. From online resources, having dedicated chat platforms where employees can share concerns, to having a qualified staff Mental Health First Aider, the range of things an employer can do to support employee’s health is vast.”
Protect employees by protecting valuable data
“With the COVID-19 pandemic causing devastation across the world, businesses in every industry are quickly having to adapt to a new working style,” says Krishna Subramanian, COO at Komprise. “Some technologies are getting more attention than others at the moment, such as video conferencing tools like Zoom, but there are other technologies that can make a huge impact on employee wellbeing too. With so many employees connecting from home, keeping data safe and secure at all times is a much bigger concern, so generating a cyber resilient safe copy of your business data in a separate location that is not subject to attacks is very important.
She continues, “implementing data management solutions that can help you create what is essentially an “air-gap” cyber resiliency solution to protect your data will give peace-of-mind to your employees, and help them focus on the job at hand.”
“A data breach can happen at any moment, demanding the attention and expertise of cybersecurity professionals,” adds Samantha Humphries, Security Strategist at Exabeam. “It’s an ‘always on’ profession, and there is an unspoken expectation for security teams to work excessive hours, but this leaves many with the inability to ‘switch off’ when they leave the office. Even the most hardened security professional cannot outrun this in the long term; it will inevitably take a toll on their health and personal lives… and this was before lockdown.
“Current events have introduced a whole new level of unprecedented pressure. We have seen the number of data breaches, compromised video-conferencing and COVID-19 related phishing scams soar. In addition, working from home for many individuals also means balancing parenting and home-schooling with their professional responsibilities. In any job, it would be easy to feel overwhelmed by the situation. For our friends in security, it’s a formidable task.”
Promote an honest and open employee culture, both from home and the office
“Encourage employees to take the tough decisions for an easy life when it comes to managing sometimes unrealistic workloads,” says Rob Mellor, VP & GM EMEA, WhereScape. “Honesty also applies to our mental wellbeing that keeps us happy and focused. If appropriate, it can be useful to know about issues that affect performance at work, so managers must make it clear that they’re available to talk.
“As long as organisations continue to make progress in promoting mental fitness, no matter how slow that improvement might be, they are making the move in the right direction. During Mental Health Awareness Week I would like to encourage organisations to share tips and technology that have enabled their progress through social media, websites, Slack groups and other channels.”
Sam Humphries concludes: “I would like to remind our valued security teams that they are not alone. Check in with one another, engage positively with the rest of your organisation and listen to one another. A simple phone call and an understanding tone goes a long way. For those relying on the cybersecurity team – make them feel valued and supported. Particularly for us Brits who tend to ‘suffer in silence’ – stress and isolation doesn’t have to be a battle fought alone. Honest and transparent communication will help provide more certainty in these uncertain times. We all have a role to play in this – make sure you stay connected and kind.”
With the help of initiatives like Mental Health Awareness Week, the conversation around mental health in the workplace is gaining momentum each year. This week is a good reminder for employers to help relieve workplace stressors and to prioritise their number one asset: their people.
Marriott International has suffered a new data breach, dating back to mid-January 2020, which affected approximately 5.2 million guests.
What information was compromised?
According to the incident notification published on Tuesday, the attackers gained access to an application that hotels operated and franchised under Marriott’s brands use to help provide services to guests, by compromising and using the login credentials of two employees at a franchise property.
The breach was identified at the end of February 2020, and the company believes it dates back to mid-January 2020.
Contact details, loyalty account information, additional personal details (e.g., company, gender, birthday day and month), partnerships and affiliations (e.g., linked airline loyalty programs and numbers) and stay and language preferences of some 5.2 million guests have been compromised.
“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” Marriott International stated.
“Upon discovery [of the compromise], we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
Marriott International 2020 data breach: Potential consequences
The company has offered personal information monitoring services for some affected customers, has reset their Marriott Bonvoy (loyalty program) account password, and has warned them about the possibility that the compromised information may be used by criminals to “phish” additional sensitive information from them.
The phishing warning was echoed by several security experts.
“From what we know of the information exposed, this is the kind of data that provides good, raw material for cybercrime — exposed personal data is used for anything from generating phishing campaigns to targeted business email compromise,” Tyler Carbone, Chief Strategy Officer at digital risk protection provider Terbium Labs, told Help Net Security.
“Because employer affiliation is also exposed here, again, we can expect to see an uptick of attacks of this kind against the businesses whose employees’ data were compromised here. What’s been exposed here is data that enables certain kinds of attacks, as well as a list of companies those attacks can be directed toward. This illustrates exactly why it’s so important for all companies to understand and monitor for exposed data — when other companies have breaches, that exposed data makes future breaches of other companies more likely, and so on.”
Dylan Owen, senior manager for cyber services at Raytheon, added that information about travel and specifically travel patterns can be used for intelligence gathering purposes by many adversaries.
Potential consequences for Marriott International
Kelly White, CEO of RiskRecon, noted that this breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring.
“Either of these would have either prevented the breach by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior,” he added.
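The user-account activity monitoring White refers to can be as simple as comparing each account's daily guest-record lookup volume against its own baseline. The following is an added example written for this article (not Marriott's or any vendor's code); the log format, account names and thresholds are constructed assumptions.

```python
"""Flag application accounts whose daily guest-record lookups are far above
their own baseline. Added example; log format and thresholds are constructed."""
from collections import defaultdict
import re
import statistics

# Assumed log line format: "<ISO timestamp> account=<id> action=guest_lookup guest_id=<id>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ account=(\S+) action=guest_lookup guest_id=\S+$")


def daily_lookup_counts(lines):
    """Count guest-record lookups per account per calendar day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other actions or malformed lines are ignored
        day, account = m.groups()
        counts[account][day] += 1
    return counts


def flag_anomalous_accounts(counts, factor=20, floor=500):
    """Return (account, day, count, baseline) for days where an account's lookups
    exceed an absolute floor AND `factor` times its median on all other days.
    The floor stops a quiet account being flagged for a handful of lookups."""
    flagged = []
    for account, per_day in counts.items():
        for day in sorted(per_day):
            others = [c for d, c in per_day.items() if d != day]
            baseline = statistics.median(others) if others else 0
            n = per_day[day]
            if n >= floor and n > factor * max(baseline, 1):
                flagged.append((account, day, n, baseline))
    return flagged


def build_sample_log():
    """Constructed sample: two front-desk accounts with normal daily volume,
    one of which then bulk-pulls 5,000 guest records in a single night."""
    lines = []
    for day in range(10, 20):
        for i in range(40):  # normal: about 40 lookups per account per day
            lines.append(f"2020-01-{day}T09:{i:02d}:00Z account=fd-prop-0421 action=guest_lookup guest_id=G{day}{i:03d}")
            lines.append(f"2020-01-{day}T10:{i:02d}:00Z account=fd-prop-0588 action=guest_lookup guest_id=G{day}{i:03d}")
    for i in range(5000):  # spike from one account outside business hours
        lines.append(f"2020-01-20T02:{i % 60:02d}:{i % 60:02d}Z account=fd-prop-0421 action=guest_lookup guest_id=G9{i:05d}")
    return lines


if __name__ == "__main__":
    for acct, day, n, base in flag_anomalous_accounts(daily_lookup_counts(build_sample_log())):
        print(f"ALERT {acct} {day}: {n} guest lookups (median on other days {base:.0f})")
```

In production the baseline would come from a longer history and the alert would feed the same pipeline that disables the credentials; the point is that a per-account volume check is cheap and would have surfaced a lookup pattern of this scale.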
Samantha Humphries, security strategist at Exabeam, noted that if there is something positive to say about this breach notification, it’s that Marriott’s security team seems to have minimised the attacker’s dwell time to a little over a month.
“While still significant, 5.2 million compromised guests is a drastic reduction from almost half a billion the last time this organisation identified an attack. Despite this improvement – if we can call it that – whether the organisation did enough to shore up its security posture after the last breach will certainly be called into question,” she added.
As a reminder: Marriott International, which operates hotels and lodging facilities under different brands (Marriott, Starwood, Ritz-Carlton, Le Méridien, etc.), revealed in late 2018 that the Starwood network had been accessed without authorization since 2014 and that an unauthorized party had copied the contents of the Starwood guest reservation database.
In July 2019 the U.K. Information Commissioner’s Office announced its intention to fine Marriott International a little over £99 million for infringements of the GDPR, but the final decision has yet to be made.
“For Marriott, this breach will likely mean another round of expensive disclosures, and possible legal action. It will also mean an increased cost in fraud and misuse going forward, for any guests whose personal information is used to compromise Marriott itself in the future (fraudulent or erroneous reservations, upgrades, etc.),” Carbone pointed out.
“For businesses generally, we can expect this data to recirculate, creating more criminal activity against other businesses, and, in turn, other possible data breaches, if any of the exposed data here enables another attack in the future to be successful.”
The survey highlights data privacy, unauthorized access, server outages and integration as key concerns.
Not everyone has migrated to the cloud yet
The survey shows a mixed picture when it comes to firms migrating security tools to the cloud. While just over half of respondents (52 percent) began migrating to cloud-based security products during or before 2018, around a fifth (18 percent) waited until 2019, three percent started in 2020, 13 percent have not yet started and the remainder don’t know when they’ll migrate.
Of those that have started their migration, over half (58 percent) have migrated at least one quarter of their security tools to the cloud, while one third (33 percent) said more than 50 percent of their security tools are now cloud-based.
Typically, organizations migrate security tools to the cloud to minimize the resources and overhead associated with owning and maintaining on-premises equipment and software. This means security teams can avoid system sizing, maintenance, uptime management, and product upgrades.
Reducing engineering effort to deploy and maintain new solutions allows security analysts to complete tasks faster and frees engineers up to focus on other projects.
The survey results support this, with improvements in monitoring and tracking of attacks (29 percent) and reduced maintenance (22 percent) considered the most important gains from using cloud-based security tools.
CAPEX reductions (18 percent), faster time to value (17 percent) and access to the latest features (13 percent) are drivers for cloud adoption, but considered less important.
However, when asked what concerns they have about moving security tools to the cloud, data privacy (30 percent) remains high on the list, with unauthorized access (16 percent), server outages (14 percent), integration with other security tools (14 percent), and data sovereignty (13 percent) also being raised.
Lack of understanding about migration
While 22 percent stated migration to the cloud was not a priority for their organization, the results suggest a lack of understanding about the migration issue as a whole. Around a third (32 percent) said they did not know what concerns their organization has about moving security tools to the cloud.
Furthermore, although about a third (32 percent) of respondents consider it too difficult or too risky to migrate security tools to the cloud, respondents were split on approach: 46 percent prefer to migrate legacy products to the cloud, while 54 percent would rather replace legacy on-premise products with new cloud-native security tools.
Organizations are protecting a variety of data types with cloud-based security tools, with email the most widely protected (22 percent), followed by customer information (21 percent), file-sharing (20 percent) and personnel files (18 percent). However, few organizations (12%) have extended cloud-based security to protecting corporate financial information.
“I think regardless of what security teams want, their monitoring and response tools will follow where organizations are moving their infrastructure for business services. Ultimately, security teams might have opinions, but they really don’t have a choice. They need to operate in a way that enables the business to function, grow, and profit. That said, if history has proven anything, it is the continuous, multi-decade ebb and flow between centralized and distributed computing and cloud is the next phase of that iteration. Ultimately, security teams need to be flexible in order to be able to integrate and interoperate both their cloud and non-cloud security tools and be in a position to enable the business to deliver capabilities and services where it is best for the business – not exclusively what is good for security,” Swimlane CEO, Cody Cornell, told Help Net Security.
“If the recent events are any proof of the security impacts to the security visibility of centralized vs distributed workforces, a lot of organizations that felt they were well-positioned to secure their users and devices have been caught flat-footed as their ability to gather security information from the endpoints and network perimeters has evaporated, depending on some of the infrastructure decisions and assumptions they’ve previously made. If distributed workforces are the new normal, technologies that can be both cloud-deployed and managed have some obvious advantages in that they don’t lose visibility when endpoint data and the perimeter (e.g. traditional versus newer DNS, Proxy, Browser Isolation, & CASB solutions) telemetry are no longer available for detection and response.”