The recent data breach at Sisense, a prominent provider of big-data analytics tools, has triggered an urgent alert from the US cybersecurity agency CISA. This breach not only compromised customer data but also highlighted the inherent vulnerabilities in the supply chains that interconnect various industries globally, mostly through the use of NHIs (Non-Human Identities).
Sisense is a major player in the field of business intelligence, providing advanced tools that analyze and visualize massive volumes of data. Its flagship product, the Sisense Fusion Analytics Platform, is widely used by global enterprises, including major players like Verizon, Nasdaq, and Air Canada. As a central system in these organizations, Sisense has access to highly sensitive data, making it a crown jewel in the IT infrastructure and most often also being considered a data sub-processor for those organizations. Its role in integrating and processing data across various platforms elevates its criticality, thereby increasing the ramifications of any security breach.
NHIs play a crucial role in modern IT ecosystems and were pivotal in the Sisense breach, acting as critical nodes through which sensitive data access may have been inadvertently exposed. Integral to the operations of Sisense’s analytics platform, these NHIs provided automated, programmatic access to a variety of data stores and systems—from Snowflake and Databricks to MSSQL or RDS—used by Sisense customers.
Despite their importance, NHIs are often overlooked in cybersecurity measures; however, in this incident, their compromise became a significant liability. The breach demonstrates how NHIs can serve as gateways to highly sensitive information, such as Personally Identifiable Information (PII), Protected Health Information (PHI), intellectual property, and other confidential data.
Following the breach, Sisense and its customers faced the daunting task of securing their systems by resetting credentials and secrets across potentially compromised areas, a clear demonstration of the extensive efforts required to mitigate the breach's impacts. These instructions, while seemingly straightforward, require considerable effort—mostly in understanding the actual systems integrated with Sisense, the credentials being used within Sisense, and the impact—because most often when you go about remediating such breaches, you must prioritize what to do first, usually based on the sensitivity of data and the extent of the impact.
This incident highlights the complex challenges organizations face in the immediate aftermath of a breach, where the scope can extend far beyond the initially identified areas due to the interconnected nature of modern software systems.
- Resetting customer database credentials within the Sisense application to maintain system connectivity
- Changing all usernames and passwords in the database connection strings of data models
- Rotating HTTP authentication credentials in every Git project
- Rotating associated keys in Infusion Apps and resetting all Web Access Tokens
Each of these steps was crucial in securing various components of Sisense customers’ infrastructure, demonstrating the extensive and intricate nature of the security overhaul necessitated by the breach.
Sisense's response to the breach included issuing comprehensive instructions to its users to reset the aforementioned passwords, tokens, and keys within their systems. However, the effectiveness of these measures in any incident response depends crucially on the speed and thoroughness of the action, which is often undermined by a lack of insight into the usage and location of NHIs throughout the enterprise. Gaining initial visibility into the Sisense ecosystem, particularly for companies using Sisense as a sub-processor, likely presented a significant challenge. This involves navigating through extensive data store credentials utilized by Sisense and creating timelines to determine whether, and to what extent, malicious activity occurred using the NHIs—a process that could be time-consuming and complex.
This takes us to the element of time in incident response. Time is a crucial factor in managing any breach effectively, especially this type of supply chain breach, where you have very little ability to be able to prevent it to begin with, or to ascertain with high conviction what happened and why. Very much Similar to the well-known CircleCI breach, the ability to respond swiftly in this type of incident can drastically alter the outcome. In scenarios like the Sisense breach, where every minute can lead to further data exposure, having systems in place that can quickly identify the breach scope and impacted systems is invaluable. Reducing response time is not just beneficial; it's a game-changer that can significantly mitigate the impact of breaches.
The Sisense incident serves as a critical reminder of the vulnerabilities associated with NHIs and signifies the importance of tailored incident response strategies for these entities. To enhance the speed and effectiveness of responses to similar breaches, organizations should focus on the following incident response-oriented takeaways:
- Comprehensive Mapping of NHIs: Implement security frameworks that enable complete visibility into NHIs, including detailed mapping of their interactions, origins, and dependencies within the enterprise ecosystem. This granular view helps incident response teams quickly understand the scope of a breach—often referred to as the blast radius—and implement targeted containment strategies.
- Comprehensive NHI Incident Response Playbooks: Develop detailed, role-specific playbooks for coordinated incident response involving NHIs, including rapid war room setup protocols, clear personnel roles and escalation guidelines, and procedures for swift decommission or rotation of compromised NHIs. These playbooks should also include pre-prepared communication templates to ensure consistent and accurate messaging both internally and externally during an incident.
- Rapid Assessment Tools: Utilize advanced monitoring and analytics tools to assess the real-time status of NHIs. These tools should provide immediate insights into which NHIs have been compromised, their role in the enterprise, and the specific data or services they access. This capability is essential for developing an informed and effective response plan that addresses all affected elements promptly.
- Regular Audits and Permissions Adjustments: Conduct regular audits of NHIs to ensure they possess only the necessary permissions and are accessed solely from authorized sources. Adjust permissions based on changing risk landscapes and decommission unused NHIs promptly to minimize potential exposure. Regular audits help maintain a secure NHI environment that can respond more flexibly and swiftly in the event of a breach.
- Integration of NHI Management into Overall Security Operations: Seamlessly integrate NHI management with the organization's broader security operations to ensure that NHIs are continuously monitored for signs of anomalous activities. Integrating NHI monitoring with overall security operations enhances the ability to detect and respond to incidents early, potentially preventing a breach from expanding beyond its initial point of compromise.
By focusing on these incident response-focused measures, organizations can enhance their ability to respond to NHI-related breaches more effectively, reducing potential damages and restoring operations swiftly.
The Sisense data breach highlights an urgent need for improved management and security of Non-Human Identities in safeguarding critical data assets. Companies must evaluate their cybersecurity strategies and incorporate robust mechanisms to monitor and protect NHIs. As the digital landscape evolves, so too must our approaches to securing it, making the protection of NHIs a top priority for any data-driven enterprise.
