An Adaptive Approach to the Changing Retail InfoSec Landscape – Part 1
Information Security as a distinct discipline has a relatively short history of roughly 25 years. During most of that time, InfoSec professionals have operated under the doctrine of “defense in depth,” which constructs layered fortifications around critical IT assets in much the way that medieval kings built castles to protect themselves. Just as castles have drawbridges, high walls, and sentries, defense in depth has its own set of tactics: a broad set of preventive, administrative, and detective controls such as firewalls, access controls, and logging that protect an organization’s critical assets. Nowhere is defense in depth more heavily utilized than in the PCI Data Security Standard, whose 12 requirements provide controls that span the InfoSec spectrum.
To be clear, we are not declaring the end of defense in depth as a core security practice. To the contrary, defense in depth continues to be the gold standard for protecting mission-critical IT assets, especially where the nature of the targets and the value of the information are well understood. However, with the proliferation of information technology across the digital store, the problem of protecting IT assets has simply gotten bigger and more complex. Just as we cannot build castles around every patch of land, we cannot use defense in depth to protect every IT asset in the store, the cloud, or the data center.
If we are to offer an appropriate and economically viable level of protection across the IT spectrum, we need a new and additional InfoSec doctrine. We believe that the next step is an adaptive approach, in which the controls deployed are matched more closely to the profile of the particular threat environment and adjusted as that environment changes. A number of important industry changes are driving the need to re-evaluate defense in depth.
Changes in the retail threat/vulnerability landscape. Because of the segmentation requirements of the PCI standard, most retailers have adopted IT architectures in which the payment systems are heavily defended while other retail IT assets have little or no defense. These environments are also subject to programmatic attacks: malware that gets installed on a headquarters or vendor-connected workstation can probe IT assets in the store at will and mine them for data that can be monetized. Such attacks are “always on.” They don’t get tired or take time off to spend with the kids. They do, however, get better with age, adapting to exploit the latest vulnerabilities as store technology and the threat landscape evolve.
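The probing behaviour described above is visible in network flow records. The following is an added example, not code from the original post: a small detector that reads constructed flow-log lines, keeps only connections from non-store sources into store address space, flags sources that reach many distinct store hosts inside a short window, and counts how many separate sweeps each source ran, which is what distinguishes an “always on” implant from a one-off scan. The log format, the store address range (10.20.0.0/16), the window, and the threshold are all assumptions made for this demo.

```python
"""Flag non-store hosts that sweep many store hosts in a short window (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption for this example: every store LAN lives under 10.20.0.0/16.
STORE_NETS = [ip_network("10.20.0.0/16")]


def _constructed_flows():
    """Build sample flow records. Constructed for this example, not real logs."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    rows = []
    # Normal HQ host: two store servers, a handful of connections each.
    for i in range(4):
        rows.append((base + timedelta(minutes=10 * i), "10.1.5.20", "10.20.3.10", 443))
        rows.append((base + timedelta(minutes=10 * i + 1), "10.1.5.20", "10.20.3.11", 443))
    # Vendor workstation: three store hosts spread over hours, not a sweep.
    for i, host in enumerate(("10.20.8.5", "10.20.9.5", "10.20.10.5")):
        rows.append((base + timedelta(hours=i), "10.1.9.9", host, 22))
    # Compromised HQ host: walks a store subnet on SMB and RDP within two minutes,
    # then repeats the sweep three hours later (the "always on" behaviour).
    for burst_start in (0, 180):
        for n in range(10, 22):
            t = base + timedelta(minutes=burst_start, seconds=10 * (n - 10))
            rows.append((t, "10.1.7.44", f"10.20.1.{n}", 445))
            rows.append((t + timedelta(seconds=5), "10.1.7.44", f"10.20.1.{n}", 3389))
    rows.sort()
    return [f"{t.isoformat()} {s} {d} {p} tcp" for t, s, d, p in rows]


SAMPLE_FLOWS = _constructed_flows()


def parse_flow(line):
    """Parse '<iso-ts> <src> <dst> <dport> <proto>', a simplified format assumed here."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port), proto


def in_store(ip):
    return any(ip in net for net in STORE_NETS)


def find_probers(lines, window=timedelta(minutes=5), min_hosts=8):
    """Return {src: {peak_hosts, ports, bursts}} for every non-store source that
    reached at least `min_hosts` distinct store hosts within any `window`.
    `bursts` counts non-overlapping windows in which the threshold was crossed."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_flow(line)
        if in_store(dst) and not in_store(src):
            by_src[src].append((ts, dst, port))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        peak, bursts, burst_end = 0, 0, None
        for i, (t0, _, _) in enumerate(events):
            hosts = set()
            for t, dst, _ in events[i:]:       # all events within `window` of t0
                if t - t0 > window:
                    break
                hosts.add(dst)
            peak = max(peak, len(hosts))
            if len(hosts) >= min_hosts and (burst_end is None or t0 > burst_end):
                bursts += 1
                burst_end = t0 + window
        if peak >= min_hosts:
            hits[str(src)] = {
                "peak_hosts": peak,
                "ports": sorted({p for _, _, p in events}),
                "bursts": bursts,
            }
    return hits


if __name__ == "__main__":
    for src, info in find_probers(SAMPLE_FLOWS).items():
        print(f"{src}: {info['peak_hosts']} store hosts in one window, "
              f"ports {info['ports']}, {info['bursts']} separate sweeps")
```

On the constructed data only 10.1.7.44 is reported: 12 store hosts in a single window, on ports 445 and 3389, in two separate sweeps. The legitimate HQ host and the vendor workstation stay below the threshold because they touch few hosts and do so slowly. In production the same logic would run over exported flow or firewall logs, with the threshold tuned per source role (a patch server legitimately talks to every store).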
Emergence of the InfoSec media. Security breaches have become big news, and an entire segment of the media is dedicated to covering the latest businesses to suffer one. Public backlash against such businesses is swifter and more damaging than ever. In addition to heightened public awareness of InfoSec events, security researchers have begun to play on media hype by rolling out newly discovered vulnerabilities like Heartbleed and KRACK on slick websites that inform the public but also promote the researchers themselves. Finally, government agencies like the Department of Homeland Security regularly release the details of security breaches as a public service. Because of this coverage, managers have a much clearer picture of what to look for in their own investigations. For example, Grizzly Steppe, the name given to a series of intrusion campaigns attributed to Russian actors seeking to influence US elections, was accompanied by a joint DHS/FBI analysis that listed specific indicators of compromise and attack vectors.
The New Economics of Data. With lessons learned while infiltrating integrated POS systems, criminals have become cleverer at monetizing the vast store of data that retailers possess. We are aware of two strategies that are completely independent of payment card data. The first is ransomware against the POS itself, rendering POS systems useless by encrypting critical data such as sales, inventory, and merchandising records. By denying retailers the ability to operate their mission-critical POS systems, thieves put themselves in a position to collect large ransoms. The second strategy, seen in the Under Armour (MyFitnessPal) and Panera Bread incidents, involves the exposure of non-payment card data such as customer names, email addresses, and birthdates; disclosure of this data in the InfoSec media brings considerable embarrassment and legal exposure to the retailers involved. What makes both of these strategies frightening is that the most vulnerable areas of the retail network are not protected by the fixed fortifications imposed (often at great expense) by PCI.
Based on these changes, we believe that a new, more agile approach to defense in depth is required. This approach pairs an agile infrastructure with system automation so that retailers can mount an adaptive defense: rapidly placing the right controls in the right place based on the nature of the assets to be defended and the magnitude of the threat.
In Part 2 of this blog, we will explain how the emergence of new technologies such as DevOps and containerization can be used to support an adaptive defense. We will also show how such a defense can be implemented using Reliant Platform and provide a few examples of controls we have built to facilitate an adaptive defense.