The Current State of Affairs

This past year, corporations and consumers alike experienced an intense economic climate, fraught with threats to global financial markets and personal financial security. Companies and individuals were dealt additional blows when several of the largest data breaches in history occurred. Firewalls were penetrated, networks were hacked, malware infiltrated servers and web applications, and confidential records were compromised. Many companies publicly and painfully experienced the challenges of data exposure.

Regardless of the sophistication and aggressiveness of these attacks, many companies failed to detect the breaches when they occurred. Yet high-profile, damaging data breaches are nothing new, and in recent years they have prompted many companies to adopt more intelligent, proactive information security measures. At the same time, regulatory compliance demands continue to intensify across industries, putting companies under additional pressure to better protect valuable, confidential data. So why are data breaches still occurring in such alarming numbers, with often devastating consequences for companies and consumers?

In some breaches, the root cause is clear, such as a stolen laptop or employee negligence. In other cases, it takes an intense investigation to determine what happened and how. Recently, the Verizon Business RISK Team, a world-renowned data forensics organization, investigated suspected breaches occurring from 2004 to 2008, presenting detailed firsthand evidence in its report, 2009 Data Breach Investigations Report. The results are enlightening and give companies reason to revisit their security strategies. According to Verizon, “The majority of breaches still occur because basic controls were not in place or because those that were present were not consistently implemented across the organization.” They add, “Most of these incidents do not require difficult or expensive preventive controls; mistakes and oversight hinder security efforts more than a lack of resources.” More often than not, the opportunity for detection is there. Investigators noted that “66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources.”

In essence, simply collecting event data through log management — though important and almost always required by compliance mandates — is not enough to secure the enterprise. Companies must expand their log management efforts to include in-depth visibility into logs across the company. This requires correlating the logs for a complete and clear understanding of events, patterns, and trends in real time, so organizations can stop the attacks before they reach important data. Security information management (SIM) solutions together with log management tools can provide companies with the insight needed to successfully protect important business data and ensure a secure environment.

Recent Data Breaches: A Closer Look

Whether they inflict their pain on a well-known global corporation or an unassuming small, local business, data breaches can impact companies and their customers in many unsavory ways, from creating inconveniences for network administration teams, to exposing personal information to theft, to causing long-term damage to businesses. Consumer accounts are hacked and huge sums of money disappear. Personal identities are stolen. Consumer trust in targeted companies dwindles, causing profits to fall. Organizations must dedicate funds, sometimes in the millions of dollars, to notifying every customer who was potentially exposed.

Clearly, cyber attackers and their techniques continue to evolve, yet many companies are not keeping pace with the growing level of sophistication underlying security attacks. Rather than lacking the necessary resources to sufficiently protect their corporate data, they often lack the right tools and processes to adequately analyze events as they are happening. The security data exists in their organization, yet they have not figured out how to leverage it to prevent and mitigate risk. As noted by Verizon, “All too often, evidence of events leading to breaches was available to the victim but this information was neither noticed nor acted upon. Processes that provide sensible, efficient, and effective monitoring and response are critical to protecting data.” Importantly, companies need to do more than collect event logs. They must correlate them to identify suspicious patterns in the logs that could indicate an impending attack or inappropriate activity.

Defending Against Threats and Breaches

The recent increase in security breaches, and the resulting compromise of sensitive information, shows that organizations must refine their security efforts. Security intelligence is necessary for prevention, including enterprise-wide visibility into security events and effective alignment of people, processes, and technology. Organizations should have a standard log-review policy that requires them to review security event data beyond operating system, network, and firewall logs to include databases, Web applications, remote access services, and other critical applications. Yet simple log management products leave security staff to correlate events manually, which makes it impractical to maintain the day-to-day understanding of potential breaches and attacks needed to prevent damage. In fact, with basic log management, companies typically find out about these attacks and breaches long after they occur.

Instead, organizations need automated, real-time event correlation, made possible by a combined SIM and log management strategy. To defend against threats and data breaches, companies need a reliable, integrated solution that captures volumes of diverse data from across the network, centralizes and archives event logs, and provides in-depth reporting. Today’s increasingly targeted and hard-to-detect threats require visibility into logs, understanding patterns and trends in real time, and identifying threats as they happen.

When companies have the right correlation capabilities, they can automatically collect massive amounts of security event data and zero in on the events that suggest potential problems. Multiple reporting devices can detect and alert on suspicious repeated activity, such as multiple login failures, and their agreement confirms that an event occurred at a particular point in time rather than being a single device's noise. Statistical correlation searches for anomalies by gauging the relationship between two or more variables, such as the number of incoming versus outgoing emails on a given day, to alert on a host that has been turned into a spam server. Pattern- or rule-based event correlation allows companies to identify behaviors indicative of attacks by comparing them with a catalog of real-world attack patterns.
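The three correlation styles above, as an added example that is not part of the original article and not netForensics code: a small Python script that parses constructed authentication log lines, applies a rule (a burst of login failures from one source, corroborated across several devices, followed by a success) and runs a statistical check on a constructed series of daily inbound/outbound mail counts. The log format, device names, addresses and thresholds are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> <device> <event> user=<name> src=<ip>"
SAMPLE_LOGS = """\
2009-03-01T10:00:01 fw01 auth_fail user=admin src=203.0.113.7
2009-03-01T10:00:09 vpn01 auth_fail user=admin src=203.0.113.7
2009-03-01T10:00:15 fw01 auth_fail user=admin src=203.0.113.7
2009-03-01T10:00:31 web01 auth_fail user=admin src=203.0.113.7
2009-03-01T10:01:02 vpn01 auth_ok user=admin src=203.0.113.7
2009-03-01T10:05:00 web01 auth_fail user=bob src=198.51.100.2
2009-03-01T10:40:00 web01 auth_ok user=bob src=198.51.100.2
2009-03-01T11:00:00 fw01 auth_fail user=carol src=192.0.2.9
2009-03-01T11:00:05 fw01 auth_fail user=carol src=192.0.2.9
2009-03-01T11:00:10 fw01 auth_fail user=carol src=192.0.2.9
2009-03-01T11:00:20 fw01 auth_fail user=carol src=192.0.2.9
""".splitlines()

# Constructed daily mail counts: (day, inbound, outbound). Day 8 is the outlier.
SAMPLE_MAIL = [
    ("2009-03-01", 1000, 200), ("2009-03-02", 1000, 220),
    ("2009-03-03", 1000, 190), ("2009-03-04", 1000, 210),
    ("2009-03-05", 1000, 200), ("2009-03-06", 1000, 230),
    ("2009-03-07", 1000, 180), ("2009-03-08", 1000, 9000),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Parse log lines into dicts; malformed lines are skipped, never guessed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Rule-based correlation: at least `threshold` auth_fail events from one
    source inside `window`. The alert records whether the burst was seen by
    more than one device (corroboration) and whether an auth_ok from the same
    source followed inside the window (the pattern of a successful guess)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event"] == "auth_fail"]
        for i, first in enumerate(fails):
            end = first["ts"] + window
            burst = [e for e in fails[i:] if e["ts"] <= end]
            if len(burst) < threshold:
                continue
            success = any(e["event"] == "auth_ok" and first["ts"] <= e["ts"] <= end
                          for e in evs)
            alerts.append({
                "src": src,
                "failures": len(burst),
                "devices": sorted({e["device"] for e in burst}),
                "corroborated": len({e["device"] for e in burst}) >= 2,
                "followed_by_success": success,
                "start": first["ts"],
            })
            break  # one alert per source; a real engine would keep sliding
    return alerts


def mail_ratio_anomalies(daily, baseline_days=7, k=3.0):
    """Statistical correlation: flag days whose outbound/inbound ratio exceeds
    the mean of the preceding `baseline_days` by more than k standard
    deviations. The deviation is floored at 5% of the mean so a perfectly
    flat baseline does not fire on trivial jitter."""
    ratios = [out / max(inb, 1) for _, inb, out in daily]
    flagged = []
    for i in range(baseline_days, len(daily)):
        base = ratios[i - baseline_days:i]
        mu, sd = statistics.mean(base), statistics.pstdev(base)
        if ratios[i] > mu + k * max(sd, 0.05 * mu):
            flagged.append(daily[i][0])
    return flagged


if __name__ == "__main__":
    for a in correlate_auth_bursts(parse_events(SAMPLE_LOGS)):
        print(a)
    print("mail anomalies:", mail_ratio_anomalies(SAMPLE_MAIL))
```

Run on the constructed data, the rule fires twice: the 203.0.113.7 burst is seen by three devices and ends in a successful login, which is the case worth paging someone for, while the 192.0.2.9 burst is confined to one device with no success and would rank lower. The single failure from 198.51.100.2 never reaches the threshold, and the mail check flags only 2009-03-08.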

Event correlation technologies go beyond simply collecting and storing logs. Rather, they allow companies to be proactive and discover attacks as they occur to enable a rapid response. With a clear view into their security posture at any point in time, organizations can stop attacks in their tracks before real damage occurs.

Conclusion

Protecting critical assets is getting tougher, as attacks and breaches are becoming increasingly subtle and sophisticated. Though the past year presented us with numerous well-known, damaging data incidents, data breaches continue to plague organizations in virtually every industry, year after year. When such incidents are discovered, response is critical. Organizations must quickly contain the damage, protect corporate and customer data, discover the root cause, and generate detailed reports of the process.

Log management is an important component to defending against data breaches, yet organizations need more, including the power to investigate log data for suspicious patterns. Companies need to make sense of their logs and tie together activities across the network by combining log management with an effective SIM technology. By combining these solutions, security teams can conduct ongoing, real-time correlation of security event data, enabling real-time visibility into the organization’s true security posture.

Merryl Zdatny is senior director of marketing for netForensics, a security information management firm that helps companies in every industry see and eliminate threats, secure valuable assets, and solve pressing compliance challenges.
