Spotting System Intrusions a Big Challenge for IT

Computerworld - Protecting corporate systems against intruders isn’t easy. But detecting a breach that has actually happened can sometimes be even harder, IT managers and analysts said last week in the wake of the high-profile data compromise at The TJX Companies Inc.

The system intrusion at the Framingham, Mass.-based retailer occurred last May but wasn’t discovered until mid-December — seven months later. TJX publicly disclosed the breach two weeks ago.

In a similar incident at Ohio University, a server break-in that exposed the personal data of about 137,000 alumni went unnoticed for more than a year before being discovered last spring along with several other security breaches.

The gap between the intrusion at TJX and its discovery isn’t entirely surprising, given the myriad ways attackers can gain access to systems and then conceal their tracks, said Drew Maness, a senior security strategist at a large entertainment company that he asked not be named.

“The reason it’s so difficult [to discover a data breach] is because it can come at you from any angle,” Maness said. “With physical security, it’s very rare that someone breaks in through a side wall on the eighth floor. With computer security, they come in through that side wall.”

To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. “You’ve got to know what every single packet on the network is doing, where it’s coming from, where it’s going and which ones are bad,” he said.

That can be a huge challenge, considering the sheer number of transactions and the terabytes of storage space required on a daily basis to store log data about all of them, said David Jordan, chief information security officer for Virginia’s Arlington County. It also requires comprehensive modeling of typical network behavior enterprisewide so any abnormal activity can be pinpointed, Jordan said.

Few Existing Products

For now, at least, there are few out-of-the-box products that can help companies do end-to-end log collection and real-time data correlation and analysis, said Amer Deeba, vice president of marketing at Qualys Inc., a vulnerability management services provider in Redwood Shores, Calif. And the cost of custom-building such capabilities can be prohibitive, added Deeba.

But there are some tools that IT managers can use to address parts of the challenge, Deeba noted. For instance, several logging and monitoring tools are available for quickly detecting unauthorized database activity.

USEC Inc., a $1.6 billion energy company in Bethesda, Md., uses an appliance from Guardium Inc. to monitor the activities of the administrators who manage the Oracle and SQL Server databases underlying its financial applications. The Guardium device can detect unauthorized changes and other policy violations that could affect the integrity of USEC’s financial data, said CIO David Vordick.