June 24, 2008

The Discovery Channel

A couple of weeks ago Sharon discussed the Verizon 2008 Investigation Report, in particular the monitoring and real-time security issues published in the report. He also included one of the report's graphs, that of Data Breach Discovery Methods.

It is this chart I'd like to focus on today. As the chart shows, 70% of data breaches are discovered through notification by third parties. This matches the picture that emerges from reading through news headlines of data breaches, as we presented in Imperva's webinar "Reading between the Lines" more than a year ago. Notification by a third party is indeed the worst way to learn of a security breach, but it is mainly how discovery happens when Google Hacking is involved: there is no shortage of stories in which a surprised individual finds her Social Security number appearing on the Web during a simple Google search. Discovery by third parties is not restricted to Google Hacking, though. Take for example the data breach at UVa, published last summer. An SQL injection attack slipped under the radar for nearly 2 years before becoming public. Security monitoring tools did not detect the flaw, nor was the illegal access identified in a timely fashion. Only while reviewing an unrelated defacement incident was the data theft detected, by chance - one year after the first hacking incident.

Verizon has also shown that only 4% of data compromises are discovered by event monitoring or log analysis, and suggests that organizations install and manage event-logging solutions. Going back to our example above, we read that the university maintained an extensive audit trail which allowed investigators to track 54 different attack incidents over a time frame of one year. Yet such an audit trail could not have mitigated the extent of this attack, as it neither helped the university detect the breach in a timely fashion nor assisted in providing details about the records actually stolen.

It is safe to conclude that event logging alone does not provide a comprehensive solution; rather, we require a solution which separates the wheat from the chaff - in our context, one that sifts out only the relevant events. In the best case the solution should also go the next step and block malicious usage (as Sharon suggested this week), but at a minimum any solution must be accurate enough to alert the proper resources.
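To make "separating the wheat from the chaff" concrete, here is an added example of the kind of sifting an audit trail needs before it becomes useful for timely detection. This is illustrative code written for this post, not Imperva's code or any product mentioned on the page. It assumes combined-format web server access logs; the sample log lines, IP addresses, paths and the indicator rules are all constructed for the example. Instead of storing every request as the university's audit trail did, it keeps only requests carrying SQL injection indicators, and it uses a second signal (a 200 response far larger than the same path normally returns) to separate probing from a query that appears to have actually returned extra rows.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2008:10:01:02 +0000] "GET /students/record.php?id=1042 HTTP/1.1" 200 512
10.0.0.7 - - [24/Jun/2008:10:01:09 +0000] "GET /students/record.php?id=1042%27%20UNION%20SELECT%20ssn%2Cname%20FROM%20students-- HTTP/1.1" 200 8934
10.0.0.9 - - [24/Jun/2008:10:02:15 +0000] "GET /news/?article=17 HTTP/1.1" 200 2048
10.0.0.7 - - [24/Jun/2008:10:02:40 +0000] "GET /students/record.php?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 120331
10.0.0.11 - - [24/Jun/2008:10:03:01 +0000] "GET /about.html HTTP/1.1" 304 0
"""

# Parser for one Apache/nginx combined-format line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Hypothetical, deliberately narrow indicator rules, evaluated against the
# URL-decoded query string. A real monitoring rule set is larger and tuned
# to the application; these three only illustrate the sifting step.
INDICATORS = {
    "union-select": re.compile(r"\bunion\b[\s\S]{0,40}\bselect\b", re.I),
    "quote-or/and": re.compile(r"'\s*(or|and)\b", re.I),
    "sql-comment": re.compile(r"'.*(--|/\*|#)", re.S),
}


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    path, _, query = rec["url"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode before matching, or %27 hides the quote
    return rec


def sqli_indicators(query):
    """Names of the indicator rules that fire on a decoded query string."""
    return [name for name, rx in INDICATORS.items() if rx.search(query)]


def sift(log_text):
    """Reduce a raw audit trail to the events worth an analyst's attention."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]

    # Baseline: the smallest clean 200 response seen per path. A later 200 on
    # the same path that is several times larger is the second signal.
    baseline = {}
    for r in records:
        if r["status"] == 200 and not sqli_indicators(r["query"]):
            baseline[r["path"]] = min(baseline.get(r["path"], r["bytes"]), r["bytes"])

    alerts = []
    for r in records:
        hits = sqli_indicators(r["query"])
        if not hits:
            continue  # the bulk of the trail: logged, but never shown to a human
        base = baseline.get(r["path"])
        oversized = base is not None and r["bytes"] > 4 * base
        alerts.append({
            "ip": r["ip"],
            "ts": r["ts"],
            "path": r["path"],
            "indicators": hits,
            # Indicator plus an unusually large successful response suggests the
            # injected query returned rows, which is what the UVa trail lacked:
            # a record of which requests actually read data out.
            "likely_exfil": r["status"] == 200 and oversized,
        })
    return alerts


if __name__ == "__main__":
    for alert in sift(SAMPLE_LOG):
        print(alert)
```

On the five constructed lines the sifter reduces the trail to two alerts, both from the same source address, both flagged as likely data retrieval rather than mere probing. That is the distinction the post is after: an audit trail records 54 incidents after the fact, whereas an accurate filter raises the two that matter while the attack is still in progress.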
