TORONTO—In July 2015, Toronto-based infidelity website Ashley Madison was breached, exposing information on more than 37 million individuals around the world.
Since then, Avid Life Media, the parent company of Ashley Madison, rebranded itself as Ruby Life and brought in new cyber-security expertise, including Chief Information Security Officer Matthew Maglieri. In a session at the SecTor conference here, Maglieri detailed Ashley Madison’s journey from the edge of failure after the data breach to the company’s recovery and new cyber-security model.
“I’m discussing what I believe to be a rarely heard perspective—that of an organization that has gone through a worst case scenario with a headline-grabbing breach—to share the lessons learned from that event and our recovery, so that we can begin to tackle the fundamental problem of how do we achieve prevention or if breach prevention is even possible,” he said.
The Ashley Madison breach involved the theft of over 30GB of customer data that leaked out to the public internet. Maglieri noted that as a result of the data breach, there were multiple class-action lawsuits, as well as different regulatory actions with the U.S. Federal Trade Commission and the Office of the Privacy Commissioner in Canada.
“There was a tremendous loss of consumer trust and extended negative media exposure and reputational damage, which continues to this day,” he said.
Maglieri said that when he joined the company in the aftermath of the data breach along with a new general counsel and privacy officer, the mandate was to build a leading privacy and security program.
“The company knew that if it was going to be able to recover from the incident and indeed survive as a business, that it would not be sufficient to do anything less. We needed to become leaders in our industry sector,” he said.
Ruby Life engaged with multiple organizations to help enact its security transformation. A team from the Canadian office of consulting firm Deloitte came in to complete what Maglieri referred to as a series of transformation engagements.
The transformation engagements included a full network redesign as well as the deployment of a leading security solution stack that included both network and endpoint technologies. In addition, Ruby Life developed a 24/7 security operations center (SOC) that is staffed both with internal resources as well as members of Deloitte’s cyber-intelligence center.
“They also performed an active threat hunting compromise assessment for many months after the incident to identify any potential lingering element of the compromise,” Maglieri said.
In addition, Ruby Life completed a full manual source code review of more than 1 million lines of code to identify any potential artifacts or leftover injections that came from the attack. Maglieri said Ruby Life worked with FireEye and its Mandiant team to complete a series of assessment and penetration tests to assess the company’s overall security posture.
“Ultimately, this gave us the foundation that we needed to begin to tackle some of the regulatory compliance concerns,” he said.
Compliance
Ashely Madison and its parent company collect credit card information and as such are subject to the Payment Card Industry Data Security Standards (PCI DSS). Maglieri explained that a little-known fact about PCI DSS is that if you do suffer a data breach, you’re automatically considered from that point forward to be a level one merchant regardless of transaction volume.
“As a level one merchant, you do need to go through a full report on compliance every year by an independent QSA [qualified security assessor],” he said. “We’re now going into our third year certified under the highest level of the standard.”
In Canada, the Office of the Privacy Commissioner took a privacy-centric approach in its enforcement action against the company. Maglieri said Ruby Life worked with Deloitte as well as Ryerson University’s Big Data and Privacy Institute to implement the Privacy by Design framework.
“Privacy by Design seeks to embed privacy controls into systems design and development, thereby ensuring the maximum level of consumer privacy protection,” he said.
In the United States, the FTC took a much more information-security-centric approach in its enforcement action, asking Ruby Life to be aligned with a recognized cyber-security framework, according to Maglieri. The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was chosen by Ruby Life to be the standard it planned to align against. Maglieri said that as part of the FTC enforcement action, Ruby Life is assessed every two years against the CSF and will be for the next 20 years.
“The CSF is somewhat unique in the sense that it was developed by a consortium of government, academia and private sector experts,” he said. “So the result is a framework that is both thorough and comprehensive, but also pragmatic and agile and included many of the key controls that we felt that we should be doing.”
Maglieri said it took six months of effort to get the CSF approach implemented at Ruby Life. Afterward, he said that consultants from management firm EY were brought in to complete a full maturity assessment, which was submitted to the FTC.
“So with all that, it really gave the business the air support they needed to begin to normalize business operations and resume growth,” he said.
In 2017, two years after the Ashely Madison data breach, Maglieri said growth began to return, with more than 15,00 new signups every day.
Beyond Compliance
Maglieri said it was clear to him and the management of Ruby Life that the data trusted to the company by its customers is very sensitive and it wasn’t sufficient to just meet the benchmark set by the regulators. As such, Ruby Life set itself the goal of developing a leading program of being able to defend the company from even the most advanced threats.
The approach that Maglieri built is an offensive risk model, with a constant stream of friendly hackers taking aim at Ashley Madison. Those friendly hackers include internal Red Team efforts to regularly test resilience and penetration testing from outside firms, as well as the use of bug bounty programs.
“Really, even as I’m speaking to you up here on stage, my network is under friendly attack,” he said. “We are continuously emulating the adversary, analyzing their performance, seeing how our SOC responds and how our incident response plan works.
“We analyze the results, adapt, feed the results back in, and we move the needle to get a little bit better, and then we do it all over again.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.