Preventing data breaches is hard; detecting them later can be harder

Case in point: The recently disclosed breach affecting TJX

Protecting corporate systems against intruders isn't easy. But detecting a breach that has already happened can sometimes be even harder, IT managers and analysts said this week in the wake of the high-profile data compromise at The TJX Companies Inc.

The system intrusion at the Framingham, Mass.-based retailer occurred last May but wasn't discovered until mid-December -- seven months later.

In a similar incident at Ohio University last year, a server break-in that exposed the personal data of about 137,000 alumni went unnoticed for more than a year until it -- and several other breaches -- were discovered last spring.

The time gap between the intrusion at TJX and its discovery, though large, isn't entirely surprising given the myriad ways attackers can gain access to systems and then conceal their tracks, said Drew Maness, a senior security strategist at a large entertainment company that he asked not be named. "The reason it's so difficult [to discover a data breach] is because it can come at you from any angle," Maness said. "With physical security, it's very rare that someone breaks in through a side wall on the eighth floor. With computer security, they come in through that side wall."

To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. "You've got to know what every single packet on the network is doing, where it's coming from, where it's going and which ones are bad."

That can be a huge challenge, considering the sheer number of transactions and the terabytes of storage space required on a daily basis to capture and store all of them, said David Jordan, chief information security officer for Virginia's Arlington County. It also requires comprehensive modeling of typical network behavior enterprisewide so any abnormal activity can be pinpointed, Jordan said.

For now, at least, there are few out-of-the-box products that can help companies do end-to-end log collection and real-time data correlation and analysis, said Amer Deeba, vice president of marketing at Qualys Inc., a vulnerability management services provider in Redwood Shores, Calif. And the cost to custom-build such capabilities can be prohibitive, added Deeba.

But there are some tools that IT managers can use to address parts of the challenge, Deeba noted. For instance, several logging and monitoring tools are available for quickly detecting unauthorized database activity.

USEC Inc., a $1.6 billion energy company in Bethesda, Md., uses an appliance from Guardium Inc. to monitor the activities of the database administrators who manage the Oracle and SQL Server databases underlying its financial applications. The Guardium device can detect unauthorized changes and other policy violations that could affect the integrity of USEC's financial data in real time, said CIO David Vordick.

The technology also enables USEC to monitor compliance with its Sarbanes-Oxley financial reporting obligations and provides the company with a real-time, security-alerting capability, Vordick said.

Accor North America, a Carrollton, Texas-based company that operates hotel chains such as Red Roof Inns and Sofitel, is using a similar monitoring technology from Imperva Inc. to monitor for unusual database activity as it occurs. Such tools can allow companies to move from a "passive security" model to a more aggressive one, said Jaimin Shah, a senior security engineer at Accor.

Unlike the logging capabilities built into database products, stand-alone database monitoring tools are optimized for security and have less of an impact on performance, said Phil Neray, a vice president at Guardium. Stand-alone products such as Guardium's are also more difficult to turn off by privileged users and are able to generate real-time, policy-based alerts, he said.

Extending the same kind of monitoring to all network and system assets could help detect suspicious activity more quickly, Shah said. "The problem is that monitoring generates a tremendous amount of logs," he said. The challenge lies in "getting the right information as quickly as we can," from the log data.

Some vendors such as LogLogic Inc. are beginning to offer more efficient ways to sift through voluminous log data and focus on the issues that matter, Maness said. Such products can complement security event management tools, he said.

LogLogic's hardware appliances are designed to automatically capture and store log data from firewalls, routers, servers, applications, operating systems and other devices, said Andy Lark, a spokesman for the San Jose-based company. The appliances can be configured to generate near-real-time alerts when the logs show violations of predefined polices, such as those associated with Payment Card Industry standards, he said.

Products from vendors such as Vericept Inc. and Vontu Inc. that allow companies to monitor the content flowing across their networks can also be useful, Maness said. The products work by inspecting every packet flowing across a network and sending an alert when prohibited or sensitive data is found, he said.

An emerging class of network behavior analysis tools from vendors such as Arbor Networks Inc., Mazu Networks and Lancope Inc. are beginning to give companies a way to more quickly detect unusual or suspicious network behaviors, according to a November Gartner Inc. report. The products work by analyzing traffic and creating a baseline model of typical network behavior. They can then be used to generate real-time alerts when behavior strays from that norm.

Such products are designed to provide a defense against unknown vulnerabilities and threats, said Marty Roesch, chief technology officer and founder of SourceFire Inc., a Columbia, Md.-based vendor of network behavior analysis products. "It is somewhat naive to assume that people are going to be able to craft detection capabilities for every possible break-in," he said. Behavior analysis tools can enable a "continually updated awareness" of the network to detect patterns that might otherwise be missed.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon