What IT Can Learn from Target's Data Breach

[Update, September 15, 2015: The ExtraHop Discovery Edition mentioned at the end of this post is no longer in active development or maintenance, but current license-holders may continue to use all features as described.]

[Update, February 6, 2:42 PM: The security blog Krebs on Security has new revelations concerning the Target breach, including that the hackers may have used the network credentials belonging to an HVAC contractor to gain access to the environment. The blog also quotes a Gartner analyst who estimates that Target may be facing losses up to $420 million as a result of the breach.]

For 19 days during the 2013 holiday shopping season, thieves collected credit and debit card information from 40 million shoppers at Target. The stolen information included everything stored on the card's magnetic stripe—card numbers, customer names, expiration dates, encrypted security codes for credit cards, and encrypted PINs for debit cards. Target's data breach is the second-largest reported ever for the retail industry.

Assume a Data Breach, Then Use ExtraHop

For IT teams, the data breach at Target reaffirms the need for healthy paranoia. Primarily, this means shifting from a protect-the-perimeter stance to an assumption that your systems have already been breached. If you wake up every morning assuming that bad actors—Russian crime syndicates, hacktivists, or disgruntled employees—are already at work inside your network, then you've got the right mindset.

For security-conscious team members across the IT organization, ExtraHop plays a key role in helping to detect and investigate data breaches. Security industry analysis shows that detection and containment processes are shockingly slow and reactive. Verizon's 2013 Data Breach Investigations Report reveals that 66 percent of data breaches go undiscovered for months or longer, as illustrated in the charts below.

[Figure: Timescales of data breaches. In 66 percent of incidents, the breach went undiscovered for a month or longer. Source: Verizon 2013 Data Breach Investigations Report.]

As the report puts it, "Prevention is crucial, and we can't lose sight of that goal. But we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense."

How One Major Retailer Caught a Data Thief with ExtraHop

ExtraHop's wire data analytics can help IT teams detect and contain data breaches faster. While no technology is a cure-all, numerous customers have used ExtraHop to identify anomalous behavior, quickly determine the root cause, and then take remedial action.

One large online retailer uses ExtraHop to monitor the databases at the heart of their popular e-commerce site and applications, handling thousands of transactions per second and storing sensitive customer data. The retailer uses ExtraHop primarily to monitor database performance by passively recording methods and errors, as well as network and server processing time. However, ExtraHop proved to be a critical security forensics tool as well.

The retailer had noticed that some database responses were much larger than the normal <2KB size. To investigate, the IT team modified their ExtraHop analysis in minutes using Application Inspection Triggers, a programmatic interface to the ExtraHop Context and Correlation Engine. Their trigger captured the client IP address, timestamp, user name, and SQL query for every response over 10MB. This revealed that an application server in another datacenter had been compromised. Disabling the user, the IT team stopped the data exfiltration.
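The check the retailer's trigger performed is simple to state: compare every database response against a size threshold, and for anything over it record who asked, from where, when, and what they asked for. The block below is an added example, not ExtraHop trigger code or the retailer's actual trigger, and it does not use the ExtraHop trigger API. It reproduces that logic in plain JavaScript over a constructed set of response records (the field names, addresses, user names and byte counts are all assumptions), then pivots the flagged responses by client and user so the analyst can see at a glance that one source is responsible for the oversized pulls.

```javascript
// Added example (not ExtraHop's trigger API or the retailer's code):
// flag database responses over a size threshold and record the fields the
// post says the trigger captured (client IP, timestamp, user name, query).

const NORMAL_MAX_BYTES = 2 * 1024;              // typical response size from the post (<2KB)
const ALERT_THRESHOLD_BYTES = 10 * 1024 * 1024; // trigger threshold from the post (10MB)

// Constructed sample of passively observed database responses. All values
// are made up for the example; field names are assumptions.
const SAMPLE_RESPONSES = [
  { ts: "2013-12-02T03:14:07Z", clientIp: "10.1.20.15", user: "app_web",
    bytes: 1240, query: "SELECT id, status FROM orders WHERE id = ?" },
  { ts: "2013-12-02T03:14:09Z", clientIp: "10.1.20.16", user: "app_web",
    bytes: 980, query: "SELECT name FROM products WHERE sku = ?" },
  { ts: "2013-12-02T03:15:30Z", clientIp: "10.9.77.42", user: "svc_report",
    bytes: 52428800, query: "SELECT * FROM customers" },
  { ts: "2013-12-02T03:21:02Z", clientIp: "10.9.77.42", user: "svc_report",
    bytes: 73400320, query: "SELECT card_number, expiry, name FROM payment_cards" },
  { ts: "2013-12-02T03:22:11Z", clientIp: "10.1.20.15", user: "app_web",
    bytes: 3100, query: "SELECT * FROM cart WHERE session = ?" },
];

// Return one record per response larger than `threshold`, keeping exactly the
// fields an analyst needs to attribute the pull. The threshold is a parameter
// so the same check can be rerun at the normal-size boundary during triage.
function flagOversizedResponses(responses, threshold = ALERT_THRESHOLD_BYTES) {
  return responses
    .filter((r) => r.bytes > threshold)
    .map((r) => ({
      ts: r.ts,
      clientIp: r.clientIp,
      user: r.user,
      bytes: r.bytes,
      // How far outside the normal envelope this response is.
      timesNormal: Math.round(r.bytes / NORMAL_MAX_BYTES),
      query: r.query,
    }));
}

// Group flagged responses by (client IP, user) so a single compromised host
// pulling many large results stands out as one row rather than many alerts.
function summarizeByClient(flagged) {
  const summary = new Map();
  for (const r of flagged) {
    const key = `${r.clientIp}|${r.user}`;
    const cur = summary.get(key) ||
      { clientIp: r.clientIp, user: r.user, count: 0, totalBytes: 0, queries: [] };
    cur.count += 1;
    cur.totalBytes += r.bytes;
    cur.queries.push(r.query);
    summary.set(key, cur);
  }
  return [...summary.values()].sort((a, b) => b.totalBytes - a.totalBytes);
}

// Stand-alone run: print the per-client summary for the constructed sample.
for (const row of summarizeByClient(flagOversizedResponses(SAMPLE_RESPONSES))) {
  console.log(`${row.clientIp} as ${row.user}: ${row.count} oversized responses, ` +
              `${row.totalBytes} bytes total`);
}
```

On the constructed sample, only the `svc_report` connections from `10.9.77.42` exceed 10MB, which is the kind of single-source pattern that pointed the retailer's team at the compromised application server; lowering the threshold to the 2KB baseline surfaces additional, merely unusual responses for comparison.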

This example underscores the flexibility of ExtraHop's wire data analytics platform. By passively analyzing all transactions, the IT team was able to obtain precisely the data it needed without adding any overhead. If the IT team were to run a SQL profiler on the database, it could take hours to create, run, and analyze traces—not to mention severely impact the performance of the e-commerce application in the process. ExtraHop's approach makes much more sense.

Use Wire Data Analytics to Detect and Investigate Data Breaches

Perimeter defenses are critical, but none are impenetrable. Bad guys will get in (or are already in, if they are insiders). To prepare, IT needs continuous, pervasive monitoring to detect anomalous activity and an analytics capability that facilitates fast, ad hoc investigations. ExtraHop's wire data analytics meets this need.

Read more about the ExtraHop security and compliance solution. Detecting malware such as BlackPOS using ExtraHop.
The video below demonstrates how to use the free ExtraHop Discovery Edition to detect potential data leakage with wire data.
