THE BALBIX BLOG

Musings on predictive cyber risk and resilience.


Why AI would have stopped the Equifax Hack

The recent Equifax data breach, which put 143 million US consumers' personal data at risk—including names, SSNs, birth dates, addresses, and some driver's license and credit card numbers—drove home the dangers facing any organization that stores a valuable trove of data.

Let’s look at the security issues plaguing Equifax that have come out:

  • Equifax has blamed the breach on a security bug on a server running a vulnerable version of Apache Struts. Equifax had failed to patch this system despite the vulnerability being made public earlier in the year.
  • There have been reports that one of Equifax's servers in Argentina had a default username/password combination of admin/admin. Furthermore, it was also reported that employee credentials and passwords were being stored in the clear on these servers.
  • Credit freeze PINs generated by Equifax are easy to guess.

At the time of this writing, Equifax's stock price is down 35% from before the breach disclosure. The CSO and CIO have been fired, and the company is promising to clean up its act. 

So why did Equifax have all these issues? Security experts have claimed that these issues amount to extreme negligence on Equifax's part, but then why do organizations fail to get their act together and stop getting breached? Here are a few factors to consider.

  1. The attack surface of an enterprise is massive and continues to expand. It makes it increasingly hard for security teams to keep up with the adversary. Companies have zero visibility into big and important chunks of their networks. 
  2. Prioritizing what security issues to fix and what can wait is a hard and manual process, exacerbated by the myriad of security events being generated on a regular basis – there is way too much data and few insights to go on. Patching thousands of devices every week is hard!
  3. Almost all security tools used are fundamentally reactive, even if they make use of analytics. By the time a security analyst or executive is looking at a report, the damage has already been done. 

But there is more! We must remember that the Equifax failure(s) were not just those of their erstwhile CIO and CSO. There are many human roles responsible for securing an enterprise business, especially customer data: the business owner(s), the CISO & security team, the CIO & IT team, internal audit, senior management including the CFO, General Counsel, and the CEO, the Board of Directors, external auditors, regulators, and insurers. The Equifax breach was a cascading failure of all of these functions. Why?

I am sure these people at Equifax are well meaning, competent people who are scratching their heads on what they could have done differently. These people failed because our security systems today fail to produce information that is relevant to them. Auditors typically look at self-attested questionnaire data, and look to judge perceived configuration which might be very different from actual on-network state. A CEO or board member does not have the means to get answers to simple business questions like: "what is my breach risk", and "what investments do I need to make to become cyber-resilient". Can you "google" for your company's or business unit's specific risk from "the equifax breach"?

The deep technical nature of security has made relevant information hard to deliver to all stakeholders. As a result, the right decisions don't get made, and the right projects don't get prioritized, funded, or tracked. A poor appreciation of risk has left some with a lack of urgency, and others with a feeling of being overwhelmed.

How can AI help? By delivering Relevance


At Balbix, we use AI to answer key security questions such as:

  • Where are attacks likely to originate?
  • How will an attack propagate through my network?
  • What key assets will the adversary go after?
  • What mitigations will stop the attack?
  • What gaps do I have which I need to fix? 

Balbix automatically discovers all assets in your enterprise by observing your extended network from inside-out and outside-in, and then calculates the business impact for each asset by examining its access to sensitive networks, services and data. We automatically and continuously analyze indicators of risk across 200+ dimensions, including weak and shared passwords, misconfiguration, susceptibility to phishing, attack propagation, unpatched software, quality of encryption, etc. 
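To make the prioritization problem from factor 2 above concrete, here is an added example (not Balbix's code or method) of one way to rank assets for remediation by combining each asset's business impact with the risk indicators observed on it. The assets, indicator weights and scaling rules below are constructed assumptions loosely modelled on the issues listed earlier in the post; a real system would draw them from discovered inventory and many more indicator dimensions.

```python
"""Risk-based remediation prioritisation (illustrative, constructed example).

Not Balbix's implementation. Every asset, indicator weight and scaling
choice here is an assumption made for the example.
"""
import math
from dataclasses import dataclass, field

# Assumed likelihood (0-1) that an attacker can leverage each indicator.
INDICATOR_LIKELIHOOD = {
    "unpatched_public_vuln": 0.9,   # known, disclosed vuln with a patch available
    "default_credentials": 0.8,     # vendor-default logins such as admin/admin
    "plaintext_credentials": 0.5,   # credentials stored in the clear
    "weak_tls": 0.2,
}

# Assumed prescription for each indicator, used to build the fix list.
REMEDIATION = {
    "unpatched_public_vuln": "apply vendor patch; verify with a re-scan",
    "default_credentials": "rotate to unique credentials; enforce on build",
    "plaintext_credentials": "move secrets to a vault; hash stored passwords",
    "weak_tls": "disable legacy protocols and ciphers",
}


@dataclass
class Asset:
    name: str
    internet_facing: bool
    sensitive_records: int          # records reachable from this host
    indicators: list = field(default_factory=list)


def business_impact(asset: Asset) -> float:
    """Impact on a 0-1 scale, log-scaled on reachable sensitive records
    (assumption: 1e9 records saturates at 1.0; hosts with none get a floor)."""
    if asset.sensitive_records <= 0:
        return 0.05
    return min(1.0, math.log10(asset.sensitive_records) / 9)


def compromise_likelihood(asset: Asset) -> float:
    """Probability that at least one indicator is exploited, treating
    indicators as independent; internal-only hosts get halved exposure."""
    p_survive = 1.0
    for ind in asset.indicators:
        p = INDICATOR_LIKELIHOOD.get(ind, 0.1)   # unknown indicator: low default
        if not asset.internet_facing:
            p *= 0.5
        p_survive *= 1 - p
    return 1 - p_survive


def risk_score(asset: Asset) -> float:
    """Risk = impact x likelihood, rounded for reporting."""
    return round(business_impact(asset) * compromise_likelihood(asset), 3)


def prioritize(assets):
    """Highest-risk assets first: the order in which to spend patch windows."""
    return sorted(assets, key=risk_score, reverse=True)


def remediation_plan(assets):
    """(asset name, score, list of prescriptions) in priority order."""
    return [
        (a.name, risk_score(a), [REMEDIATION.get(i, "investigate") for i in a.indicators])
        for a in prioritize(assets)
    ]


def sample_assets():
    """Constructed inventory echoing the post's issue list; not real hosts."""
    return [
        Asset("customer-web-portal", True, 143_000_000, ["unpatched_public_vuln"]),
        Asset("ar-employee-portal", True, 14_000, ["default_credentials", "plaintext_credentials"]),
        Asset("internal-hr-db", False, 10_000, ["weak_tls"]),
        Asset("office-printer", False, 0, []),
    ]


if __name__ == "__main__":
    for name, score, fixes in remediation_plan(sample_assets()):
        print(f"{score:5.3f}  {name:22s}  {'; '.join(fixes) or 'no action'}")
```

The point of the scaling is that a single unpatched, publicly known bug on a host that reaches a large sensitive dataset outranks several weaker findings on a low-value host, which is the ordering a patch queue should follow; swapping in real inventory and indicator data changes the numbers, not the approach.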


Balbix also provides tactical and strategic prescriptions to help you deploy and track the correct mitigations, reduce breach risk and improve your enterprise's cyber-resilience. 

Perhaps most importantly, Balbix is aware of the different personas interacting with the system and produces relevant information for the different stakeholders with the right business context from a single integrated system. We don't bug the CFO and board members with stats from the Qualys dashboard showing a gazillion unpatched systems, or technical details from an attack simulation involving an exotic exploit, in order to get their attention. Instead, we let them understand the business risk by interacting with the system from their own viewpoint.


So, yes, Balbix's AI would have stopped the Equifax breach!

Balbix can provide relevant security and risk answers to you. If you would like to get ahead of the adversary, then Balbix is your vehicle. Let's get started.