The Anthem data breach has garnered a lot of press over the past few months. Today at HITRUST 2015, a member of Anthem’s Information Security office gave a talk entitled “Anatomy of a targeted APT: Lessons learned from the trenches” that gave their side of the story.
The Anthem attack was discovered when a database admin logged in and found a SQL job running. Since he hadn’t started the job, he was naturally suspicious and called for a formal investigation. The server was promptly isolated, and over two or three days the scope of the attack came to light.
As the talk unfolded it became clear that Anthem has a sophisticated info sec program and many controls in place. They are managing multiple petabytes of data across a wide variety of systems. Data Loss Prevention and Intrusion Detection System technologies are in use throughout the organization, and the vast majority of their approaches are well beyond best practice.
So, how did things go so very wrong?
The core problem at Anthem was a single database that was not adequately encrypted. I say adequately, because data file encryption would not have helped in this instance: the attacker was running queries through the database engine itself, which transparently decrypts the files for any session that has the rights to ask.
The only workable solutions to reduce loss would have been field-level obfuscation, tokenization or field-level encryption by the applications, but none of these were used on this database.
Anthem did use field-level protection on other databases in the environment, just not this one.
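To make the distinction concrete, here is an added example (my own code, not Anthem’s and not from the talk) that simulates the two designs side by side. A "file-encrypted" database stores the sensitive field in plaintext as far as the database engine is concerned, so a DBA-level SELECT returns it verbatim. An application-level tokenized database stores only a keyed HMAC token, and the token-to-value mapping lives in a separate vault that the database account cannot reach. The member records, the SSN-like values and the vault layout are all constructed for the illustration; the HMAC-based tokenization scheme is one common approach, not the one Anthem used elsewhere.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample records for the demo (not real people or identifiers).
SAMPLE_MEMBERS = [
    ("Alice Example", "123-45-6789"),
    ("Bob Example", "987-65-4321"),
]


def make_token(token_key: bytes, value: str) -> str:
    """Deterministic keyed token: the same value always yields the same token,
    so the application can still look up or join on it, but the token cannot
    be reversed without the vault. The key never touches the member database."""
    digest = hmac.new(token_key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]


class TokenVault:
    """Separate store that maps tokens back to plaintext. In production this
    lives on a different system with its own access controls; here it is a
    second in-memory sqlite connection so the example runs offline."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE vault (token TEXT PRIMARY KEY, value TEXT NOT NULL)"
        )

    def put(self, token: str, value: str) -> None:
        self.conn.execute("INSERT OR IGNORE INTO vault VALUES (?, ?)", (token, value))

    def get(self, token: str):
        row = self.conn.execute(
            "SELECT value FROM vault WHERE token = ?", (token,)
        ).fetchone()
        return row[0] if row else None


def build_file_encrypted_db() -> sqlite3.Connection:
    """Models transparent/file-level encryption: the engine decrypts on read,
    so from the SQL layer the column is simply plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO members (name, ssn) VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def build_tokenized_db(token_key: bytes, vault: TokenVault) -> sqlite3.Connection:
    """Models application-level tokenization: only tokens reach the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    for name, ssn in SAMPLE_MEMBERS:
        token = make_token(token_key, ssn)
        vault.put(token, ssn)
        conn.execute("INSERT INTO members (name, ssn) VALUES (?, ?)", (name, token))
    conn.commit()
    return conn


def dump_as_dba(conn: sqlite3.Connection):
    """What a DBA, or an attacker holding DBA rights, gets from a plain SELECT."""
    return conn.execute("SELECT name, ssn FROM members ORDER BY id").fetchall()


def leaked_values(rows) -> list:
    """Sample SSN values that appear verbatim in a dump."""
    flat = " ".join(str(cell) for row in rows for cell in row)
    return [ssn for _, ssn in SAMPLE_MEMBERS if ssn in flat]


def find_member_by_ssn(conn: sqlite3.Connection, token_key: bytes, ssn: str):
    """The application can still query by SSN: it tokenizes the search value
    with the same key, so the database never needs the plaintext."""
    row = conn.execute(
        "SELECT name FROM members WHERE ssn = ?", (make_token(token_key, ssn),)
    ).fetchone()
    return row[0] if row else None


def compare_designs(token_key: bytes = None):
    """Run the same DBA-level dump against both designs and report what leaks."""
    token_key = token_key or secrets.token_bytes(32)
    vault = TokenVault()
    file_rows = dump_as_dba(build_file_encrypted_db())
    token_rows = dump_as_dba(build_tokenized_db(token_key, vault))
    return {
        "file_encrypted_leak": leaked_values(file_rows),
        "tokenized_leak": leaked_values(token_rows),
        "vault_round_trip": vault.get(token_rows[0][1]),
    }


if __name__ == "__main__":
    for key, value in compare_designs().items():
        print(f"{key}: {value}")
```

The dump from the "file-encrypted" database contains every sample SSN, while the dump from the tokenized database contains none; only the vault, reached through the application with its own credentials, can turn a token back into a value. That separation is what limits the damage when a database account is the thing that gets compromised.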
Here then is the crux of the matter. You are as good as your weakest link.
Old-school security experts tend to ignore this issue, focusing instead on a secure perimeter and on isolating assets that cannot be adequately secured.
As the speaker commented today, if you are relying on your perimeter you are fooling yourself. In today’s world every high-risk asset needs its own protection, be it through advanced analytics, data loss prevention, application whitelisting or a range of other techniques.
Did Anthem do the right thing? No. They probably should have put application-level field encryption in place.
Having said this, the practices they had in place were sophisticated and well thought out. They have staff with extensive security backgrounds, they are spending lots of money on security, and they did a credible job of reconstructing the incident and working with law enforcement.
As is often the case in security, the weakest link let Anthem down.