4 Quick Thoughts On The Marriott Breach: Not A Usual Crime

My phone’s been ringing this morning from people wanting to talk about the massive Marriott breach — the revelation that private data associated with up to 500 million people may have been compromised. I’m sure there’s a lot more to learn from the details, but in the meantime, I’ll take a quick minute to jot down some initial thoughts:

1. Motive matters: Look deeper than PII and payment data theft. People have become almost numb to high-volume data theft—cases where there is a clearcut, singular mission on the part of attackers to grab a ton of personal information. There is still a big market for this data in the cybercrime underground so these incidents will continue to occur, but we’re also seeing a blending of cybercrime and nation-state attacker communities. It is right to consider, as some commentators have speculated, that the attack objective in this case could have been to spy on high-profile individuals. Knowing that government or corporate officials will be in a particular place at a particular time, what better time to take advantage of weak wi-fi networks? Attackers in this case may have been far more interested in compromising the safety or privacy of high-profile people, or digging for strategic information. 
2. Fight compliance complacency. Most organizations do their best to comply with the various privacy regulations. But it can actually work against real security. In a study we recently conducted with Ponemon, the amount of attention devoted to compliance activity was named as the top obstacle to better threat detection! Its astounding: the very programs that have been put in place to enforce better security standards are detracting from better security. While it’s important to have a foundation that meets regulatory standards, this alone is not likely to protect a company’s most strategic objectives. The right defense strategy is different for every organization—and it can only be formed from a careful focus on why attackers would want to go after you, and then be designed to combat the specific approaches they would use to accomplish those objectives. Numbness to data breaches might be expected at this point…. But the Board of Directors will not be numb when a crisis of a more strategic or existential nature occurs.
3. Put a “Stop lateral movement” line item in your 2019 budget. We don’t know the details yet, but clearly the Marriott attackers are sophisticated; they maintained a silent foothold since 2014. In most incidents, attackers use the organization’s own credentials and inter-system connectivity to reach critical assets. Traditional tools can’t detect the signs, or if they detect some signs, can’t put the pieces together enough to discern an actual attack taking place. There are now options—Illusive being one of them—for detecting and stopping attackers that masquerade as the organization’s legitimate users. It is not yet standard to have a “stop lateral movement” line item in the cybersecurity budget—but it should be.
4. Prevent the acquisition of cyberthreats. This appears to be another case in which an acquiring company bought more than the business assets of another entity—Marriott also acquired Starwood’s cyberthreats. The cyber investigation portion of M&A due diligence requires more than just ensuring that audits were passed—it means doing some deep digging on the cyber posture of high-value assets, and having a means to monitor for advanced threat activity during the longer process of business integration between entities.

Please reach out if you’d like to arrange a meeting to talk about how we can help you prevent your version of a Marriott breach.