This headline from a recent Dark Reading article is important. The reality is that stealing identity and credit card data is big business. Thieves aren’t interested in attracting attention. Their goal is simple – steal as much money as they can without being detected.
Unfortunately, the article suggests that the solution to this threat is keeping log data for longer periods of time to provide a broader set of historical data for analysis. This approach is purely forensic: it's a great way to uncover the source of a breach after the fact, but it does little to prevent the breach or even improve overall network security, which leads some to conclude that log management and traditional SIEM solutions aren't as valuable as the market had hoped. The real issue is the reliance on forensics.
Let’s look at this from another perspective. Let’s imagine that the anti-virus and anti-malware market focused on data collection, storage, reporting and searching. Those are all useful features, but none of them will actually protect you from threats. Instead, anti-virus and anti-malware focus on real-time analysis and even more important, an active response…
Who would buy an anti-virus or anti-malware solution that produced a daily bar chart listing the anomalies infecting our networks, or worse required that we periodically search a mountain of data for suspicious activity?
Why shouldn’t we expect, and even demand, that SIEM and Log Management solutions also provide us with that same level of analysis, detection and response?
Let’s look at what the article reported. Dark Reading describes the “slow and silent” attack as a “methodical attack, where the attacker covers his tracks as he penetrates the network, sometimes ceasing the attack for days at a time to avoid raising suspicion”. It also notes that intruders “…can turn off logging”. What’s easy to miss is that this activity leaves tracks. Even the simple act of disabling the logging is itself logged, and frankly that action should warrant an immediate inspection - given its classic association with intruders and insiders looking to cover their tracks.
In discussing the TJX hack, the article describes this as a classic “low and slow attack.” Once inside they created new accounts which they used to tap into the TJX credit card data.
Wouldn’t it be great if there was a product that could monitor authentication activity and alert you to the creation of new accounts? No doubt, a large retail organization has lots of turnover, so perhaps the volume of new account creation is too high… So let’s focus on group membership. How many of those new accounts were added to the Administrators group? How many of those accounts logged directly on to core servers, accessed the high value databases, changed firewall policies, or installed new applications?
My point is simple: all of these events can be analyzed in real-time, and any one of them is sufficient to generate an incident that should be investigated. If any of them are correlated with access at unusual times or from unusual locations, it's likely a compromise is in progress - right now. Whether you respond automatically, or via notification and subsequent manual response, the point is that you're able to respond while there's still an opportunity to protect the data.
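As an added example (not code from the original post or from any product it mentions), here is a small streaming rule set that evaluates the events discussed above as they arrive: audit logging being cleared, a new account being added to a privileged group within a short window of its creation, and a logon outside business hours or from an external address. The sample events are constructed, not real captures; the event IDs follow Windows Security log numbering (4720 user created, 4728/4732 member added to a group, 4624 logon, 1102 audit log cleared), which is an assumption about the log source, and the business-hours range, the 24-hour window and the internal network list are illustrative thresholds a deployment would tune.

```python
"""Real-time correlation rules for the account and logging events the post calls out."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Illustrative policy values (assumptions, not from the post).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 local is "normal"
NEW_ACCOUNT_WINDOW = timedelta(hours=24)  # creation -> privilege/logon correlation window

# Constructed sample events in a simplified normalized-log format. Hostnames, users and
# addresses are invented; 203.0.113.0/24 is a documentation range, used here as "external".
SAMPLE_EVENTS = [
    {"ts": "2009-06-01T09:10:00", "id": 4720, "user": "jsmith", "host": "HR-DC01", "actor": "hradmin"},
    {"ts": "2009-06-01T09:12:00", "id": 4624, "user": "jsmith", "host": "HR-WS14", "src": "10.1.5.22"},
    {"ts": "2009-06-01T10:00:00", "id": 4728, "user": "ops_lead", "host": "HR-DC01", "group": "Domain Admins"},
    {"ts": "2009-06-02T02:41:00", "id": 4720, "user": "svc_bkp2", "host": "POS-DC01", "actor": "backupops"},
    {"ts": "2009-06-02T02:43:00", "id": 4732, "user": "svc_bkp2", "host": "POS-DC01", "group": "Administrators"},
    {"ts": "2009-06-02T03:05:00", "id": 4624, "user": "svc_bkp2", "host": "CARD-DB01", "src": "203.0.113.45"},
    {"ts": "2009-06-02T03:30:00", "id": 1102, "user": "svc_bkp2", "host": "CARD-DB01"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_external(addr):
    """True when the source address is outside every known internal network."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(events):
    """Process events in time order and emit an incident the moment a rule fires.

    Returns a list of incident dicts; an empty list means nothing needs attention.
    """
    incidents = []
    created_at = {}  # user -> creation time, kept so later events can be correlated

    def fire(rule, severity, event, **extra):
        incidents.append({"rule": rule, "severity": severity, "user": event.get("user"),
                          "host": event["host"], "ts": event["ts"], **extra})

    def recently_created(event, when):
        user = event.get("user")
        return user in created_at and when - created_at[user] <= NEW_ACCOUNT_WINDOW

    for event in sorted(events, key=_ts):
        eid, when = event["id"], _ts(event)

        if eid == 1102:
            # Logging being disabled or cleared is itself logged; always escalate immediately.
            fire("audit_log_cleared", "critical", event)

        elif eid == 4720:
            # A new account alone is routine (turnover); remember it for correlation only.
            created_at[event["user"]] = when

        elif eid in (4728, 4732) and event.get("group") in PRIVILEGED_GROUPS:
            # Privileged group membership always warrants review; a brand-new account is worse.
            if recently_created(event, when):
                fire("new_account_to_privileged_group", "critical", event, group=event["group"])
            else:
                fire("privileged_group_add", "high", event, group=event["group"])

        elif eid == 4624:
            reasons = []
            if when.hour not in BUSINESS_HOURS:
                reasons.append("off_hours")
            if "src" in event and _is_external(event["src"]):
                reasons.append("external_source")
            if reasons:
                severity = "critical" if recently_created(event, when) else "medium"
                fire("unusual_logon", severity, event, reasons=reasons)

    return incidents


if __name__ == "__main__":
    for incident in analyze(SAMPLE_EVENTS):
        print(incident)
```

Run as a script, the ordinary HR account created and used during business hours produces nothing, while the overnight sequence on the point-of-sale domain controller and card database yields three escalating incidents before the log is cleared, which is the window in which a response can still protect the data. The rules are deliberately stateful but cheap: the only memory kept is the creation time per new account, so the same logic runs as a stream rather than as a search over stored history.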
Mid-Market Threat
Some have the mistaken notion that this topic is solely the realm of the “enterprise” organization. Given the stories that make the national headlines, it’s easy to fall into this trap, but there’s something else at work here that needs attention. A recent TechTarget article on the Heartland breach suggests that the SMB market isn’t likely to be a target for the kind of attack used to compromise the Heartland Payment Systems network.
The article reveals a common misconception that the SMB market consists of "mom and pop" businesses. I agree that the law firm example given in the article isn't a likely target for this attack, but your local restaurants, convenience stores and many other retail merchants are significant targets. One case was detailed at last year's Black Hat Las Vegas conference and represented over $1 million lost in associated credit card fraud from about 60 days of captured transaction data – using a method nearly identical to the Heartland breach.
Why do hackers target this market?
They're often seen as easy prey, and the rewards are more than sufficient to justify a relatively small investment by the attacker. A hacker can net thousands of credit cards by capturing every transaction at a few different locations over a period of a month or two. While such a breach won't break the Heartland record, and almost certainly won't make the national news, that doesn't mean mid-market businesses are not at risk.
Bottom Line:
Is forensic analysis important? Absolutely. It’s simply not enough. Given the realities of today’s world, it’s time we start thinking about SIEM as a tool for prevention and focus on real-time analysis and response. The alternative is another chalk outline around another business and another job for the forensic team.