A 2014 panel of four cyber security experts discussed evolving data security threats to the retail industry and the challenges of dealing with data breach response and investigations. Their conversation yielded some valuable insights. Ryan Knisley, former security expert with Accenture, moderated the panel that included Lou Stephens, special agent in charge, United States Secret Service; Shawn Henry, president of CrowdStrike Services; and Rich Noguera, head of information security, Gap Inc. Following are excerpts from the discussion courtesy of the Retail Industry Leaders Association (RILA).
KNISLEY: Rich, as an IT security leader for a retail company, how do you work with asset protection professionals to protect your company?
NOGUERA: First and foremost, it’s important for me to be an information resource helping my loss prevention peers understand what my team thinks is really happening in cyber security. As we move closer to closing the gap between brick-and-mortar physical space and digital space, it’s going to be absolutely critical that IT and LP partner more closely to understand what the data security threats are, and how we react to those threats. Beyond that, it’s very important to partner with law enforcement. We need to get the right actionable information to our law enforcement peers.
KNISLEY: Shawn, what is “actionable intelligence” that Rich mentioned, and how does it help retailers be more secure?
HENRY: Actionable intelligence is really just information that you can take some overt steps to respond to. Whether we’re talking about physical security or cyber security, it’s not enough to just react to what happened. If you’re reactive, then something bad has already occurred. We want to be proactive, we want to make sure that we understand in advance what’s coming around the corner, and we want to know how to prepare for it.
One part of actionable intelligence is understanding who the cyber security adversaries are. Who is likely to target you? What are they looking for? What are the techniques or the tactics that they’re going to be employing against you? If you understand these things in advance, if you understand who your adversaries are and how they think, you are in a much better position to make your organization and your network resilient and robust to protect against them.
KNISLEY: Lou, we continue hearing about data breaches and critical information being lost, and often the Secret Service is tasked with working with these companies to investigate a data breach. Can you shed some light on law enforcement’s role in working with companies, and what a company’s expectations of law enforcement should be after a data breach?
STEPHENS: First and foremost, when there’s a data breach, the company has been victimized, so they should expect to be treated by law enforcement with the support and discretion that law enforcement would provide any victim. That discretion is very important. In our view, a breached network is like a crime scene. There might not be a broken window or a broken door, but there are digital equivalents on the network where the hackers broke in. We want to find those clues, understand them, and try to trace them backwards to where they came from.
Furthermore, we want to know what they did while they were in the network. Are they still there? How long were they there? What type of malware and hacking tools did they deploy? This information is really key evidence that, along with a company’s server logs, helps us to understand exactly what happened, and how they did it.
Data breach cases are very technical. They are very complex. So the outcome is much better when law enforcement works hand-in-hand with companies very collaboratively and transparently. One of the things that you can expect is for law enforcement to want to work with you face-to-face to gather evidence. We’ll want to send over our investigators to work with your IT professionals or any third-party cyber security vendors that you might have hired to help you deal with this.
KNISLEY: Given your experience working with retail, what sorts of changes could retailers make to be better prepared?
STEPHENS: It’s important for people in corporate security to get to know their law enforcement counterparts, and vice-versa, before there is a cyber security event. We should have each other’s phone numbers before we need them. You don’t want to be looking for them in the middle of a crisis. Quite frankly, the last thing that law enforcement wants to do is meet you for the first time while we’re handing you a grand jury subpoena because we think you’ve had a data breach. In my experience trust comes through relationships. But it’s a two-way street. It’s really incumbent upon law enforcement to be proactive in getting to know you as well as you getting to know law enforcement.
HENRY: I couldn’t have said it better. And I think one of the key pieces is understanding who the actors are. There are a variety of actors looking to access your data for a lot of different reasons. In the retail industry they are primarily cyber security thieves looking for personally identifiable information that they can exploit and turn into cash. But there are other groups as well. There are nations that are targeting organizations for their research-and-development assets, intellectual property, and corporate strategies. They are looking at companies that are moving overseas and partnering with foreign nations, looking for that very critical information.
As it relates to organized crime groups that are targeting the retail industry, it’s important to identify them, and then take law enforcement actions to mitigate the threat. These hackers will continue indefinitely for years until they’re caught because they’re making a lot of money. The risk of getting caught is relatively small, comparatively speaking. And until you are actually able to take them off the playing field through the efforts of law enforcement, these things continue.
It really is kind of a big dance and requires great collaboration between law enforcement, the retailer, and the cybersecurity consultancy that is coming in to help secure the network. Law enforcement’s role is about collecting evidence, and then looking for the adversary; looking for the bad guy. Those folks all have to be able to work together in a very cohesive fashion in order to be successful and to have a positive outcome.
STEPHENS: A lot of these actors are a world away, safe from the prying eyes of law enforcement. And many have virtual immunity because the countries they live in will not only refuse to work with us as law enforcement, but may actually aid them. So, one goal we have is to identify cyber security threats and put them in jail. But another goal is to protect the larger industry and the larger infrastructure. We really want close collaboration with the company and with third-party cyber security vendors so we can understand what the indicators are and how exactly this stuff is deployed. That way, the retail industry as a whole can get an idea and an understanding about what the immediate and current threats are that are out there. Here is how they’re working. These are the techniques they use in their attacks. And now that we know, we’re trying to build up defenses as well.
HENRY: I know in my experience in retail that asset protection historically has done a much better job with information sharing than our cyber security leaders have. Whether formal or informal, asset protection has formed groups for information sharing. Many of the loss prevention leaders in this room know each other personally and are friends. They do a really good job of calling up their colleagues and sharing information about bad actors and their stories. Maybe it’s Lowe’s letting Home Depot know that an incident has just occurred and to be on the lookout for such-and-such individuals. I think we can learn some really good lessons from what they’re doing in the store environment and apply that to what we’re trying to do in the data security space. Because as soon as an adversary succeeds with some given attack on one organization’s network, you can rest assured they’ll be targeting others.
STEPHENS: I think that you’re absolutely right. If everybody is able to better defend against data breaches, everybody becomes stronger. I think there are actually lots of similarities between the physical security world and the cyber security world, but of course there are also differences. And one of the differences is the speed at which things occur. In data security, the adversaries are changing their tactics and their techniques literally on a daily basis. And to be able to stay a step ahead of that is very, very difficult. The way we normally think to share information, by phone calls, listservs, emails, personal contact—these things don’t always scale in this cyber security environment because of how broad the threats are and how broad the adversary pool is. They’re working globally from anywhere in a hundred different countries. So, there are a lot of efforts toward making people much more capable of sharing very specific cyber security threat information that will allow them to better protect their needs.
KNISLEY: Rich, in the context of these worries about the data security and bad actors getting into our network from outside, how does the in-person threat in physical stores concern you?
NOGUERA: Network segmentation, hardening of the devices, testing thoroughly—both in-store testing and external store testing—all this is essential for data security. But, as always, the first line of defense is in-store associates, and the training and understanding and responsibilities necessary to protect those assets. Especially when you add in additional capabilities at POS, it becomes even more critical. So, the in-store associate is our best defense here.
KNISLEY: Rich has worked for some of Silicon Valley’s biggest companies, so he has deep experience in the cyber security world. What challenges are you facing in retail that are unique to the retail industry; those that you didn’t see elsewhere?
NOGUERA: That’s a good question. When attacking a retail network, it’s typically a smash-and-grab approach to the data breach. The goal of an attacker is to get in there as quickly as possible, grab as many credit cards as possible, and get out. The methods of entry and methods of attack are the same whether it’s crime-motivated, a nation-state-type motivation, or a larger coordinated type of event. Coming from high tech, we were always at the leading edge of applying the latest and greatest cyber security technology to get as predictive as possible. So, one of our primary challenges in retail is how do we accelerate that game?
KNISLEY: Shawn, you work with companies in every industry. When you’re working with retailers, what are the nuances or differences that you see compared to a high tech or energy company?
HENRY: When we’re talking about protecting against data breaches, I don’t think that there really are major differences. There are some differences within the architecture and infrastructure—POS devices, for example. But the reality is that the cyber security techniques and the capabilities that retailers need to employ to prevent and detect these types of attacks are essentially the same.
In IT, for years we’ve been practicing defense-in-depth. We do it in the physical world as well, of course. But in the information world, it’s about firewalls, intrusion-detection systems, two-factor authentication, and encryption. You layer your cyber security defenses so that you can be more resilient. But the reality of it is, in the IT space, the most sophisticated adversaries will get into the network one way or another. Maybe that sounds defeatist, but let me illustrate.
We’ve worked with organizations that have 100,000 network endpoints. Imagine in a brick-and-mortar store trying to protect a building with 100,000 doors. Every one of those endpoints is a potential ingress into the network. They’re going to get in. While the old paradigm in data security used to be preventing an attack, the reality of it is that now we can’t do that. We have to assume that an adversary is going to be there. The new paradigm needs to be about minimizing the time between them gaining access and us detecting them. It’s not enough to just monitor the perimeter; to watch the parking lot and watch the loading dock. That’s not going to work in cyber security. You’ve got to work on hunting throughout the environment and actively looking for adversaries, looking for an indication that they’ve been there, and if you can mitigate that threat, you’re going to be successful.
When I was in the Bureau, our agents would go out dozens of times per week and knock on the doors of major companies around the country, and tell them that they’ve had a data breach. When the FBI or Secret Service shows up at your door and says, “You’ve been breached,” in most of the cases, the organization says, “No, we haven’t.” So we say, “Really? Is this all your stuff right here? Look at this database we found. It’s on a server getting ready to head over to Guangdong Province. You’re saying that’s not yours?” And then they say, “Well, yes, maybe it is.” Then they would go back, search, and ultimately they’d find out that, yes, in fact, they had had a data breach. And it turns out they were breached four months ago or eight months ago or two years ago.
Now, if you allow a cyber security adversary in your network for four months, eight months, or two years, bad things are going to happen. In the physical world if you allow somebody into your stores for eight months undetected, being able to do whatever it is that they want to do, and walk in and out with pallets of merchandise, bad things are going to happen. If, on the other hand, you can detect them within a couple of minutes or a couple of hours, you can mitigate the threat.
STEPHENS: Let me speak broadly here. We are spending billions and billions of dollars as a nation on cyber security and protecting our networks, yet we’re still getting breached all the time. To use a sports analogy, the best defense with zero offense isn’t going to win a game. Conversely, an offense needs a robust defense. I would like to suggest that when you do work with law enforcement, you are assisting with the offense. We don’t always get the bad guys because of the reasons we’ve discussed before, but sometimes we do. There is a strong, coordinated effort to go after these people and to get them to stop doing what they’re doing.
Shawn mentioned that we’re never going to be able to have a completely invulnerable defense. They’ve got tons of time. And when they get in, they spend months figuring out how to do what they want to do while hiding their tracks. So, the longer they’re in, the harder it is to catch them—not easier. And so in my view we need a strong, robust, cyber security defense, but we also need a strong, robust offense. Frankly, I don’t know that we’ll ever stop data breaches. But we can make ourselves more of a hard target, so hackers are disincentivized to come after us, and they’ll go after more low-hanging fruit.
KNISLEY: Shawn, building on what Lou is saying, companies are spending billions every year to protect themselves, yet we continue to see data breaches. In your opinion what can companies do pre-breach to mitigate the effects post-breach?
HENRY: This is the whole piece about being proactive. Rather than putting the pieces of the puzzle together to figure out who did what, you need to be “left of boom,” as I’ve heard it said. I want to be there to prevent it before it occurs; I want to be hunting. I think it’s a really important term, and I use it a lot. Hunting on a network is being proactive and being engaged.
Yet there are just too many people who have said, “We’ve got our cyber security defenses in place. The fence is up. The alarm system is on. We’re good.” And then they go to sleep. That is just the wrong way to do things. You don’t just find a particular server that was compromised, fix it, and go on. What’s important is understanding who was there, why were they there, how did they get there, what have they done, are they still here, what did they leave behind, and what did they take? We do all that on the front side as well. You don’t have to wait for a data breach to collect that type of intelligence, and it’s absolutely critical that we’re doing that.
Again, in the physical world, we have done it to prevent terrorist incidents. We have not had a significant terrorist event in this country since 9/11, not because we live in a completely secure environment. Quite the opposite. There are lots of people walking into this hotel with big suitcases, any one of which could contain a bomb or something of that nature. The reason that we haven’t had one of those serious incidents is because law enforcement, the intelligence community, and the Department of Defense are constantly identifying bad actors that are coming in and mitigating the danger before any of us watch it on CNN.
KNISLEY: Shawn, you’ve had the opportunity to work with companies after they’ve been compromised, which is a traumatic time for companies. In your experience, what do you see as best practices post-data breach?
HENRY: During a remediation, I think the first important thing is that the leadership of the organization gets it. I think you have to have all of the key executives as part of the response—the general counsel, the COO, the CFO. You are going to have to have the key leadership together, because it’s going to be a whole organizational response.
Then you want to stop the bleeding. You want to prevent the network from being further damaged. You want to prevent the cyber security adversaries from stealing additional information. So, internally it’s about hardening the network and preventing further damage.
But from an external perspective, it’s going to be about managing the media. Do we need to deal with the regulars who have got DCIs that were stolen? How do we communicate this to our clients, to our customers, to the general public? This is why leadership needs to be so closely involved. They’re looking at risk—operational risk, financial risk, and reputational risk. If your reputation is damaged, and it has taken you two decades or five decades or a hundred years to build, to lose it in a course of a three-week incident is not something anybody is going to be happy to see.
STEPHENS: Let me jump on that. Organizations that have a data security plan ahead of time that is written and practiced seem to fare better. Most organizations are now routinely preparing for major power outages or natural disasters. We suggest having a similar plan for a data breach.
Step one is who are we going to assign and what roles will they have? And I agree, I think you’re going to want people at the highest executive level that you can get on the leadership team, to evaluate the situation on a day-to-day basis and make key decisions. But I also think you want a data breach response team, and these would be people more like IT security professionals who would work directly in trying to find out and understand what happened in a data breach and also work with cyber security vendors if you choose to hire them. That response team would deliver a written plan to the leadership team and actually practice it. Do an exercise once a year. That way you’ll find out the holes that are in the cyber security plan and what needs to be changed.
KNISLEY: We talked a lot about what retailers should do in preparation, pre-breach, post-breach, and some expectations in working with law enforcement. Lou, I’d like your opinion on what retailers should not expect in working with law enforcement after a data breach occurs?
STEPHENS: Law enforcement will not remediate your network. You’ll have to do that yourselves with whatever help you decide to hire. That’s probably the biggest takeaway. We’re there to investigate the crime.
HENRY: I will add another point. From the perspective of law enforcement and the US government’s role, they will share intelligence to the extent that they can, but the government is not going to protect your networks. In the physical world, it’s very clear what our government does. The government’s fundamental responsibility is to protect you as citizens. If there are armies massing on the border, the US government is going to be able to intervene and protect us. That’s clear. Everybody knows what it looks like when an adversary physically poses a threat to us, and what the government’s response is going to be.
But the government is not stopping the ones and zeroes from coming through the fiber. That’s not happening. The government is not scanning the ISPs and filtering traffic. That is not happening. Therefore, the first defense, the first initial response to every one of these attacks—every single one—begins with each of us sitting here—our companies, our IT specialists, our cyber security partners. And that’s why this intelligence piece, this idea of hunting on the networks; the things that we’ve all been talking about today are so critical.
Why? Because this is the first time in history where the private sector has the primary responsibility for defense and protection. The government is doing some great things in cyber security. With the intelligence they’ve collected, there are some things that can be shared and some actions that they can take proactively. But that’s not from a defensive perspective on your networks. You own the responsibility for cyber security. You own the obligation to prevent data breaches. The information that’s being stolen is funded by your investors. It’s your clients’ information, your customers’ information, your employees’ information that they’re entrusting to you, and you are solely responsible at the outset for protecting it and making sure that it really is safe.
For more on this topic, see the LP Magazine article “Building a New Data Security Defense Team”.
This article was first published in 2014 and updated August 11, 2016.