The 2019 Capital One Breach
Data breaches are major security threats for enterprises and end users. Previously, we discussed the Equifax data breach that leaked the social security numbers of 147 million US citizens. Last month (07/2019), in the Capital One data breach, a hacker gained access to the names and addresses of about 100 million individuals in the United States, as well as 6 million people in Canada. Yet again, a breach has compromised the identity of more than 100 million people! Whose name will be next in the headlines? How could we prevent such cases from happening?
How did it happen?
A pioneer of digital banking, Capital One has embraced the digital transformation (DX) trend.
Capital One CIO Rob Alexander transformed his organization from an IT shop into a software company with Agile development, public cloud, new talent, open source technology, and machine learning (according to InformationWeek). Because the public cloud is one of the core components in their strategy, Capital One is one of the first financial institutions who are more dependent on the public cloud. The complex attack surface of the mix of clouds and enterprise infrastructures renders traditional perimeter defenses ineffectual, and attackers are actively looking to exploit security holes in companies’ cloud adoption. Paige Thompson (nicknamed ERRATiC), a 33-year old former Amazon engineer, launched an attack against Capital One’s cloud components in Amazon AWS and stole about 30GB of customer data through the AWS S3 web-based data object storage.
The breach can be broken down into the following major steps:
How can we do better?
It is important for organizations to improve their security hygiene, to reduce misconfigurations, and to patch vulnerabilities in a timely manner. Still, it is extremely difficult to prevent all possible bugs in a system. Today, hybrid cloud deployments are common and create complex attack surfaces. Monitoring and collecting relevant data, advanced AI detection, powerful investigation, and fast responses are necessary elements in mitigating possible attacks.
In order to shed some light on the complexity of both enterprise internal infrastructure and cloud vendors, many different types of data from the network, from servers, and from cloud logs need to be collected and fused for deeper visibility. The Stellar Cyber Unified Security Analytics Platform (USAP), Starlight, can easily ingest data from all kinds of data sources—from network sensors, Linux/Windows host agents, and cloud logs — as well as leverage advanced AI and machine learning techniques to detect unusual system behaviors. Its user interface allows users to correlate anomalies across the Kill Chain and deep-dive into surrounding incidents. Quick remediation is facilitated by its integrated tools for automated incident response, such as adding firewall rules and disabling users.
In the Capital One data breach, we would identify the following anomalies:
These anomalies together create a highly convincing attack story. During the investigation, security analysts might leverage Stellar Cyber’s big-data platform and automated threat hunting to discover even more anomalies in the neighborhood of this attack, and quickly stop the threats from progressing.
In the era of digital transformation, AI, and big-data, organizations have found that the protection of data requires great responsibility. Data is valuable, and data breaches cause huge damage to the reputation and revenue of any organization. The advanced Stellar Cyber USAP Starlight is optimized to defend against the sophisticated attacks that threaten the network, giving system administrators the confidence that critical assets are well-protected.