Target's failure to act when alerted that malware was in its network is a reminder that spending large amounts of money on technology is a waste without the right people and processes.
Weeks before hackers started siphoning 10s of millions of credit card numbers from Target's payment systems during last year's holiday shopping season, security personnel were warned that malware was in the retailer's computers, Bloomberg BusinessWeek reported.
The alert came from a newly installed network-monitoring tool from security vendor FireEye. The system, which cost $1.6 million to install, apparently did its job. The failure was in not responding to the alerts, experts say.
Technology like FireEye's is good at spotting potential problems, but the number of alerts is overwhelming without fulltime staff dedicated to separating the false positives from warnings that point to a serious computer breach.
"It's technology, process and policy and technology is only one-third of the solution," Avivah Litan, analyst for Gartner, said.
"If you don't have the process, which includes organization, and if you don't have the policy saying what you are going to do when you see a high alert, then it doesn't matter if you have the best technology in the world.
"The alarms are going to go off and no one is going to pay attention to them."
Why Target did not follow up on the FireEye warnings is not clear. Nevertheless, companies that deploy the same type of technology should be aware "that none of these systems are perfect," Litan said.
To make effective use of these systems, an enterprise needs to have fulltime security pros monitoring alerts. Since this is often considered too expensive, than companies have to be willing to hire a managed service provider (MSP) to do the monitoring for them, Rick Holland, analyst for Forrester Research, said.
"For the majority of companies out there, they're going to have to rely on a third party to do their SOC (security operations center) operations for them," Holland said.
Companies that go that route have to have a tight and well-managed relationship with the service provider. That partnership has to include locating in advance the computer systems that process and store the information that drives revenue for the company or would cause tremendous harm to the business if stolen. This systems list should be updated every quarter.
Knowing all of this in advance will give the MSP a clear understanding of what areas of the network to watch closely.
"The number one priority should be focusing on the important assets and detecting bad things against them way before the exfiltration (of data) occurs," Holland said.
Overall, network-monitoring tools require manpower. While the FireEye system could have been configured to remove malware automatically, that feature was turned off.
Target had determined that the software was too new and untested to have it delete files on its own. The decision was the right one, because if the software made a mistake, it could easily taken down a critical system.
"It is always the recommendation to fully test the product in the environment before turning on automatic checks," Joe Schumacher, security consultant for risk management company Neohapsis, said.
"In my opinion, it takes a lot of additional work by an enterprise to reach an automatic block level with a product as the last thing security wants is to make the business grind to a halt."