The JPMorgan Chase data breach rocked headlines early this month as the latest in a series of breaches hitting nearly a dozen financial companies in 2014 alone. The news also follows similar breach disclosures from Target, Home Depot, Albertsons and others.
The massive security breach compromised 76 million households and seven million small business accounts. As a result, the bank will no doubt spend millions of dollars over the next few months repairing the extensive damage and working to restore its reputation.
The bad news: An inherent flaw in information security architectures
As if the sheer reach of the JPMorgan Chase breach itself isn't bad enough, it spotlights an inherent flaw with most modern information security architectures.
Several industry analyst firms recognize that decades of information security prevention systems have failed to produce an architecture that can stop committed attackers, and in response, they're making a dramatic shift in their recommendations to security practitioners.
The good news: Early breach detection
The good news - and yes, there is good news - is that JPMorgan Chase was able to identify the network breach and remove the offending malware before any highly-compromising confidential data was stolen and before irreparable harm was done to customer accounts.
According to a filing made by JPMorgan Chase with the U.S. Securities and Exchange Commission, only names, addresses and emails were exfiltrated in the breach. Considering many of the other recent breaches in which highly confidential customer information was stolen, this is a success. While a network breach is never good, JPMorgan Chase was able to stop the data exfiltration before it reached a scale that would have caused irreparable harm to customer accounts and corporate brand equity.
Taking down the bad guys
Organizations have a lot to learn from JPMorgan Chase on how it caught the attackers before they were able to cause significant damage. There are also several noteworthy lessons in understanding why the financial institution's experience was so different from Target's disastrous breach, which resulted in the loss of 40 million customer credit cards.
There are a handful of large and highly profitable organizations that have vast resources dedicated to information security. With billions of dollars of annual IT budgets, these elite organizations can afford to buy the latest and greatest network logging and security analytics products.
Target's much smaller security team, on the other hand, wasn't able to keep up with the high volume of alerts being generated by its security infrastructure. It's well-documented that the company had deployed many state-of-the-art security products in its network that produced numerous alerts that a breach was occurring - very similar to the situation at JPMorgan Chase. The problem is that those alerts were buried within thousands of other simultaneous “false positive” alerts, making it extremely difficult for Target's much smaller security staff to react and take action. Mainstream security products are all known to create very high ratios of false positives - sometimes on the order of thousands per day.
The poor signal-to-noise ratio of these products is due to two factors. First, they only see attempts by malware to enter the network through links within web pages and files within emails. Second, these products typically employ “correlation” algorithms that send alerts when they see behavior remotely resembling typical attack patterns, without certainty that it is an actual attack. As a result, these systems produce an extremely high ratio of insignificant alerts relative to actual, true breaches of network hosts.
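The two factors above point to one defensive technique: an entry-point alert (a suspicious attachment, a link to an exploit-kit URL) is low-confidence on its own, and a host should only be escalated when a post-entry signal from an independent sensor (endpoint or egress) corroborates it within a short window. The following Python script, added here as an illustration and not code from the original article or from any vendor named in it, runs that corroboration rule over a small constructed alert feed and shows how many raw alerts collapse into a single escalation. The sensor names, window length and sample alerts are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert feed (not real data): (timestamp, host, sensor, signal).
# Entry-point sensors fire on many benign events; post-entry sensors are rarer.
SAMPLE_ALERTS = [
    ("2014-10-01T09:00:05", "ws-1042", "email-gw",  "suspicious attachment"),
    ("2014-10-01T09:00:07", "ws-2207", "web-proxy", "exploit-kit url"),
    ("2014-10-01T09:01:11", "ws-3310", "web-proxy", "exploit-kit url"),
    ("2014-10-01T09:02:40", "ws-1042", "endpoint",  "new persistence entry"),
    ("2014-10-01T09:03:00", "ws-3310", "email-gw",  "suspicious attachment"),
    ("2014-10-01T09:05:12", "ws-1042", "egress",    "beacon to new domain"),
    ("2014-10-01T09:06:00", "ws-4401", "email-gw",  "suspicious attachment"),
    ("2014-10-01T11:30:00", "ws-2207", "egress",    "beacon to new domain"),
]

# Assumed sensor classes: entry-point sensors alone never escalate a host.
ENTRY_SOURCES = {"email-gw", "web-proxy"}
POST_ENTRY_SOURCES = {"endpoint", "egress"}
WINDOW = timedelta(minutes=30)   # assumed corroboration window
MIN_SOURCES = 2                  # distinct sensors required inside the window


def parse_alert(raw):
    """Turn a raw tuple into (datetime, host, sensor, signal)."""
    ts, host, source, signal = raw
    return (datetime.fromisoformat(ts), host, source, signal)


def escalate(alerts, window=WINDOW, min_sources=MIN_SOURCES):
    """Return {host: sorted distinct sensors} for hosts that meet the rule:
    at least `min_sources` distinct sensors fire within `window`, and at
    least one of them is a post-entry sensor."""
    by_host = defaultdict(list)
    for event in map(parse_alert, alerts):
        by_host[event[1]].append(event)

    escalated = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        # Slide a window starting at each event; stop at the first match.
        for i, (t0, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            sources = {e[2] for e in in_window}
            if len(sources) >= min_sources and sources & POST_ENTRY_SOURCES:
                escalated[host] = sorted(sources)
                break
    return escalated


def triage_summary(alerts):
    """Counts an analyst would want: raw volume versus hosts worth a look."""
    escalated = escalate(alerts)
    return {
        "raw_alerts": len(alerts),
        "hosts_alerting": len({a[1] for a in alerts}),
        "escalated_hosts": len(escalated),
    }


if __name__ == "__main__":
    print(triage_summary(SAMPLE_ALERTS))
    for host, sources in escalate(SAMPLE_ALERTS).items():
        print(f"escalate {host}: corroborated by {', '.join(sources)}")
```

On the sample feed, eight alerts across four hosts reduce to one escalation: ws-1042 has an email-gateway hit followed by endpoint and egress signals within minutes, while ws-3310 (two entry-point sensors only) and ws-2207 (egress signal more than two hours after the proxy hit) stay in the queue as unconfirmed. The point is not the specific thresholds, which are assumptions, but that demanding an independent post-entry signal is what turns a stream of "remotely resembles an attack" alerts into a short list an analyst can act on.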
The silver lining
The contrasting experiences of the JPMorgan Chase and Target data breaches illustrate the critical need for technology architecture to evolve within the information security industry in order to stay ahead of the bad guys.
There's a long way to go to ensure that the vast majority of enterprise security practitioners avoid catastrophic data breaches and drive outcomes similar to JPMorgan Chase. Until new approaches and techniques come to market, an increasing number of organizations will continue to experience damaging breaches.
The silver lining of the JPMorgan Chase attack is that it gives the industry hope that proactive measures can stop an attacker before a breach drives catastrophic results. Now, it's up to organizations to make those proactive measures work for them.