On March 14th, Bloomberg BusinessWeek published a lengthy article entitled “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”. The article highlighted the fact that Target had purchased $1.6M in FireEye advanced threat defense gear, that the gear had indeed detected two related pieces of malware on the Target network, and that Target had nonetheless failed to act on the alerts escalated by the MSSP in Bangalore that was monitoring the equipment.
We see this all too often in the network incident response investigations we are called on to conduct. Companies pay good money for network security tools with the expectation that the technology will protect them from a breach. Unfortunately, that is often not the case. Where is the disconnect? Were the tools oversold? Were they implemented incorrectly? Were they poorly tuned? Or were incident response personnel not properly trained to understand the alerts and data the tools provide? These are the questions Target and its incident response providers need to grapple with in order to develop effective remediation strategies and avoid a recurrence.
A number of subsequent articles focused on whether Target should have reacted to these alerts. Many of the articles provided balanced perspectives on the challenges of responding to a few specific alerts against the background noise of hundreds, often thousands of attacks hitting large networks every day.
What these articles uniformly missed was the crucial question: why did the network security systems employed by Target produce so few actionable alerts, and why did those alerts arrive so late in the life cycle of the attack?