It’s every company’s worst nightmare. Even before the bad news is splashed across the press, word makes its way up the chain of command: Your company has been hacked. Customer data has been stolen, and you don’t know by whom.
No doubt this is the scenario that flashed through your mind when you heard about the Neiman Marcus and Target breaches this winter. From a damaged brand reputation and loss of consumer confidence to financial costs, getting hacked can be catastrophic. But here’s an element that hasn’t been publicized quite as widely: some of these high-profile attacks could have been mitigated, if not prevented entirely.
In the case of the Neiman Marcus attack, the high-end department store missed 60,000 chances to stop the breach. You read that right. The company was reportedly warned over and over by roughly 60,000 alerts triggered in its own security system, but the warning signs went unnoticed. Interestingly, the card-stealing software was such that it was automatically deleted each day, then uploaded again by the attackers, triggering dozens to hundreds of alerts each time – something the attackers obviously felt safe in doing.
There’s a lesson here for everyone: the most advanced technology in the world is only as good as the people and systems behind it. Otherwise your sophisticated security device is nothing more than a paperweight. If you’re using self-detection devices to guard perimeter security and network security, for example, your devices inspect your systems, compile logs of activity and alert you when something is anomalous. But your organization still needs a skilled and diligent team to monitor and analyze those events, draw correlations and react appropriately.
Your team also needs efficient systems that make the information manageable. Neiman Marcus’s alerts represented only 1% of their daily log actions and were named almost identically to other files on their servers, making them very easy to overlook. Even a smart and dedicated team will have trouble spotting a needle in a very large haystack.
Managing Security Through a Macro-view
All too often organizations view security as a strictly technical operation. In fact, the strongest security comes from a proactive partnership where technology and human ingenuity work together.
For instance, once your security system is in place, you’ll need to create mechanisms to retrieve and analyze all the pertinent data. Look at normal activity versus anomalous activity and correlate those into a relatively small number of actionable events.
It’s entirely plausible that in the case of Neiman Marcus, the tens of thousands of alerts were simply lost in the noise of log data that was not important. Some systems are active and some are reactive; make sure you know what you’re dealing with and don’t leave anything out.
Also make sure that your systems play nice together. One of the issues at Neiman Marcus was that the feature that could have automatically blocked the malware was turned off because it blocked other maintenance programs.
From there you can begin to build a contextual blueprint that highlights disruptions in typical activity. The key here is to take a macro view. An anomaly might look benign here and there, but considered as a whole, the activity may be suspicious. Log aggregation can help you analyze rising threats and spot trends like attacks morphing from type X into type Y; event correlation, however, will help determine which log entries were important and which were just normal, everyday logs.
Be aware this is a long-term and cumulative process, rather than a piece of knowledge you can acquire overnight. But it will give you an accurate, lucid picture into what’s “normal” for your system, and will amplify your power to detect unauthorized activity. Through this larger pane of glass, you can identify issues and vulnerabilities before they become serious; you can also evaluate the effectiveness (or inadequacy) of your counter-measures and prioritize any new security measures that need to be implemented.
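One way to collapse raw alerts into a small number of actionable events and surface activity that only looks suspicious as a whole, as an added example that is not part of the original column. The host names, signature names, timestamps and the three-day recurrence threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

def correlate(alerts, min_days=3):
    """Collapse raw alerts into one incident per (host, signature).

    alerts: iterable of (iso_timestamp, host, signature) tuples.
    An incident that recurs on at least `min_days` distinct calendar
    days is marked "escalate"; anything else is marked "review".
    """
    groups = defaultdict(list)
    for ts, host, sig in alerts:
        groups[(host, sig)].append(datetime.fromisoformat(ts))

    incidents = []
    for (host, sig), times in groups.items():
        days = {t.date() for t in times}
        incidents.append({
            "host": host,
            "signature": sig,
            "alerts": len(times),
            "days": len(days),
            "first_seen": min(times).isoformat(),
            "last_seen": max(times).isoformat(),
            "priority": "escalate" if len(days) >= min_days else "review",
        })
    # Recurring activity first, then by alert volume.
    incidents.sort(key=lambda i: (-i["days"], -i["alerts"]))
    return incidents

def sample_alerts():
    """Constructed sample data, not taken from any real incident."""
    alerts = []
    # The same alert firing 40 times a night, five nights running, on one host.
    for day in range(3, 8):
        for n in range(40):
            alerts.append((f"2014-02-{day:02d}T02:{n:02d}:00",
                           "pos-gw-01", "unknown-binary-written"))
    # One-off events on other hosts.
    alerts.append(("2014-02-04T09:15:00", "web-02", "failed-login-burst"))
    alerts.append(("2014-02-06T14:30:00", "db-01", "config-change"))
    return alerts

if __name__ == "__main__":
    for inc in correlate(sample_alerts()):
        print(inc["priority"], inc["host"], inc["signature"],
              f'{inc["alerts"]} alerts over {inc["days"]} day(s)')
```

Each nightly burst looks like routine noise when read a day at a time; grouping by host and signature across days turns 202 log lines into three incidents, with the recurring one at the top.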
Achieving Security Omniscience
To monitor your system effectively and keep your company safe from malicious attacks, consider adopting the practices below.
• Have a daily security checklist of systems to monitor. Don’t just check some systems on some days; be thorough every day.
• Implement a log aggregator and SIEM to preserve the integrity of system logs, and correlate them into a manageable number of actionable events.
• Review all logs to detect not just individual abnormalities, but patterns as well. Build a macro-data view that helps you understand your system as a whole, then investigate anything that seems amiss.
• Set up layered alert systems. This means instituting multiple methods like email and text that go to multiple people, with prioritized alerts assigned to different employees. The idea is to cover all bases, so that a recently terminated employee or lost phone won’t create a gap in the system.
• Examine what comes into your system, but also what goes out. Too many self-detection systems focus only on what’s entering the network, when it’s the data leaving the network that can indicate a truly dangerous problem. (The recent Target breach, where a steady stream of cardholder data exited the network, is a good example of that.)
If there’s one lesson we all learned from the recent data breaches in the news, it’s that many organizations need a smarter approach to security. Cybercriminals will never go away, and malware and malicious URLs will continue to thrive for as long as they’re successful. But by adopting preemptive practices that pair system intelligence with macro-data analysis, you can reduce threats and minimize breach damage – and avoid becoming an embarrassing security failure story in the news.
Chris Hinkley is a Senior Security Engineer at FireHost where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with FireHost since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.