Preventing data breaches is hard; detecting them later can be harder
Case in point: The recently disclosed breach affecting TJX
January 26, 2007 12:00 PM ET (Computerworld) - Protecting corporate systems against intruders isn't easy. But detecting a breach that has already happened can sometimes be even harder, IT managers and analysts said this week in the wake of the high-profile data compromise at The TJX Companies Inc.
The system intrusion at the Framingham, Mass.-based retailer occurred last May but wasn't discovered until mid-December -- seven months later.
In a similar incident at Ohio University last year, a server break-in that exposed the personal data of about 137,000 alumni went unnoticed for more than a year until it -- and several other breaches -- were discovered last spring.
The time gap between the intrusion at TJX and its discovery, though large, isn't entirely surprising given the myriad ways attackers can gain access to systems and then conceal their tracks, said Drew Maness, a senior security strategist at a large entertainment company that he asked not be named. "The reason it's so difficult [to discover a data breach] is because it can come at you from any angle," Maness said. "With physical security, it's very rare that someone breaks in through a side wall on the eighth floor. With computer security, they come in through that side wall."
To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. "You've got to know what every single packet on the network is doing, where it's coming from, where it's going and which ones are bad."
That can be a huge challenge, considering the sheer number of transactions and the terabytes of storage space required on a daily basis to capture and store all of them, said David Jordan, chief information security officer for Virginia's Arlington County. It also requires comprehensive modeling of typical network behavior enterprisewide so any abnormal activity can be pinpointed, Jordan said.
For now, at least, there are few out-of-the-box products that can help companies do end-to-end log collection and real-time data correlation and analysis, said Amer Deeba, vice president of marketing at Qualys Inc., a vulnerability management services provider in Redwood Shores, Calif. And the cost to custom-build such capabilities can be prohibitive, added Deeba.
But there are some tools that IT managers can use to address parts of the challenge, Deeba noted. For instance, several logging and monitoring tools are available for quickly detecting unauthorized database activity.
USEC Inc., a $1.6 billion energy company in Bethesda, Md., uses an appliance from Guardium Inc. to monitor the activities of the database administrators who manage the Oracle and SQL Server databases underlying its financial applications. The Guardium device can detect unauthorized changes and other policy violations that could affect the integrity of USEC's financial data in real time, said CIO David Vordick.
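The two ideas in the preceding paragraphs (a model of normal behaviour against which abnormal activity is flagged, and real-time detection of unauthorized database changes and policy violations) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from Computerworld, TJX, USEC or Guardium. The audit-record format, the table names, the user names and the 01:00-04:00 change window are all assumptions, and the log lines are constructed for the example.

```python
"""Added example: baseline-plus-policy detection over constructed database audit
records. Not vendor or customer code; every name and window here is assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Tables holding financial data (assumed names).
FINANCIAL_TABLES = {"gl_journal", "ap_invoices"}
# Assumed approved window for schema and privilege changes: 01:00 to 04:00.
CHANGE_WINDOW = (time(1, 0), time(4, 0))
# Statement types that change structure or privileges rather than rows.
PRIVILEGED = {"ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}

# Constructed audit records: "<YYYY-mm-dd HH:MM>|<db user>|<statement>|<object>".
# BASELINE_LOG is the learning period; NEW_LOG is the traffic being checked.
BASELINE_LOG = """\
2007-04-02 02:05|dba_jones|ALTER|gl_journal
2007-04-02 02:07|dba_jones|SELECT|gl_journal
2007-04-03 09:15|app_fin|INSERT|gl_journal
2007-04-03 09:16|app_fin|SELECT|ap_invoices
2007-04-04 02:30|dba_jones|ALTER|ap_invoices
"""

NEW_LOG = """\
2007-05-14 02:10|dba_jones|ALTER|gl_journal
2007-05-14 14:22|dba_jones|ALTER|gl_journal
2007-05-14 14:25|dba_jones|GRANT|ap_invoices
2007-05-14 09:00|app_fin|INSERT|gl_journal
2007-05-14 09:01|app_fin|DELETE|gl_journal
2007-05-14 23:59|svc_report|SELECT|gl_journal
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    stmt: str
    obj: str


def parse_log(text):
    """Turn the pipe-separated audit lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, stmt, obj = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M"), user, stmt.upper(), obj))
    return events


def build_baseline(events):
    """Model of 'normal': per user, the set of (statement, object) pairs seen while learning."""
    profile = defaultdict(set)
    for ev in events:
        profile[ev.user].add((ev.stmt, ev.obj))
    return dict(profile)


def in_change_window(ts):
    start, end = CHANGE_WINDOW
    return start <= ts.time() < end


def policy_violations(ev):
    """Rules that apply regardless of what the baseline contains."""
    reasons = []
    if ev.obj in FINANCIAL_TABLES and ev.stmt in PRIVILEGED and not in_change_window(ev.ts):
        reasons.append("privileged statement on financial table outside change window")
    if ev.stmt in {"GRANT", "REVOKE"}:
        reasons.append("privilege change")
    return reasons


def baseline_deviations(ev, profile):
    """Activity that the learning period never showed for this user."""
    if ev.user not in profile:
        return ["no baseline for user"]
    if (ev.stmt, ev.obj) not in profile[ev.user]:
        return [f"{ev.stmt} on {ev.obj} never seen for this user"]
    return []


def detect(baseline_text, new_text):
    """Return one (timestamp, user, statement, object, reason) tuple per finding."""
    profile = build_baseline(parse_log(baseline_text))
    alerts = []
    for ev in parse_log(new_text):
        for reason in policy_violations(ev) + baseline_deviations(ev, profile):
            alerts.append((ev.ts.strftime("%Y-%m-%d %H:%M"), ev.user, ev.stmt, ev.obj, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(" | ".join(alert))
```

The policy rules fire on their own (an ALTER of a financial table at 14:22 is flagged even though the same DBA runs the same ALTER inside the window every month), while the baseline check catches the unfamiliar: an application account issuing a DELETE it never issued before, or a user with no history at all. A real deployment would learn the baseline over a long enough period and re-learn it as the application changes; the point of the example is that both kinds of check are needed, and that neither works without the audit records being collected in the first place.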