The JPMorgan Chase Breach: Could There be Something Good?
It’s hard to admit that anything good came out of the recent massive data breach at JPMorgan Chase, which compromised 76 million households and 7 million small business accounts. And the same could be said of the other recent breach disclosures from Target, Home Depot, Albertsons, and almost a dozen financial companies in 2014.
The good news is certainly not the millions of dollars the bank will likely be spending over the next few months to repair the damage and restore its reputation. So, what could possibly be good?
The Bad: A Deep-Seated Information Security Architecture Weakness
First, the bad news.
As if the mere scale of the JP Morgan Chase breach isn’t bad enough, it highlighted a deep-seated flaw in today’s information security architectures: the illusion that intrusion prevention technologies – advanced though they may be – can detect and deflect 100% of attacks by persistent attackers.
Industry gurus like Gartner agree: information security has definitively failed in the past several decades to create an architecture that can stop a truly committed attacker. That’s why they’ve recently made a dramatic shift in what they’re recommending to their security clients.
And now we get to the better news.
The Better: Faster Breach Detection
The better news in the JPMorgan Chase breach was that they caught it early.
Their security teams identified and removed the malware at the source of the breach before seriously compromising confidential data was stolen. According to their filing with the U.S. Securities and Exchange Commission, only names, addresses and emails were exfiltrated in the JPMorgan Chase breach; no money or account information such as credit card numbers, passwords or social security numbers was stolen.
Why is this good? Firstly, if we take into account the numerous recent breaches that have resulted in highly-confidential customer information being stolen, JPMorgan Chase was actually a network security success, since they managed to shut down the data exfiltration before it caused irreparable harm to their customers and their brand.
More importantly, the JPMorgan Chase breach teaches us how the attackers were caught early on, before real damage was done. This is in sharp contrast to more disastrous recent breaches, like that at Target – where 40 million customer credit cards were compromised.
What JPMorgan Has that Target Doesn’t
Only JPMorgan Chase and a handful of other similarly sized very large enterprises have the resources to fund IT budgets in the billions of dollars, and can afford to fund the large teams of security analysts needed to filter and triage the hundreds or thousands of false positives generated daily by their security infrastructure products.
Conversely, Target’s more humble security team was not able to keep up with the false positives generated by some of the very same state-of-the-art security tools that JPMorgan Chase used. The alerts that could have prevented the theft of 40 million credit cards were there, but they were buried in thousands of false positives, making it nearly impossible for Target’s security staff to take action.
The Good: Strive for Fewer False Positives
And here’s the actual good news that came out of the JPMorgan Chase breach: proactive measures taken in response to some of the security alerts proved effective at stopping an attacker before the breach resulted in catastrophic loss. But the question is: which security alerts can be viably and effectively pursued by the non-JPMorgan Chases of the world?
It’s recognized that mainstream security products like intrusion detection systems (IDS), sandboxing and security information and event management (SIEM) solutions have huge false positive ratios, sometimes thousands of alerts per day. The reason is that these products produce an alert every time they detect the presence of malware or an event that correlates to malicious behavior, not actual active attack behavior. They rely on signatures, correlation algorithms and other static logic that raise an alert whenever they identify behavior that resembles a typical attack pattern, but they cannot be certain that it is an actual attack.
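As an added illustration (example code written for this post, not LightCyber’s product and not code from the original article), the following Python contrasts the static per-event alerting described above with alerting only when one host shows several stages of an active intrusion in kill-chain order; the host names, event types, stage mapping and timestamps are all constructed.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): (timestamp, host, event_type).
# Each mimics one line an IDS, sandbox or SIEM might emit for a "suspicious" match.
SAMPLE_EVENTS = [
    (100, "ws-01", "av_signature_match"),
    (110, "ws-02", "av_signature_match"),
    (120, "ws-03", "port_scan"),
    (130, "ws-04", "av_signature_match"),
    (140, "ws-05", "dns_anomaly"),
    (150, "ws-07", "port_scan"),
    (160, "ws-06", "av_signature_match"),
    (170, "ws-07", "lateral_auth"),
    (180, "ws-08", "av_signature_match"),
    (190, "ws-07", "large_outbound_transfer"),
    (200, "ws-09", "large_outbound_transfer"),
]

# Static logic: one alert for every event that resembles an attack pattern.
def per_event_alerts(events):
    return [(host, etype) for _, host, etype in events]

# Hypothetical kill-chain stage each event type is evidence for, earliest to latest.
STAGE_ORDER = ["recon", "lateral_movement", "exfiltration"]
STAGE_OF = {
    "port_scan": "recon",
    "lateral_auth": "lateral_movement",
    "large_outbound_transfer": "exfiltration",
    "dns_anomaly": "exfiltration",
}

def chained_alerts(events, min_stages=2):
    """Alert on a host only when it shows at least min_stages distinct stages
    whose first occurrences progress in kill-chain order, i.e. active attack
    behaviour, rather than on a lone event that merely resembles one."""
    first_seen = defaultdict(dict)  # host -> stage -> earliest timestamp
    for ts, host, etype in sorted(events):
        stage = STAGE_OF.get(etype)
        if stage and stage not in first_seen[host]:
            first_seen[host][stage] = ts
    alerts = {}
    for host, seen in first_seen.items():
        if len(seen) < min_stages:
            continue
        times = [seen[s] for s in STAGE_ORDER if s in seen]
        if times == sorted(times):  # stages appeared in chain order
            alerts[host] = [s for s in STAGE_ORDER if s in seen]
    return alerts

if __name__ == "__main__":
    print(len(per_event_alerts(SAMPLE_EVENTS)), "per-event alerts")
    print(chained_alerts(SAMPLE_EVENTS), "chained alerts")
```

On the constructed input the static rule yields eleven alerts for an analyst to triage, while the chained rule yields one, naming the stages seen on that host.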
The key differences between the outcomes of the JPMorgan Chase and Target data breaches illuminate the need for technology (like LightCyber’s Magna) that automates the type of analytical tasks that JPMorgan Chase’s massive teams of security analysts conduct. Enterprises of all sizes need cost-effective yet highly-accurate tools that can sift through the noise produced by security infrastructure and identify actual breaches. This is the only way that organizations can eliminate the information overload that paralyzes security teams – creating actionable information that can be used to remediate known attacks, reduce dwell time and minimize data loss exposure.