Health insurance provider Anthem was recently the victim of a data breach that saw the loss of medical information for up to 80 million Americans. From what has been gathered, an IT administrator at Anthem became aware of a database query running under his credentials. Further investigation by Anthem IT led to the discovery that client protected health information (PHI) was being held in an offsite public cloud storage service. That's when the FBI was called in to help investigate what turned out to be the largest data breach of a healthcare company.
While neither credit card information nor personal health records were exposed, thieves came away with names, Social Security numbers, addresses, and health coverage ID numbers, which is potentially more damaging. Fraudulent use of a healthcare ID is harder to prove, and when another person uses your medical information, your medical records are altered, which can cause life-threatening issues. Moreover, according to Ponemon Research, PHI can fetch as much as 10-50 dollars per record, as opposed to 1-5 dollars for credit card information.
Throwing more money at this problem isn't necessarily the solution. Focus in recent years has been on strengthening preventive defenses against APTs and elusive malware, resulting in technologies such as sandboxing, which adds signatureless threat protection. What has been missing is an emphasis on post-infection strategies like containment. Organizations need to deploy the best preventive security possible, but just as important is the same level of commitment to post-infection security. Techniques like leveraging evasive ports and protocols, riding on hidden data channels, or using polymorphic malware that fools sandboxes are getting past even the best defenses. As much as security providers believe their preventive products won't be breached, it happens, and you need to be prepared in case it does.
Data isn't lost until it leaves the network. That is the mission of the malware, and it is not complete until the data is stolen. The gap between infection and detection, where data exfiltration actually occurs, is not being covered. Even with detection in place, without the means to automatically stop the malware, data will continue to leave the network while you work on solving the problem.
In order to close this gap, technology must detect and contain malicious data transfers:
- Network Anomaly Detection will be a critical factor in post-infection security.
- Automatic containment is the key to reducing data exfiltration.
- Actionable intelligence delivered in real-time speeds remediation.
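To make the three points above concrete, here is an added example (not code from the original article or from Anthem) of the kind of network anomaly check that would catch a database server suddenly pushing gigabytes to an external destination it has never contacted before. It works on constructed flow records of the form (day, source host, destination IP, bytes out); the host names, the documentation-range IPs used as stand-ins for external addresses, the 5x ratio and the 500 MB floor are all assumptions chosen for the illustration, not values from the page. Each alert carries the baseline it was compared against and the newly seen destinations, which is the actionable intelligence a containment step (quarantine the host, block the destination) would need.

```python
"""Outbound-volume anomaly detection over constructed flow records.

A host is flagged when its outbound volume to external destinations on the
observation day exceeds both an absolute floor and a multiple of its own
historical daily median. This is an illustrative example, not production
detection logic.
"""
import ipaddress
from collections import defaultdict
from statistics import median

MB = 1_000_000

# Assumed internal address space; anything outside it counts as "external".
# (The sample uses RFC 5737 documentation ranges as stand-in external IPs,
# so we do not rely on ipaddress.is_global, which treats those as non-global.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _build_sample_flows():
    """Constructed sample data: 7 quiet days, then an exfiltration-sized burst."""
    flows = []
    for day in range(1, 8):
        flows.append((day, "db01", "10.0.5.20", 900 * MB))      # internal replication
        flows.append((day, "db01", "203.0.113.10", 50 * MB))     # routine external sync
        flows.append((day, "web01", "198.51.100.20", 200 * MB))  # CDN pushes
    # Day 8: db01 sends 4 GB to a destination it has never contacted before.
    flows.append((8, "db01", "10.0.5.20", 950 * MB))
    flows.append((8, "db01", "203.0.113.10", 48 * MB))
    flows.append((8, "db01", "203.0.113.50", 4000 * MB))
    flows.append((8, "web01", "198.51.100.20", 210 * MB))
    return flows


FLOWS = _build_sample_flows()


def is_external(ip: str) -> bool:
    """True if the address is outside the assumed internal address space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_bytes_by_day(flows):
    """Sum outbound bytes to external destinations per (host, day) and record
    which external destinations each host contacted on each day."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[(host, day)] += nbytes
            dests[(host, day)].add(dst)
    return totals, dests


def detect_exfiltration(flows, observation_day, ratio=5.0, floor_bytes=500 * MB):
    """Return one alert per host whose external outbound volume on
    observation_day is above floor_bytes and more than ratio times the
    median of its earlier days (days with no external traffic count as 0)."""
    totals, dests = external_bytes_by_day(flows)
    days = sorted({d for _, d in totals})
    hosts = sorted({h for h, _ in totals})
    alerts = []
    for host in hosts:
        history = [totals.get((host, d), 0) for d in days if d < observation_day]
        today = totals.get((host, observation_day), 0)
        if not history or today < floor_bytes:
            continue  # no baseline yet, or too little traffic to matter
        baseline = median(history)
        if today > ratio * baseline:
            seen_before = set().union(
                *(dests.get((host, d), set()) for d in days if d < observation_day))
            new_dests = sorted(dests.get((host, observation_day), set()) - seen_before)
            alerts.append({
                "host": host,
                "day": observation_day,
                "bytes_out": today,
                "baseline": baseline,
                "new_destinations": new_dests,
                "action": "quarantine host and block new destinations pending review",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(FLOWS, observation_day=8):
        print(alert)
```

On the constructed data, day 8 produces a single alert for db01 (about 4 GB against a 50 MB baseline, new destination 203.0.113.50) while web01's 210 MB stays under the floor; the same check on day 7 returns nothing. In a real deployment the baseline would come from flow or proxy telemetry and the action field would drive an automated quarantine rather than a print statement.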
With recent breaches fresh in mind, companies will want to increase network and data security efforts. Just be sure that you are closing the gaps, covering the bases, and securing all aspects of prevention, detection, and containment. Learn from the mistakes of the past and don’t get burnt in the future.