Lessons Learned from OPM: Prioritize Your Activities, Focus on Your Crown Jewels

July 20, 2015
Ryan Kalember

We’ve all read about the cyberattack on the Office of Personnel Management (OPM). The records of 22.1 million people were compromised in what is now considered the worst cyberattack in U.S. history. With all the sensitivity around data privacy and the publicity around high-profile hacks, why was OPM still so vulnerable?

When OPM’s security was found lacking a year ago, the audit revealed some positive progress, but the findings, which are measured against FISMA, NIST, and similar frameworks, also pointed OPM in too many directions. Given its limited resources, the sheer number of issues OPM needed to address was overwhelming, and the organization failed to adequately prioritize its activities.

The reality is that hackers are able to rapidly evolve their technology and strategies, and most organizations are currently playing catch-up. Meanwhile, major hacks such as the one on OPM merely add fuel to the fire. For example, we’ve seen techniques like social engineering and phishing emails follow a large-scale attack because cybercriminals know they can trick email recipients into enabling malware or revealing proprietary information simply by claiming they are trying to protect the recipient from the recent attack.

With the threat level so high, what should organizations do? First, they should ensure that they have the best protection they can afford across the major attack channels (email, web, and increasingly social media). Next, they should assume they will be breached and work to ensure they can detect a breach and respond as quickly as possible. Lastly but no less critically, they should reduce their attack surface, focusing especially on what they consider their “crown jewels”—in OPM’s case, the database for security clearances.

By combining a focus on the crown jewels with the recognition that no perimeter defense is perfect, so that a fast response is also essential, companies can begin to better prioritize their activities and where they put their resources. At a high level, every organization should:

  • Enhance their detection and protection capabilities, especially for key attack vectors like email, social media, and third-party contractors.
  • Develop an orchestrated threat response capability, and make responders more efficient by investing in intelligence to help them prioritize their efforts.
  • Recognize that attackers are using cloud-based approaches to attack organizations, constantly changing their attack chains. Organizations should consider the adoption of defenses that are able to adapt as quickly. They should prioritize fast-updating solutions that leverage the cloud over boxes that may take months to roll out and lack visibility outside of the managed network.

What best practices have you implemented for prioritizing your cyber defense strategy? Let us know on Twitter @Proofpoint_Inc.