What could have Prevented the Anthem Breach?

There is a universal truth behind every cyberattack: the behavior that carries out the attack never looks entirely normal.

IT security can base its future on just this – coming up with a way to identify behaviors that are abnormal.

By utilizing a behavioral analysis approach, companies will stay in front of the power curve, and the persistent stream of morphed and brand-new exploits that they have to deal with every day will no longer pose the same threat it does now.

That said, how can abnormal behavior be detected in an accurate way?

The process takes monitoring, analysis, and the application of machine ‘learning’. Only then will it be possible to accurately identify behaviors that are indicative of an attack, large or small, before it occurs.

So, what approach can be taken in the future? The Anthem Inc. breach, which occurred at the end of January 2015, offers some valuable analysis and insights.

It’s known that the attackers posed as insiders, which let them access the databases easily. So could the activity have been identified before the 80 million records were breached?

To answer that, we should assess how the attack was eventually discovered.

The reports say that the suspicious activity of an administrator was what finally tipped the scales. An Anthem employee noticed abnormal behavior and began an investigation.

At that point Anthem uncovered what was to be one of the most sizable Personally Identifiable Information (PII) data breaches in history.

The abnormal behavior was undiscovered for months as the attackers’ activities remained opaque to the security staff and Anthem’s defenses.

And yet the activities were not stealthy. Rather, there were no tools in place to monitor or analyze database traffic that would have identified the abnormal behavior.

As it happens, those who attacked Anthem implemented a ‘backdoor’ approach on a database client to gain access to records. Using compromised administrative logins and passwords, they leaked the PII records remotely.

Behavioral and continuous monitoring technology would easily have detected the Anthem attack early on, because it would have flagged the abnormal behavior.
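As an added illustration of what such continuous monitoring looks like in practice (this is example code written for this page, not any product's or Anthem's tooling; the audit-line format, account names, addresses and row counts are all constructed), the script below learns a per-account profile of client address, hours of activity and result size from a training window, then flags later events that depart from it. It generalizes the article's scenario: a valid administrative account pulling a very large result set, off-hours, from an address never seen before is reported with all three deviations, while an account with no baseline at all is reported on that ground alone.

```python
"""Baseline-and-deviation detection over database audit events.

Added example: learn what "normal" looks like per account from a training
window, then flag later events whose client address, time of day, or result
size departs from that profile. The log format and every value below are
constructed for this illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: timestamp, account, client address, operation, rows returned.
BASELINE_LOG = """\
2015-01-05 09:12:03 user=dba_jsmith src=10.1.1.5 op=SELECT rows=40
2015-01-05 10:47:19 user=dba_jsmith src=10.1.1.5 op=UPDATE rows=3
2015-01-06 09:03:55 user=dba_jsmith src=10.1.1.5 op=SELECT rows=120
2015-01-06 14:22:41 user=dba_jsmith src=10.1.1.7 op=SELECT rows=75
2015-01-07 11:30:02 user=dba_jsmith src=10.1.1.5 op=SELECT rows=60
2015-01-05 09:40:11 user=app_claims src=10.2.0.20 op=SELECT rows=1
2015-01-05 09:40:12 user=app_claims src=10.2.0.20 op=SELECT rows=1
2015-01-06 09:41:30 user=app_claims src=10.2.0.21 op=INSERT rows=1
"""

# Constructed later window: one routine query, one bulk off-hours pull from a
# previously unseen address (203.0.113.0/24 is a documentation range), one
# routine application query, and one account with no baseline at all.
NEW_LOG = """\
2015-01-20 09:15:44 user=dba_jsmith src=10.1.1.5 op=SELECT rows=55
2015-01-21 02:13:08 user=dba_jsmith src=203.0.113.9 op=SELECT rows=2500000
2015-01-21 09:42:00 user=app_claims src=10.2.0.20 op=SELECT rows=1
2015-01-21 23:58:31 user=svc_backup src=203.0.113.9 op=SELECT rows=800000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)


def parse(text):
    """Turn raw audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["rows"] = int(d["rows"])
        d["raw"] = line.strip()
        events.append(d)
    return events


def build_profiles(events):
    """Per-account profile: client addresses seen, hours of day seen, row counts returned."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "rows": []})
    for e in events:
        p = profiles[e["user"]]
        p["hosts"].add(e["src"])
        p["hours"].add(e["ts"].hour)
        p["rows"].append(e["rows"])
    return profiles


def score(event, profiles, row_factor=10):
    """Return the list of ways this event deviates from its account's profile."""
    p = profiles.get(event["user"])
    if p is None:
        return ["account never seen in baseline"]
    reasons = []
    if event["src"] not in p["hosts"]:
        reasons.append(f"new client address {event['src']}")
    if event["ts"].hour not in p["hours"]:
        reasons.append(f"activity at hour {event['ts'].hour:02d} outside observed hours")
    typical = statistics.median(p["rows"])
    if event["rows"] > row_factor * max(typical, 1):
        reasons.append(f"{event['rows']} rows returned vs typical {typical:g}")
    return reasons


def detect(baseline_text, new_text, row_factor=10):
    """Alerts as (raw line, reasons) for every new event that deviates from baseline."""
    profiles = build_profiles(parse(baseline_text))
    alerts = []
    for e in parse(new_text):
        reasons = score(e, profiles, row_factor)
        if reasons:
            alerts.append((e["raw"], reasons))
    return alerts


if __name__ == "__main__":
    for raw, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(raw)
        for r in reasons:
            print("   -", r)
```

Run as-is, the script reports two of the four new events: the administrative pull (three deviations) and the unknown account. The row-count threshold is a multiple of the account's median rather than a fixed number, so a reporting account that routinely returns thousands of rows is not flagged for doing so, while an account that normally touches a handful is flagged for a sudden bulk export; in a real deployment the profile would be rebuilt on a rolling window and the hour check replaced by a per-account working-hours model.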

That sort of abnormal behavior would have been picked up by a number of products today that utilize machine learning behavioral analysis – products such as Aorato (acquired by Microsoft), Vectra Networks X-series Platform, McAfee’s Network Threat Behavior Analysis, and DB Networks DBN-6300.


For further insight into how to protect against company security breaches, read the Monument Capital Group article at Huffington Post.