OPM Data Breach Reveals the Limitations of Cybersecurity Solutions

The fallout from the record-breaking breach disclosed by the Office of Personnel Management (OPM) earlier this month reached a low point at a Capitol Hill hearing on June 16. During the hearing, members of the House Committee on Oversight and Government Reform scolded OPM officials and IT executives for their “complete and utter failure” to protect sensitive personal information stored in compromised systems. The breach is estimated to impact at least 3.2M federal employees and contractors. However, the number of breached records may be as high as 14M.

While the root cause of the breach is yet to be disclosed, there are several factors that are suspected to have contributed to the successful attack against the OPM. The first is OPM’s sluggish response to the recommendations of a systems audit performed by the Inspector General last year. The Inspector General Audit Report identified numerous material weaknesses in OPM’s security program and practices, including missing configuration baselines for operating platforms and ineffective security monitoring procedures. OPM has been widely criticized for failing to implement many of the key recommendations made by the Inspector General.

The second is weaknesses in the cybersecurity tools put in place by the Department of Homeland Security to detect and contain the type of incident that led to the breach at OPM. The most widely criticized tool is Einstein, the multi-billion dollar intrusion detection system deployed by US-CERT to monitor government Internet gateways for malicious traffic. Einstein is the cornerstone of the $4.5 billion U.S. National Cybersecurity and Protection System (NCPS) program. Despite a recent $200M upgrade, it failed to expose the original attacks that led to the breach at OPM. Yet again, this illustrates the known limitations of signature-based intrusion detection systems, which can be circumvented by scrambling or encrypting attack payloads. These and other drawbacks have led institutions such as SANS to conclude that “It is far too easy to fool or shut down an IDS machine for them to be utilized as the primary line of defense against intruders”.

It also illustrates the broader concern over the effectiveness of cybersecurity solutions in general, not just network-based IDS or, for that matter, IPS systems. According to a joint study performed by Juniper Networks and RAND earlier this year, worldwide spending on cybersecurity is growing by 10 to 15 percent per year. However, despite investing increasing amounts in cybersecurity tools, most companies report a low level of confidence in the ability of such tools to improve the security of their infrastructure. This sentiment is understandable and is based on the questionable success of conventional tools in combating cyber threats. The irony of sky-rocketing costs for cybersecurity tools against the backdrop of the declining value of such tools is not lost on customers.

For this reason, organizations would be better served by redirecting budgets from dubious investments in redundant tools to tackling the most critical issue in cybersecurity today: the shortage of skilled resources capable of modelling and managing the wide array of risks in complex and evolving threat landscapes. The global cybersecurity skills shortage is borne out by the following startling facts:

83 percent of enterprises lack the skills to protect their IT assets (1)

1 out of 3 security professionals is not familiar with advanced persistent threats (2)

62% of organizations did not increase security training in 2014 (2)

There are 1M unfilled positions for security professionals worldwide (3)

One of the consequences of the skills shortage is that it often leads enterprises to rely on a patchwork of third parties for core security services. OPM, for example, is alleged to have granted privileged access to contractors in China, one of the nation states suspected of perpetrating the attack.

For SAP systems, the aim of fostering an effective security operations center or center of excellence is made easier by the availability of a wide array of powerful monitoring tools in Solution Manager. The most important of these tools is Configuration Validation (ConVal), which can be leveraged to implement automated, policy-based vulnerability management. The accessibility and convenience of tools such as ConVal eliminates the need for third-party security software and enables customers to focus more resources on staffing, training and other needs.

ConVal performs system configuration monitoring. It also monitors critical authorizations, transactions and profiles. For security information and event management (SIEM), most existing platforms can analyze event data in SAP log files, including the Security Audit Log. Platforms such as HP ArcSight, RSA enVision, McAfee/Intel, and Splunk can be tuned to review SAP logs using available connectors or modules. For more information on ConVal or on integrating SAP systems with your SIEM platform, contact Layer Seven Security.

Sources:
(1) ESG, March 2015
(2) 2014 APT Study, ISACA, April 2014
(3) Annual Security Report, Cisco, January 2014