Another day, another data breach. I'd like to offer two opinions with respect to breaches we read about regularly.
1) It's really not about the data with some data breaches - it's about the money.
2) Why is it that so many organizations don't take a proactive, continuous stance in protecting their assets? You don't have to wait for a post-breach forensics investigation to understand what went wrong.
It was reported late yesterday that Community Health Systems experienced a data breach that impacted 4.5M customers across potentially 28 states. This attack is interesting, given that the same attackers have previously been linked to successfully executed hacks that pilfered trade secrets within the healthcare industry. By all accounts, the attackers used some targeted malware to break into Community Health Systems to steal patient data, and not exactly IP that ultimately may get sold to China.
However interesting this breach seems, and despite the fact that it looks like over 4.5M patient records were exploited and stolen, patient records aren't really the most coveted types of records. Typically the records that hackers want are those that they can monetize.
That's not to say that stolen patient records can't be sold or exploited, or even serve as an initial data set for a hacker's investigation of individuals. But the reality is that with everything that everyone shares today anyway, if your medical records get out to a public location, it might not be ideal, but it likely won't have the same immediate impact that your debit card being breached would have.
What this news also demonstrates very clearly is that there is a critical need for forensic-level analysis of attacks of all kinds - malware, APTs and targeted campaigns - so that organizations can counter attacks in real time to mitigate the damage caused and the time that attackers spend inside those systems.
A post-breach forensics investigation, while helpful long-term, is an antiquated approach if that is what companies are relying on to understand attackers' lateral movement, the methods they are using and the overall impact of what they executed against you. I'd argue that's not security - I would call that an audit of a breach due to lack of real-time visibility on my endpoints and applications. It's necessary and likely required from a compliance standpoint, but this does nothing to support a continuous approach to endpoint security.
There is no substitute today for organizations that are experiencing high-volume security incident occurrences and don't have visibility into the behaviors of their attackers... regardless of the nature of the data records involved.
Real-time threat detection and the ability to respond to what matters most and what will have the largest impact on the organization - only accomplished through an engine that can help quickly detect different types of threats across the enterprise - removes the need for post-breach forensics, and will help responders mitigate that impact as the attack unfolds.