As news slowly leaks about the Sony Pictures breach, yet another highly targeted attack, senior management has to be grappling with this question (again) today. Sony, who has dealt with repeated attacks across multiple business units over the past few years, has to be asking “What else can we or should we do?”

What is known about this latest attack is that Sony Pictures shut down its IT infrastructure after discovering a breached server and demands from a group called GOP. The group claims to have exfiltrated data and posted it on external servers, ransoming it against compensation and threatening to release it to malicious groups or the public. The entire Sony Pictures network has been down now for almost 2 days now.

Photo via imgur

The first order of business for Sony’s CISO -- wait, have they replaced Phil Reitinger yet? Phil left Sony earlier this year to found VisionSpear, a private security consultancy. I’m not sure if they’ve named a replacement, so let’s say the first order of business for the Sony security team is get that network back up and running. In order to do that they have to (1) understand how this breach happened and (2) clean it up in a manner that prevents similar attacks in the future.

I’m not intimate with Sony’s security systems or architecture, but I can offer that they will be in a much better position to tackle the above list if Sony Pictures has an endpoint security solution in place. With a data-aware endpoint agent, Sony would have the ability to capture data being manipulated at a low level, detect a process searching across the endpoint or corporate network, and gather intelligence on the data that would be exfiltrated. This kind of visibility would enable them to make an informed decision on the exact nature of the attack and the resulting data loss (if indeed any was stolen at all - there is not yet evidence that the data had been stolen).

Without an endpoint agent-based solution in place, the Sony team may want to call Phil Reitinger’s new security firm, as they are going to need a lot of manpower to manually unravel what just happened to them… again.

Like other security professionals, we’re waiting to learn more and will keep you posted on developments.