Every couple of weeks I will do a web search for "data breach 2014" to check for newly reported incidents. On Monday, that was the situation at Monsanto. While many details are still unknown since it was just discovered, there were a number of interesting bits that already caught my eye:
I will update this post as more information becomes available. In the meantime though, I highlight this incident for a number of reasons:
1) Recent incidents at eBay and Target appear to have started with stolen credentials. This incident reminds us that our external-facing servers remain a common source of vulnerability and potential entry. If you don't have at least IPS and ideally Web Application Firewalls shielding server vulnerabilities, it's something to strongly consider.
2) Even after hardening the network and strengthening access controls, don't trust activity inside the network. It sure seems like the attackers in this case were rooting around looking for something after entry. If you don't have internal gates with deeper content inspection (IPS, Antimalware and/or sandboxing), it's another thing to strongly consider.
3) Even if you don't do either of the previous two, look for ways to effectively monitor your network (I know it is tough given the amount of information available) for indications of compromise. Existing products like a FortiGate build "reputations" for devices based on network activity; others like FortiSandbox provide additional analysis of activity in "virtual" environments. And many SIEM products have additional "big data" analytics tools to analyze across products. There are many other techniques out there in existing or new products. Leverage what is manageable for your team.
Knowing some of the folks at Monsanto, I am confident they did most of the "right" security things. So if this happened to them, it could happen to any of us. Which is why we advocate a defined approach, like our Advanced Threat Protection Framework, to addressing this emerging class of sophisticated cyberthreats in a structured way.