LastPass Breach Lessons: Companies Need User Behavior Analytics

by Al Hartmann

December 7, 2015


4 Lessons From the LastPass Breaches

Password management firm LastPass fell victim to data breaches in 2011 and again in 2015. Experts recommend the use of password managers, since strong passwords unique to each user account are not feasible to recall without organized assistance. However, placing all one’s eggs in a single basket, and then having millions of users each place their egg basket into one super-basket, creates an irresistible target for hackers of every stripe. Cryptology experts who have studied this recent breach at LastPass appear cautiously optimistic that major harm has been averted, but there are still important lessons we can draw from this episode:

1. There Is No Perfect Security, There Is No Perfect Authentication

Any skilled, patient, and determined adversary will eventually breach any practical cyber defenses—even if yours is a cyber defense enterprise! Sadly, for many enterprises today, it doesn’t often require much skill or patience to breach their patchwork defenses and penetrate their sprawling, porous perimeters. Compromise of user credentials, even those of highly privileged domain administrators, is also quite common. Again, sadly, many enterprises rely on single-factor password authentication, which simply invites rampant credentials compromise. But even multi-factor authentication can be breached, as was done with the 2011 compromise of RSA SecurID.

2. When Defenses Fail, You Need Situational Awareness

Once the attackers have breached your defenses, the clock is ticking on your detection, containment, and remediation of the incident. Industry data suggests this clock has a long time to tick—hundreds of days on average—before awareness sets in. By that time the attackers have pwned your digital assets and picked your enterprise carcass clean. Critical situational awareness is essential if this too-frequent tragedy is to be averted.

3. Comprehensive Situational Awareness Fuses Network and Endpoint Contexts

In the recent LastPass incident, detection was accomplished by analysis of network traffic from server logs. The attacker dwell time before detection was not disclosed. Network anomalies are not always the fastest way to identify an attack in progress. A fusion of network and endpoint context provides a far better decision basis than either context individually. For example, being able to merge network flow data with the originating process identification can shed far more light on a potential intrusion. A suspect network contact by a new and unreputed executable is far more suggestive when the two signals are taken together than when each is analyzed independently.
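The fusion described above can be sketched as a join between flow records and endpoint socket-ownership records. This is an added example, not code from the original article or from any product; the record fields, host names, hash placeholders, and the use of fleet prevalence as a stand-in for "unreputed" are all assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry, for illustration only (hashes are placeholders).
# Endpoint sensor: which executable owned which local socket.
SOCKETS = [
    {"host": "ws-01", "src_port": 50112, "exe": "browser.exe", "sha256": "HASH_BROWSER"},
    {"host": "ws-02", "src_port": 50431, "exe": "browser.exe", "sha256": "HASH_BROWSER"},
    {"host": "ws-03", "src_port": 49877, "exe": "browser.exe", "sha256": "HASH_BROWSER"},
    {"host": "ws-02", "src_port": 51002, "exe": "devtool.exe", "sha256": "HASH_DEVTOOL"},
    {"host": "ws-03", "src_port": 52210, "exe": "upd.exe", "sha256": "HASH_UNKNOWN"},
]
# Network sensor: outbound flows, with no knowledge of the originating process.
FLOWS = [
    {"host": "ws-01", "src_port": 50112, "dst": "mail.example.com"},
    {"host": "ws-02", "src_port": 50431, "dst": "mail.example.com"},
    {"host": "ws-03", "src_port": 49877, "dst": "blog.example.net"},  # rare dst, common exe
    {"host": "ws-02", "src_port": 51002, "dst": "mail.example.com"},  # rare exe, common dst
    {"host": "ws-03", "src_port": 52210, "dst": "cdn.example.org"},   # rare exe, rare dst
]

def fuse(flows, sockets):
    """Attach the owning executable to each flow, joining on (host, src_port)."""
    # Real telemetry also needs a time window in the key, since ports are reused.
    owner = {(s["host"], s["src_port"]): s for s in sockets}
    return [{**f, **owner[(f["host"], f["src_port"])]}
            for f in flows if (f["host"], f["src_port"]) in owner]

def hosts_per(records, key):
    """Prevalence: number of distinct hosts on which each value of `key` appears."""
    seen = defaultdict(set)
    for r in records:
        seen[r[key]].add(r["host"])
    return {k: len(v) for k, v in seen.items()}

def triage(flows, sockets, max_hosts=1):
    """Return (network-only hits, endpoint-only hits, fused hits)."""
    fused = fuse(flows, sockets)
    exe_prev = hosts_per(fused, "sha256")
    dst_prev = hosts_per(fused, "dst")
    rare_dst = [r for r in fused if dst_prev[r["dst"]] <= max_hosts]
    rare_exe = [r for r in fused if exe_prev[r["sha256"]] <= max_hosts]
    both = [r for r in rare_dst if r in rare_exe]
    return rare_dst, rare_exe, both

if __name__ == "__main__":
    rare_dst, rare_exe, both = triage(FLOWS, SOCKETS)
    print(len(rare_dst), len(rare_exe), [(r["host"], r["exe"], r["dst"]) for r in both])
```

On this sample, each context alone yields two candidates to investigate, while the fused view leaves a single flow where a low-prevalence executable contacts a low-prevalence destination.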

4. When Authentication Fails, You Need User Behavior Analytics

Compromised credentials frequently wreak havoc across breached enterprises, allowing attackers to pivot laterally through the network and operate largely beneath the security radar. But this misuse of valid credentials varies markedly from normal user behavior of the legitimate credential holder. Even rather rudimentary user behavior analytics can spot anomalous discontinuities in learned user behavior. Always employ user behavior analytics, especially for your more privileged users and administrators.