'Watch Your Business Partners' - Bryan Sartin of Verizon Business on the Latest Data Breach Trends
In an exclusive interview, Bryan Sartin of Verizon Business discusses the company's exhaustive research of data breaches, offering insight on the latest data breach trends.
Sartin heads up the investigative response team at Verizon Business. As a senior forensics examiner, he has taken the lead in many high-profile data compromise investigations in the Americas, Europe, and Asia-Pacific. In addition, Sartin is well-versed in both criminal and civil computer forensic procedures, is a certified expert witness, and is a frequent course instructor and speaker on the topics of incident response planning, computer forensics and regulatory compliance.
TOM FIELD: Hello, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about data breach trends and with us is Bryan Sartin, Director of Investigative Response with Verizon Business. Bryan, thanks so much for joining me.
BRYAN SARTIN: Good to be here; thank you.
FIELD: Just as some context, perhaps you could tell us a little bit about yourself and your role with Verizon Business.
SARTIN: I head up a team within Verizon Business called Investigative Response that handles all external-facing computer incident response, computer forensics, IT investigative work, litigation support and eDiscovery. In addition to being the group lead, I am also one of our senior computer forensic examiners and I spend a fair percentage of my time traveling the globe to company server rooms and data centers, helping them respond to and investigate perceived computer security emergencies.
FIELD: And unfortunately you have been very busy the last year or so, haven't you?
SARTIN: I certainly have been. First to go and last to know.
FIELD: Now Bryan, in my eyes there are two big events that have occurred this year; one is the Heartland Data Breach that was announced in January and then there was the release of the Verizon Business Breach Study, which has certainly gotten a lot of buzz. How do you see financial institutions in particular responding to these events, the big breach and then your report about breaches?
SARTIN: There is a little bit of a long-winded answer, I'm afraid. There are a number of ways that we see organizations having sort of a knee-jerk reaction to some of these big incidents. In general there is a realization, a shift in expectation that a lot of companies have when they see other entities, even their competitors in their own industry, getting hit with data breaches. I think there is that realization that a company has that this type of thing doesn't just happen on television, it doesn't just happen in other parts of the globe; it happens to us. And that knee-jerk reaction they have then becomes what security measure they start to put into place with the expectation that it can happen to them.
One of the things we particularly see around financials is that as more and more of them get hit, you see that the knee-jerk reaction a lot of these companies have is to start hardening security and looking at security measures, technologies and more intelligent people. They seem to be always about getting more technology, more smart people and hardening security as it relates to external threats. With most of these financial organizations we work with that become data breach victims for the first time, you see very clearly that that's sort of their expectation and their mentality around security. They want to protect everything within the confines of this conventional perimeter network.
And to them it is really about network security, and in the course of becoming a data breach victim they realize it is not about network security. It is about data security, their responsibilities around data and the confidentiality, integrity and availability. All those aspects of data, not just within the confines of their network but also when it leaves their network and goes on an employee's laptop, goes to their home, goes on the road or goes on an airplane, need to be considered. The short response to that is that you see by and large that financial companies tend to be very hardened against threats originating from the outside world, external breaches, things originating from across the internet. But the unfortunate side effect is that as they become more hardened against external threats it seems as if they become more vulnerable over time to internal threats and in particular, threats originating from business partners.
FIELD: Wow, that's interesting. What are the breach trends that banking institutions should focus on most? It sounds like you are getting to that in your discussion of the insider threat.
SARTIN: I don't know why it is that we see this particularly with banking. This is not just within one certain part of the world; this seems to be true with banking around the globe. With business partners, particularly support organizations, not B-to-B type connections but the company who picks up their backup tapes, their group of consultants, the company who dials in to fix their mainframe, their call center, those types of business partners, why is it that they oftentimes treat these entities with a better security privilege level than they do their own employees? We are seeing right now business partner-related breaches increasing at such a rate. You see this in this year's data breach report and you have seen that in last year's data breach report, where 39% of all of our cases involve business partners.
If you took out our caseload bias and you looked across all investigative entities, private sector investigators like ourselves, look at the number of cases we handle in a given year involving business partners. That number would show you very clearly.
We are expecting in the next 18 months to two years to see parity between all external breaches and business partner-related breaches. And it is a staggering thing to think, "What if in another three or five years someone laughed about it and said 'remember back in 2009 when some security breaches came out across the internet?'" What if at that point all of these things are business partner-related situations?
We always recommend to organizations when it comes to business partner-related connections to make sure that they have firm accountability on those. In particular, when we start an investigation, we ask what kind of data control you have over this business partner's connection. In other words, what security hurdles does this business partner need to successfully circumnavigate to gain access to your critical servers and sensitive data? The inevitable answer we always receive is they have to fill out this form and they have to express consent. They need to have a one-time password. They need to have a trouble ticket and you know they have to stand in line and fill it out in triplicate. In reality, when we plug into their network to validate that ourselves, we find out that business partner can connect whenever they want to.
It is the lack of accountability over that connection, that freedom that is granted to that business partner that ultimately is that organization's undoing.
FIELD: Now do you find that this is where financial institutions are most vulnerable?
SARTIN: Insider issues are perhaps their greatest vulnerabilities. There is that old adage that says with all the vulnerabilities that people see, a large majority of those are internal. We certainly see that with insider related breaches.
There are employees, past or present, to blame. What we are seeing is that when those situations do occur, the exposure in those breaches is just massive and it underscores this concept. A lot of times internal employees and users, as well as IT technical employees, understand that "Big Brother" is not watching and they take advantage of the situation.
So we've got a series of recommendations in the data breach report to help companies circumnavigate those.
FIELD: Where do you see that financial institutions have got good protections in place?
SARTIN: I mentioned financial institutions. I mentioned the external piece, but the other side of that, the other side that you see in financial that is better than most other industries is financial versus retail, if you look at the data.
One of the things our report calls out is the 'unknown unknowns' in the back of the report. Nine out of ten of our cases involve at least one of these and one of those aspects is 67% of the 285 million unique records we saw compromised in last year's study, stolen from sources of data the companies didn't know they had. That is a staggering figure when you think about it. What that really means is we are retained oftentimes to prove or disprove a suspected crime, and if we are there to prove or disprove, one of our first questions is, "If all of this data or information you believe is stolen was actually stolen in a security breach on your network, show me the handful of systems that had to get hacked into in the process." Then we conduct our investigation from there.
That is the preliminary scope and we start the investigation. Then the company comes back to us and says that they put a lot of work into this, looked at their policies and looked at the information flow and your investigation is really limited to just these four systems. Well, it is never just those four. It is 14 or it is 24. It is always these other 10 or 15 systems they didn't know about that had the data where information was stolen from.
Where financials do a much better job is quantifying and understanding at the top level. And from the top down, what sources or types of information does the company have that absolutely cannot leak out? Where on their network is that data located? I think there is that concept that sensitive data can be a company's greatest liability. It's that notion of thinking data loss prevention, as opposed to just protecting the perimeter and the network components within it. That is something that financials do better than most other organizations, particularly retailers.
FIELD: I know that data loss prevention certainly is something that institutions have paid attention to, identity and access management. Where do you find some of the security technologies are that institutions really should be exploring?
SARTIN: Data loss prevention has a great edge right now and it is fascinating how we are seeing almost a cottage industry, one developed around the protection of data in transit, particularly strings of data like magnetic stripes that are required to counterfeit credit cards, or Social Security and social insurance numbers, little bits of whatever that variable is; that piece of data that can't leak out. You see a cottage industry developing around picking that up in transit.
You see yet another cottage industry developing around helping organizations detect data at rest that shouldn't be there. I think that is where one of the single greatest sources of vulnerability we see comes from, an information security perspective around companies that suffer real data breaches, this concept of knowing where that information is.
It certainly does seem that from our experience a lot of the technologies around capturing data in transit are starting to work. What companies really need is a real, portable and simple solution that helps them identify critical bits of data, whatever that data is that they are concerned about. They need a simple capability to look and search out for strings of information in whatever format it might be stored upon, data at rest on a given system. They need something portable that can move from one system type to the other and doesn't have or represent a large footprint on the server.
We are starting to hear a lot of information about solutions pop up with some of that capability and I think when those solutions do really appear on the radar screen, it is going to help companies mitigate a lot of the risk that we see. I would go so far as to say that if you could conclusively identify all sources of sensitive data at rest in the network and get rid of that or at least align that with a company's policy as it relates to data retention planning, if you could get rid of all that data you might mitigate 75% of the risk of data breach that we see. And that is a significant amount.
FIELD: That's major. Last question for you Bryan. We've talked a lot about what you saw in 2009, trends going forward. What are some of the things that you are looking at as we head into 2010?
SARTIN: As we head into 2010 one of our biggest focuses from an investigative perspective is pushing through to arrest and prosecution. I can tell you one of the most difficult things as a forensics investigator to see, and it is something that the general public really doesn't have much optics into, is commonality in our investigations.
It is almost painful. A lot of people don't see that investigations come in to us in closely related groupings. For example, we might have 15 competitors in the same industry call us in a two-week stretch and every one of them reports the exact same problem. What you realize as you listen to the background and the facts is that they are suffering the exact same breach or a related breach, and commonality in tools, background and facts in different aspects of the cases we find out about. What that suggests is that there are common perpetrators behind it.
As we have the emergence of partner-related breaches on the radar screen, we are finding a new attack vector that cyber crime is using. You are no longer hiding behind hijacked servers, proxies and staging points and things like that out on the internet, using systems as an abstraction level to protect themselves from arrest and not using people.
They are compromising individuals, business partners and people like that. They go to people who close trouble tickets, who work in support centers and work in the call centers which have access to all the banks in a given country. They say if you hate your boss and you are in financial dire straits, we are your solution. Give us access to your customers; or better yet, give us access to your data.
One of our big focuses going forward for the next year is to make sure that these people don't strike again and how can we identify evidence of these types of crimes and closely coordinate with law enforcement, particularly at the federal level in different countries. How do we coordinate with industry regulators as well as federal regulators to help identify these sources and bring these people to successful arrest and prosecution before they can strike 20 or 30 other companies? That is really where the cutting edge of investigation is today and there are many different ways where we are not just using traditional investigative tools. We are able to bring to bear data we can derive from our network, from underground monitoring, monitoring the information black market and supervising online transactions involving stolen information to help identify the source and open up entirely new fronts on our investigations.
The idea is to expedite arrest and prosecution. That is where the cutting edge is and one of the things we have been very successful with and something that we will continue to focus on going forward.
FIELD: Bryan, you are giving me great insight today. I appreciate your time.
We've been talking with Bryan Sartin, Director of Investigative Response with Verizon Business. For Information Security Media Group, I'm Tom Field. Thank you very much.