The JPMorgan Chase data breach rocked headlines early this month as the latest in a series of security breaches hitting nearly a dozen financial companies in 2014 alone. The news also follows similar breach disclosures from Target, Home Depot, Albertsons and others.
The massive security breach compromised 76 million households and seven million small business accounts. As a result, the bank will no doubt spend millions of dollars over the next few months repairing the extensive damage and working to restore its reputation.
The Bad News: An Inherent Flaw in Information Security Architectures
As if the sheer reach of the JPMorgan Chase breach itself isn’t bad enough, it spotlights an inherent flaw with most modern information security architectures. Specifically, state-of-the-art “prevention” technologies are not 100 percent foolproof for detecting and blocking persistent attackers.
Several industry analyst firms—like Gartner, for example—recognize that decades of information security prevention systems have failed to produce an architecture that can stop committed attackers, and in response, they’re making a dramatic shift in their recommendations to security practitioners.
The Good News: Early Breach Detection
The good news—and yes, there is good news—is that JPMorgan Chase was able to identify the network breach and remove the offending malware before any highly-compromising confidential data was stolen and before irreparable harm was done to customer accounts.
According to a filing made by JPMorgan Chase with the U.S. Securities and Exchange Commission, only names, addresses and emails were exfiltrated in the breach. No money was taken, and no account information such as credit card numbers, passwords or Social Security numbers was stolen.
Considering many of the other recent breaches in which highly confidential customer information was stolen, this is a success. While a network breach is never good, JPMorgan Chase was able to stop the data exfiltration before it reached a scale that would have caused irreparable harm to customer accounts and corporate brand equity.
Taking Down the Bad Guys
Organizations have a lot to learn from JPMorgan Chase on how it caught the attackers before they were able to cause significant damage. There are also several noteworthy lessons learned in understanding why the financial institution’s experience was so different from Target’s disastrous breach, which resulted in the loss of 40 million customer credit cards.
There are a handful of large and highly profitable organizations—like JPMorgan Chase—that have vast resources dedicated to information security. With billions of dollars of annual IT budgets, these elite organizations can afford to buy the latest and greatest network logging and security analytics products, and hire large groups of security analysts to filter through and triage the hundreds and thousands of false positive alerts that are generated daily by these products. Wading through all of these alerts takes a considerable amount of time and can consume a team of analysts full-time.
Target’s much smaller security team, on the other hand, wasn’t able to keep up with the high volume of alerts being generated by its security infrastructure, which involved many of the exact same technologies used by JPMorgan Chase. It’s well-documented that Target had deployed many state-of-the-art security products in its network that produced numerous alerts that a breach was occurring — very similar to the situation at JPMorgan Chase. The problem is that those alerts were buried within thousands of other simultaneous “false positive” alerts, making it extremely difficult for Target’s much smaller security staff to react and take action. Mainstream security products, including intrusion detection systems (IDS), sandboxing and security information and event management (SIEM) solutions, are all known to create very high ratios of false positives—sometimes on the order of thousands per day.
The poor signal-to-noise ratio of these products is due to two factors. First, they only see attempts by malware to enter the network through links within web pages and files within emails—not actual compromises, where users take action that initiates a real breach (clicking on links and downloading files). Second, these products typically employ “correlation” algorithms that send alerts when they see behavior remotely resembling typical attack patterns, without any certainty that it is an actual attack. As a result, these systems produce an extremely high ratio of insignificant alerts relative to actual, confirmed breaches of network hosts (i.e. a poor signal-to-noise ratio). For these reasons, a large percentage of IDS, SIEM and related products deployed today cannot be used to take action, and instead serve primarily to meet compliance regulations and for “CYA” purposes.
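To make the “attempts versus actual compromises” distinction concrete, here is an added illustration (not code from the original post or from any vendor it mentions) of a simple triage rule: a gateway or IDS “attempt” alert is escalated only when the same host shows confirming endpoint evidence within a correlation window, and attempt-only alerts are suppressed as noise. The event model, the 30-minute window and the sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical alert model (added illustration, not from the post): an "attempt"
# is a gateway/IDS sighting of a lure; a "host_confirm" is endpoint evidence
# that a user acted on it (payload executed, beacon-like outbound connection).
@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "attempt" or "host_confirm"
    detail: str

WINDOW = timedelta(minutes=30)   # assumed correlation window

def triage(events, window=WINDOW):
    """Escalate an attempt only if the same host shows confirming evidence
    within `window`; attempt-only alerts are suppressed as noise."""
    attempts = [e for e in events if e.kind == "attempt"]
    confirms = [e for e in events if e.kind == "host_confirm"]
    escalated = []
    for a in attempts:
        match = next((c for c in confirms
                      if c.host == a.host and a.ts <= c.ts <= a.ts + window), None)
        if match:
            escalated.append((a, match))
    return escalated

def noise_reduction(events, window=WINDOW):
    """Fraction of attempt alerts an analyst no longer has to look at."""
    n = sum(1 for e in events if e.kind == "attempt")
    return 1.0 - len(triage(events, window)) / n if n else 0.0

# Constructed sample: four phishing sightings, one real compromise, one stale match.
T0 = datetime(2014, 10, 1, 9, 0)
SAMPLE = [
    Event(T0, "ws-001", "attempt", "phishing link in mail"),
    Event(T0, "ws-002", "attempt", "phishing link in mail"),
    Event(T0, "ws-003", "attempt", "phishing link in mail"),
    Event(T0, "ws-004", "attempt", "phishing link in mail"),
    Event(T0 + timedelta(minutes=5), "ws-003", "host_confirm", "downloaded file executed"),
    Event(T0 + timedelta(hours=2), "ws-004", "host_confirm", "outbound connection to new domain"),
]

if __name__ == "__main__":
    for a, c in triage(SAMPLE):
        print(f"ESCALATE {a.host}: {a.detail} -> {c.detail} at {c.ts:%H:%M}")
    print(f"attempt alerts suppressed: {noise_reduction(SAMPLE):.0%}")
```

The late host event on ws-004 falls outside the window and stays suppressed, which is the trade-off any such rule makes between noise reduction and missed slow-burn compromises.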
The Silver Lining
The contrasting experiences of the JPMorgan Chase and Target data breaches illustrate the critical need for technology architecture to evolve within the information security industry in order to stay ahead of the bad guys.
Security vendors and practitioners need to develop better products and processes that automate ongoing analytical tasks, similar to the actions taken by JPMorgan Chase’s security analysts. Products need to more accurately identify known breaches and eliminate the huge volume of noise produced by traditional security defense infrastructure. Organizations also need to eliminate the information overload that typically paralyzes lesser staffed security teams, and replace it with actionable information that they can use to remediate known attacks, reduce dwell time and minimize data loss exposure.
There’s a long way to go to ensure that the vast majority of enterprise security practitioners avoid catastrophic data breaches and drive outcomes similar to JPMorgan Chase. Until new approaches and techniques come to market, an increasing number of organizations will continue to experience damaging breaches.
The silver lining of the JPMorgan Chase attack is that it gives the industry hope that proactive measures can stop an attacker before a breach drives catastrophic results. Now, it’s up to organizations to make those proactive measures work for them.
*This post originally appeared in Wired.