Sunday, May 19, 2013

Detecting Evil: Network Security Monitoring

Trying to clear out the backlog of posts in my Drafts folder and this one is long over due...

News Headlines

These are just a couple of the new stories that caught my eye [in the hopefully not too distant past].

BofA Confirms Third-Party Breach

"Bank of America systems were not compromised. Our customer data is secure." Mark Pipitone, BofA Spokesman

Evernote Security Notice

"Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service."


LA Times Serving Up Malware

"To ensure safety, the Offers & Deals platform has been rebuilt and further secured. The sub-domain generates only advertising content and does not contain any customer information."

So What's Going On?

When ever I read headlines like this, they almost always come with some disclaimer that "There is no evidence that the intruders gained access to..." and rightly so.  A lot of companies don't have the ability to detect the breach in the first place, and then when they are notified about it by some third party (customers, law enforcement or the attackers themselves) they most certainly don't have any way to tell what information was stolen, so they claim that customers need not worry because there isn't any evidence of their information being stolen.

"Is it just me or am I the only one who thinks how can these attackers be so good as to break into the networks of companies yet those companies always seem to stop the attack just before the attackers gain access to sensitive information?" Brian Honan, SANS NewsBites Vol 15 Issue18.
 

Assessing the Damage

Because of all of the cover-up attempts by companies to minimize the negative publicity falls out from disclosing a data breach, it can be difficult to find relevant data to use to education the decision makers in your organization about the importance of good Network Security Monitoring.  Here are some resources that I have found useful in describing the impact of a security breach to executives and senior management:
 
And some other interesting statistics in regards to the accuracy of claims that companies caught the bad guys "just in the nick of time".
  • Trustwave 2012 GSR states breach to detection was 173.5 days within the victim’s environment before detection occurred. 
  • In the Trustwave 2013 GSR breach to detection window widened to 210 days. 
  • The Mandiant 2012 Annual Threat Report on Advanced Targeted Attacks sites a much larger window, "The median number of days from the first evidence of compromise to when the attack was identified was 416 days." 
  • The more recent Mandiant APT1 Report states "[attackers] were inside victim systems for avg of 356 days; longest observed: 1764 days"
  • The Verizon DBIR 2012 states, "It saddens us to report that, yet again, breach victims could have circumnavigated the globe in a pirogue (not from the bayou? Look it up.) before discovering they were owned. In over half of the incidents investigated, it took months—sometimes even years—for this realization to dawn. That’s a long time for customer data, IP, and other sensitive information to be at the disposal of criminals without the owners being aware of it."
  • The Verizon DBIR 2013 concludes that it still takes on average 221 from breach to discovery.
These numbers seem to echo a common sentiment that there are two kinds of companies out there; those who know they've been breached and those who have been breached and just don't know it yet.

No comments:

Post a Comment