
The Home Depot Hack
September 11, 2014 12:00 PM

Why Preventing Data Breaches is Impossible

By Matt Zanderigo
Senior Product Marketing Manager
ObserveIT

Legendary boxer Mike Tyson once said that “everyone has a plan…until they get punched in the mouth.” The same is true in the business world, where every company has a solid IT security strategy…until they suffer a data breach.

Such was the case with Home Depot, the latest victim in a recent string of high-profile hacking attacks. Despite their preventative measures, the retail chain is said to have lost millions of customer credit and debit card numbers. In this case, like others, hackers were able to metaphorically “walk through the front door undetected” by stealing the credentials of trusted users and then accessing customer data: a classic user-based attack.

So how can Home Depot ensure that a data breach like this doesn’t happen again? Truthfully, they can’t. What they can do is ensure that any future breach will be detected instantly (and more importantly, internally), thereby mitigating the negative effects. To do this, they must monitor their users – not their data. This is a hard truth for many organizations to accept, which is why so many IT departments still leverage a “prevention-centric” security approach. As we’ve seen, this approach has left many companies – not just Home Depot – feeling like they’ve been punched in the mouth.

In basic terms, a prevention-centric security approach focuses on systems, infrastructure and data. It identifies the risk areas (i.e. what hackers might target) and places barriers to entry, so that data can only be accessed by authorized personnel. The obvious problem with this approach arises when unauthorized personnel steal user credentials and access data as if they were a trusted user.

A user-centric approach, on the other hand, shifts the focus away from data and infrastructure to the actual users themselves – the people whose actions result in a data breach. Had Home Depot been monitoring user activity instead of their infrastructure, they would have known the exact moment the data breach occurred, whose credentials were used and what files were downloaded.

The weaknesses of a prevention-centric approach are littered throughout the Home Depot story:

  • Slow Response Time: According to some reports, hackers might have had access to Home Depot’s systems since May of this year. A lag in response time is a key indication that an organization was focused solely on preventing an attack, but had no methods for detecting one.
  • Lack of Evidence: Home Depot spokespeople confirmed that the company was looking into some “unusual activity” but made no mention of any specifics. While we cannot say for sure, it would be safe to assume that they are still looking for answers to the most pressing questions of any data breach: who did what and when?
  • Third-Party Discovery: When a company only watches the data (i.e. not monitoring for suspicious user activity), a data breach will often go undetected by the organization, and will instead be discovered by a third party. In the case of Home Depot, this third party was a tech news reporter. In order to reduce the negative impact of a data breach, the organization must be the first to know about it – not consumers or the media.

Home Depot is not the first major brand to suffer from an overreliance on prevention-centric IT security, and they will not be the last. We hope that this breach serves as a wake-up call for organizations that are considering a more realistic approach to IT security.






Matt Zanderigo is currently the Senior Product Marketing Manager for ObserveIT’s User Activity Monitoring solution. In this role, he leads the product marketing efforts, solution messaging and the company’s freemium strategy.







© 2017 Simplex Knowledge Company. All Rights Reserved.