Today the State of Montana Department of Public Health and Human Services issued an announcement that hackers broke into a server containing sensitive information the state was housing.
It was reported that the breach happened in May, and that the number of records potentially exposed is estimated at 1.3 million.
The fact that they are tracing an attack to a single server compels me to write, not just for the benefit of CounterTack, and not just to say 'I told you so' either. Really, it's yet another example of how organizations simply do not have a visible way to trace behavior when an attack starts.
For compliance purposes, it's clear that the State issued a notification. However, had they had a way to detect behavior that was out of the ordinary, whether inadvertent or potentially malicious, they could have significantly reduced the investigatory cycles for what they might define as an incident.
This breach is representative of so many breaches in the sense that a large amount of data from presumably a single source, a server, was exposed through a successfully executed hack. What's particularly interesting is that whatever data was stored on this server contained the two types of PII you never want exposed: financial and medical.
Based on the information available on this breach, the timeline of the attack on this server suggests there was activity that went unnoticed, potentially exfiltrating data before the server was shut down.
This underscores a three-pronged problem that most organizations face when protecting sensitive data on the endpoint:
1) Data sources, that is, endpoints, are typically the weakest link in any network. When you have data that is accessible internally, or if you aren't monitoring activity across all endpoints, you have no visibility into behavior you might deem unacceptable or malicious.
2) Detecting every attack or small behavior that may or may not carry malicious intent just isn't possible with a single platform. There's an emerging need for a more robust combination of tools to pull the right data. The heavy reliance on network-based detection has put security teams in a difficult position, without any context for what is actually happening on server, laptop, workstation and mobile endpoints.
3) All too often, security teams are either not looking for indicators of compromise on all endpoints, or are monitoring only specific groups. The reality is that organizations need to understand the importance of scaling their coverage of endpoints, which means scaling operationally to support the volume and severity of the attacks they are facing.
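To make the three points above concrete, here is an added illustrative example (not code from CounterTack or from the State of Montana) of the two checks the post is arguing for: a per-endpoint behavioral baseline that flags a window of activity far outside a host's own norm, and an inventory comparison that surfaces endpoints sending no telemetry at all (prong 3). The host names, byte counts and thresholds are all constructed for the example; a real deployment would feed this from an endpoint agent or log pipeline.

```python
"""Per-endpoint behavioral baseline and coverage check.

Added illustrative example, not CounterTack's or any vendor's code.
Each endpoint reports outbound bytes per hourly window. We build a
per-host baseline from its own history, flag the latest window when it
deviates sharply from that baseline, and list inventory hosts that sent
no telemetry at all. Every value below is constructed for the example.
"""
from statistics import mean, pstdev

# Constructed asset inventory: every endpoint we expect telemetry from.
INVENTORY = {"db-srv-01", "file-srv-02", "ws-101", "ws-102", "laptop-17"}

# Constructed telemetry: host -> outbound bytes per hourly window, oldest
# first. The last entry is the window under review. A database server that
# normally pushes ~1 MB/hour suddenly pushing 48 MB is the kind of
# "out of the ordinary" behavior the post says went unnoticed.
TELEMETRY = {
    "db-srv-01":   [1_200_000, 1_050_000, 1_300_000, 1_100_000, 1_250_000, 48_000_000],
    "file-srv-02": [9_000_000, 8_500_000, 9_800_000, 9_100_000, 8_900_000, 9_300_000],
    "ws-101":      [300_000, 250_000, 400_000, 350_000, 280_000, 310_000],
    "ws-102":      [200_000, 220_000, 210_000, 190_000, 230_000, 205_000],
    # laptop-17 is in the inventory but reports nothing: a coverage gap.
}

MIN_HISTORY = 3           # windows needed before a baseline is trusted
Z_THRESHOLD = 4.0         # flag when this many std devs above baseline
MIN_ABS_DELTA = 1_000_000 # ignore small absolute jumps on quiet hosts


def baseline(history):
    """Mean and population std dev of the historical windows."""
    return mean(history), pstdev(history)


def score_window(history, current):
    """Z-score of the current window against the host's own history.

    A zero std dev (perfectly flat history) yields 0.0 when the current
    value matches the mean and +inf when it does not, so a first-ever
    change on a flat host still surfaces.
    """
    avg, sd = baseline(history)
    if sd == 0:
        return 0.0 if current == avg else float("inf")
    return (current - avg) / sd


def flag_anomalies(telemetry, z_threshold=Z_THRESHOLD, min_abs_delta=MIN_ABS_DELTA):
    """Return hosts whose latest window is far above their own baseline."""
    flagged = {}
    for host, windows in telemetry.items():
        if len(windows) <= MIN_HISTORY:
            continue  # not enough history: cannot say what "normal" is yet
        *history, current = windows
        avg, _ = baseline(history)
        z = score_window(history, current)
        if z >= z_threshold and current - avg >= min_abs_delta:
            flagged[host] = {"current": current, "baseline": round(avg), "z": round(z, 1)}
    return flagged


def coverage_gaps(inventory, telemetry):
    """Inventory hosts with no telemetry at all: the unmonitored endpoints."""
    return sorted(inventory - set(telemetry))


if __name__ == "__main__":
    for host, info in flag_anomalies(TELEMETRY).items():
        print(f"ANOMALY {host}: {info['current']} bytes vs baseline {info['baseline']} (z={info['z']})")
    for host in coverage_gaps(INVENTORY, TELEMETRY):
        print(f"NO TELEMETRY {host}: endpoint is in inventory but unmonitored")
```

The point of the per-host baseline is that a 48 MB hour is unremarkable for the file server but wildly abnormal for the database server; a single network-wide threshold would miss one or drown the other. The coverage check is the cheap half of prong 3: you cannot detect on endpoints you are not collecting from, and comparing inventory to reporting hosts shows exactly where that blind spot is.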