UPDATE 2-U.S. supermarket chain Supervalu investigating potential data breach

Comments (1)
Ann8lise wrote:

If the breach had been “quickly contained” it would not have gotten into the payment network in the first place. Almost all breaches of a payment network start in some other Internet facing network partition. The breach started where the breach occurred first, and then propagated to the payment network. If the 25 days it took to contain the breach started when the payment network was breached (which is probably the case) then you can easily assume the breach started earlier.

The basic points we keep seeing with all of these breaches are:
1. Payment network breaches start in other network partitions and laterally propagate to the payment network.
2. Once malware is on a POS, vertical propagation to other POS systems proceeds unabated over MPLS and VPN connections.
3. All of the breached companies had an inadequate containment architecture to halt a breach to the breached segment alone.
4. The complexity of the existing networks rendered most logging and malware detection tools ineffective, not because they did not work, but because the expanse and complexity of the network is overwhelming the IT staffs.
5. The perimeter of the network is undefinable and the attack surface is undefendable.

What is even more surprising is that corporate IT staff are still investing in the belief that more layers of security will solve the problem. As the old saying goes, continuing to do the same thing over and over again hoping it will work is insanity. Especially when the CIO's livelihood and company's survival is potentially at stake.

Eric Schmidt, Vice Chairman of Google, is quoted as saying that the current enterprise network architecture is broken and he attributes the tablet as the straw that broke the camel's back. The rise of the Internet and Internet facing applications has eroded the security of a 50 year old architecture. Mr. Schmidt predicts that enterprises will have to rip out their current network architectures and replace them with application specific architectures. Did you get that? The Vice Chairman of one of the world's most visionary companies has clearly stated that the status quo will not work. More layers will not work. More of the same will not work. He also gives a clear recommendation – application-specific networks.

Why? Because application-specific networks segment each application into their own dedicated virtual logical network that does not share routing elements with other networks. In other words, they provide end-to-end network-wide segmentation that enables a containment based architecture that stops breaches to the breached segment. Think about that for a moment…
Wait for it…
Wait for it…

Yes, had application-specific networks been used at Target and the 600 plus other breached companies in 2013, the breach would have never reached the POS system in the first place. Each of those companies may still have been breached, but they would have prevented the lateral and vertical propagation that has ultimately damaged their businesses.

The writing is on the wall. Smarter people than I have pointed out a better approach. The technology is available. Companies like Google, Shell, Little Caesars and ExxonMobil have already made the switch to application-specific networks. The clock is ticking. Why are you still investing in what is not working?

Aug 15, 2014 11:21am EDT
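As an added illustration of the containment argument in the comment above (example code written for this page, not part of the original comment or of any vendor's product), the script below models two constructed segmentation policies as reachability graphs and computes which segments a breach could propagate from into a store's POS segment, and how far a POS foothold could spread. The segment names and allowed flows are assumptions, not taken from any of the breached companies.

```python
from collections import deque

# Constructed policies (not from the comment above). Each key is a network
# segment; its value is the set of segments it may initiate connections to.
# Reachability is transitive: a foothold in A that can talk to B, and B to C,
# can work its way to C.

# Flat design: partitions share routing, and POS systems in different stores
# can talk to each other directly over the MPLS/VPN mesh.
FLAT = {
    "internet_facing": {"corporate_lan"},
    "corporate_lan": {"internet_facing", "store_lan", "mpls_wan"},
    "store_lan": {"corporate_lan", "pos_store1", "mpls_wan"},
    "mpls_wan": {"pos_store1", "pos_store2", "store_lan"},
    "pos_store1": {"mpls_wan", "payment_gateway"},
    "pos_store2": {"mpls_wan", "payment_gateway"},
    "payment_gateway": set(),
}

# Application-specific design: payment traffic gets its own logical network.
# POS segments reach only the payment gateway, nothing in the corporate or
# Internet-facing partitions reaches POS, and stores cannot reach each other.
SEGMENTED = {
    "internet_facing": {"corporate_lan"},
    "corporate_lan": {"internet_facing"},
    "store_lan": {"corporate_lan"},
    "mpls_wan": set(),
    "pos_store1": {"payment_gateway"},
    "pos_store2": {"payment_gateway"},
    "payment_gateway": set(),
}

def reachable(policy, start):
    """Every segment (other than `start`) a foothold in `start` can reach."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in policy.get(queue.popleft(), set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def exposure(policy, target):
    """Segments from which a breach could propagate into `target`."""
    return {s for s in policy if s != target and target in reachable(policy, s)}

if __name__ == "__main__":
    for name, pol in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name}: pos_store1 reachable from {sorted(exposure(pol, 'pos_store1'))}")
```

In the flat policy the Internet-facing segment can reach the POS and one store's POS can reach another's; in the segmented policy the POS segment is reachable from nowhere and can itself reach only the payment gateway, which is the containment property the comment describes.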