Detect an intrusion
As already stated, failure in protection is inevitable. It is critical to have a detection architecture in place to identify when protection fails. For example, I cannot imagine a legitimate case in which a single system should access all 143 million records in the database in a short period of time. There is no reason that the entire database should be copied. There are many tools that would detect such access. Data access is the paramount concern for a company like Equifax, and all data access should be constantly scrutinized.
There are also tools that should detect a compromise of the systems or of the applications running on them. If Apache Struts had been modified or manipulated in any way, it should have been detected. The technical architecture of critical infrastructure should be constantly monitored for any form of compromise.
Network analytics can also look for anomalous activity, including peer-to-peer activity that is traditionally associated with advanced persistent threats (APTs). While I do not want to use the term APT loosely, it is synonymous with sophisticated attackers who demonstrate discipline, use covert channels, and constantly evolve their techniques. Environments such as Equifax's should use tools that look for unusual network activity that would indicate a compromise.
Behavioral analytics is another detection capability that should be standard for any environment with sensitive information. In the Equifax case, if there was a vulnerability in its web interface application, there should have been a detection capability that looks for unusual access patterns. This is the case for any process that is involved with any type of access or manipulation of data.
As with protection, you need not only to look at what detection was in place and failed, but also to understand what detection capability should have been in place that would have detected the compromise.
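The bulk-access and behavioral-analytics points above amount to a concrete check: no single source should pull an enormous volume of records in a short window. The following is an added example, not code from the article or from Equifax, of such a detector run over constructed sample log lines; the log format, hostnames, five-minute window and 100,000-record threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real data). Assumed format:
# "<ISO timestamp> <source host> <records returned by the query>"
SAMPLE_LOG = """\
2017-05-13T10:00:01 app-web-01 12
2017-05-13T10:00:05 app-web-02 8
2017-05-13T10:00:09 app-web-01 15
2017-05-13T10:01:00 batch-07 40000
2017-05-13T10:01:30 batch-07 45000
2017-05-13T10:02:10 batch-07 50000
2017-05-13T10:20:00 app-web-01 9
""".splitlines()

WINDOW = timedelta(minutes=5)   # assumed: trailing window examined per source
THRESHOLD = 100_000             # assumed: records per source per window


def parse_line(line):
    """Split one log line into (timestamp, host, record count)."""
    ts, host, n = line.split()
    return datetime.fromisoformat(ts), host, int(n)


def detect_bulk_access(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one (host, timestamp, records_in_window) alert each time a
    single source's record volume over the trailing window first crosses
    the threshold. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # host -> (timestamp, count) events in window
    totals = defaultdict(int)     # host -> sum of counts currently in window
    over = set()                  # hosts already alerted on for this excursion
    alerts = []
    for line in lines:
        ts, host, n = parse_line(line)
        q = recent[host]
        q.append((ts, n))
        totals[host] += n
        # Expire events older than the window so the total is trailing-window only.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[host] -= old
        if totals[host] > threshold:
            if host not in over:          # alert once per crossing, not per line
                over.add(host)
                alerts.append((host, ts.isoformat(), totals[host]))
        else:
            over.discard(host)            # volume fell back; re-arm the alert
    return alerts
```

In practice the same shape of check is applied per database account and per application, and the thresholds come from the normal volumes observed for each.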
React to the data breach
Upon learning about the breach, it appears that Equifax hired FireEye to perform the investigation. While the hiring of FireEye was a reasonable step, everything else created a public relations disaster.
Shortly after the breach, several executives sold a portion of their stock in the company before its value plummeted. Equifax claims that those executives did not know of the breach at the time of the sale, but their actions did exacerbate the PR nightmare that has ensued. The reaction was then worsened when Equifax attempted to limit the recourse of those affected.
Public relations should be a concern; however, it should not be the first reaction. There needs to be a comprehensive, proactive plan created for as many types of incidents as possible. Clearly, the nature of the incident response depends upon what the incident is and how it was detected. A technical attack detected early in the reconnaissance phase calls for a different response than a complete compromise of the database discovered after the fact.