One employee gets the blame at Equifax. Fair?
October 5, 2017
In late August, Richard Smith, former CEO of Equifax, gave a speech that included this line: “There are those companies that have been breached and know it, and there are those companies that have been breached and don’t know it.” (As Fortune notes, at the time of the speech Equifax was breached and they knew it).
In testimony to Congress earlier this week, Smith claimed that the company’s massive data breach was caused by an unnamed IT employee who failed to patch an Apache Struts implementation on Equifax’s online disputes portal. If Smith knows breaches are inevitable, does it make any sense to blame the incident on a single missed patch? Does it mean the loss of 145M records was, in fact, inevitable?
Attackers enjoyed undetected access behind Equifax’s firewall from May 13th to July 30th. During those 10 weeks, we can confidently conjecture that many, many indicators of compromise were either not detected, were ignored, or were simply judged to be innocuous. Failure to patch was merely the first step in a multi-step cyber kill chain. The real problem is that the attackers were in Equifax’s playground for far too long.
If (as Smith correctly noted) breaches are inevitable, then incident detection and response need to become as important as patch discipline (or firewall management, or authentication frameworks, or any other front-line preventative defense). Asserting that the first step in the kill chain is responsible for the entire breach will lead policymakers and practitioners down the wrong path.
Lacework takes a different approach. We detect ALL anomalies in your computing environment and give the security team immediate insights to determine if it’s an expected change, a misconfiguration or an actual threat. With Lacework, organizations can stay on guard throughout the entire cyber kill chain to detect threats and stop attacks fast, before any damage is done. Our customers can testify to the effectiveness of Lacework in their environment – read how a recent PEN test team at one of our customers found that Lacework was the only solution capable of detecting every penetration attempt they made.