Best Practices, Managed Detection and Response, Security Trends/Attacks, War Stories
Todd Thiemann

Marriott Breach Exposes 500 Million Guest Records: Preliminary Lessons

Massive data breaches. By now, they are simply par for the cybersecurity course, and they show no signs of slowing. On Friday, the Marriott International hotel chain announced its Starwood reservation system’s database had been hacked and personal details from up to 500 million guest records going back to 2014 were compromised. It ranks with Yahoo! and Equifax as one of the largest breaches to date.

Marriott was informed in September about an attempt to access the database, and the subsequent investigation revealed the extent of the compromise. Personal details including names, addresses, dates of birth, password numbers, email addresses and phone numbers were possibly exposed. The hackers also obtained encrypted credit card information of some customers, but whether hackers can use those payment details is uncertain.

What follows are a few lessons enterprises can take away from the Marriott breach:

Marriott took its time in reporting the breach and there may be regulatory consequences. The company learned of the breach in September but did not report it until the last day of November. GDPR violations can escalate to 4% of global revenue, and companies are required to alert government authorities within 72 hours of a known attack. And their website explanation of the breach took a confusing detour. (Why does info.starwoodhotels.com go to a Kroll URL for a Marriott breach announcement?) If your organization is affected by state data breach laws or HIPAA, make certain you are prepared with an incident response plan that includes promptly reporting the breach to relevant authorities. For the IT crowd, this means your tabletop incident response exercises need to include all constituents, including legal, corporate PR, and business operations.

Behavioral Monitoring Across the Attack Surface
Reduces Time to Detect

Bad guys typically leave a trail. The breadcrumbs left behind can be correlated to find abnormal behaviors that are indicators of compromise. Monitoring your network means intrusion detection at the network gateway, but it also means ingesting and correlating log sources across the entire environment. This includes on-premises logs (Active Directory, endpoint protection platforms, firewalls, and more) as well as SaaS/IaaS logs (Office 365, G Suite, AWS, Azure, etc.). The more sources you monitor for abnormal behaviors (artificial intelligence is imperative to sift through billions of observations), the more opportunities you have to spot something. Overall, this helps ensure you reduce the time to detect a threat.

Spearphishing Attacks Will Get More Sophisticated

Expect future phishing attacks to get more sophisticated. The information gleaned from the Marriott breach will provide a goldmine of information limited only by a cybercriminal’s imagination. For instance, to lure in an unsuspecting user, one could zero in on recent hotel reservations and send a notice that the reservation transaction failed and requires additional information or a new credit card. And then voila, that data is compromised.

Focus on Threat Detection and Response

According to the 2017 Ponemon Cost of Data Breach Incident Report (DBIR), companies can lower their cost of handling such breaches by investing in security tools and services that speed up mean time to identify and contain cyberattacks. While protection with a layered defense-in-depth strategy is good, you need to detect what slips through.

Arctic Wolf Networks can help you manage threat detection and response to reduce business risks. Learn more about MDR services by clicking on the banner below: