The Impact of Stolen Credentials

This multi-part series is designed to provide a deeper understanding of the threats that your organization and its data face. As we speak to customers and partners, we see gaps in understanding when it comes to data security. Our goal is to help our readers understand the broad threat to your organization that stems from your data, and then drill down to show the interdependencies and connections so you can take a holistic view of protecting it.

2018 was an interesting year for those following data security and data breaches. Not only did we see the trial between Waymo and Uber highlight a glaring hole in the security model, but we also witnessed the Marriott data breach (it actually occurred in the Starwood systems). As a refresher, the breach exposed approximately 339 million guest records and was revealed through the investigation to have been ongoing for nearly four years. Not everything has been made publicly available regarding how the breach occurred, but from what we do know we can learn some valuable lessons.

How does something like this happen, and how could it have been prevented? Looking at an organization of Starwood’s size, with the resources available, it seems as though it should never have happened, let alone been allowed to persist for four years. We learned the breach was discovered by an internal security tool that alerted a third-party consultant to a suspicious query. Apparently, this was the first such anomaly detected in the four years the breach was ongoing. This is not a slight on the consultant, or even the tool; it is an awakening to the sophistication of hackers and their ability to get around these types of tools. In other words, while there are components that might have prevented it from persisting for that long, hackers know what those tools are, how they work, and how to get around them. Further, and more alarming, the query was made by a user account with administrator privileges, although it was quickly determined that the account owner was not the person making the query. Investigators discovered a RAT (remote access trojan) along with Mimikatz (a means of stealing credentials stored in memory) on the system, which provided the ability to take over the administrator account.

Covax Polymer incorporates user behavior analytics into the user authentication process. Using a number of factors, a probabilistic determination is made as to the likelihood that the individual entering the credentials truly is the credential owner. If the probability does not meet a threshold, the access may require additional means of authentication, generate an alert, and/or be denied altogether. If that check is successful, the request itself is scrutinized as well. One may think this is similar to the anomaly detection that failed for four years to detect the ongoing breach in the Starwood environment, but Polymer goes deeper. Using deep learning paired with peer-group and non-connected-systems analysis, requests are scrutinized based not just on what is normal for a user, but also on what is right for that user.

It took months to investigate what Starwood data had been compromised. The hackers had been encrypting the stolen data within the system for extraction as a means of evading data loss prevention tools, which also made it difficult to determine what they had accessed. Here is an often overlooked or unknown fact about database logs – they are not immutable. Hackers will often access these logs to obfuscate or remove traces of their presence and activity. This makes it nearly impossible for an organization to fully understand the breadth of a breach. This is why the numbers can get so large. With a breach, organizations are required to assume that all records in a data structure have been compromised because they are unable to definitively know which records actually were compromised.

Covax Polymer’s chain of custody brings immutability and auditability to logging. Not only does the chain of custody solidify the log files, it provides greater visibility into the logs and can generate alerts based on the activity captured. With Covax Polymer in place, a breach like this would have been nearly impossible to pull off using the same attack vector. Even if the hackers had been able to get past the MFA and user behavior analytics on login, and then survived the request analysis day after day—all of which would be very challenging in and of itself—Starwood would still have been alerted to the activity in the system and been able to identify that it was not legitimate. This information would have allowed them to immediately shut down the threat and determine the specific data compromised.
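As an added illustration (this is not Covax Polymer's code, nor a description of how its chain of custody is built), the following hash-chained audit log shows the property the two paragraphs above rely on: once each log record is bound to its predecessor with a keyed hash and the latest head hash is anchored outside the database, editing or deleting a logged query is detectable rather than silent. The audit key, the external anchor and the sample queries are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key: in practice held by an audit service outside the
# database, so someone with database write access cannot recompute links.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _link(prev_hash: str, entry: dict) -> str:
    """Keyed hash binding this entry to the previous record's hash."""
    # Canonical JSON so the same entry always serializes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


def append(log: list, entry: dict) -> dict:
    """Append an entry whose hash depends on every record before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "entry": entry, "prev": prev_hash}
    record["hash"] = _link(prev_hash, entry)
    log.append(record)
    return record


def verify(log: list, anchored_head: str):
    """Return (True, None) if every link checks out and the last hash matches
    the externally anchored head; otherwise (False, index of first failure).
    A deleted trailing record shows up as a head mismatch at index len(log)."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        expected = _link(prev_hash, rec["entry"])
        if rec["prev"] != prev_hash or not hmac.compare_digest(rec["hash"], expected):
            return False, i
        prev_hash = rec["hash"]
    if not hmac.compare_digest(prev_hash, anchored_head):
        return False, len(log)
    return True, None


def demo():
    """Constructed scenario: an admin account's queries are logged, the head is
    anchored, then the suspicious query is edited in place after the fact."""
    log = []
    for q in ["SELECT name FROM guests WHERE id=1", "SELECT * FROM guests"]:
        append(log, {"user": "dbadmin", "query": q})
    head = log[-1]["hash"]  # anchored with the audit service at write time
    before = verify(log, head)
    log[1]["entry"]["query"] = "SELECT name FROM guests WHERE id=2"  # tampering
    return before, verify(log, head)
```

Running `demo()` returns `((True, None), (False, 1))`: the edited record is pinpointed, and because the audit key and anchored head live outside the database, the attacker cannot re-link the chain to hide the change.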

Starwood has been able to survive this breach because it is a huge multinational brand that can afford the fines and penalties. Not all businesses are in that position. The financial impact has reached into the multiples of hundreds of millions of dollars. Marriott, Starwood’s new owner, has faced fines from most of the major markets in which it operates. There have been the costs of notifying and remediating the impacted customers, the productivity lost to investigations – both civil and regulatory – legal costs, as well as reputational harm. All told, the fallout will continue for years.

In next week’s post, we will discuss the threat created by deploying the wrong type of solution. “Data security” has become a hot buzz-phrase today, much like blockchain three years ago and the cloud ten years ago. However, much like you saw with those hot topics, it can be buyer beware when it comes to choosing and deploying a system.

Originally Posted On: October 13, 2020