Marriott-Starwood: How can a threat survive that long?

Author: Keshav Kamble

In yet another sensational announcement, Marriott International revealed that hackers breached its Starwood reservation system and stole the personal data of up to 500 million guests. The New York Times reported, “The assault started as far back as 2014, and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax.”

If you have not yet read the whole story, you can read it here at the New York Times. Obviously, the FBI and many private forensics agencies are involved. Preliminary indications are that the threat had been doing its job since 2014 and remained active until September 2018, when it was detected due to unauthorized access to Starwood’s registry. Starwood was acquired by Marriott for $13.6B in 2016.

Customers across the globe have started filing lawsuits against Marriott, including Europeans citing GDPR data protection requirements. At this rate, just like Equifax, which required $400M to half clean up its breach, Marriott is looking at hundreds of millions of dollars in damages.

If you are a business executive, your second question would be: how on earth can a breach survive undetected for that long? The breach could be state sponsored to collect intelligence, privately funded, industrial espionage, an insider job, or even merely somebody’s mind game. But still, how can the threat stay undetected for so long?

Thoughts and analysis

As a business executive, you have spent a large part of your professional life building and rebuilding your business to better serve your clients. A breach of this nature can destroy decades of goodwill and successful enterprise operations.

So let me offer a few observations:

  1. The malicious software (malware/Advanced Persistent Threat) might have been part of Starwood’s enterprise IT ecosystem before the acquisition. Despite what I am sure was some of the best perimeter security money could buy, Starwood’s security might have failed to detect it. While most enterprises focus on perimeter security, many do not have strong internal application security. Consequently, reliance on superior perimeter security can in the end be catastrophic.
  2. Polymorphic malware-infested application ecosystem: This method of malware or virus architecture generates highly dynamic signatures. When plotted on top of the application, it becomes very difficult to differentiate the real application from the malware. Because today’s enterprises have very loosely defined application sanctioning and verification methods built into their IT security practice, they struggle to detect, much less remediate, this kind of threat.
  3. False positives in security screening: False positives and false negatives in threat interception go uninvestigated about 90% of the time because investigation depends on expensive manual expertise. Most security methods deployed by enterprises lack deterministic threat interception that can reduce or eliminate false positives and automate the verification process.
  4. Last but not least: if administrative credentials were stolen, then Starwood’s security methods could not stop data exfiltration, because of the privileges those credentials carry. One of the biggest deficiencies in enterprise security today is the inability to detect access violations committed by applications with administrative permissions. How do you protect when credentials are stolen?

The root cause will be known to the world after the forensics are analyzed and the attack footprint identified. Detecting the source of the threat is a monumental task.

However, Application Security and DevSecOps automation certainly provide you the capability to build real-time threat response. The holiday season is fast approaching. It is time to reassess the security methods and practices of your enterprise. Avocado is always here to help.

Happy Holidays to all the hardworking security professionals, business owners and executives.
