TORONTO – In July 2015, Toronto-based infidelity website Ashley Madison was breached, exposing information on over 37 million individuals around the world.
Over the last three years, Avid Life Media, the parent company of Ashley Madison, has rebranded itself as Ruby Life and brought in new cyber-security expertise, including Chief Information Security Officer (CISO) Matthew Maglieri. In a session at the SecTor conference here, Maglieri detailed Ashley Madison’s journey from the edge of failure after the data breach to the company’s recovery and new cyber-security model.
“I’m discussing what I believe to be a rarely heard perspective, that of an organization that has gone through a worst case scenario with a headline grabbing breach, to share the lessons learned from that event and our recovery, so that we can begin to tackle the fundamental problem, of how do we achieve prevention or if breach prevention is even possible,” Maglieri said.
The Ashley Madison breach involved the theft of over 30 gigabytes of customer data that leaked out to the public internet. Maglieri noted that as a result of the data breach there were multiple class action lawsuits, as well as separate regulatory actions by the U.S. Federal Trade Commission (FTC) and the Office of the Privacy Commissioner in Canada.
“There was a tremendous loss of consumer trust, and extended negative media exposure and reputational damage which continues to this day,” he said.
Maglieri said that when he joined the company in the aftermath of the data breach along with a new General Counsel and Privacy Officer, the mandate was to build a leading privacy and security program.
“The company knew that if it was going to be able to recover from the incident and indeed survive as a business, that it would not be sufficient to do anything less, we needed to become leaders in our industry sector,” he said.
Ruby Life engaged with multiple organizations to help enact its security transformation. A team from the Canadian office of consulting firm Deloitte came in to complete what Maglieri referred to as a series of transformation engagements.
The transformation engagements included a full network redesign as well as the deployment of a leading security solution stack that included both network and endpoint technologies. Additionally, Ruby Life developed a 24/7 Security Operations Center (SOC) that is staffed both with internal resources and with members of Deloitte’s cyber-intelligence center.
“They also performed an active threat hunting compromise assessment for many months after the incident, to identify any potential lingering element of the compromise,” Maglieri said.
Ruby Life also completed a full manual source code review of over 1 million lines of code to identify any potential artifacts or leftover injections that came from the attack. Maglieri said that Ruby Life worked with FireEye and its Mandiant team to complete a series of assessments and penetration tests to evaluate the company’s overall security posture.
“Ultimately, this gave us the foundation that we needed to begin to tackle some of the regulatory compliance concerns,” he said.
Ashley Madison and its parent company collect credit card information and as such are subject to the Payment Card Industry Data Security Standard (PCI DSS). Maglieri explained that a little known fact about PCI DSS is that if you do suffer a data breach, you’re automatically considered from that point forward to be a Level 1 merchant regardless of transaction volume.
“As a Level 1 merchant, you do need to go through a full Report on Compliance every year by an independent QSA (Qualified Security Assessor),” Maglieri said. “We’re now going into our third year certified under the highest level of the standard.”
In Canada, the Office of the Privacy Commissioner took a privacy-centric approach in its enforcement action against the company. Maglieri said that Ruby Life worked with Deloitte as well as Ryerson University’s Big Data and Privacy Institute to implement the Privacy by Design framework.
“Privacy by Design seeks to embed privacy controls into systems design and development, thereby ensuring the maximum level of consumer privacy protection,” he said.
In the U.S., Maglieri said that the FTC took a much more information-security-centric approach in its enforcement action, requiring Ruby Life to align with a recognized cyber-security framework. The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was chosen by Ruby Life as the standard it planned to align against. Maglieri said that as part of the FTC enforcement action, Ruby Life is assessed every two years against the CSF and will be for the next 20 years.
“The CSF is somewhat unique in the sense that it was developed by a consortium of government, academia and private sector experts,” Maglieri said. “So the result is a framework that is both thorough and comprehensive, but also pragmatic and agile and included many of the key controls that we felt that we should be doing.”
Maglieri said it took six months of effort to get the CSF approach implemented at Ruby Life. Afterward, he said, consultants from professional services firm EY were brought in to complete a full maturity assessment, which was submitted to the FTC.
“So with all that, it really gave the business the air support they needed to begin to normalize business operations and resume growth,” he said.
In 2017, two years after the Ashley Madison data breach, Maglieri said that growth began to return, with over 15,000 new signups every day.
Maglieri said that it was clear to him and to the management of Ruby Life that the data entrusted to the company by its customers is very sensitive, and that it wasn’t sufficient to just meet the benchmark set by the regulators. As such, Ruby Life set itself the goal of developing a leading program capable of defending the company from even the most advanced threats.
The approach that Maglieri built is an offensive risk model, with a constant stream of friendly hackers taking aim at Ashley Madison. Those friendly hackers include internal Red Team efforts to regularly test resilience, penetration testing from outside firms, as well as the use of bug bounty programs.
“Really, even as I’m speaking to you up here on stage, my network is under friendly attack,” Maglieri said. “We are continuously emulating the adversary, analyzing their performance, seeing how our SOC responds and how our incident response plan works.”
“We analyze the results, adapt, feed the results back in and we move the needle to get a little bit better, and then we do it all over again.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.