BreachExchange mailing list archives

How Better Log Monitoring Can Prevent Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Feb 2015 19:06:12 -0700

http://www.cio.com/article/2887924/security0/how-better-log-monitoring-can-prevent-data-breaches.html

Evidence suggests that high-profile data losses at major retailers such as
Home Depot, Sony, Target and Michaels Stores are a major ongoing trend, not
a one-and-done anomaly of the IT infrastructure on which most companies
rely.

The wholesale loss of millions of customers’ personally identifiable
information (PII) to hackers and other ne'er-do-wells creates a crisis of
public confidence that can directly impact corporate financial results --
and yes, Virginia, IT professionals really can lose their jobs in the
aftermath of such corporate hacking incidents.

Rather than re-examining how these attacks could have been prevented in the
first place -- if that's even possible -- we posit that the mitigation of
these events isn't purely about prevention; it's about detecting intrusions
at the earliest possible moment and reacting immediately to limit any data
loss.

A key tool in recognizing data intrusions is the lowly log file, a standard
feature of almost every operating system, application, server platform and
related software in the corporate IT world.

Isolated Is as Isolated Does

Like many others in IT, we used to firmly believe that only an isolated
computer -- that is, one that is not connected to an internal corporate
network or to the Internet -- is totally immune to hackers. However, the
Stuxnet malware attack on the Iranian nuclear program in 2010 proved that
even computers on a totally isolated internal network can be infected with
malware, in this case most likely via a previously infected USB drive that
was used to load software updates onto industrial process computers
controlling centrifuges used in the uranium enrichment process.

It was an epiphany to see that what we used to call the venerable
"sneakernet" -- moving software between computers via a floppy drive, USB
drive or other removable media -- is still exposing isolated computers to
destructive malware, even in the highest-security environments imaginable.

As a matter of fact, many companies disable USB ports and removable drives
on corporate computers precisely to avoid such a circumstance. We are
pretty confident that all USB ports and drives that use removable media on
those "isolated" Iranian process logic controllers have in the intervening
years been turned off or perhaps even physically removed.

The Log Ride

Log files have always been the lowest-tech, most verbose way to monitor the
health and operation of IT software and hardware. In many cases, the level
of log file messages can be configured from no log messages written, all
the way up to highly detailed log file messages that can track every
activity occurring to or within your software and hardware.

The good thing about log files is that you can easily create gigabytes of
data just by configuring log files to collect said data. The problem is
that finding specific information and pertinent warnings in those
gazillions of log file messages is a daunting task. Log file parsing
software has been available for many years, but just installing and
configuring log file monitoring on your mission-critical IT components
isn't going to produce much valuable information, owing to the sheer amount
of data that log files can capture.

Protect and Serve(rs)

Step 1 is to turn on log file auditing for all hardware and software in
your infrastructure. Step 2 is to acquire log file monitoring software that
can parse those log files and create alerts, constantly vigilant for any
indication of network intrusions or malware attacks.
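As an added illustration of Step 2, and not code from the original article, the following Python sketch parses constructed sshd-style auth log lines, raises a BRUTE_FORCE alert when one source exceeds a failure threshold inside a time window, and escalates with a SUCCESS_AFTER_FAILURES alert if that same source later logs in successfully. The log format, host names, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd style; not taken from any real system.
SAMPLE_LOG = """\
Feb 24 19:01:02 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 24 19:01:04 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Feb 24 19:01:05 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 24 19:01:07 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Feb 24 19:01:09 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 51026 ssh2
Feb 24 19:01:30 web01 sshd[4130]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Feb 24 19:05:00 web01 sshd[4200]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Feb 24 19:20:00 web01 sshd[4300]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(line, year=2015):
    """Return (timestamp, result, user, source) or None for lines this detector ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect(lines, threshold=5, window=timedelta(minutes=2)):
    alerts = []
    recent = defaultdict(list)   # source -> timestamps of failures still inside the window
    flagged = set()              # sources that already triggered a brute-force alert
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        if result == "Failed":
            fails = [t for t in recent[src] if ts - t <= window] + [ts]
            recent[src] = fails
            if len(fails) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, f"{len(fails)} failures within {window}"))
        elif src in flagged:   # a success from a source that was hammering us: escalate
            alerts.append(("SUCCESS_AFTER_FAILURES", src, f"login as {user} at {ts:%H:%M:%S}"))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

Pointing `detect()` at a real file (for example `detect(open("/var/log/auth.log"))`) works unchanged, since non-matching lines are skipped; the single failed login from alice is below threshold and produces no alert.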
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com