Beyond the Patch – Heartbleed Drives New Security Requirements

In the last 18 months we have seen some of the largest data breaches ever, and now the Heartbleed bug further erodes the small amount of remaining  trust we might have had that sensitive information and access to critical systems is protected. Given the scope of the hardware and software impacted by the Heartbleed bug and the time it will take to address the bug, companies and consumers are exposed more than ever to criminal attacks, even after patches are in place, new keys are issued and passwords are reset.
The impact of Heartbleed, the massive number of identities exposed in 2013 through data breaches – 552M – and the ongoing attacks on our sensitive information and systems will be long term and far reaching, ultimately requiring a rethinking of the fundamentals we use to protect ourselves and our customers.
The flaw and the successful exploitation of it calls into question the effectiveness of the controls and tools enterprises use to detect attacks on consumer accounts and corporate networks.   At the heart of the issue:

  • The bug exposes information used to validate users – usernames, passwords, personal information, payment information, health and medical information.
  • The bug allows criminals to attack and highjack traffic to gain access to networks and systems.
  • It is unknown how much information has already been exposed and how long internal systems will take to patch.

Given these, criminals can successfully access consumer applications and corporate networks and go undetected by most common authentication and network and security controls.  With access to credentials, authentication-related information and network traffic, criminals will look just like legitimate users – no malware used, no other attacks on networks or servers needed.
Companies can no longer have confidence that users (consumers, employees, vendors, partners) are who they say they are.
The immediate focus was naturally been on stopping the bleeding through patches, new keys and password changes. While the majority of websites have been fixed, enterprises face the daunting task of identifying all of the software and equipment exposed and implementing patches.  In the meantime, they are exposed.
Enterprises, therefore, need to think “beyond the patch” and also implement a more comprehensive, effective and resilient change to their approach to securing access to applications and systems.   In the wake of this flaw, malware detection, network monitoring, sandboxing, and authentication all fail to detect the unauthorized access.   Companies cannot rely on looking for known patterns of bad actors – they won’t find any. Rather, they need to start with the perceived good actor and look for anomalies in their behavior as a signal of unauthorized access.
Bad actors hide behind legitimate credentials – but behavior never lies.
Companies at the forefront of security have already adopted user based behavioral analytics to strengthen consumer and corporate security. The Heartbleed bug means this approach is a new fundamental security requirement for all.