Experts Weigh In: What the Marriott Breach Means for Dwell Time
Today, all eyes in the cybersecurity field are fixed on the Marriott data breach. One of the largest in history, affecting up to 500 million individuals, it is eye-catching in the most devastating way possible.
However, one of the biggest questions concerns the hacker dwell time on the Marriott network: investigators have discovered that the breach actually began in 2014 and was only discovered in September of this year.
What does this mean for hacker dwell time? What does it mean for future breaches and network visibility?
To answer these questions, we compiled the perspectives of four key cybersecurity experts. Here are their thoughts, edited for readability:
Franklyn Jones, CMO, Cequence:
Unfortunately, we can also expect to see a long tail effect from this breach. As this data finds its way to the dark web, these stolen credentials will be acquired by other bad actors. They, in turn, will orchestrate high volume bot attacks to see if the stolen credentials can also provide access to web, mobile, and API application services of other organizations.
Satya Gupta, CTO and Co-founder, Virsec:
What’s most disturbing about this attack is the enormous dwell time inside Starwood’s systems. The attackers apparently had unauthorized access since 2014 – a massive window of opportunity to explore internal servers, escalate privileges, move laterally to other systems, and plot a careful exfiltration strategy before being discovered. All organizations should assume that the next threat is already inside their networks and won’t be caught by conventional perimeter security. We need much more careful scrutiny of what critical applications are actually doing to spot signs of internal corruption. We must reduce dwell time from years to seconds.
Tom Kellermann, Chief Cybersecurity Officer, Carbon Black:
It appears there had been unauthorized access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organization – they’re getting in, moving around and seeking more targets as they go.
The report also found that more than a third (50%) of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organization’s affiliates, often smaller companies with immature security postures, and this can often be the case during mergers and acquisitions. This means that data at every point in the supply chain may be at risk, from customers, to partners, to potential acquisitions.
Amit Ashbel, Security Evangelist, Cognigo:
The breach started almost 5 years ago and supposedly increased in size over this year, but it took IHG more than a month to confirm that finding. Under new regulations such as the GDPR and CCPA, incidents should be reported and analyzed within the span of 72 hours. Obviously, IHG had to spend quite significant efforts to get all the data about the breach if it took so long.
Organizations need to be able to constantly monitor all their data – whether DB structured or unstructured. The key to protecting consumer data is not by placing a firewall or a DLP but being able to make sure you continuously have the ability to discover data, classify it accordingly, and take actions on the data itself to prevent access or exfiltration of any valuable or sensitive information.