First, the latest from SC Magazine:
http://www.scmagazine.com/anthem-brings-in-mandiant-to-investigate-resolve-breach/article/396749/
1. Anthem did right in discussing and revealing the breach “early”, as most companies sit on the information and reveal after several months.
2. Did not encrypt data due to needing speed for various reasons (mining the data etc.). Although it is questionable whether that would have hindered the hackers; Securosis says it would not have helped.
3. It has been mentioned several times that there was a sophisticated breach, and some are attributing it to the Chinese group “Deep Panda”. The database is guessed to be used as a future espionage data trove.
4. An obtained user password was the initial method into the DB.
My thought on this is that we have to think differently about how we defend.
From Securosis blog:
“They discovered a weird query siphoning off data, using valid credentials. Now I can tell you how to defend against that. We have written multiple papers on it, and it uses a combination of controls and techniques, but it certainly isn’t easy. It also breaks many common operational processes, and may not even be possible depending on system requirements”
We have to “assume the breach” and get to detecting the attack.
http://blog.norsecorp.com/2015/02/02/assume-breach-is-not-a-defeatist-point-of-view/ It is not “defeatist”, just the new reality. There is still a defend mentality, but now we focus on looking for a breach from inside.
Instead of defending everything and keeping it outside the firewalls, the new method is to look for assumed breaches inside the network.
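What looking for the breach from inside can mean in practice, using the Securosis description of a “weird query siphoning off data, using valid credentials”: an added example (not code from the original post, Securosis or Anthem) that baselines how many rows each database account normally pulls and flags a query far outside that baseline. The audit log format and the account names are constructed for the example.

```python
# Added example: flag a data-siphoning query made under a valid credential.
# Assumes a database audit log with one line per statement (format constructed here).
import re
from statistics import median
from collections import defaultdict

# Constructed sample audit lines; hypothetical accounts, not from any real breach.
AUDIT_LOG = """\
2015-01-27T09:02:11 user=claims_app rows=42 stmt=SELECT name,dob FROM members WHERE id=?
2015-01-27T09:03:40 user=claims_app rows=37 stmt=SELECT name,dob FROM members WHERE id=?
2015-01-27T09:05:02 user=claims_app rows=51 stmt=SELECT name,dob FROM members WHERE id=?
2015-01-27T09:07:19 user=report_svc rows=12000 stmt=SELECT count(*) FROM claims GROUP BY state
2015-01-27T09:09:55 user=report_svc rows=11800 stmt=SELECT count(*) FROM claims GROUP BY state
2015-01-28T02:14:07 user=claims_app rows=8700000 stmt=SELECT * FROM members
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) rows=(\d+) stmt=(.*)$")

def parse(log):
    """Return a list of (timestamp, user, rows, stmt) tuples, skipping unparseable lines."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, rows, stmt = m.groups()
            out.append((ts, user, int(rows), stmt))
    return out

def baseline(events):
    """Per-account median rows returned: the 'normal' for that credential.
    The median is used so one huge pull does not drag its own baseline up."""
    per_user = defaultdict(list)
    for _, user, rows, _ in events:
        per_user[user].append(rows)
    return {u: median(r) for u, r in per_user.items()}

def find_siphoning(events, ratio=20, floor=100000):
    """Flag queries whose row count dwarfs the account's own baseline.
    The credential is valid; what gives the query away is the volume."""
    base = baseline(events)
    return [(ts, user, rows, stmt) for ts, user, rows, stmt in events
            if rows >= floor and rows > ratio * base[user]]

if __name__ == "__main__":
    for hit in find_siphoning(parse(AUDIT_LOG)):
        print("ALERT", hit)
```

The thresholds (20x the account's median, and at least 100,000 rows) are assumptions to tune per environment; the point is that the check runs on what a valid account does, not on whether the login succeeded.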
It _requires_ an intrusion detection/prevention system to properly handle this. I don’t know if Anthem had this kind of system.
Then of course you must have the resources to check the network for breaches.
Contact Us to start the conversation – we are experts with IPS/IDS.