Tuesday, February 3, 2009

Heartland Breach

  • Level 1 credit card processor fails to prevent data loss effecting hundreds of millions of transactions.
  • Attacker installed tools on Heartland server, inside the PCI trust path network
  • Tools “sniffed” transactions and sent data to system(s) outside North America
“Heartland has said intruders broke into its systems sometime last year and planted malware that they used to steal the card data. The number of compromised cards still isn't known. But Heartland processes more than 100 million transactions per month.”
- Banks, customers feel the fallout of the Heartland breach. 2/2/2009. Jalkumar Vijayan, Computer World, Security.

Breach analysis:

Root cause includes but is not limited to the following:
  • Failure of host based intrusion prevention system (HIPS)
  • Failure of network based intrusion prevention systems (IDP)
  • Failure of configuration management, to detect changes to host and network configuration
  • Failure of separation of duties and detection of abuse or escalation of privilege
  • Failure to segment the processor network and enforce a zone of trust

In summary, Heartland failed to properly implement and enforce defense-in-depth, network segmentation and separation of duties. Remember, Heartland is a level 1 PCI processor and was required by regulation to get this right. This means Heartland's auditors failed.


Catbird directly addresses all of the above, except for HIPS. HIPS requires an agent on every end-point, this is not a component of our architecture, which is agent-less by design. Our customers are able to implement and enforce defense-in-depth using Catbird TrustZones™ security policies, virtual infrastructure configuration management and virtual machine tracking technologies. These technologies include but are not limited to:
  • Policy and detection templates for IDP, to monitor and control network flows between zones and intra-machine flows inside a trust zone
  • Policy based configuration monitoring and enforcement using session blocking and quarantine, including quarantine of virtual machines
  • Monitoring of virtual administrator activities and enforcement of dual controls for virtual machine connection to network zones
  • Catbird TrustZones monitor and enforce network segmentation within and between machines on any network, VLAN or port group

In summary, proper deployment of Catbird TrustZones technology would have detected and prevented a data breach like the one that occurred at Heartland.