Sony hack highlights importance of breach analysis
Determining the scope of a breach can be a huge challenge for enterprises without the right tools and data
Computerworld - Sony's apparent difficulty in figuring out the extent of the damage from the recent intrusion into its PlayStation Network, while frustrating for those affected by it, is not too surprising, given the bag of tricks that hackers employ to hide their tracks.
All too often, companies simply don't have the forensic tools or enough log data to be able to reliably piece together what might have happened and to determine the true scope of a breach. Sometimes it can take weeks or months to get an accurate picture, and even longer for a breached entity to entirely clean out its networks.
Sony itself has offered no reason why it waited more than six days to inform consumers that their account information, including name, address, birth date, purchase history, online ID and possibly credit card data, had been compromised.
And it has said nothing about why it's taking so long to restore the network. In all, a staggering 77 million consumer records, including those of many minors, were potentially exposed, making it one of the largest data breaches ever.
It's possible that Sony's initial silence was prompted by PR worries, a law enforcement request or both. It's also possible that the company did not have the data it needed to quickly determine the true scope of the problem, IT managers and security analysts said.
That's because often the security tools that companies deploy are oriented toward discouraging and preventing data breaches, said Matt Kesner, CTO at the law firm Fenwick & West. "Most haven't focused on instruments that would create a great record if you were hacked or breached," he said.
While companies probably look at log data from their firewalls and other security devices, "it's very difficult to build a trail" without more data, he said.
"A lot of organizations keep and monitor logs from security devices [such as] firewall, antivirus, intrusion detection," said Johannes Ullrich, CTO at the SANS Internet Storm Center. "But they fail to create and collect application logs, in particular from custom applications, with the same rigor."
Custom applications, especially Web applications, are a huge target for malicious attackers, Ullrich said. Yet because companies don't often collect and maintain these logs, "a lot of intrusions are not detected and the damage cannot be quantified," he said.
Another problem, especially in large companies, is that old log data often gets overwritten with fresh logs by the time an intrusion is detected, said Alex Cox, principal research analyst at NetWitness, a security vendor that was recently acquired by EMC.
Though it is relatively inexpensive for companies to store multiple years' worth of raw log data if they want to, many don't. As a result, log data that might have revealed critical details about a break-in can be overwritten by fresh data over time.
"If you are lucky, you can get to a point where you find some piece of information you need to put the puzzle together, and sometimes you don't find it," Cox said.
In addition to log data, companies also need the right host- and network-based forensic tools to be able to quickly sift through and correlate event data and figure out what might have happened.
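The three points above (security-device logs alone do not reveal which records were touched, application logs do, and log retention decides whether that evidence still exists when the intrusion is noticed) can be made concrete with a small scope-analysis script. The following is an added example, not code from the article or from Sony; the firewall and application log formats, IP addresses, account IDs and dates are all constructed for illustration.

```python
"""Reconstruct the scope of an intrusion from firewall and application logs.

All log lines, addresses and account identifiers below are constructed sample
data for this example; they do not describe any real incident.
"""
import re
from datetime import datetime, timedelta

# Constructed firewall log: timestamp, action, source IP, destination host:port.
FIREWALL_LOG = """\
2011-04-17T02:10:05Z ALLOW src=203.0.113.9 dst=10.0.0.5:443
2011-04-17T02:11:41Z ALLOW src=203.0.113.9 dst=10.0.0.5:443
2011-04-17T02:15:00Z ALLOW src=198.51.100.4 dst=10.0.0.5:443
2011-04-18T23:59:58Z ALLOW src=203.0.113.9 dst=10.0.0.5:443
"""

# Constructed application log from a custom web app: which account each request touched.
APP_LOG = """\
2011-04-17T02:10:06Z ip=203.0.113.9 user=svc_support action=view_profile target=acct-10442
2011-04-17T02:11:42Z ip=203.0.113.9 user=svc_support action=view_profile target=acct-10443
2011-04-17T02:15:01Z ip=198.51.100.4 user=jdoe action=login target=acct-20001
2011-04-18T23:59:59Z ip=203.0.113.9 user=svc_support action=export_billing target=acct-10444
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>\S+)$")
APP_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text, pattern):
    """Turn log lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        match = pattern.match(line.strip())
        if match:
            event = match.groupdict()
            event["ts"] = parse_ts(event["ts"])
            events.append(event)
    return events


def scope_from_firewall(fw_text, suspect_ip):
    """What firewall logs alone tell you: how often and when the source connected.

    They say nothing about which customer records were read."""
    hits = [e for e in parse_log(fw_text, FW_RE) if e["src"] == suspect_ip]
    if not hits:
        return {"connections": 0, "first": None, "last": None}
    times = [e["ts"] for e in hits]
    return {"connections": len(hits), "first": min(times), "last": max(times)}


def scope_from_app(app_text, suspect_ip):
    """What application logs add: the accounts and actions tied to the suspect source."""
    hits = [e for e in parse_log(app_text, APP_RE) if e["ip"] == suspect_ip]
    return {
        "accounts": sorted({e["target"] for e in hits}),
        "actions": sorted({e["action"] for e in hits}),
    }


def evidence_retained(events, detected_at, retention_days):
    """Simulate log rotation: anything older than retention_days before detection is gone.

    detected_at is an ISO-8601 UTC string like '2011-04-26T00:00:00Z'.
    Returns (events still available, number of events lost to rotation)."""
    cutoff = parse_ts(detected_at) - timedelta(days=retention_days)
    kept = [e for e in events if e["ts"] >= cutoff]
    return kept, len(events) - len(kept)


if __name__ == "__main__":
    suspect = "203.0.113.9"
    print("firewall view:", scope_from_firewall(FIREWALL_LOG, suspect))
    print("application view:", scope_from_app(APP_LOG, suspect))
    app_events = parse_log(APP_LOG, APP_RE)
    for days in (7, 30):
        _, lost = evidence_retained(app_events, "2011-04-26T00:00:00Z", days)
        print(f"{days}-day retention, detected 2011-04-26: {lost} application events lost")
```

Run as a script, the firewall view reports three connections from the suspect address but no record identities; the application view names the three accounts and the `export_billing` action that a notification would need to cover. The retention check shows the point Cox makes: with a seven-day rotation window and detection nine days after the last access, every application event is already gone, while a thirty-day window keeps all of them.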